User Guide

Incidents

Attack events are aggregated into incidents based on common characteristics, allowing you to quickly identify frequent attack types, the most malicious source IP addresses, and more.

Selecting an incident reveals details such as the attack type, target application, and source IPs.

You can filter the displayed Incidents by the Last detected time, App Name, Attack Type, CVE ID, Device, Host, Incident ID, Source Country, Source IP, and Tag.

Incident Organization

You can add tags with predefined labels to mark incidents, which updates their status icons for easier tracking. These labels are for your reference only and do not affect the system’s threat detection but help with organizing incidents for sorting, filtering, and acknowledgment. Tag names can also be edited to suit your needs.

Additionally, you can use the Comments link under Incident Details to add notes to an incident.

Additional Incident Details

You can access additional information on the selected incident by scrolling down Incident Details and clicking More Details.

When you click on any detail category on this page (except for Threat Sample), a table is displayed showing the information described below, along with the corresponding threat count and block/monitor ratio. The block count indicates how many transactions were blocked, while the monitor count represents the total number of transactions detected for this incident.

Detail Category / Description

Policy Name

The name of the afflicted application.

Attack Type

The type of attack(s) detected by Threat Analytics. Examples include SQL Injection, Cross-Site Scripting, and Trojan attacks.

Countries

The country or countries from which attacks in the recorded incident originate.

Hosts

The host(s) of the afflicted application.

IPs

The client IP address(es) from which the attack came.

URLs

The URL(s) on your domain where the attacks occurred.

CVE IDs

The CVE ID(s) associated with the incident.
CVE IDs are unique identifiers for tracking publicly disclosed cybersecurity vulnerabilities. They follow the format CVE-YYYY-NNNNN (e.g., CVE-2023-12345) and are managed by the CVE Program, overseen by MITRE.

If no CVE ID is associated with this attack, this will display as N/A.

OWASP Top 10

The OWASP Top 10 risk(s) associated with the incident.

The OWASP Top 10 is a list of the most critical security risks to web applications, published by the Open Web Application Security Project (OWASP).

Threat Sample

This page lists each detected transaction within the incident together with its description, Action, client IP address, URL, and date detected.
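The aggregation and per-category tables described above, worked through in code as an added example (this is not FortiWeb's own implementation, and the transaction field names and sample records are constructed assumptions): attack events are grouped into incidents by shared characteristics, each detail category yields a threat count, block count, monitor count and block/monitor ratio, and a transaction without a well-formed CVE ID is shown as N/A.

```python
import re
from collections import defaultdict

# Constructed sample transactions; field names are assumptions, not FortiWeb's log schema.
TRANSACTIONS = [
    {"app": "shop", "host": "shop.example.com", "attack_type": "SQL Injection",
     "src_ip": "198.51.100.7", "country": "US", "url": "/login", "action": "Block", "cve": "CVE-2023-12345"},
    {"app": "shop", "host": "shop.example.com", "attack_type": "SQL Injection",
     "src_ip": "203.0.113.9", "country": "DE", "url": "/search", "action": "Monitor", "cve": "CVE-2023-12345"},
    {"app": "shop", "host": "api.shop.example.com", "attack_type": "SQL Injection",
     "src_ip": "198.51.100.7", "country": "US", "url": "/items", "action": "Block", "cve": None},
    {"app": "shop", "host": "shop.example.com", "attack_type": "Cross-Site Scripting",
     "src_ip": "203.0.113.9", "country": "DE", "url": "/comment", "action": "Block", "cve": None},
    {"app": "blog", "host": "blog.example.com", "attack_type": "SQL Injection",
     "src_ip": "198.51.100.7", "country": "US", "url": "/wp-login.php", "action": "Monitor", "cve": None},
]

# CVE-YYYY-NNNNN: a four-digit year, then at least four digits (the CVE Program allows more).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def cve_display(cve):
    """Return a well-formed CVE ID, or N/A when none is associated with the transaction."""
    return cve if cve and CVE_RE.match(cve) else "N/A"

def aggregate_incidents(txns, keys=("app", "attack_type")):
    """Group detected transactions into incidents by the characteristics in `keys`."""
    incidents = defaultdict(list)
    for t in txns:
        incidents[tuple(t[k] for k in keys)].append(t)
    return dict(incidents)

def detail_table(incident_txns, category):
    """Build one detail-category table for an incident: threat count, block count,
    monitor count (every detected transaction) and the block/monitor ratio."""
    rows = defaultdict(lambda: {"threats": 0, "blocked": 0})
    for t in incident_txns:
        value = cve_display(t["cve"]) if category == "cve" else t[category]
        rows[value]["threats"] += 1
        if t["action"] == "Block":
            rows[value]["blocked"] += 1
    for r in rows.values():
        r["monitored"] = r["threats"]  # monitor count = total detected for this incident
        r["ratio"] = f"{r['blocked']}/{r['monitored']}"
    return dict(rows)

if __name__ == "__main__":
    for key, txns in aggregate_incidents(TRANSACTIONS).items():
        print(key, len(txns), "transactions")
        for cat in ("src_ip", "host", "cve"):
            print("  ", cat, detail_table(txns, cat))
```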