FortiGuard Forensics service support on on-premise EMS 7.2.2

On-premise EMS 7.2.2 supports the FortiGuard Forensics service. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.

You can only request forensic analysis for Windows endpoints.

You can track forensics analysis requests and statuses from the following widgets in Dashboard > Forensics Analysis. The widgets are not available in FortiClient Cloud:

  • Active Concurrent Forensics Analysis Requests: number of active requests and available requests. You can only have five concurrent requests.
  • Forensics Analysis Status: ticket status of each endpoint's forensics analysis task.
  • Forensics Analysis Result: forensics verdict for analyzed endpoints:
    • Clean
    • Compromised
    • Suspicious
  • Forensics Analysis Unread Reports: number of endpoints whose report is unread or not downloaded.
  • Top 10 Latest Forensics Analysis Reports: analysis report, the time that it was updated, and the verdict.

You can drill down on the Forensics Analysis Status, Forensics Analysis Result, and Forensics Analysis Unread Reports widgets by clicking into the charts.

You need to apply the Forensics license to EMS to access this feature. The following assumes that you have acquired and applied the license as necessary.

To request forensic analysis for an endpoint:
  1. Enable the forensic analysis feature:
    1. In EMS, go to System Settings > Feature Select.
    2. Enable FortiGuard Forensics Analysis.
    3. Click Save.
  2. Configure forensic analysis in a profile:
    1. Go to Endpoint Profiles > System Settings.
    2. Create a new profile or edit an existing one.
    3. Under Endpoint Control, toggle Enable Forensics Feature on.
    4. Click Save.
    5. Include this profile in a policy, and apply the policy to the desired endpoint.
  3. Request analysis:
    1. Go to Endpoints > All Endpoints.
    2. Select the desired endpoint.
    3. Under Forensics Analysis, click Request Analysis.
  4. Complete the questionnaire:
    1. In the Summary of the Issue field, enter a description of the issue that you are observing on the endpoint.
    2. In the Reason of Escalation field, select the desired option, or enter another reason in the Other field.
    3. In the First Identified Activity field, enter the date that you first observed the issue.
    4. In the Actions Taken to Date field, select any actions you took to resolve this issue.
    5. In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
    6. If desired, provide details in the Comment field.
  5. Click Finish. Once you submit the request, EMS notifies FortiClient and the forensics agent on the endpoint starts collecting forensics logs. FortiClient uploads the logs to the cloud and shares a link with the analyst. In EMS, you can see the status of the analysis request in the endpoint summary:

    Ticket Status: status of the ticket. Possible statuses are:

    • Request Submitted: EMS is creating the forensics analysis request and sending the information to the team.
    • Pending: the forensic analysis request has been initiated. The Forensics team has not yet assigned it to an analyst.
    • In Progress: the Forensics team has assigned the request to an analyst, who has begun working on it.
    • Failed: the analyst could not connect to the endpoint.
    • Cancelled: indicates one of the following:
      • The analyst needed more information about the endpoint to perform the analysis.
      • The EMS administrator canceled the request.
    • Completed: the analyst has completed analysis on the endpoint and shared the result in a PDF document. You can download the report from the endpoint summary's Forensic Analysis section.

    Agent Status: status of the forensic agent collecting logs on the endpoint. Possible statuses are:

    • Pending: EMS has notified FortiClient that a forensic analysis request is submitted, but the forensic agent is not running yet.
    • Running: the forensics agent has started collecting forensics logs.
    • Collection Completed: the forensics agent has completed collecting forensics logs.
    • Upload Started: FortiClient has started to upload the logs to the cloud.
    • Upload Completed: FortiClient has completed uploading the logs to the cloud.
    • Upload Failed: FortiClient failed to upload the logs to the cloud.

    Task ID: request ID in the FortiGuard forensics system.

  6. Once the analysis is complete, you can click Download Report in the endpoint summary to view the details. You can also view the verdict that the analyst arrived at. You can also filter the endpoint list based on whether the forensics service is enabled, the status, and the verdict.
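
The dashboard widgets and the request lifecycle described above, modelled as an added example (not Fortinet's or EMS's own code): it applies the page's rules (Windows endpoints only, the profile's Enable Forensics Feature toggle, at most five concurrent requests) before a new request, computes what each Dashboard > Forensics Analysis widget shows, and mirrors the endpoint-list filter by status and verdict. Field names, function names and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

MAX_CONCURRENT = 5  # page: "You can only have five concurrent requests"
ACTIVE = {"Request Submitted", "Pending", "In Progress"}  # ticket statuses that hold a slot
VERDICTS = ("Clean", "Compromised", "Suspicious")

@dataclass
class ForensicsRequest:  # assumed record shape, not the EMS data model
    endpoint: str
    ticket_status: str  # Request Submitted / Pending / In Progress / Failed / Cancelled / Completed
    agent_status: str   # Pending / Running / Collection Completed / Upload Started/Completed/Failed
    updated: datetime
    verdict: Optional[str] = None  # only set once ticket_status == "Completed"
    report_downloaded: bool = False

def can_submit(os_name, forensics_enabled, requests):
    """Page preconditions for Request Analysis: Windows, profile toggle on, free slot."""
    if not os_name.lower().startswith("windows"):
        return False, "forensic analysis is only available for Windows endpoints"
    if not forensics_enabled:
        return False, "Enable Forensics Feature is off in the endpoint's profile"
    if sum(r.ticket_status in ACTIVE for r in requests) >= MAX_CONCURRENT:
        return False, f"all {MAX_CONCURRENT} concurrent request slots are in use"
    return True, "ok"

def dashboard(requests):
    """Computes what each Dashboard > Forensics Analysis widget shows."""
    active = sum(r.ticket_status in ACTIVE for r in requests)
    done = [r for r in requests if r.ticket_status == "Completed"]
    return {
        "active": active, "available": MAX_CONCURRENT - active,
        "status": {s: sum(r.ticket_status == s for r in requests) for s in sorted({r.ticket_status for r in requests})},
        "result": {v: sum(r.verdict == v for r in done) for v in VERDICTS},
        "unread": sum(not r.report_downloaded for r in done),
        "latest": [(r.endpoint, r.verdict) for r in sorted(done, key=lambda r: r.updated, reverse=True)[:10]],
    }

def filter_endpoints(requests, ticket_status=None, verdict=None):
    """Mirrors the endpoint-list filter by ticket status and/or verdict."""
    return [r.endpoint for r in requests if ticket_status in (None, r.ticket_status) and verdict in (None, r.verdict)]

SAMPLE = [  # constructed sample records; hostnames and timestamps are made up
    ForensicsRequest("WIN-HR-01", "In Progress", "Upload Completed", datetime(2024, 5, 2, 9, 0)),
    ForensicsRequest("WIN-HR-02", "Pending", "Running", datetime(2024, 5, 2, 9, 5)),
    ForensicsRequest("WIN-FIN-03", "Completed", "Upload Completed", datetime(2024, 5, 1, 16, 0), "Compromised"),
    ForensicsRequest("WIN-FIN-04", "Completed", "Upload Completed", datetime(2024, 5, 1, 12, 0), "Clean", True),
    ForensicsRequest("WIN-DEV-05", "Failed", "Upload Failed", datetime(2024, 4, 30, 8, 0)),
]
```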

To enable email notifications when a forensic analysis status is updated:
  1. Go to System Settings > EMS Alerts.
  2. Enable Forensics Analysis is updated.
  3. Click Save. When a forensic analysis status updates on EMS, EMS sends an email with the new status information.

To change the forensic log upload server:
  1. Go to System Settings > FortiGuard Services.
  2. Under Forensics Services, select the desired upload server.
  3. Click Save.
