Requesting forensic analysis on an endpoint
You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.
You can only request forensic analysis for Windows endpoints.
You need to apply the Forensics license to EMS to access this feature. The following assumes that you have acquired and applied the license as necessary.
To request forensic analysis for an endpoint:
- Enable the forensic analysis feature:
  - In EMS, go to System Settings > Feature Select.
  - Enable FortiGuard Forensics Analysis.
  - Click Save.
- Configure forensic analysis in a profile:
  - Go to Endpoint Profiles > System Settings.
  - Create a new profile or edit an existing one.
  - Under Endpoint Control, toggle Enable Forensics Feature on.
  - Click Save.
  - Include this profile in a policy, and apply the policy to the desired endpoint.
- Request analysis:
  - Go to Endpoints > All Endpoints.
  - Select the desired endpoint.
  - Under Forensics Analysis, click Request Analysis.
  - Complete the questionnaire:
    - In the Summary of the Issue field, enter a description of the issue that you are observing on the endpoint.
    - In the Reason of Escalation field, select the desired option, or enter another reason in the Other field.
    - In the First Identified Activity field, enter the date that you first observed the issue.
    - In the Actions Taken to Date field, select any actions you took to resolve this issue.
    - In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
    - If desired, provide details in the Comment field.
  - Click Finish. Once you submit the request, EMS notifies FortiClient, and the forensics agent on the endpoint starts collecting forensics logs. FortiClient uploads the logs to the cloud and shares a link with the analyst. In EMS, you can see the status of the analysis request in the endpoint summary:
Ticket Status: Status of the ticket. Possible statuses are:
- Request Submitted: EMS is creating the forensics analysis request and sending the information to the team.
- Pending: The forensic analysis request has been initiated, but the Forensics team has not yet assigned it to an analyst.
- In Progress: The Forensics team has assigned the request to an analyst, who has begun working on it.
- Failed: The analyst could not connect to the endpoint.
- Cancelled: Indicates one of the following:
  - The analyst needed more information about the endpoint to perform the analysis.
  - The EMS administrator canceled the request.
- Completed: The analyst has completed the analysis of the endpoint and shared the result in a PDF document. You can download the report from the Forensic Analysis section of the endpoint summary.

Agent Status: Status of the forensic agent collecting logs on the endpoint. Possible statuses are:
- Pending: EMS has notified FortiClient that a forensic analysis request was submitted, but the forensic agent is not running yet.
- Running: The forensics agent is collecting forensics logs.
- Collection Completed: The forensics agent has finished collecting forensics logs.
- Upload Started: FortiClient has started uploading the logs to the cloud.
- Upload Completed: FortiClient has finished uploading the logs to the cloud.
- Upload Failed: FortiClient failed to upload the logs to the cloud.

Task ID: Request ID in the FortiGuard forensics system.
- Once the analysis is complete, click Download Report in the endpoint summary to view the details. The endpoint summary also shows the verdict that the analyst arrived at. You can filter the endpoint list by whether the forensics service is enabled, by the request status, and by the verdict.