Request forensic analysis

You can submit forensic analysis requests from within an alert in the SOCaaS portal.

In order to submit a request, you must have one device (FortiClient EMS or FortiSASE) onboarded with a valid forensic analysis entitlement, and there must be at least one endpoint in the alert. See Forensic analysis and Licensing.

When viewing an alert that does not meet these requirements, the Request Forensic Analysis button will be grayed out and you cannot submit a forensic analysis request.

Within the alert, under the CORRELATIONS > Endpoints tab at the bottom of the alert page, you will find the endpoints that are associated with the alert.

To submit a request for forensic analysis in an alert:
  1. In an SOCaaS alert, click Request Forensic Analysis at the top of the alert page.

    The Request Forensic Analysis wizard opens.

  2. Complete the Request Forensic Analysis wizard:

    1. Select an endpoint from the dropdown list.

      • Only endpoints associated with this alert are displayed.

      • Only one endpoint can be selected for each forensic analysis request.

      • When the selected endpoint is an IP address, a new mandatory field is displayed for you to provide the endpoint hostname.

    2. Confirm whether the endpoint is managed by an EMS or SASE device by clicking Yes or No on the prompt. Endpoints must be managed by FortiClient EMS or FortiSASE in order to perform forensic analysis.

      • Clicking Yes will submit the forensic analysis request.

      • Clicking No will display a note that forensic analysis can only be performed on endpoints managed by FortiClient EMS or FortiSASE.

    3. After the service request has been submitted, you will need to take additional actions to grant the required access to the Forensic Analysis team. The SOCaaS Request Forensic Analysis wizard provides you with links to resources that will guide you on the next steps.
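The eligibility rules the wizard enforces (an onboarded device with a forensic analysis entitlement, at least one correlated endpoint, one endpoint per request, a mandatory hostname when the endpoint is identified by IP address, and management by FortiClient EMS or FortiSASE) can be written down as a single pre-submission check. The following is an added example, not Fortinet code and not the SOCaaS API; the `Alert` and `Endpoint` data model, the field names and the sample alert are constructed here to mirror the conditions stated in the procedure above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical data model (not the SOCaaS API). The fields correspond to the
# prerequisites listed in the procedure: an entitled EMS/SASE device, the
# endpoints shown under CORRELATIONS > Endpoints, and how each is managed.

@dataclass(frozen=True)
class Endpoint:
    identifier: str            # hostname or IP address as listed in the alert
    managed_by: Optional[str]  # "EMS", "SASE", or None when unmanaged


@dataclass
class Alert:
    entitled_devices: List[str]  # onboarded devices holding a forensic analysis entitlement
    endpoints: List[Endpoint]    # endpoints correlated with this alert


MANAGED_TYPES = ("EMS", "SASE")


def is_ip_address(value: str) -> bool:
    """True when the endpoint identifier is a literal IPv4/IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def request_button_enabled(alert: Alert) -> bool:
    """The portal greys out Request Forensic Analysis unless both prerequisites hold."""
    return bool(alert.entitled_devices) and bool(alert.endpoints)


def validate_request(alert: Alert, selected: Endpoint,
                     hostname: Optional[str] = None,
                     confirmed_managed: bool = True) -> List[str]:
    """Return the reasons a request would be refused; an empty list means it can be submitted."""
    problems = []
    if not request_button_enabled(alert):
        problems.append("alert has no entitled device or no endpoints")
    if selected not in alert.endpoints:
        problems.append("endpoint is not associated with this alert")
    if is_ip_address(selected.identifier) and not hostname:
        problems.append("endpoint selected by IP address; hostname is mandatory")
    if not confirmed_managed or selected.managed_by not in MANAGED_TYPES:
        problems.append("endpoint must be managed by FortiClient EMS or FortiSASE")
    return problems


# Constructed sample alert: one hostname endpoint managed by EMS, one endpoint
# known only by IP and managed by SASE, and one unmanaged endpoint.
SAMPLE_ALERT = Alert(
    entitled_devices=["ems-primary"],
    endpoints=[
        Endpoint("laptop-017.corp.example", "EMS"),
        Endpoint("10.20.30.40", "SASE"),
        Endpoint("kiosk-lobby", None),
    ],
)

if __name__ == "__main__":
    for ep in SAMPLE_ALERT.endpoints:
        print(ep.identifier, validate_request(SAMPLE_ALERT, ep) or "ok")
    # The IP-only endpoint becomes submittable once a hostname is supplied.
    print(validate_request(SAMPLE_ALERT, SAMPLE_ALERT.endpoints[1], hostname="kiosk-02") or "ok")
```

Running the module prints one line per sample endpoint: the EMS-managed host passes, the IP-only endpoint is refused until a hostname is supplied, and the unmanaged endpoint is refused outright, matching what the wizard displays after Yes or No.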

Submitted forensic analysis requests can be viewed from the Forensic Analysis tab on the alert or by going to Forensic Analysis in the SOCaaS portal. See View forensic analysis request details.