
Alert correlations

SOCaaS includes the following correlations in the alert details.

Events

The security events detected in the collected logs that were triaged by SOC analysts and resulted in the escalation of this alert.

Click on the name of an event to view the event details page.

Customers can retrieve sample event logs for events to help them with the alert investigation. See Getting logs from an event for instructions.

Indicators

The indicators of compromise (IOCs) extracted from the security events. These can include IP addresses, domain names, file hashes, and URLs.

Alert Indicators can include links to enriched FortiGuard data when available. Clicking the link will open the FortiGuard page in a new dialog window, with details about affected products, impact, recommended actions, and more.

Find these links in the alert details, under Correlations > Indicators, and click on the highlighted value of the event to view the FortiGuard Labs data.

Assets

The Fabric device(s) from which the logs were collected and in which the security events were detected.

Endpoints

The endpoint(s) associated with this alert that are extracted from the security event.

Users

The user(s) associated with this alert that are extracted from the security event.

Tooltip

This field will not contain information if the fields related to user privacy have been excluded from logs when configuring FortiAnalyzer log forwarding.

If you do not want user information to be included due to privacy concerns or related compliance requirements, please ensure that user identifiable information has been removed from the logs before sending them to SOCaaS. See Sending logs from an on-premise FortiAnalyzer.
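The following Python script is an added illustration of the two points above and is not part of this page or of SOCaaS. It parses constructed FortiGate-style key=value log lines, pulls out the correlation categories described here (assets from devname, endpoints from srcname, users from user, and IP, domain, hash and URL indicators), and shows how user-identifiable fields can be stripped from a log line before it is forwarded. The log lines are constructed samples; the field names (devname, srcname, user, hostname, url, checksum) and the set of fields treated as user-identifiable are assumptions for this example and should be checked against your own FortiAnalyzer log forwarding configuration.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample log lines in FortiGate-style key=value syntax.
# These are not real logs; field names follow common FortiGate conventions
# but are assumptions for this example.
SAMPLE_LOGS: List[str] = [
    'date=2024-01-15 time=10:02:11 devname="FG-EDGE-1" type="utm" subtype="webfilter" '
    'action="blocked" srcip=10.0.5.23 srcname="WKS-0423" user="jdoe" dstip=203.0.113.10 '
    'hostname="malicious.example" url="/payload.exe" msg="URL belongs to a denied category"',
    'date=2024-01-15 time=10:02:19 devname="FG-EDGE-1" type="utm" subtype="virus" '
    'action="blocked" srcip=10.0.5.23 srcname="WKS-0423" user="jdoe" dstip=203.0.113.10 '
    'filename="payload.exe" checksum="d41d8cd98f00b204e9800998ecf8427e" msg="File is infected."',
]

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields assumed to carry user-identifiable information (deployment-specific).
USER_FIELDS = frozenset({"user", "srcname", "srcmac", "unauthuser"})

# Addresses in these ranges are treated as internal assets, not as indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict of field name -> value."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def is_external_ip(value: str) -> bool:
    """True for a syntactically valid IP address that is not in an internal range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_indicators(fields: Dict[str, str]) -> Dict[str, Set[str]]:
    """Pull IP, domain, hash and URL indicators out of one parsed event."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "hash": set(), "url": set()}
    for key in ("srcip", "dstip"):
        value = fields.get(key, "")
        if is_external_ip(value):
            iocs["ip"].add(value)
    host = fields.get("hostname", "")
    if host:
        iocs["domain"].add(host)
        if fields.get("url"):
            iocs["url"].add(host + fields["url"])  # host plus path as the full URL indicator
    for key in ("checksum", "filehash"):
        if fields.get(key):
            iocs["hash"].add(fields[key].lower())
    return iocs


def summarize_alert(lines: List[str]) -> Dict[str, Set[str]]:
    """Aggregate the correlation categories across all events of one alert."""
    summary: Dict[str, Set[str]] = {
        "assets": set(), "endpoints": set(), "users": set(),
        "ip": set(), "domain": set(), "hash": set(), "url": set(),
    }
    for line in lines:
        fields = parse_log(line)
        if fields.get("devname"):
            summary["assets"].add(fields["devname"])     # Fabric device that produced the log
        if fields.get("srcname"):
            summary["endpoints"].add(fields["srcname"])  # endpoint named in the event
        if fields.get("user"):
            summary["users"].add(fields["user"])
        for kind, values in extract_indicators(fields).items():
            summary[kind] |= values
    return summary


def redact_user_fields(line: str, user_fields=USER_FIELDS) -> str:
    """Drop user-identifiable fields from a log line before forwarding it."""
    stripped = KV_RE.sub(lambda m: "" if m.group(1) in user_fields else m.group(0), line)
    return re.sub(r"\s{2,}", " ", stripped).strip()


if __name__ == "__main__":
    for category, values in summarize_alert(SAMPLE_LOGS).items():
        print(f"{category:>10}: {sorted(values)}")
    print(redact_user_fields(SAMPLE_LOGS[0]))
```

Running the script on the two sample events yields one asset, one endpoint, one user and four indicators (an external IP, a domain, a file hash and a URL); after redact_user_fields has been applied to the lines, the same summary still contains the indicators and the asset but no users or endpoints, which is the effect the privacy note above describes.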

Attachments

Triage artifacts such as raw logs and triage reports. This also includes customer attachments, which can be added directly in the tab.

Note

Users can share files related to the alert with the Fortinet SOC team by clicking the Add option. PDF, PNG, JPEG, text, and CSV files are supported.

Alerts

Displays correlated alerts that include the same endpoint(s) that are affected by this alert.

You can click on an alert to view its details. When you click on another alert, the previous alert's ID is displayed in the navigation breadcrumb at the top of the page so that you can easily navigate back to previous alerts. Click the back button to return to the last alert viewed.

Forensic Analysis

Displays forensic analysis requests associated with endpoints included in this alert.

You can click on a forensic analysis request to view its details.

For more information, see View forensic analysis request details and Request forensic analysis.
