Fortinet white logo
Fortinet white logo

Administration Guide

Analysis

Analysis

The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. You can also export the list as a CSV file.

When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread.

The Analysis page displays the following information:

Severity

Severity of the event.

Protocol

Network protocol the attacker used to perform the attack.

Last Activity

Date and time of the last activity.

Type

Event Type

Triggered By
Connection
  1. Port scan (SYNConnection).
  2. Ping.
  3. SYN connection.
  4. Access to the service with no other interaction like accessing a web server without entering any credentials.
Reconnaissance
  1. Port scan (Full TCP Connection).
  2. Access the decoy network share and browse files.
  3. Access the decoy web application and browse the web application.
  4. Access decoy FTP server and browse files.
Interaction
  1. The attacker accesses the decoy and passes the log in phase.
  2. Attacker logs into a decoy and runs commands inside the session like RDP.
Infection
  1. Attacker copies files to the decoy.
  2. Attacker accesses the decoy and downloads files from the internet.
  3. The attacker runs an exploit against the decoy and injects a binary file.

Attacker IP

Attacker IP address.

Attacker User

Attacker username.

Victim IP

IP address of the victim.

Victim Port

Port of the victim.

Decoy ID

Unique ID of the Decoy VM.

ID

ID of the incident.

Attacker IP

Attacker IP address and domain name.

Attacker Port

Port where the attack originated.

Tag Key

Unique key string for the incident.

Attacker Password

Password used by the attacker.

Start

Date and time when the attack started.

Tooltip

The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.

Table settings

Use the Actions menu at the top of the page to export the incidents table and sort the events. The table settings allow you to show or hide columns and set the order of the column headings in the table.

The following options are available in the Actions menu:

Action

Description

Refresh Click to refresh the data.
PDF Report

Click to download the detailed analysis report in PDF format.

Export to CSV

Click to export the list as a CSV file. Depending on the number of incidents, the file may take some time to generate and export.

Mark all as read Click to mark all the incidents as read.
Show Click to display the incident events by type: Interaction Events Only (default), IPS Events Only, Web Filter Events Only, or All.
To generate the Incidents Report PDF:
  1. Go to Incident > Analysis.
  2. In the Actions menu, click PDF Report. The Generate PDF Report dialog opens.
  3. In the From and To fields, specify the time range for the report.
  4. (Optional) In the Mail Address (optional) enter an email address to send the report. Separate multiple email addresses with a semi-colon (;).
  5. Click Generate.
To configure the table settings:
  1. Go to System > Table Customization. The Table Customization dialog opens.
  2. In the Incident Columns pane:
    • To show a column: Drag and drop the headers from the Available Column Headers to Customized Column Headers and Orders.
    • To hide a column: Drag and drop the headers from the Customized Column Headers and Orders to Available Column Headers.
    • To change the column order: Drag and drop the position of the headers in Customized Column Headers and Orders.
  3. In the Table Settings pane, configure the table size and view.

    Page SizeEnter the number of incidents to display per page when View Type > Pagination is selected.
    View TypeSelect Pagination, Infinite Scroll or Both.

  4. Click Apply.

Viewing the incident details

You can view the incident details in timeline or table view.

To view the incident details:
  1. Go to Incident > Analysis.
  2. Click the arrow to expand the incident. The Timeline tab opens.

  3. Click the Table tab to view the incident details as a table.

Analysis

Analysis

The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. You can also export the list as a CSV file.

When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread.

The Analysis page displays the following information:

Severity

Severity of the event.

Protocol

Network protocol the attacker used to perform the attack.

Last Activity

Date and time of the last activity.

Type

Event Type

Triggered By
Connection
  1. Port scan (SYNConnection).
  2. Ping.
  3. SYN connection.
  4. Access to the service with no other interaction like accessing a web server without entering any credentials.
Reconnaissance
  1. Port scan (Full TCP Connection).
  2. Access the decoy network share and browse files.
  3. Access the decoy web application and browse the web application.
  4. Access decoy FTP server and browse files.
Interaction
  1. The attacker accesses the decoy and passes the log in phase.
  2. Attacker logs into a decoy and runs commands inside the session like RDP.
Infection
  1. Attacker copies files to the decoy.
  2. Attacker accesses the decoy and downloads files from the internet.
  3. The attacker runs an exploit against the decoy and injects a binary file.

Attacker IP

Attacker IP address.

Attacker User

Attacker username.

Victim IP

IP address of the victim.

Victim Port

Port of the victim.

Decoy ID

Unique ID of the Decoy VM.

ID

ID of the incident.

Attacker IP

Attacker IP address and domain name.

Attacker Port

Port where the attack originated.

Tag Key

Unique key string for the incident.

Attacker Password

Password used by the attacker.

Start

Date and time when the attack started.

Tooltip

The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.

Table settings

Use the Actions menu at the top of the page to export the incidents table and sort the events. The table settings allow you to show or hide columns and set the order of the column headings in the table.

The following options are available in the Actions menu:

Action

Description

Refresh Click to refresh the data.
PDF Report

Click to download the detailed analysis report in PDF format.

Export to CSV

Click to export the list as a CSV file. Depending on the number of incidents, the file may take some time to generate and export.

Mark all as read Click to mark all the incidents as read.
Show Click to display the incident events by type: Interaction Events Only (default), IPS Events Only, Web Filter Events Only, or All.
To generate the Incidents Report PDF:
  1. Go to Incident > Analysis.
  2. In the Actions menu, click PDF Report. The Generate PDF Report dialog opens.
  3. In the From and To fields, specify the time range for the report.
  4. (Optional) In the Mail Address (optional) enter an email address to send the report. Separate multiple email addresses with a semi-colon (;).
  5. Click Generate.
To configure the table settings:
  1. Go to System > Table Customization. The Table Customization dialog opens.
  2. In the Incident Columns pane:
    • To show a column: Drag and drop the headers from the Available Column Headers to Customized Column Headers and Orders.
    • To hide a column: Drag and drop the headers from the Customized Column Headers and Orders to Available Column Headers.
    • To change the column order: Drag and drop the position of the headers in Customized Column Headers and Orders.
  3. In the Table Settings pane, configure the table size and view.

    Page SizeEnter the number of incidents to display per page when View Type > Pagination is selected.
    View TypeSelect Pagination, Infinite Scroll or Both.

  4. Click Apply.

Viewing the incident details

You can view the incident details in timeline or table view.

To view the incident details:
  1. Go to Incident > Analysis.
  2. Click the arrow to expand the incident. The Timeline tab opens.

  3. Click the Table tab to view the incident details as a table.