Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiDeceptor 5.1.0 Administration Guide
    5.1.0
    6.0.1
    6.0.0
    5.3.2
    5.3.1
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.0
    4.1.1
    4.1.0
    4.0.2
    4.0.1
    4.0.0
    3.3.3
    3.3.2
    3.3.1
    3.3.0
    3.2.2
    3.2.1
    3.2.0
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.1

    Analysis

    Analysis

    The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. The Incidents Report can be generated one at time, or you can schedule the report to generate on a recurring basis. You can also export incidents list as a CSV file.

    When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread. To refresh the data click the Refresh button in the toolbar.

    Tooltip

    You can configure the table settings by clicking the gear icon at the bottom-right of the page or go to System > Table Customization. For more information, see Table Customization.

    The Analysis page displays the following information:

    Severity

    Severity of the event.

    Protocol

    Network protocol the attacker used to perform the attack.

    Last Activity

    Date and time of the last activity.

    Type

    Event Type

    		 Triggered By
    Connection
    1. Port scan (SYNConnection).
    2. Ping.
    3. SYN connection.
    4. Access to the service with no other interaction like accessing a web server without entering any credentials.
    Reconnaissance
    1. Port scan (Full TCP Connection).
    2. Access the decoy network share and browse files.
    3. Access the decoy web application and browse the web application.
    4. Access decoy FTP server and browse files.
    Interaction
    1. The attacker accesses the decoy and passes the log in phase.
    2. Attacker logs into a decoy and runs commands inside the session like RDP.
    Infection
    1. Attacker copies files to the decoy.
    2. Attacker accesses the decoy and downloads files from the internet.
    3. The attacker runs an exploit against the decoy and injects a binary file.

    Attacker IP

    Attacker IP address.

    Attacker User

    Attacker username.

    Victim IP

    IP address of the victim.

    Victim Port

    Port of the victim.

    Decoy ID

    Unique ID of the Decoy VM.

    ID

    ID of the incident.

    Attacker IP

    Attacker IP address and domain name.

    Attacker Port

    Port where the attack originated.

    Tag Key

    Unique key string for the incident.

    Attacker Password

    Password used by the attacker.

    Start

    Date and time when the attack started.
    Tooltip

    The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.
    To generate the Incidents Report:

    1. Go to Incidents > Analysis.

    2. In the toolbar, click PDF Report.

    3. Configure the report settings.

      Mail Address Enter the destination email for the report.
      Scheduler Type Select One Time or Recurring.

      User Timezone

      For one time reports, set the recipient's timezone.

      Generate report for data From

      For one time reports, select the report start date and time.

      Generate report for data To

      For one time reports, select the report end date and time.

      Scheduler Timezone For recurring reports, select the scheduled timezone.
      Scheduler Start For recurring reports, select the schedule start date and time.
      Scheduler End For recurring reports, select the schedule end date and time.
      Scheduler Interval Select Daily, Weekly, or Monthly.
      Days

      For Weekly reports, select the day of the week to generate the report.

      For Monthly reports, select the date to generate the report.

      Time Select the time to generate the report for the selected day.

    4. Click Generate.

    To export the Incidents list a CSV file:

    • In the toolbar, click Export to CSV.

    It may take some time to export the report depending on the number of incidents in the list.

    Previous
    Next

    Analysis

    Analysis

    The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. The Incidents Report can be generated one at time, or you can schedule the report to generate on a recurring basis. You can also export incidents list as a CSV file.

    When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread. To refresh the data click the Refresh button in the toolbar.

    Tooltip

    You can configure the table settings by clicking the gear icon at the bottom-right of the page or go to System > Table Customization. For more information, see Table Customization.

    The Analysis page displays the following information:

    Severity

    Severity of the event.

    Protocol

    Network protocol the attacker used to perform the attack.

    Last Activity

    Date and time of the last activity.

    Type

    Event Type

    		 Triggered By
    Connection
    1. Port scan (SYNConnection).
    2. Ping.
    3. SYN connection.
    4. Access to the service with no other interaction like accessing a web server without entering any credentials.
    Reconnaissance
    1. Port scan (Full TCP Connection).
    2. Access the decoy network share and browse files.
    3. Access the decoy web application and browse the web application.
    4. Access decoy FTP server and browse files.
    Interaction
    1. The attacker accesses the decoy and passes the log in phase.
    2. Attacker logs into a decoy and runs commands inside the session like RDP.
    Infection
    1. Attacker copies files to the decoy.
    2. Attacker accesses the decoy and downloads files from the internet.
    3. The attacker runs an exploit against the decoy and injects a binary file.

    Attacker IP

    Attacker IP address.

    Attacker User

    Attacker username.

    Victim IP

    IP address of the victim.

    Victim Port

    Port of the victim.

    Decoy ID

    Unique ID of the Decoy VM.

    ID

    ID of the incident.

    Attacker IP

    Attacker IP address and domain name.

    Attacker Port

    Port where the attack originated.

    Tag Key

    Unique key string for the incident.

    Attacker Password

    Password used by the attacker.

    Start

    Date and time when the attack started.
    Tooltip

    The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.
    To generate the Incidents Report:

    1. Go to Incidents > Analysis.

    2. In the toolbar, click PDF Report.

    3. Configure the report settings.

      Mail Address Enter the destination email for the report.
      Scheduler Type Select One Time or Recurring.

      User Timezone

      For one time reports, set the recipient's timezone.

      Generate report for data From

      For one time reports, select the report start date and time.

      Generate report for data To

      For one time reports, select the report end date and time.

      Scheduler Timezone For recurring reports, select the scheduled timezone.
      Scheduler Start For recurring reports, select the schedule start date and time.
      Scheduler End For recurring reports, select the schedule end date and time.
      Scheduler Interval Select Daily, Weekly, or Monthly.
      Days

      For Weekly reports, select the day of the week to generate the report.

      For Monthly reports, select the date to generate the report.

      Time Select the time to generate the report for the selected day.

    4. Click Generate.

    To export the Incidents list a CSV file:

    • In the toolbar, click Export to CSV.

    It may take some time to export the report depending on the number of incidents in the list.

    Previous
    Next