Fortinet white logo
Fortinet white logo

Administration Guide

Analysis

Analysis

The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. The Incidents Report can be generated one at time, or you can schedule the report to generate on a recurring basis. You can also export incidents list as a CSV file.

When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread. To refresh the data click the Refresh button in the toolbar.

Tooltip

You can configure the table settings by hovering over the left-side of the table header and clicking the gear icon .

The Analysis page displays the following information:

Last Activity

Date and time of the last activity.

Start

Date and time when the attack started.

Severity

Severity of the event.

Events

Show the event number of the Incident

Protocol

Network protocol the attacker used to perform the attack.

Type

Event Type

Triggered By
Connection
  1. Port scan (SYNConnection).
  2. Ping.
  3. SYN connection.
  4. Access to the service with no other interaction like accessing a web server without entering any credentials.
Reconnaissance
  1. Port scan (Full TCP Connection).
  2. Access the decoy network share and browse files.
  3. Access the decoy web application and browse the web application.
  4. Access decoy FTP server and browse files.
Interaction
  1. The attacker accesses the decoy and passes the log in phase.
  2. Attacker logs into a decoy and runs commands inside the session like RDP.
Infection
  1. Attacker copies files to the decoy.
  2. Attacker accesses the decoy and downloads files from the internet.
  3. The attacker runs an exploit against the decoy and injects a binary file.

Appliance

In CM mode, this column displays the name of the appliance where the victim decoy is deployed.

Attacker User

Attacker username.

Attacker Password

Password used by the attacker.

Attacker MAC

Attacker MAC address.

Attacker IP

Attacker IP address and domain name.

Attacker Port

Port where the attack originated.

Victim IP

IP address of the victim.

Victim Port

Port of the victim.

Decoy ID

Unique ID of the Decoy VM.

Decoy Name

Decoy name of the victim.

ID

ID of the incident.

Tooltip

The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.

To generate the Incidents Report:
  1. Go to Incidents > Analysis.

  2. In the toolbar, click PDF Report.

  3. Configure the report settings.

    Mail Address Enter the destination email for the report.
    Scheduler Type Select One Time or Recurring.

    User Timezone

    This setting cannot be modified. It is consistent with the system Time Zone setting.

    Generate report for data From

    For one time reports, select the report start date and time.

    Generate report for data To

    For one time reports, select the report end date and time.

    Scheduler Timezone For recurring reports, select the scheduled timezone.
    Scheduler Start For recurring reports, select the schedule start date and time.
    Scheduler End For recurring reports, select the schedule end date and time.
    Scheduler Interval Select Daily, Weekly, or Monthly.
    Days

    For Weekly reports, select the day of the week to generate the report.

    For Monthly reports, select the date to generate the report.

    Time Select the time to generate the report for the selected day.
  4. Click Generate.
    Note

    For recurring reports, the report generation is delayed by approximately 30 minutes.

To export the Incidents list a CSV file:
  • In the toolbar, click Export to CSV.

It may take some time to export the report depending on the number of incidents in the list.

To filter the Incident table:
  • In the Search field at the top-right of the page, click the plus sign and select a filterable column. Use the date picker to select the date range and click Apply.

  • Hover over a column heading and click the filter icon.

Analysis

Analysis

The Analysis page displays the list of incidents detected by FortiDeceptor. Use this page to generate the Incidents Report PDF. The Incidents Report can be generated one at time, or you can schedule the report to generate on a recurring basis. You can also export incidents list as a CSV file.

When you expand an incident to the view the details, the incident is marked as read. Newly-detected incidents are in bold to indicate they are unread. To refresh the data click the Refresh button in the toolbar.

Tooltip

You can configure the table settings by hovering over the left-side of the table header and clicking the gear icon .

The Analysis page displays the following information:

Last Activity

Date and time of the last activity.

Start

Date and time when the attack started.

Severity

Severity of the event.

Events

Show the event number of the Incident

Protocol

Network protocol the attacker used to perform the attack.

Type

Event Type

Triggered By
Connection
  1. Port scan (SYNConnection).
  2. Ping.
  3. SYN connection.
  4. Access to the service with no other interaction like accessing a web server without entering any credentials.
Reconnaissance
  1. Port scan (Full TCP Connection).
  2. Access the decoy network share and browse files.
  3. Access the decoy web application and browse the web application.
  4. Access decoy FTP server and browse files.
Interaction
  1. The attacker accesses the decoy and passes the log in phase.
  2. Attacker logs into a decoy and runs commands inside the session like RDP.
Infection
  1. Attacker copies files to the decoy.
  2. Attacker accesses the decoy and downloads files from the internet.
  3. The attacker runs an exploit against the decoy and injects a binary file.

Appliance

In CM mode, this column displays the name of the appliance where the victim decoy is deployed.

Attacker User

Attacker username.

Attacker Password

Password used by the attacker.

Attacker MAC

Attacker MAC address.

Attacker IP

Attacker IP address and domain name.

Attacker Port

Port where the attack originated.

Victim IP

IP address of the victim.

Victim Port

Port of the victim.

Decoy ID

Unique ID of the Decoy VM.

Decoy Name

Decoy name of the victim.

ID

ID of the incident.

Tooltip

The infected files captured by the decoy are saved as a password protected .zip file you can download. The password for the file is FortiDeceptor.

To generate the Incidents Report:
  1. Go to Incidents > Analysis.

  2. In the toolbar, click PDF Report.

  3. Configure the report settings.

    Mail Address Enter the destination email for the report.
    Scheduler Type Select One Time or Recurring.

    User Timezone

    This setting cannot be modified. It is consistent with the system Time Zone setting.

    Generate report for data From

    For one time reports, select the report start date and time.

    Generate report for data To

    For one time reports, select the report end date and time.

    Scheduler Timezone For recurring reports, select the scheduled timezone.
    Scheduler Start For recurring reports, select the schedule start date and time.
    Scheduler End For recurring reports, select the schedule end date and time.
    Scheduler Interval Select Daily, Weekly, or Monthly.
    Days

    For Weekly reports, select the day of the week to generate the report.

    For Monthly reports, select the date to generate the report.

    Time Select the time to generate the report for the selected day.
  4. Click Generate.
    Note

    For recurring reports, the report generation is delayed by approximately 30 minutes.

To export the Incidents list a CSV file:
  • In the toolbar, click Export to CSV.

It may take some time to export the report depending on the number of incidents in the list.

To filter the Incident table:
  • In the Search field at the top-right of the page, click the plus sign and select a filterable column. Use the date picker to select the date range and click Apply.

  • Hover over a column heading and click the filter icon.