Fortinet white logo
Fortinet white logo

Administration Guide

Introduction

Introduction

The Forensic Analysis add-on enables a security team (or anyone else) to delve deeply into the actual internals of the communicating devices’ operating system that led up to the security event.

The Forensic Analysis add-on provides an abundance of deep analysis and drill-down options that reveal the process flows, memory stacks and a variety of operating system parameters in a graphic view, such as:

  • Infected device and application details.
  • Evidence path, which includes the process that the threat actor violated and which type of violation was executed.
  • Side-by-side security event comparisons.

This option is only available to users who have purchased the Forensics add-on license, which is part of the Protect and Response license or the Discover, Protect and Response license.

The first stage of working with Forensics is to select one or more security event aggregations or security events to analyze. To do so, use one of the methods below:

  • In the Event Viewer, select a security event aggregation and then click the button. Selecting a security event aggregation lets you analyze the aggregation of events triggered on this process.

    In this case, the Forensics add-on shows a separate tab for each security event associated with the security event aggregation. For example, the figure below shows seven tabs for a security event aggregation containing two events.

  • Select an individual security event in the Event Viewer and then click the button. In this case, the Forensics add-on shows a single tab for the selected security event, with all of its related raw data items.
  • Select a raw data item when in drill down, and then click the button. In this case, the Forensics add-on shows a single tab for the selected security event with a single raw data item.
  • In the FORENSICS tab, select Events. In the page that displays, click the Event Viewer link, shown below, and then select the security event of interest using any of the methods described above.

    You can click the button in the FORENSICS tab to display classification details, including the classification, policy and rules assigned to the FortiEDR Collector that triggered this security event. For more details about classification details, see Classification Details.

To perform deep Forensic analysis:
  1. Select the security events to analyze using one of the methods described on Event Viewer.

    Selected security events that are currently loaded to the FORENSICS tab are marked in the Event Viewer with a fingerprint icon.

  2. Each selected security event is then displayed in the Event Viewer as a separate tab:

    Each tab shows the same information as in the Event Viewer, with additional information as described below.

    The following options for viewing more information are provided:

    In the Raw Events area, use the right and left arrows to scroll through the raw data items for a security event.

    Click the All Raw Data Items button to display all raw data items. Click the Selected Raw Data Items button to select a specific raw data item. This action opens the following window, in which you specify the raw data item(s) to display.

    Click Close in the SELECT RAW DATA ITEMS window. The Events page displays only those raw data items you selected in the view.

    Click the Threat Hunting button to review relevant Activity Events in the Threat Hunting tab

Introduction

Introduction

The Forensic Analysis add-on enables a security team (or anyone else) to delve deeply into the actual internals of the communicating devices’ operating system that led up to the security event.

The Forensic Analysis add-on provides an abundance of deep analysis and drill-down options that reveal the process flows, memory stacks and a variety of operating system parameters in a graphic view, such as:

  • Infected device and application details.
  • Evidence path, which includes the process that the threat actor violated and which type of violation was executed.
  • Side-by-side security event comparisons.

This option is only available to users who have purchased the Forensics add-on license, which is part of the Protect and Response license or the Discover, Protect and Response license.

The first stage of working with Forensics is to select one or more security event aggregations or security events to analyze. To do so, use one of the methods below:

  • In the Event Viewer, select a security event aggregation and then click the button. Selecting a security event aggregation lets you analyze the aggregation of events triggered on this process.

    In this case, the Forensics add-on shows a separate tab for each security event associated with the security event aggregation. For example, the figure below shows seven tabs for a security event aggregation containing two events.

  • Select an individual security event in the Event Viewer and then click the button. In this case, the Forensics add-on shows a single tab for the selected security event, with all of its related raw data items.
  • Select a raw data item when in drill down, and then click the button. In this case, the Forensics add-on shows a single tab for the selected security event with a single raw data item.
  • In the FORENSICS tab, select Events. In the page that displays, click the Event Viewer link, shown below, and then select the security event of interest using any of the methods described above.

    You can click the button in the FORENSICS tab to display classification details, including the classification, policy and rules assigned to the FortiEDR Collector that triggered this security event. For more details about classification details, see Classification Details.

To perform deep Forensic analysis:
  1. Select the security events to analyze using one of the methods described on Event Viewer.

    Selected security events that are currently loaded to the FORENSICS tab are marked in the Event Viewer with a fingerprint icon.

  2. Each selected security event is then displayed in the Event Viewer as a separate tab:

    Each tab shows the same information as in the Event Viewer, with additional information as described below.

    The following options for viewing more information are provided:

    In the Raw Events area, use the right and left arrows to scroll through the raw data items for a security event.

    Click the All Raw Data Items button to display all raw data items. Click the Selected Raw Data Items button to select a specific raw data item. This action opens the following window, in which you specify the raw data item(s) to display.

    Click Close in the SELECT RAW DATA ITEMS window. The Events page displays only those raw data items you selected in the view.

    Click the Threat Hunting button to review relevant Activity Events in the Threat Hunting tab