
Administration Guide

Investigation View

The Investigation View window helps you understand the flow of activity events during Threat Hunting through a dynamic, interactive graphical view of each activity event's details: source, action, and target. The graphical view lets you add more activity events to the graph and shows the relationships between those activities and the timeline in which they occurred, for example:

  • All actions performed by a given process

  • All files the process has created or updated

  • All IPs the process has initiated communication with

It also allows you to interactively view a chain of activity events in the following ways:

  • Browse between the various processes involved in the chain

  • See all activity events related to one node in the Security Event graph

  • Switch to the other involved endpoints and see the graph chain there while analyzing a security event on one device

You can access the Investigation View using the Investigation View button () in the following locations:

  • ADVANCED DATA tab under EVENTS VIEWER to investigate the security event chain

  • Details Pane of an event under Forensics > Threat Hunting to start investigation of the chain of activity events

Note
  • The Investigation View adds visualization and interaction of existing data that is already available in other non-graphical and non-interactive forms without creating or generating any additional data.
  • The Investigation View is available only to user roles with Forensics permissions, which means all standard roles except IT. Read-Only users can only view and manipulate graphs; they cannot remediate or perform other actions.

The following figure illustrates the various components of an Investigation View window launched from the ADVANCED DATA tab under EVENTS VIEWER. The window launched from the Details Pane of an event under Forensics > Threat Hunting looks similar but with fewer general details at the top section.

Component

Description

1

General details about the event, such as event ID, process name, classification, IP address, and incident responses.

The window launched from the Details Pane of an event under Forensics > Threat Hunting has the following differences in this section:

  • The window title says "Threat Hunting + activity name" instead of "Investigation + event ID".

  • Fewer general details: details in the first row, such as classification and incident response, are not shown.

2

Use the Export button () to export the Investigation View window as an SVG file to share with others or to keep for your records. This is the only way to save a graph that includes dynamic changes made to the default graph view, such as added processes.

3

Graphical flow diagram with a process tree that you can build according to your investigation needs, from left to right and top to bottom. The tree is also interactive, which means you can click on a specific component to drill down for more details or contextual actions.

A

Node—Source of an activity or event, which can be a process, an endpoint, a thread or service, or another security product. Nodes are represented by boxes with icons for the activity type, some with descriptions under the boxes.

  • Click on a node to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific node.

  • Click the Collapse () or Expand () icon to the right of a node icon to show or hide all the downstream nodes, edges, and leaves.

  • Right-click a node to perform actions allowed on the node, including any custom actions you defined. These action buttons also appear in the Details Pane, which is available on the right after you click the node.

    The list of available options varies by node type. The following is an example list of actions for a process node.

B

Edge—Activity event type or action represented by a curved line with an arrow. An edge can be one activity event/action or an aggregation of several. The numbered arrows indicate the sequence of actions and specify the action that was performed, such as Process Creation, Socket Close, Block and so on. Multiple operations performed between two processes are represented by multiple arrows between them.

Click on an edge to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific edge.

Edges may also have icons below them indicating classification or violation of certain rules and MITRE & Behavior models. Click on an icon to display detailed information about the classification or violation.

C

Leaf—Target of activity event of type File, Registry Key, Registry Value, Network components (IP/DNS/URL). A leaf can also be a group of artifacts. For example, all the files created or modified by a process. Leaves have a round shape ().

  • Click on a leaf to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific leaf.

  • Right-click a leaf to perform actions allowed on the leaf, including any custom actions you defined. These action buttons are also available in the Details Pane, which appears on the right after you click the leaf.

    The list of available options varies by leaf type. The following is an example list of actions for a network leaf:

D

Hint—Categorized groups of activities related to a node that are not part of the main chain of activity events and thus not represented in the graphical diagram. Click a node to show the number of relevant activities. The hints no longer display after you move the selection to another node or edge.

  • Click the Expand () or Collapse () icon near a leaf hint to show or hide the node or leaf list of that type.

  • Right-click the type name of a hint and select Add to graph to add the relevant leaves to the graph or select View activity event to pull out the Activity events tables for this specific file type. The Add to graph option is unavailable when the number of hints exceeds 500, in which case you can only choose to view the activity event.

E

Use the Rules or MITRE & Behavior legends to highlight the corresponding icons below relevant edges in the diagram.

F

  • Use the Zoom In (), Zoom Out (), and Zoom To Fit () buttons to adjust the graph window size.

  • Use the Reset () button to restore the graph to the default view.

  • Use the Undo () button to cancel an operation.

4

Details pane for the selected node, edge, or leaf, where you can view details of the activity, action, or target and perform common actions on a node or leaf, such as retrieving a file, remediating a device upon malware detection, or adding an application to the Application Control policy blocklist. The same actions are available by right-clicking a node or leaf and selecting the option from the menu.

For specific leaf types, this pane also includes an Insights tab which allows you to run queries to retrieve analytics data, such as the number of communicating processes or devices of a certain IP. The Insights options are also available from the right-click menu of those leaf types.

5

Contextual Activity events tables for the selected node or leaf, organized by tabs of activity types. Drag the top edge of the table up for a fuller view. Activities with a number at the front of the row are already in the graph, and the number matches the one in the graph. For activities not yet in the graph, select the corresponding rows and click Add to graph () to add them. To customize the columns displayed in the table, click Customize (). You can also search for a specific activity or event by keyword in the search bar in the top right corner.
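The graph model described in components A through D and 5 (process nodes joined by numbered edges, artifact leaves, and per-node hint groups with the 500-entry limit on Add to graph) can be expressed as a small data structure. The following is an added illustration, not code from the Fortinet product or this guide; it assumes a hypothetical source/action/target event record and constructed sample events, and reproduces the main chain as process-to-process edges with artifact activity hanging off nodes as hints.

```python
from collections import defaultdict
from dataclasses import dataclass
HINT_ADD_LIMIT = 500  # page: "Add to graph" is unavailable when a hint group exceeds 500

@dataclass(frozen=True)
class ActivityEvent:
    seq: int          # order of occurrence; becomes the number on the edge arrow
    source: str       # source node, e.g. a process
    action: str       # e.g. "Process Creation", "File Create", "Socket Connect"
    target: str       # another process (node) or an artifact (leaf)
    target_type: str  # "process" for nodes; "file", "ip", "dns" for leaves

class InvestigationGraph:
    def __init__(self, events):
        self.children = defaultdict(list)  # node -> downstream nodes, in order of first creation
        self.edges = defaultdict(list)     # (src, dst) -> [(seq, action), ...]; several = several arrows
        self.hints = defaultdict(lambda: defaultdict(list))  # node -> leaf type -> [(seq, action, target)]
        for e in sorted(events, key=lambda ev: ev.seq):
            if e.target_type == "process":
                self.edges[(e.source, e.target)].append((e.seq, e.action))
                if e.target not in self.children[e.source]:
                    self.children[e.source].append(e.target)
            else:
                self.hints[e.source][e.target_type].append((e.seq, e.action, e.target))

    def downstream(self, node):  # nodes hidden by Collapse: all reachable below `node`
        seen, queue = [], list(self.children[node])
        while queue:
            n = queue.pop(0)
            if n not in seen:
                seen.append(n)
                queue.extend(self.children[n])
        return seen

    def hint_counts(self, node):  # the per-type counts shown when a node is selected
        return {t: len(v) for t, v in self.hints[node].items() if v}

    def can_add_to_graph(self, node, leaf_type):  # offered only for 1..HINT_ADD_LIMIT leaves
        return 0 < len(self.hints[node][leaf_type]) <= HINT_ADD_LIMIT

def build_sample_graph():
    # Constructed sample (not real telemetry): a shell chain plus a node with too many IP leaves to add.
    events = [
        ActivityEvent(1, "winword.exe", "Process Creation", "cmd.exe", "process"),
        ActivityEvent(2, "cmd.exe", "Process Creation", "powershell.exe", "process"),
        ActivityEvent(3, "powershell.exe", "File Create", r"C:\Users\alice\AppData\Local\Temp\report.dll", "file"),
        ActivityEvent(4, "powershell.exe", "Socket Connect", "203.0.113.7", "ip"),
        ActivityEvent(5, "cmd.exe", "Process Creation", "powershell.exe", "process"),  # second arrow
    ] + [ActivityEvent(100 + i, "svchost.exe", "Socket Connect", f"198.51.100.{i % 200}", "ip")
         for i in range(HINT_ADD_LIMIT + 1)]
    return InvestigationGraph(events)
```

Selecting a node in the real view corresponds to `hint_counts`, Collapse to hiding `downstream`, and the greyed-out Add to graph option to `can_add_to_graph` returning False.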
