Introduction

This document provides the following information for FortiInsight version 21.2:

What's new in FortiInsight Cloud version 21.2

The following table lists new features and enhancements in FortiInsight Cloud version 21.2.

Feature: Enhanced User Profile / Timeline
Description:
  • User Context Dashboard. A dashboard giving a high-level overview of user activity.
  • User Context Timeline
  • User Context Details
  • User Context Tracking

Feature: Updated Policies
Description: The following policies have been updated to reduce noise:
  • File Downloaded Through a LOLBAS Binary
  • PSExec Executed On All Machines In Domain

Enhanced User Profile / Timeline

User Context Dashboard

For example, from Threat Hunting > Live, right-click on the user and select View User Profile. The user profile is now displayed in a widget style, like the FortiInsight Dashboard. Widget data can be exported to a file, maximised for viewing, or drilled down into to view the low-level data.

User Context Timeline

From Contexts > Users on the navigation pane, user activity is shown on a new timeline chart detailing the number of active users at a given time.

Hovering over a bar highlights the number of users.

Double-clicking a bar displays enhanced user information for those users, such as:

  • Department—Corporate department the user works in.
  • Manager—Full name of the user's manager. Click to navigate to the manager's user profile.
  • Status—Whether the user's account is active or disabled.

User Context Details

From Contexts > Users on the navigation pane, clicking on the user name field now displays the user context details in a standardized view. Previously, these details were displayed by hovering over the user's name.

User Context Tracking

The LDAP agent allows you to sync your Active Directory with FortiInsight. Its aim is to make searches more effective by providing context on individual users, their managers, department and location.

To install the agent:

  1. Go to Contexts.
  2. Select Users.
  3. Select Download LDAP Client.
  4. Click Download.

FortiInsight Agents

Feature: Mac Connector
Description:
  • Adds support for MacOSX 11 “Big Sur”
  • Integrates with the Endpoint Security Framework provided by MacOSX
  • All “new process created” activities now report the command line arguments used to start the process

Feature: Windows Connector
Description:
  • Support for “shift-delete” on files or folders has been added, ensuring these are reported correctly as “file deleted” events.
  • The endpoint agent can now be configured to verify SSL/TLS certificates before attempting to send data.
  • Further enhancements to “file uploaded” and “file downloaded” events.
  • Support added for very short-lived processes, to ensure that collection is not disrupted.

Mac Connector

Endpoint Security Framework

The MacOSX connector now integrates directly with the Endpoint Security Framework provided by Apple. Internally, this ensures that all events are collected via this method rather than through a custom Kext module. It also enables support for MacOSX 11 (Big Sur).

Command Line Arguments

Command line arguments, where applicable, are now shown for each Mac event, to standardise the agent's data collection.

Windows Connector

Files Deleted Event for Shift Delete

Shift-delete operations and removable media deletes have been added to the Windows connector and are shown as File Deleted operations in FortiInsight.

Verify SSL Certificate

When installing the Windows agent, if the Verify host TLS/SSL certificate box is ticked, any connection to the host is blocked if the SSL/TLS certificate is invalid or the URL does not match the certificate. This is disabled by default, meaning that unless the box is ticked the agent will send data to the host even when its certificate cannot be validated.

Related resources

The following resources provide more information about FortiInsight: