How FortiInsight works

FortiInsight monitors endpoint activity in the form of events. It provides automated inspection of these events, and alerts on them, through policy-based and Augmented Intelligence (AI)-based inspections, and offers extensive search across the record of endpoint events for the past seven days.

Solution architecture

The FortiInsight solution consists of the following components:

  • Endpoint agents
  • Events
  • FortiInsight Cloud service

You install agents on endpoints, which are Windows desktop computers and servers. The agents collect activity data on the endpoints and send the data, in the form of events, as they happen in real time on the endpoints, to the FortiInsight Cloud service. The FortiInsight Cloud service then stores and analyzes the data.

Endpoint agents

Endpoint agents use HTTPS to send data to the FortiInsight Cloud service. FortiInsight agents are lightweight, and typically run using less than 1% CPU and 50 MB of memory. The result is that FortiInsight is able to capture event data without slowing down endpoint devices.

When a device is offline, the endpoint agent continues to collect and store data locally on the device. When the device reconnects to the network, the agent sends the stored data to the FortiInsight Cloud service.

FortiInsight automatically authenticates and registers new endpoints that are deployed on your organization's network. All you need to do is push the agent out.
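
The offline behaviour described above (buffer locally, replay on reconnect) is a store-and-forward pattern. The following is an added example of that pattern, not FortiInsight agent code: the transport interface, the spool-file format, the event field names and the size cap are all assumptions made for the illustration. It spools events to disk so they survive an agent restart while the endpoint is offline, replays them in order once a send succeeds, and stops at the first failure so ordering is preserved.

```python
"""Store-and-forward event spooler (added example; not FortiInsight agent code).
The transport callable, spool format and cap are assumptions for this demo."""
import json
import tempfile
from collections import deque
from pathlib import Path


class EventSpooler:
    """Buffer events while the collector is unreachable, replay in order later."""

    def __init__(self, spool_path, transport, max_events=100_000):
        self.spool_path = Path(spool_path)
        self.transport = transport        # assumed: callable(event) -> bool (True = delivered)
        self.max_events = max_events      # cap so a long outage cannot fill the disk (assumption)
        self.queue = deque()
        self.dropped = 0
        self._load_spool()

    def _load_spool(self):
        """Reload events persisted by a previous run (one JSON object per line)."""
        if self.spool_path.exists():
            for line in self.spool_path.read_text().splitlines():
                if line:
                    self.queue.append(json.loads(line))

    def _write_spool(self):
        self.spool_path.write_text("".join(json.dumps(e) + "\n" for e in self.queue))

    def record(self, event):
        """Queue a new event; the oldest are dropped (and counted) once the cap is hit."""
        if len(self.queue) >= self.max_events:
            self.queue.popleft()
            self.dropped += 1
        self.queue.append(event)
        self._write_spool()
        return self.flush()

    def flush(self):
        """Send queued events in order; stop at the first failure so ordering is kept."""
        sent = 0
        while self.queue:
            if not self.transport(self.queue[0]):
                break
            self.queue.popleft()
            sent += 1
        self._write_spool()
        return sent


class FlakyTransport:
    """Constructed stand-in for the HTTPS sender: delivers only while `online` is True."""

    def __init__(self):
        self.online = False
        self.delivered = []

    def __call__(self, event):
        if not self.online:
            return False
        self.delivered.append(event)
        return True


def demo(spool_dir=None):
    """Record events offline, restart the spooler, reconnect, return what was delivered."""
    spool = Path(spool_dir or tempfile.mkdtemp()) / "events.spool"
    transport = FlakyTransport()
    # Constructed sample events, using the element names from the event table.
    events = [
        {"user": "alice", "endpoint": "WS-0147", "activity": "file read",
         "process": "winword.exe", "resource": r"C:\Users\alice\Q3-forecast.docx"},
        {"user": "alice", "endpoint": "WS-0147", "activity": "file uploaded",
         "process": "chrome.exe", "resource": r"C:\Users\alice\Q3-forecast.docx",
         "destination": "203.0.113.10:443"},
    ]
    agent = EventSpooler(spool, transport)
    for e in events:
        agent.record(e)                      # offline: nothing is delivered yet
    offline_queued = len(agent.queue)
    agent = EventSpooler(spool, transport)   # simulate an agent restart: spool is reloaded
    transport.online = True
    sent = agent.flush()
    return offline_queued, sent, transport.delivered


if __name__ == "__main__":
    queued, sent, delivered = demo()
    print(f"queued offline={queued}, sent on reconnect={sent}")
```

The cap is the caveat a practitioner should ask about for any agent that buffers locally: without one, a long outage either fills the disk or silently loses events, and whichever choice the agent makes should be visible (here via the `dropped` counter).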

Events

Events are system-level activities on the endpoints in your network, for example a file being created, a user logging on, or a process being stopped. FortiInsight captures event information from endpoints, such as:

  • Network events, such as file upload or download activities.
  • User events, such as a user login or a file being read in Excel.

Each FortiInsight event contains the following elements:

  • User: The user account carrying out the activity.
  • Endpoint: The machine on which the activity took place.
  • Activity: The activity type, such as 'file uploaded' or 'file read'.
  • Application or process: The name of the application or process, for example explorer.exe or winword.exe.
  • Resource: Typically the path, filename, and file type involved in the activity.
  • Network destination and origin: For events on the Network page (Threat Hunting > Network), the network locations where the activity started and ended, including the port number used for the transfer.

Because there is a large volume of event data streaming in through FortiInsight, events are compacted after a certain threshold to optimize backend storage.
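
To make the event elements and the policy-based inspection concrete, here is an added example (not FortiInsight code, schema or rule syntax) that runs three constructed policy rules over constructed sample events shaped like the element list above: a sensitive file uploaded to an address outside assumed internal ranges, an upload over a port other than the assumed allowed set, and a single user reading a threshold number of sensitive files. The field names, network ranges, file extensions, port list and threshold are all assumptions.

```python
"""Policy inspection over endpoint events (added example; not FortiInsight's
event schema or rule language). All thresholds and ranges are assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges
SENSITIVE_EXTS = (".docx", ".xlsx", ".pst", ".kdbx")                       # assumed
ALLOWED_UPLOAD_PORTS = {443}                                               # assumed: uploads only over HTTPS
BULK_READ_THRESHOLD = 3                                                    # assumed


@dataclass
class Event:
    """One event, with the elements listed in the table above (field names assumed)."""
    user: str
    endpoint: str
    activity: str
    process: str
    resource: str
    origin: Optional[str] = None        # "ip:port"; present only on network events
    destination: Optional[str] = None


def parse_endpoint(addr):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, _, port = addr.rpartition(":")
    if not host:
        return addr, None
    return host, int(port)


def is_external(addr):
    """True when the host is outside the assumed internal ranges."""
    host, _ = parse_endpoint(addr)
    try:
        return not any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return True  # bare hostnames are treated as external (assumption)


def inspect(events):
    """Apply the constructed rules in event order; return one alert string per hit."""
    alerts = []
    sensitive_reads = Counter()
    for ev in events:
        sensitive = ev.resource.lower().endswith(SENSITIVE_EXTS)
        if ev.activity == "file uploaded" and ev.destination:
            _, port = parse_endpoint(ev.destination)
            if sensitive and is_external(ev.destination):
                alerts.append(f"{ev.user}@{ev.endpoint}: {ev.process} uploaded "
                              f"{ev.resource} to external {ev.destination}")
            if port is not None and port not in ALLOWED_UPLOAD_PORTS:
                alerts.append(f"{ev.user}@{ev.endpoint}: upload over non-standard "
                              f"port {port} to {ev.destination}")
        if ev.activity == "file read" and sensitive:
            key = (ev.user, ev.endpoint)
            sensitive_reads[key] += 1
            if sensitive_reads[key] == BULK_READ_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append(f"{ev.user}@{ev.endpoint}: read {BULK_READ_THRESHOLD} sensitive files")
    return alerts


# Constructed sample events for the demo.
SAMPLE_EVENTS = [
    Event("alice", "WS-0147", "file read", "excel.exe", r"C:\Finance\payroll.xlsx"),
    Event("alice", "WS-0147", "file read", "excel.exe", r"C:\Finance\budget.xlsx"),
    Event("alice", "WS-0147", "file read", "winword.exe", r"C:\Finance\contract.docx"),
    Event("alice", "WS-0147", "file uploaded", "chrome.exe", r"C:\Finance\payroll.xlsx",
          origin="10.1.2.3:51022", destination="203.0.113.10:443"),
    Event("bob", "SRV-02", "file uploaded", "curl.exe", r"C:\Temp\notes.txt",
          origin="10.1.2.9:50110", destination="10.1.5.20:8080"),
    Event("bob", "SRV-02", "file uploaded", "explorer.exe", r"C:\Temp\notes.txt",
          origin="10.1.2.9:50111", destination="10.1.5.20:443"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running it on the sample events produces three alerts: alice's third sensitive read, alice's upload of payroll.xlsx to an external address, and bob's upload over port 8080; bob's upload to an internal host over 443 matches no rule. Note that the rules are evaluated per event in stream order, which is the same constraint a real inspection pipeline has when events arrive continuously.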

Secure storage

Data at rest

The data that the FortiInsight solution collects is stored securely.

For hosted deployments, all data at rest is encrypted. FortiInsight is not a multi-tenant system: each set of backend servers, including the database, is dedicated to a single client, so no tenant segregation is required. Network access to a client's system is restricted to the public IP address the client provides (and to Fortinet, for administration purposes).

For on-premise deployments, we provide recommendations for how you can configure your FortiInsight deployment for optimal security.

Stored passwords

FortiInsight UI passwords are stored securely. The passwords are salted and hashed, and are not stored in plaintext.
