AI

FortiInsight Augmented intelligence (AI) adds context, risks, and ratings to activities on your network to find a wide range of threats. It learns general facts about normal behavior in order to identify when anomalous behavior occurs.

FortiInsight AI uses risk scoring to decide how anomalous an event is. For example, a development team is likely to access and edit different files and applications than a marketing or sales team does. By learning what usual behavior patterns are, AI can help identify when abnormal events occur.

AI scoring

The severity score is a combination of risk and anomalism. FortiInsight decides how risky an activity is, and then how unusual it is for that user. If an activity is high risk and unusual, the score will be high. If an activity is low risk and determined not to be especially unusual for that user, the score will be low.

The machine learning models of FortiInsight automatically generate AI alerts. The AI alerts are scored on a combination of the following factors:

  • Anomalism: The amount of deviation from normal behavior that the event represents.
  • Risk: A static score, according to the type of program, data, or activity that the event represents. For example, a cloud backup program is medium risk.

The risk category for each alert (low, medium, or high) is the same for both AI and policy-based alerts:

  • Low: 0 to 39
  • Medium: 40 to 69
  • High: 70 to 100

Feedback

To provide AI with information about alerts, use the Feedback column on the AI Alerts page (Alerts > AI). If AI has identified an event that you think is anomalous, click the thumbs-up icon to give positive feedback. If AI has identified an event that you do not think is a threat, click the thumbs-down icon. AI will learn based on your responses.

The following image shows an example of the Feedback column.

AI tags

As FortiInsight AI inspects incoming events for anomalism, it also attempts to categorize anomalous events using tags. AI inspects the events for specific characteristics, as defined in the AI tag definitions, and applies the appropriate tags to events that match. For example, AI applies the Potential Leaver tag to an event that involves a user writing a CV file, and the Malicious File tag to events that display common characteristics of ransomware.

The AI Alerts page shows the most commonly detected tags in the summary table, and allows you to search the list of alerts for particular tags.

Using AI tags

You can sort AI tags by risk and other columns. This sorting makes it easier for you to find the tags that you are looking for. You can also search for tags within a table.

Navigate to the AI > Tags tab. Click on any tag to edit color codes and icons.

The following image shows an example of an AI tag.

Change tag risk setting

The risk slider on the Tag page allows you to quickly change the risk rating of your tags.

The following image shows the risk slider.

AI training

AI takes two weeks to learn what normal behavior looks like and form an effective baseline. After this, AI automatically switches from learning mode to anomaly detection mode and begins to identify anomalies.

AI settings

This section allows you to define file types, folders, and users that you think are high risk. FortiInsight AI then attaches a higher risk to anomalous events that include these elements.

Once these settings have been added, you must enable risky_user, risky_filetypes and risky_filepath so that the AI module learns these elements and starts to alert on their anomalous behaviour.
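The following is an added illustration of the scoring model described in the AI scoring and AI settings sections above; it is not FortiInsight code. The severity bands (low 0 to 39, medium 40 to 69, high 70 to 100) come from the page; the base risk values, the risk boost for configured high-risk elements and the geometric-mean combination of risk and anomalism are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Static risk per activity type, in the spirit of "a cloud backup program is medium risk".
# Numeric values are constructed for this example, not FortiInsight's own table.
BASE_RISK = {"cloud_backup": 50, "file_write": 30, "usb_copy": 70}
RISK_BOOST = 15  # assumed uplift per matching high-risk element


@dataclass
class AISettings:
    """Hypothetical stand-in for the AI settings page (high-risk users, file types, folders)."""
    risky_user: set = field(default_factory=set)
    risky_filetypes: set = field(default_factory=set)
    risky_filepath: set = field(default_factory=set)
    enabled: set = field(default_factory=set)  # modules switched on: risky_user, risky_filetypes, risky_filepath


def risk_score(activity, user, path, settings):
    """Static risk of the event, boosted only for high-risk elements whose module is enabled."""
    risk = BASE_RISK.get(activity, 20)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if "risky_user" in settings.enabled and user in settings.risky_user:
        risk += RISK_BOOST
    if "risky_filetypes" in settings.enabled and ext in settings.risky_filetypes:
        risk += RISK_BOOST
    if "risky_filepath" in settings.enabled and any(path.startswith(p) for p in settings.risky_filepath):
        risk += RISK_BOOST
    return min(100, risk)


def severity(risk, anomalism):
    """Combine risk and anomalism (both 0-100). Geometric mean (assumed): the score is only
    high when the event is both risky and unusual, low when it is neither."""
    return round((risk * anomalism) ** 0.5)


def category(score):
    """Severity bands from the page: low 0-39, medium 40-69, high 70-100."""
    if score < 40:
        return "low"
    if score < 70:
        return "medium"
    return "high"


def score_event(activity, user, path, anomalism, settings):
    """Return (severity score, category) for one event given the current AI settings."""
    score = severity(risk_score(activity, user, path, settings), anomalism)
    return score, category(score)
```

Running the same unusual HR file write with the three modules disabled drops it from high to medium, which is why the settings must be enabled after they are added.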