Introduction

This document provides the following information for FortiInsight version 7.0.0:

What's new in FortiInsight version 7.0.0

The following table lists new features and enhancements in FortiInsight version 7.0.0.

Feature

Description

Enhancements as Cloud 21.2

Enhanced User Profile / Timeline

  • User Context Dashboard. A dashboard giving a high level overview of user activity.
  • User Context Timeline
  • User Context Details
  • User Context Tracking

Updated Policies

The following policies have been updated to reduce noise:

  • File Downloaded Through a LOLBAS Binary
  • PSExec Executed On All Machines In Domain

Xen build image

FortiInsight VM can now be deployed to AWS using the Xen vhd image.

Enhanced User Profile / Timeline

User Context Dashboard

For example, from Threat Hunting > Live, right-click the user and select View User Profile. This now displays the user profile in a widget style, like the FortiInsight Dashboard. Widget data can be exported to file, maximised for viewing, or drilled into to view the low-level data.

User Context Timeline

Go to Contexts > Users on the navigation pane. User activity is shown on a new timeline chart, detailing the number of active users at a given time.

Hovering over the bar will highlight the number of users.

Double clicking on the bar will display enhanced user information for those users, such as:

  • Department—Corporate department the user works in.
  • Manager—Full name of the user's manager. Click to navigate to the manager's user profile.
  • Status—Whether the user's account is active or disabled.

User Context Details

Go to Contexts > Users on the navigation pane. Previously, hovering over the user's name displayed the user context details. Now, clicking on the user name field displays the details in a standardized view.

User Context Tracking

The LDAP agent allows you to sync your Active Directory to FortiInsight. Its aim is to make searches based on individual users, their managers, department and location more effective.

To install the agent

  1. Go to Contexts.
  2. Select Users.
  3. Select Download LDAP Client.
  4. Click Download.

Xen Build Image

FortiInsight images are currently not available in the AWS Marketplace. It is recommended to use your own account to download and launch the FortiInsight Virtual Machine (VM). Download the FortiInsight Xen Super image (VHD) file from the Fortinet Support website https://support.fortinet.com. For installation instructions, see FortiInsight AWS Installation.

FortiInsight Agents

Agent Feature

Description

Mac Connector

  • Adds support for MacOSX 11 “Big Sur”
  • Integrates with the Endpoint Security Framework provided by MacOSX
  • All “new process created” activities will now report the command line arguments used to start the process

Windows Connector

  • Support for “shift-delete” on files or folders has now been added, ensuring these are reported correctly as “file deleted” events.
  • You can now ensure that the endpoint agent will verify SSL/TLS certificates before attempting to send data.
  • Added further enhancements to “file uploaded” and “file downloaded” events.
  • Support added for very short-lived processes, to ensure that collection is not disrupted.

Mac Connector

Endpoint Security Framework

The MacOSX connector now integrates directly with the Endpoint Security Framework provided by Apple. Internally, this ensures that all events are now collected via this method rather than utilising a custom Kext module. It also allows support for MacOSX 11 (Big Sur).

Command Line Arguments

Command line arguments, if applicable, are now shown for each Mac event, to standardise agent collection of data.

Windows Connector

Files Deleted Event for Shift Delete

Shift delete operations and removable media deletes have been added to the Windows connector and are shown as File Deleted operations in FortiInsight.

Verify SSL Certificate

When installing the Windows agent, if the Verify host TLS/SSL certificate box is ticked, any connection to the host will be blocked if the SSL/TLS certificate is invalid or the URL does not match the certificate. This is disabled by default.
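
Because verification is off by default, it is worth confirming that the FortiInsight host presents a certificate that passes both checks before ticking the box on every endpoint. The following pre-flight check is an added example, not Fortinet code: the host name and port 443 are assumptions, and it uses the local system trust store, which only approximates what the Windows agent will trust.

```python
import socket
import ssl

# OpenSSL verify codes for a name mismatch (host name = 62, IP address = 64).
NAME_MISMATCH_CODES = {62, 64}


def strict_context() -> ssl.SSLContext:
    """Client context that enforces chain validation and host-name matching."""
    ctx = ssl.create_default_context()  # loads the system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def classify(exc: BaseException) -> str:
    """Map a failed connection to the two failure cases the release note names."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) in NAME_MISMATCH_CODES:
            return "name-mismatch"        # URL does not match the certificate
        return "invalid-certificate"      # expired, self-signed, untrusted CA, ...
    if isinstance(exc, ssl.SSLError):
        return "tls-error"                # handshake failed for another reason
    return "unreachable"                  # DNS, routing, refused, timeout


def preflight(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return 'ok' if a verifying client can complete a TLS handshake with host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host):
                return "ok"
    except (OSError, ssl.SSLError) as exc:
        return classify(exc)


if __name__ == "__main__":
    # Hypothetical host name: replace with the URL the agents are configured with.
    print(preflight("fortiinsight.example.com"))
```

Any result other than `ok` means agents installed with verification enabled would have their connections blocked, so fix the certificate or the configured URL first.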
