27 Feb 2023 version 2023.2
New Functionality
Investigations API
The Investigations API is a public API used to manage investigations and queries. With it, you can programmatically run queries in FortiNDR Cloud, run playbooks, and use other investigation functionality. Documentation is available upon request.
Observation descriptions
Observations include a description of the observation on the observation's detail page. The description is also available in the metastream and IQL.
Improved Functionality
Playbook access
Playbooks can be added directly from the Investigations menu in the banner.
Clicking Investigations > Playbook opens the Add Playbook pop-up window.
Playbook time frames
The default playbook time frames are now based on the recommended time frame listed for each playbook, as opposed to defaulting to seven days for every playbook.
Impacted devices table
The impacted devices table is improved.
- Columns can be added to and removed from the table.
- The column order and width can be adjusted by clicking and dragging the column headers.
- Columns can be locked to the left side of the table by clicking the lock icon that appears in the column header when hovering over it. Locked columns remain visible when you scroll horizontally through the table. The Action column is always locked to the right side of the table.
- The table is not paginated; all of the rows can be seen by scrolling down.
- The table can be sorted by left-clicking a column header. Right-clicking a column header gives the options to copy the column values as a comma-separated or newline-separated list, or to hide the column.
- The table layout is saved after leaving the page and can be reset from the column selection menu.
Persistent investigations table
The selected sorting of the investigations table is persistent. For example, if you sort the table by date updated and then browse to a different page in the GUI, the investigations table will still be sorted by date updated when you return to the investigations page.
Flow state pop-up
After doing a timeline search, mousing over a flow state value shows a pop-up with the flow state details.
Default investigation names
When creating a new investigation from the Investigations list view, the default name is no longer New Investigation. To prevent name collisions, the default name is now the first and last name of the user who is creating the investigation, followed by a date and time stamp of when the investigation was created.
For example: Philip Fry - 2023-03-01 00:17:42 (UTC).
When creating a new investigation from a detection, the default name is no longer Investigation from detection rule <detection rule name>. To prevent the subject of the investigation from being truncated by column width limitations, the default name is now the name of the detection rule, followed by the first and last name of the user who is creating the investigation and a date and time stamp of when the investigation was created.
For example: Cobalt Strike Encrypted Philip Fry - 2023-03-01 00:14:10 (UTC).
Discontinued Functionality
VPC option for new detection rules
When creating a new detection rule, VPC cannot be selected as a data source.
Legacy account version
When creating a new account, the FortiNDR Cloud version is set to Modern; Legacy can no longer be selected.