
User Guide

Triage detections

The Triage detections view is the landing page for the Detections tab. Use this view to review and respond to detections triggered by detectors.

To view the Triage detections page:
  1. Go to Detections > Triage detections. The Detections page opens.
  2. (Optional) Filter the detections on the page.

    Search

    Enter the technique ID, technique name or technique description.

    Detectors are filtered by prefix match on the technique ID you enter. For example, entering technique T1234 returns the detectors for T1234 and for its sub-techniques T1234.001, T1234.002, T1234.003, and so on.

    Severity

    Select High (H), Medium (M), or Low (L).

    Additional Filters

    Click the filter icon to view additional filters.

    Filter

    Description

    Category

    Filter the detectors by category. See Detector Categories.

    Assigned to

    Filter by assigned detections. See Assigning detections.

    Created By

    Filter by the account that created the detector.

    Technique

    Filter by the technique used for the detection.

    Confidence

    Select High (H), Medium (M), or Low (L).

    Detection Status

    Select All, Active or Idle.

    • All: Returns all detections the user has access to, regardless of whether they were triggered in the current account.

    • Active: Returns all active detections.

    • Idle: Returns all detections that have been triggered in the current account but are not currently active.

    Muted

    Select Unmuted or Muted. See Muting detectors.

    Disabled

    Select Enabled or Disabled. See Disabling detectors.

    Order By

    Order the detectors by Impacted Devices, Muted Devices, Severity, Confidence, Category, or Last Seen.
  3. Click a detector to open the Details page. The following information is displayed:

    Category

    The attack category.

    First Seen

    The UTC date and time the first event associated with the detection occurred.

    Last Seen

    The UTC date and time the last known event tied to the detector was observed.

    Updated

    The UTC date and time the detector was modified.

    Resolution Method

    • Automatic: The detection will be resolved if events containing the same host and sensor ID are not observed for the specified time period.

    • Manual: The detection will remain active until an analyst resolves the detection.

    MITRE ATT&CK

    The MITRE ATT&CK ID.

    Primary Technique

    The primary attack name and ID.

    Specificity

    Behaviors

    The behavior coverage.

    Description

    A description of the detection. You can use this description to search for detections. See Search for detections with the detector description.

    Next Steps

    Recommendations to resolve the detection.

    Show Matching Events

    Click to view the Entity Lookup.

    Author

    The detector author.

    Impacted Device Field

    The fields used to generate the detection. The internal IP address in the src.ip or dst.ip fields is the default.

    Indicator Fields

    The indicators the detector uses to generate the detection.

    Tooltip

    This information is useful for identifying related activity and tracking indicators over time.

    Detectors can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.

    Impacted devices

    The active detections for the detector. All Active detections are displayed by default. You can create a filter to view Muted or Resolved detections. See Impacted Devices.

    You can use this tab to resolve detections or to search for a device by IP.

    Query

    This tab displays the IQL query defined for the detector. You can use a query string to create a custom detector. See Adding custom filters to a detector query.

    Events

    This tab displays all of the events that have matched the detector's query.

    • Left-click on an entity to open the Entity Panel.

    • Right-click a field to open its menu (for example, Search Events, Targeted Search and Copy to Clipboard).

    • Hover a column header to lock, sort or arrange the columns.

    Note

    These events are duplicates of the original matching event. When an event matches a detector's query, a copy is created and added to the detector's list of Latest Events so the event remains associated with the detector.

    This list can display up to the last 1000 matching events. Events could remain in the list in perpetuity if the detector rarely fires.

    Indicators

    This tab displays the field value extracted from a detection's event(s) as defined by the detector.

    This information is useful for identifying related activity and tracking indicators over time. Detectors can define up to five fields to extract indicators from and each detection can store up to five unique indicators for each indicator field.

    Detections Graph

    The Detections Graph plots a detector's detection volume over time.

    If a posture-related detector fires constantly, the graph will help show whether the issue is improving or worsening over time.
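To make the behaviour described in steps 2 and 3 concrete, here is an added example (not code from the product or this guide) that models three of the rules above in plain Python: the technique-ID prefix filter from the Search box, the five-field / five-unique-values limit on stored indicators, and Automatic resolution keyed on host and sensor ID. The event dictionaries, field names other than src.ip, dst.ip and sensor ID, and the rule that a prefix match stops at an ID boundary (so T1234 does not match T12345) are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

MAX_INDICATOR_FIELDS = 5   # a detector extracts indicators from at most five fields
MAX_VALUES_PER_FIELD = 5   # a detection stores at most five unique values per field


def technique_matches(detector_technique: str, query: str) -> bool:
    """Prefix match on the technique ID, as the Search filter does: 'T1234'
    matches T1234 and its sub-techniques T1234.001, T1234.002, ...
    Assumption (not stated on the page): the match stops at an ID boundary,
    so 'T1234' does not match an unrelated 'T12345'."""
    q, t = query.strip().upper(), detector_technique.strip().upper()
    return t == q or t.startswith(q + ".")


def extract_indicators(events: list, indicator_fields: list) -> dict:
    """Collect unique indicator values per field from a detection's events,
    keeping only the first five fields and the first five unique values each."""
    fields = indicator_fields[:MAX_INDICATOR_FIELDS]
    found = {f: [] for f in fields}
    for ev in events:
        for f in fields:
            v = ev.get(f)
            if v is not None and v not in found[f] and len(found[f]) < MAX_VALUES_PER_FIELD:
                found[f].append(v)
    return found


def should_auto_resolve(host: str, sensor_id: str, events: list,
                        now: datetime, idle_period: timedelta) -> bool:
    """Automatic resolution method: the detection resolves once no event with
    the same host (assumed to be src.ip here) and sensor ID has been observed
    for idle_period."""
    seen = [ev["ts"] for ev in events
            if ev["src.ip"] == host and ev["sensor_id"] == sensor_id]
    if not seen:
        return True
    return now - max(seen) >= idle_period


# Constructed sample events for one detector (not real data).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
EVENTS = [
    {"ts": T0, "src.ip": "10.0.0.5", "dst.ip": "203.0.113.9",
     "sensor_id": "sensor-a", "domain": "first.example"},
    {"ts": T0 + timedelta(hours=1), "src.ip": "10.0.0.5", "dst.ip": "203.0.113.9",
     "sensor_id": "sensor-a", "domain": "second.example"},
    {"ts": T0 + timedelta(hours=2), "src.ip": "10.0.0.7", "dst.ip": "203.0.113.10",
     "sensor_id": "sensor-b", "domain": "first.example"},
]
```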

Search for detections with the detector description

You can use the text of the detector description to search for detections. Copy and paste the description text into the Global Search field and press Enter. Matching results are highlighted in the Detection Description column of the Detections section of the results.

Impacted Devices

Column

Description

Device IP

The device IP address.

DHCP Hostname

The DHCP lease hostname.

Username

The device username.

Hostname

The device hostname.

MAC Address

The device MAC address.

Lifetime Events

The number of events over the device lifetime. Click the link to drill down to the earliest events.

Indicators

The number of indicators of compromise. Click the link to view the indicators associated with the device IP.

First Seen

The date the event was first seen.

Last Seen

The date the event was last seen.

Created

The date the event was created.

Updated

The date the event was updated.

Sensor ID

The sensor ID. Hover over the ID to view the sensor information and annotations. Tags associated with the sensor are displayed within the column. Click the ID to open the Sensor Details page.

Account

The account the device belongs to.

Status

The detection status (Active, Muted or Resolved). See Detections.

Muted by

The user who muted the detector.

Date Muted

The date the detector was muted.

Resolved by

The user who resolved the detection.

Resolution

The resolution description.

Date Resolved

The date the detection was resolved.
