Entity Panel

An Entity is a unique identifier on the network. At this time, FortiNDR Cloud supports IP addresses and domains as entities. Entities are extracted from event data and cataloged in their own data store.

The Entity Panel displays the contextual information collected for an entity from inside and outside the network. You can open the Entity Panel for an entity by clicking an IP address in the detector details tabs, or by clicking View Device Details in the Actions menu.

The Entity Panel is organized into tabs, which are listed on the right side of the page.

Summary

Shows the first and last seen timestamps, the applied tags, and a summary of the records on the subsequent tabs.

WHOIS

Populated by FortiNDR Cloud WHOIS.

VirusTotal

Populated by the FortiNDR Cloud integration with VirusTotal, with details for:

  • Detected URLs: URLs that returned results.
  • Resolved URLs: VirusTotal passive DNS resolution results.
  • Communicating Samples: Hashes of files that called out to the entity during dynamic analysis.
  • Downloaded Samples: Hashes of files that were downloaded from the entity during dynamic analysis.
  • Referrer Samples: Hashes of files that referred to the entity during dynamic analysis but may not have communicated with it directly.

PDNS

All passive DNS records observed for the entity for the life of the account. Two sets of data are displayed: DNS records in the selected time range, and passive DNS records for all time.

Records are displayed in the order they were last seen. The records within the time range appear at the top of the list and are highlighted by First in Time Range and Last in Time Range.

The Type field indicates the DNS record type, such as IPv4 address (A), IPv6 address (AAAA), canonical name (CNAME), name server (NS), mail exchange (MX), and text (TXT).

Detections

All FortiNDR Cloud detections observed for the entity for the life of the account.

Accounts

Kerberos and NTLM records observed for the entity over the past 30 days, particularly useful for identifying the users of an internal asset.

DHCP

All DHCP records for the entity for the life of the account.

Software

All software associated with the entity, observed from any network protocol.

FortiGuard

Indicates that a malicious file was detected, with the message File identified as malicious. Click the section header or the FortiGuard icon to view the attributes of the malicious file. If no attributes are available, none are displayed. See To view malicious files with FortiGuard.

FortiEDR

This tab appears when the FortiEDR integration is enabled. For more information, see FortiEDR integration for FortiNDR Cloud.

CrowdStrike

This tab appears when the CrowdStrike integration is enabled. For more information, see CrowdStrike Falcon integration for FortiNDR Cloud.

Adding annotations and viewing malicious files

To add an annotation:
  1. In the Summary tab, click Add an Annotation. The Create an annotation dialog opens.
  2. From the Select an annotation type drop-down list, select the annotation type.
  3. In the Enter an annotation name field, enter a name for the annotation.
  4. In the Enter a description field, enter the annotation.
  5. Click Save. The annotation is added to the Summary tab.

For information about managing annotations, see Manage Annotations.

To modify annotations:
  1. In the Entity Panel, click Modify Annotations. The Manage Annotations for <IP_address> dialog opens.
  2. (Optional) In the search field, enter an annotation name.
  3. Select or deselect an annotation and click Update.

To view malicious files with FortiGuard:
  1. In the investigation results, click the link in the File column.
  2. Click a link in the Files dialog.
  3. The FortiGuard area displays the File identified as malicious flag.

Date ranges

Keep the following considerations in mind when viewing results with the date range picker.

Summary tab
  • The date range picker is displayed in the Summary tab. The results in each section above the dashed line (Detections, DHCP, Account and Software) are captured within this date range. The information below the dashed line is independent of this date range.
  • Sections in the Summary tab that use the date picker (such as DHCP) will also display the date picker in the corresponding tab.
  • The date range picker in any tab is global: if you change the start and end date in one tab, the date range changes everywhere in the panel.
Date out of range
  • The Account and Software tabs only display results for the last 90 days. If the date picker end date exceeds 90 days, Date out of range is displayed.
Default time range
  • The date range in the Entity Panel defaults to a time range that depends on the page the panel is opened from.
    • The time range in the Entity Panel matches the originating page's time range when opened from the following pages:
      • Entity Lookup
      • Visualizer
      • Detection Table
      • Sensor Visibility
      • Investigate Results
      • Adhoc Search
      • Observation Detail
    • Detections defaults to the last 7 days when opened from the following pages:
      • Detection page
      • Detection-Indicator page
      • Detection-Triage page

Accessing the Entity Panel

You can access the Entity Panel from the following pages:

  • Investigation Results: Click an IP address in the Results table.
  • Observation: In Dashboard > Observation details.
  • Manage Annotations: Click the Entity Name in the Manage Annotations page when the entity is a valid IP, CIDR, domain, or URL.
  • Adhoc Search Results
  • Visualizer
  • Detection Table
  • Detection Triage
  • Detection Triage Devices
  • Entity Lookup
  • Detection Event Indicator
  • Visible Device Page (Sensor)
