
User Guide

Key terms and concepts

Term

Definition

ATR

FortiGuard Applied Threat Research

Detection

An alert mechanism that notifies you when a unique pair of events satisfies a rule. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network.

Detection lifecycle

The status states of a detection (Active, Muted, or Resolved).

Five-tuple (5-tuple)

The source IP, source port, destination IP, destination port, and transport protocol. For more information, see Network events.

Flow

A collection of continuous packets having the same unique five-tuple (source IP, source port, destination IP, destination port, transport protocol) within a short time frame.

Indicators

An indicator is a field value extracted from a detection's event(s) as defined by the detection rule. This information is useful for identifying related activity and tracking indicators over time. Rules can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.

MITRE ATT&CK

MITRE ATT&CK is a knowledge base of threat behaviors relied upon by security professionals worldwide. You can map FortiGuard Labs detection rules to MITRE ATT&CK to enable visibility into the threat coverage provided by FortiNDR Cloud.

Rule

A signature and other parameters used to detect something.

Tuning

The process of hiding known behaviors in a rule using one of the following three mechanisms:

  • Muting: Hides a detection but allows it to be created. Muted detections can be reviewed in bulk on a recurring basis. See Muting rules.

  • Excluding: Prevents detections from ever being created. Excluded detections cannot be reviewed in bulk on a recurring basis. See Excluding devices.

  • Filtering: Tunes out everything else (such as external entities and non-entity fields) by adding your own logic to rules authored by FortiGuard Labs, customizing the rule to your network. See Adding filters to rules.
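The Indicators and Tuning entries above describe two behaviors worth seeing side by side: a rule may name up to five indicator fields and a detection keeps up to five unique values per field, and muting creates a detection that is hidden but still reviewable while excluding prevents creation entirely. The following Python model is an added illustration, not FortiNDR Cloud code; the event field names, rule name and device names are constructed assumptions.

```python
"""Constructed model of indicator extraction and tuning as the glossary
describes them. Not Fortinet's implementation; field names are assumed."""
from dataclasses import dataclass, field

MAX_INDICATOR_FIELDS = 5   # a rule can define up to five indicator fields
MAX_VALUES_PER_FIELD = 5   # a detection stores up to five unique values per field


@dataclass
class Rule:
    name: str
    indicator_fields: list  # event fields the rule extracts indicators from

    def __post_init__(self):
        if len(self.indicator_fields) > MAX_INDICATOR_FIELDS:
            raise ValueError("a rule may define at most five indicator fields")


@dataclass
class Detection:
    rule: str
    device: str
    status: str             # Active, Muted or Resolved (the detection lifecycle)
    indicators: dict = field(default_factory=dict)


def extract_indicators(rule: Rule, events: list) -> dict:
    """Collect unique values per indicator field, keeping at most five each."""
    out = {f: [] for f in rule.indicator_fields}
    for ev in events:
        for f in rule.indicator_fields:
            v = ev.get(f)
            if v is None or v in out[f] or len(out[f]) >= MAX_VALUES_PER_FIELD:
                continue
            out[f].append(v)
    return out


def create_detection(rule, device, events, muted_rules=(), excluded_devices=()):
    """Apply tuning: an excluded device never yields a detection; a muted rule
    still creates one (status Muted, reviewable in bulk); otherwise Active."""
    if device in excluded_devices:
        return None
    status = "Muted" if rule.name in muted_rules else "Active"
    return Detection(rule.name, device, status, extract_indicators(rule, events))


# Constructed sample events: one host contacting seven external addresses
EVENTS = [{"src_ip": "10.0.0.5", "dst_ip": f"203.0.113.{i}", "dst_port": 443}
          for i in range(1, 8)]
RULE = Rule("example_rule", ["dst_ip", "dst_port"])
```

Running `extract_indicators(RULE, EVENTS)` keeps only the first five unique destination IPs, and `create_detection` with the host in `excluded_devices` returns nothing at all, which is why excluded activity cannot be reviewed later while muted activity can.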
