Detections
FortiNDR Cloud Detections is an alert mechanism that notifies you when events matching a specific criteria appear in your account. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network.
The Detections page displays a list of Rules with active Detections in your account.
-
A Rule is the signature and parameters used to identify activity in the network.
-
A Detection is the actual occurrence of activity satisfying a rule.
Each row in the page displays a single rule with at least one active detection.
A Detection is created when an event matches a rule's signature. Detections are identified based on both the IP address and the Sensor ID to avoid issues with overlapping IP space. A duplicate detection is not generated if a detection already exists for the IP address and sensor ID pair. Instead, the Last Seen timestamp is updated and the event is added to the rule's Latest Events. This also resets the counter for the detection's Resolution Period if detections for the rule are set to resolve automatically.
By default the Detections page displays all Active rules in your account. Once all detections for a rule are resolved or muted, the rule's status is automatically updated from Active to Idle. You can create a filter to view all rules and detections regardless of their status.
The Detections page displays the following information:
Name | The rule name. | ||||||||||||
Category |
There are three categories for rules: Attack, Potentially Unwanted Application (PUA), and Posture. Each category contains a more detailed subcategory. For more information, see Rule Categories. |
||||||||||||
Severity |
The severity measures the potential impact to the confidentiality, integrity, or availability of information systems and resources if the activity is confirmed to be a true positive. Severity can be assigned to one of the following values:
|
||||||||||||
Confidence |
Confidence measures how likely events matching the rule's signature are indicative of the activity specified in the rule description. A rule's confidence indicates its minimum true-positive detection rate.
FortiGuard Lab assigns a rule's initial confidence based on its performance during testing. Once deployed, rules are monitored for changes in their true-positive detection rate, which is based on the resolution state chosen by an analyst when resolving a detection. Once a rule crosses a higher or lower threshold, it is reviewed to determine whether it should be tuned or whether the confidence should be modified. |
||||||||||||
Last Seen | The UTC date and time when the last known event tied to the rule was observed. This is useful when determining when the most recent change to a rule has occurred. | ||||||||||||
Author | The account that authored the rule. | ||||||||||||
Impacted Devices | The internal IP address in the src.ip or dst.ip fields used to generate detections. This field is configurable. |
||||||||||||
Status |
By default, every detection is in an Active state upon creation. Active detections generate a notification (see Manage subscriptions), but Muted detections will not. Detections remain Active until they are resolved manually by an analyst or automatically based on the rule's Resolution Period. Once resolved, their status changes to Resolved.
|
Rule Categories
Category | Subcategory | Description |
---|---|---|
Attack | Infection Vector | Attacks in the initial stages before an exploit attempt has been made or malicious code has been executed. Examples include downloading a malicious executable file, navigating to a web site that is known to redirect to exploitation servers, or an attempt to authenticate to an SSH server from a malicious host. |
Attack | Exploitation | Attacks in the process of exploiting known vulnerabilities such as those listed in MITRE’s Common Vulnerabilities and Exposures (CVE) list. While FortiNDR Cloud may be unable to determine the success of a launched exploit, any hosts attempting exploits (that are not approved internal scanners) should be investigated for signs of compromise. |
Attack | Installation | Installation of malicious software (staging) for persistence in an environment. For example, the Cobalt Strike staging tool downloading a Beacon backdoor over HTTP in order to provide persistence on a compromised host and run further post-exploitation commands. |
Attack | Lateral Movement | Tools and techniques commonly used by attackers to pivot from a compromised host to other assets within the environment. Such tools may also be legitimately used by system administrators but should be investigated, especially for hosts from which this activity has not be observed before. |
Attack | Command and Control | Command and control traffic between compromised hosts and attacker infrastructure. |
Attack | Exfiltration | Data exfiltration from compromised assets to external entities. |
Attack | Discovery | Tools and techniques commonly used by attackers to identify accesible hosts and services. Such tools may also be legitimately used by system administrators but should be investigated, especially for hosts from which this activity has not be observed before. |
Attack | Impact | Malware or behavior intended to disrupt the business, such as distributed denial of service (DDoS) and ransomware attacks. |
PUA | Adware | Malware characterized by its use of advertisements to generate revenue for the author. Adware is often installed alongside third-party applications and remains on a system as a browser add-on or self-proclaimed optimization software. Most adware is considered low risk due to its innocuous nature. |
PUA | Spyware | Malware characterized by its focus on gathering device and user information without the user’s knowledge. This information is usually sent back to the authors for a variety of purposes, ranging from market research to targeted monitoring. Spyware is usually installed alongside third-party applications and persists on a system as a backdoor or as software that purports to be useful. Most spyware is considered low risk due to its historical use for low-impact data collection and advertising. |
PUA | Unauthorized Resource Use | Applications that utilize system resources without a user’s knowledge or consent. Such applications are usually installed alongside third-party applications or as a component of malware in order to monetize a successfully compromised host (for example, via click fraud or cryptocurrency mining). |
Posture | Potentially Unauthorized Software of Device | Applications or devices that circumvent organizational policies or increase the attack surface of an organization. These rules cover various applications that may be used to bypass monitoring tools and access controls, or store sensitive information in unauthorized locations. This category also includes tools that may be legitimately used for system administration, development, or penetration testing, but are also commonly used by attackers to enumerate access and pivot within a compromised environment. |
Posture | Insecure Configuration | Configurations within an environment that make it more vulnerable to exploitation or post-exploitation techniques used by attackers. Such configurations include outdated software, use of deprecated cryptographic standards, or configurations resulting in data leakage. |
Posture | Anomalous Activity | Network activity that is abnormal and should be investigated to determine its cause. The activity may be malicious in nature or a misconfiguration that may or may not have security implications. |