Network events
FortiNDR Cloud network sensors perform deep packet inspection of all observed network traffic and extract key protocol metadata for processing by the FortiNDR Cloud data pipeline. This metadata is organized into records called Events.
Flow
A flow is how FortiNDR Cloud organizes traffic for parsing and tying together events. A flow is a unique session between two hosts. Specifically, a flow is a collection of continuous packets having the same unique five-tuple (source IP, source port, destination IP, destination port, transport protocol) within a short time frame.
Every flow is identified with a unique flow_id. Multiple events can be produced from a single flow and are assigned the same flow_id.
There are three categories of events:
- Flow events: The Flow event type contains metadata from the lower layers of the OSI model (IPs, ports, byte counts, transport protocol, etc.).
- Protocol events: Most event types, such as DNS, HTTP, and SSL, contain metadata from the upper layers of the OSI model.
- Synthetic events: The Suricata and Software event types contain metadata produced by processes that scan or analyze traffic, rather than metadata taken directly from network traffic.
Every flow will have exactly one Flow event, zero or more protocol events, and zero or more synthetic events. There can only be one Flow event because FortiNDR Cloud can summarize all the networking/flow data in one record. There can be zero or more protocol events because the flow could be a raw network socket with no known application, an HTTP connection with numerous HTTP requests over the same connection, an RDP connection over SSL with an X.509 certificate exchanged, or anything else. Similarly, one flow could trigger twelve Suricata signatures just as easily as zero signatures.
Regardless of how many events are produced from a single flow, FortiNDR Cloud assigns them the same unique flow_id, which provides a bigger picture of the other events in the session.
Working with events and flows
Running a query returns a list of events. If an event in the list stands out for some reason, you can run a separate query for that event's flow_id to see what other events were produced during that session (connection, conversation, flow).
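The flow model above (one Flow event, zero or more protocol events, zero or more synthetic events, all sharing a flow_id) and the flow_id pivot described here, as an added example that is not FortiNDR Cloud's own code: it groups a constructed set of event records by flow_id, classifies each by the three categories, checks the one-Flow-event invariant, and pivots on a flow_id. The record field names (flow_id, event_type, and the per-event fields) are assumptions for illustration, not the product's real schema.

```python
"""Group FortiNDR Cloud-style events by flow_id and check the flow invariants:
exactly one Flow event per flow, zero or more protocol events, zero or more
synthetic (Suricata/Software) events. Field names are assumptions."""
from collections import defaultdict

# Event types named in the text; any other type is treated as a protocol event.
FLOW_TYPE = "Flow"
SYNTHETIC_TYPES = {"Suricata", "Software"}

def categorize(event_type):
    """Map an event type name to one of the three categories."""
    if event_type == FLOW_TYPE:
        return "flow"
    if event_type in SYNTHETIC_TYPES:
        return "synthetic"
    return "protocol"

def group_by_flow(events):
    """Return {flow_id: {"flow": [...], "protocol": [...], "synthetic": [...]}}."""
    flows = defaultdict(lambda: {"flow": [], "protocol": [], "synthetic": []})
    for ev in events:
        flows[ev["flow_id"]][categorize(ev["event_type"])].append(ev)
    return dict(flows)

def check_flow(bucket):
    """Return invariant violations for one grouped flow (empty list = OK)."""
    n_flow = len(bucket["flow"])
    if n_flow != 1:
        return [f"expected exactly 1 Flow event, found {n_flow}"]
    return []

def pivot(events, flow_id):
    """All events from the session identified by flow_id (the 'separate query' step)."""
    return [ev for ev in events if ev["flow_id"] == flow_id]

# Constructed sample events (not real FortiNDR Cloud output).
SAMPLE_EVENTS = [
    {"flow_id": "f1", "event_type": "Flow", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"flow_id": "f1", "event_type": "SSL", "server_name": "example.test"},
    {"flow_id": "f1", "event_type": "Suricata", "signature": "constructed-test-signature"},
    {"flow_id": "f2", "event_type": "Flow", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "dst_port": 80},
    {"flow_id": "f2", "event_type": "HTTP", "uri": "/a"},   # two HTTP requests on one connection
    {"flow_id": "f2", "event_type": "HTTP", "uri": "/b"},
    {"flow_id": "f3", "event_type": "DNS", "query": "example.test"},  # no Flow record: flagged
]

if __name__ == "__main__":
    for fid, bucket in group_by_flow(SAMPLE_EVENTS).items():
        print(fid, {k: len(v) for k, v in bucket.items()}, check_flow(bucket))
```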
Protocols are parsed regardless of port or service. Events are normalized for time and enriched with Geo-IP information and Threat Intelligence for additional context. Once this processing and enrichment is finished, events are surfaced through the FortiNDR Cloud portal and APIs.