
User Guide

Device Triage

Use the Device Triage page to review and respond to detections based on the risk score associated with a device. This page highlights the most critically impacted assets in your environment. Each section of the page offers a different perspective on active detections to help you focus on the devices that may warrant more urgent attention.

The Device Triage page is organized into three panes:

Impacted devices

The Impacted Devices pane, on the left side of the page, helps you prioritize your triage process. Devices are displayed by their IP address, hostname, and Risk Score on a scale from 1 to 10, where 1 indicates low risk and 10 indicates high risk. The score is calculated from the currently active detections on a device and is intended to be used in conjunction with your knowledge of the environment. Devices are ordered from high to low risk and can be searched, filtered, and sorted.

Detection timeline

The Detection Timeline is located in the pane at the top of the page and displays a timeline of detections for each impacted device. To view the timeline for an impacted device, click the device in the Impacted Devices pane. The timeline will automatically scale to show all active and unmuted detections associated with the device. Click the filter button in the top right of the timeline to include muted or resolved detections in the timeline. You can drag the timeline left and right or zoom by scrolling over it to explore detections over time.

Detection rules

Detection rules are located in the pane at the bottom of the page. The rules are sorted by severity by default. To view more information about a detection rule in the list, click the rule title to open the rule details within the pane.

Assigning detections

To assign detections:
  1. Go to Detections > Triage Devices.
  2. In the Impacted Devices pane, select a device.
  3. In the detections table at the bottom of the page, scroll to the Detection Rule column and click a rule.
  4. In the Impacted Devices tab, click the Assigned to dropdown and select a user from the list.

For more information about assigning detections, see Assigning detections.

Tooltip

You can filter the detections timeline and detections table by clicking the Assigned and Unassigned buttons at the top of the page. You can also click the Assigned to dropdown to filter the tables by the users assigned to detections.
