Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    25.4.a
    26.1.a
    26.1.0
    25.4.a
    25.4.0

    Key terms and concepts

    Key terms and concepts

    Term

    Definition

    ATR

    FortiGuard Applied Threat Research

    Behavioral Observation

    A Behavioral Observation is an output from a system that analyzes events and behaviors to identify potentially malicious activity (e.g., Domain Similar to Malware DGA Domain and Malicious PE File). Depending on your environment, not all Behavioral Observations indicate malicious activity. For example, if you recently created a new SSH server, then the New SSH Server observation is not malicious. See, Behavioral observations.
    Detection

    An alert mechanism that notifies you when a unique pair of events satisfy a detector. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network.
    Detection lifecycle The status states of a detection (Active, Muted, or Resolved).
    Detector A query and other parameters used to detect something.

    Dwell

    Average time (in seconds) between when an incident was first seen and when it was resolved. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.

    Example

    Example dashboards are custom dashboards created by Fortinet and shared with all customers, allowing users to view and use them within their own environments.

    Five-tuple (5-tuple)

    The source IP, source port, destination IP, destination port, and transport protocol. For more information, see Network events.

    Flow

    A collection of continuous packets having the same unique five-tuple (source IP, source port, destination IP, destination port, transport protocol) within a short time frame.

    Indicators

    An indicator is a field value extracted from a detection's event(s) as defined by the detector. This information is useful for identifying related activity and tracking indicators over time. Detectors can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.

    Mean Time To Detect (MTTD)

    Average time (in seconds) between when an incident was first seen and when it was created in the system. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.

    Mean Time To Resolve (MTTR)

    Average time (in seconds) between when an incident was created and when it was resolved. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.
    MITRE ATT&CK MITRE ATT&CK is a knowledge base of threat behaviors relied upon by security professionals worldwide. You can map FortiGuard Lab detectors to MITRE ATT&CK, to enable visibility into the threat coverage provided by FortiNDR Cloud.
    Tuning

    The process of hiding known behaviors in a detector using one of the following three mechanisms:

    • Muting: Hides a detection but allows it to be created. Muted detections can be reviewed in bulk on a recurring basis. See Muting detectors.

    • Excluding: Prevents detections from ever being created. Excluded detections cannot be reviewed in bulk on a recurring basis. See Excluding devices.

    • Filtering: Tuned out everything else, (such as external entities and non-entity fields) by adding your own logic to detectors authored by FortiGuard Labs to customize the detector to your network. See Adding filters to detectors.
    Previous
    Next

    Key terms and concepts

    Key terms and concepts

    Term

    Definition

    ATR

    FortiGuard Applied Threat Research

    Behavioral Observation

    A Behavioral Observation is an output from a system that analyzes events and behaviors to identify potentially malicious activity (e.g., Domain Similar to Malware DGA Domain and Malicious PE File). Depending on your environment, not all Behavioral Observations indicate malicious activity. For example, if you recently created a new SSH server, then the New SSH Server observation is not malicious. See, Behavioral observations.
    Detection

    An alert mechanism that notifies you when a unique pair of events satisfy a detector. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network.
    Detection lifecycle The status states of a detection (Active, Muted, or Resolved).
    Detector A query and other parameters used to detect something.

    Dwell

    Average time (in seconds) between when an incident was first seen and when it was resolved. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.

    Example

    Example dashboards are custom dashboards created by Fortinet and shared with all customers, allowing users to view and use them within their own environments.

    Five-tuple (5-tuple)

    The source IP, source port, destination IP, destination port, and transport protocol. For more information, see Network events.

    Flow

    A collection of continuous packets having the same unique five-tuple (source IP, source port, destination IP, destination port, transport protocol) within a short time frame.

    Indicators

    An indicator is a field value extracted from a detection's event(s) as defined by the detector. This information is useful for identifying related activity and tracking indicators over time. Detectors can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.

    Mean Time To Detect (MTTD)

    Average time (in seconds) between when an incident was first seen and when it was created in the system. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.

    Mean Time To Resolve (MTTR)

    Average time (in seconds) between when an incident was created and when it was resolved. See the FortiNDR Cloud Detections Report section in FortiNDR Cloud Detections Report.
    MITRE ATT&CK MITRE ATT&CK is a knowledge base of threat behaviors relied upon by security professionals worldwide. You can map FortiGuard Lab detectors to MITRE ATT&CK, to enable visibility into the threat coverage provided by FortiNDR Cloud.
    Tuning

    The process of hiding known behaviors in a detector using one of the following three mechanisms:

    • Muting: Hides a detection but allows it to be created. Muted detections can be reviewed in bulk on a recurring basis. See Muting detectors.

    • Excluding: Prevents detections from ever being created. Excluded detections cannot be reviewed in bulk on a recurring basis. See Excluding devices.

    • Filtering: Tuned out everything else, (such as external entities and non-entity fields) by adding your own logic to detectors authored by FortiGuard Labs to customize the detector to your network. See Adding filters to detectors.
    Previous
    Next