
User Guide

Behavioral observations

A Behavioral Observation is an output from an expert system or machine learning-based model that considers one or more event types together with historical events. Observations are produced by analyzing threat actors' behaviors and profiling various aspects of network activity in order to identify previously unknown malicious activity. Not every observation is malicious on its own; for those the Fortinet team deems detection-worthy, typically high-level and some moderate-level observations, the team creates corresponding detections.

FortiNDR Cloud's power comes from combining detections and observations, which can be viewed in various sections like the Entity Panel and Observations page.

How Behavioral Observations are different from Detections:

Behavioral Observations
  • Non-malicious observations provide context for threat hunting, investigations, and detection triage.
  • Observations do not have severity levels.
  • Observations cannot be assigned or resolved in workflows.
  • Observations cannot be muted.

Detections
  • Suspicious or malicious behavior is usually flagged as detections.
  • Detections can be based on single network events, Suricata events or observations.
  • Detections can be assigned or resolved in workflows.
  • Detections can be muted.

Behavioral Observations page

The Behavioral Observations page shows observations for a selected time range and filters. By default, the page shows observations for the previous two weeks and all confidence levels. This is also the landing page for the Behavioral Observations widget in the default Dashboard.

You can use the search field to find observations that contain instances of a specific IP address, Observation UUID or text in the Observation Title and Description columns. Use the date picker to create a custom time frame. Behavioral Observations can be retrieved for up to the last 90 days.

Working with Behavioral Observations

Behavioral Observations can be used in threat hunting and as additional evidence for analyzing network activities. They can be viewed at the device level within the Entity Panel. You can use Behavioral Observations to create custom detectors and as evidence in IQL to initiate investigations.

Behavioral Observations Widget

When you log into the FortiNDR Cloud Portal, the Default Dashboard displays the Behavioral Observations widget. This widget shows a list of the Behavioral Observations for the previous two weeks. Click an Observation Title to pivot to the Behavioral Observation Details page.

Behavioral Observation Details

The observation class, category and description appear at the top-left of the page. You can view Behavioral Observations for an individual entity in the Entity Panel by clicking the IP in the Src column.

Right-click the Source IP to Search Events by field, or to launch an Entity Lookup, Global Search or Guided Query. Click the CSV button in the Observation Instances section to download the data on the page as a CSV file.

You can use queries based on the observation details to create a new detector. For more information, see Creating a detector.

Behavioral Observation fields

Property
    Description

category
    Category of the observation: asset, account, software, flow, file, relationship

class
    Class of the activity: anomalous, newly observed, specific

dst_ip
    The destination IP of the impacted device. There may be observations with no destination device.

src_ip
    The source IP of the impacted device. There may be observations with no source device.
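The following is an added example, not code from Fortinet or the FortiNDR Cloud product, showing how an analyst might work with an exported Observation Instances CSV offline: parsing the documented category, class, src_ip and dst_ip fields, filtering by category or class, searching by IP, UUID or title text the way the page's search field does, and pivoting observations per entity the way the Entity Panel groups them per device. The CSV column names (observation_uuid, observation_title, category, class, src_ip, dst_ip) are an assumption about the export format, and the rows are constructed sample data, not real observations. Rows with a blank src_ip or dst_ip are handled explicitly, since the guide notes that an observation may have no source or no destination device.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Allowed values taken from the "Behavioral Observation fields" list in the guide.
CATEGORIES = {"asset", "account", "software", "flow", "file", "relationship"}
CLASSES = {"anomalous", "newly observed", "specific"}

# Constructed sample export. The header names are an assumption about the CSV
# download; the category/class values and optional src_ip/dst_ip follow the guide.
SAMPLE_CSV = """observation_uuid,observation_title,category,class,src_ip,dst_ip
0001,New external service contacted,flow,newly observed,10.1.1.20,203.0.113.9
0002,Unusual volume of outbound data,flow,anomalous,10.1.1.20,198.51.100.7
0003,New software observed on host,software,newly observed,10.1.1.20,
0004,Account observed on new device,account,newly observed,10.1.1.31,
0005,Rare file type transferred,file,specific,,192.0.2.55
0006,Anomalous relationship between hosts,relationship,anomalous,10.1.1.31,10.1.1.20
"""


def _ip_or_none(value):
    """Normalise an IP string; blank or invalid values become None
    (an observation may have no source or no destination device)."""
    value = (value or "").strip()
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_observations(csv_text):
    """Parse the export into dicts, dropping rows whose category or class
    is not one of the documented values."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        category = rec.get("category", "").strip().lower()
        klass = rec.get("class", "").strip().lower()
        if category not in CATEGORIES or klass not in CLASSES:
            continue
        rows.append({
            "uuid": rec.get("observation_uuid", "").strip(),
            "title": rec.get("observation_title", "").strip(),
            "category": category,
            "class": klass,
            "src_ip": _ip_or_none(rec.get("src_ip")),
            "dst_ip": _ip_or_none(rec.get("dst_ip")),
        })
    return rows


def filter_observations(rows, category=None, klass=None):
    """Keep rows matching the given category and/or class (None = no filter)."""
    return [r for r in rows
            if (category is None or r["category"] == category)
            and (klass is None or r["class"] == klass)]


def search(rows, text):
    """Case-insensitive match on UUID, title text, or either IP, mirroring
    what the page's search field accepts."""
    needle = text.lower()
    return [r for r in rows
            if needle in r["uuid"].lower()
            or needle in r["title"].lower()
            or needle in (r["src_ip"] or "")
            or needle in (r["dst_ip"] or "")]


def pivot_by_entity(rows):
    """Count observations per entity by category, as the Entity Panel views
    them per device. An IP counts whether it is src or dst; rows with neither
    are returned separately so they are not silently dropped."""
    per_entity = defaultdict(Counter)
    unattributed = []
    for r in rows:
        ips = [ip for ip in (r["src_ip"], r["dst_ip"]) if ip]
        if not ips:
            unattributed.append(r["uuid"])
        for ip in ips:
            per_entity[ip][r["category"]] += 1
    return dict(per_entity), unattributed


if __name__ == "__main__":
    obs = parse_observations(SAMPLE_CSV)
    per_entity, unattributed = pivot_by_entity(obs)
    for ip, counts in sorted(per_entity.items(), key=lambda kv: -sum(kv[1].values())):
        print(ip, dict(counts))
    print("newly observed:", [r["uuid"] for r in filter_observations(obs, klass="newly observed")])
```

Sorting entities by total observation count gives a quick hunting starting point: a host that appears in several categories (here 10.1.1.20 with flow, software and relationship observations) is the one worth opening in the Entity Panel first, even though none of the individual observations carries a severity.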
