Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    26.1.0
    26.1.a
    26.1.0
    25.4.a
    25.4.0

    Manage annotations

    Manage annotations

    Annotations help you categorize and enrich entities (such as IP addresses, domains, or usernames) with additional context for easier investigation and filtering.

    Viewing annotations in the portal

    Annotations appear against a blue background wherever an IP address is displayed. They can also be searched using IQL when the annotations are present in the data. When you hover over an annotation, a tooltip displays the annotation name and description. Clicking the annotation opens a pop-up with full details.

    On the Manage Annotations page, you can open the Entity Panel by clicking the Entity Name when it is a valid IP, CIDR, domain, or URL. Right-click an entity with a valid IP to:

    • Search Events
    • View Detection Context
    • View/Create Annotations
    • Perform an Entity Lookup
    • Perform a Global Search
    • Open a Guided Queue

    Automatic critical asset identification

    FortiGuard ATR uses rich network metadata to automatically discover and classify critical assets across enterprise environments. This process identifies high-value infrastructure components such as Domain Controllers, DNS servers, SSH servers, FTP servers, SMTP servers, and other core services by analyzing behavioral patterns, protocols, and role-based traffic correlations.

    Once identified, these assets are annotated within the FortiNDR Cloud platform to enhance network visibility and analytical context. This enrichment helps security teams distinguish routine activity from potential threats targeting essential systems. By adding this layer of asset intelligence, FortiNDR Cloud improves detection accuracy, prioritization, and relevance for high-impact business systems.

    A crown icon appears next assets annotated by FortiGuard ATR in detection tables. The crown is color-coded to indicate its severity level:

    • Red for high risk
    • Orange for moderate risk
    • Yellow for low risk

    Managing annotations

    To manage annotations, click the gear icon at the top-right of the page and select Manage Annotations. The Manage Annotations page allows you to create, edit, and organize annotations and associate them with specific entities.

    The annotations table lists all existing annotations with their type, name, description, and actions, and provides an option to add new annotations. The entities table shows all entities linked to a selected annotation, including their names, types, and management actions. The search function allows you to search for any text in the Annotation Name and Annotation Description columns.

    You can create the following annotation types: Application, Environment, Location, Owner, Role, Tag and Identified Assets (system-generated). Identified Assets annotations are automatically created by FortiGuard ATR and cannot be manually added.

    To create an annotation:
    1. Click Add Annotations > Create Annotation.
    2. Configure the annotation settings:

      Select an annotation type

      Select Application, Environment, Location, Owner, Role, Tag, or Identified Assets.

      Note

      Identified Assets only applies to FortiGuard ATR. See, Automatic critical asset identification.

      A color-coded crown icon will appear only on assets annotated by FortiGuard ATR in the events and detections tables. See Detections table.

      Enter an annotation nameEnter a name for the annotation.
      Enter a descriptionEnter the annotation.
    3. Click Save.
    To add annotations with a CSV file:

    1. Create the CSV file. The file must contain the following : annotation type, annotation name, description, entity, entity_type.

      The annotation type must begin with a lower case letter, and the annotation name must be unique within the same type.

    2. Click Add Annotations > Upload CSV.

    3. Upload the CSV file.

    4. Click Save.

    To edit an annotation:
    1. Click the Actions menu at the right side of the annotation and select Edit Annotation.

    2. Update the annotation and click Save.
    To delete an annotation:
    1. Click the Actions menu at the right side of the annotation and select Remove Annotation.

    2. Click Confirm.
    To add entities:
    1. Click +Add Entity. The Add Entities dialog opens.

    2. Enter one or more entities (IP Address, CIDR, domain or username) separated by a comma, space, or return.

    3. Click Save. FortiNDR Cloud validates the fields and identifies any errors.

    To bulk remove entities:
    1. Above the entities table, Click Remove bulk entities.

    2. Click Confirm.
    Previous
    Next

    Manage annotations

    Manage annotations

    Annotations help you categorize and enrich entities (such as IP addresses, domains, or usernames) with additional context for easier investigation and filtering.

    Viewing annotations in the portal

    Annotations appear against a blue background wherever an IP address is displayed. They can also be searched using IQL when the annotations are present in the data. When you hover over an annotation, a tooltip displays the annotation name and description. Clicking the annotation opens a pop-up with full details.

    On the Manage Annotations page, you can open the Entity Panel by clicking the Entity Name when it is a valid IP, CIDR, domain, or URL. Right-click an entity with a valid IP to:

    • Search Events
    • View Detection Context
    • View/Create Annotations
    • Perform an Entity Lookup
    • Perform a Global Search
    • Open a Guided Queue

    Automatic critical asset identification

    FortiGuard ATR uses rich network metadata to automatically discover and classify critical assets across enterprise environments. This process identifies high-value infrastructure components such as Domain Controllers, DNS servers, SSH servers, FTP servers, SMTP servers, and other core services by analyzing behavioral patterns, protocols, and role-based traffic correlations.

    Once identified, these assets are annotated within the FortiNDR Cloud platform to enhance network visibility and analytical context. This enrichment helps security teams distinguish routine activity from potential threats targeting essential systems. By adding this layer of asset intelligence, FortiNDR Cloud improves detection accuracy, prioritization, and relevance for high-impact business systems.

    A crown icon appears next assets annotated by FortiGuard ATR in detection tables. The crown is color-coded to indicate its severity level:

    • Red for high risk
    • Orange for moderate risk
    • Yellow for low risk

    Managing annotations

    To manage annotations, click the gear icon at the top-right of the page and select Manage Annotations. The Manage Annotations page allows you to create, edit, and organize annotations and associate them with specific entities.

    The annotations table lists all existing annotations with their type, name, description, and actions, and provides an option to add new annotations. The entities table shows all entities linked to a selected annotation, including their names, types, and management actions. The search function allows you to search for any text in the Annotation Name and Annotation Description columns.

    You can create the following annotation types: Application, Environment, Location, Owner, Role, Tag and Identified Assets (system-generated). Identified Assets annotations are automatically created by FortiGuard ATR and cannot be manually added.

    To create an annotation:
    1. Click Add Annotations > Create Annotation.
    2. Configure the annotation settings:

      Select an annotation type

      Select Application, Environment, Location, Owner, Role, Tag, or Identified Assets.

      Note

      Identified Assets only applies to FortiGuard ATR. See, Automatic critical asset identification.

      A color-coded crown icon will appear only on assets annotated by FortiGuard ATR in the events and detections tables. See Detections table.

      Enter an annotation nameEnter a name for the annotation.
      Enter a descriptionEnter the annotation.
    3. Click Save.
    To add annotations with a CSV file:

    1. Create the CSV file. The file must contain the following : annotation type, annotation name, description, entity, entity_type.

      The annotation type must begin with a lower case letter, and the annotation name must be unique within the same type.

    2. Click Add Annotations > Upload CSV.

    3. Upload the CSV file.

    4. Click Save.

    To edit an annotation:
    1. Click the Actions menu at the right side of the annotation and select Edit Annotation.

    2. Update the annotation and click Save.
    To delete an annotation:
    1. Click the Actions menu at the right side of the annotation and select Remove Annotation.

    2. Click Confirm.
    To add entities:
    1. Click +Add Entity. The Add Entities dialog opens.

    2. Enter one or more entities (IP Address, CIDR, domain or username) separated by a comma, space, or return.

    3. Click Save. FortiNDR Cloud validates the fields and identifies any errors.

    To bulk remove entities:
    1. Above the entities table, Click Remove bulk entities.

    2. Click Confirm.
    Previous
    Next