
Detections

FortiNDR Cloud Detections is an alert mechanism that notifies you when events matching specific criteria appear in your account. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network.

The Detections page displays a list of Detectors with active Detections in your account.

  • A Detector is the query and parameters used to identify activity in the network.

  • A Detection is the actual occurrence of activity satisfying a detector.

Each row in the page displays a single detector with at least one active detection.

A Detection is created when an event matches a detector's query. Detections are identified based on both the IP address and the Sensor ID to avoid issues with overlapping IP space. A duplicate detection is not generated if a detection already exists for the IP address and sensor ID pair. Instead, the Last Seen timestamp is updated and the event is added to the detector's latest events. This also resets the counter for the detection's Resolution Period if detections for the detector are set to resolve automatically.

By default the Detections page displays all Active detectors in your account. Once all detections for a detector are resolved or muted, the detector's status is automatically updated from Active to Idle. You can create a filter to view all detectors and detections regardless of their status.
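The two paragraphs above describe a small state machine: detections are keyed on the (IP address, Sensor ID) pair, a repeat match refreshes Last Seen instead of creating a second detection, an automatic Resolution Period counts from that refreshed timestamp, and a detector drops from Active to Idle once none of its detections is Active. The following Python model is an added example written for this page; it is not FortiNDR Cloud code. It assumes a detector query expressed as a predicate over an `Event`, a muted-IP set as a stand-in for "some aspect of it is muted", one notification per newly created Active detection, and a true/false-positive verdict recorded on manual resolution so that the confidence tiers from the table further down can be recomputed. All events in `run_demo()` are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Confidence tiers and their minimum true-positive rates, as stated on this page.
CONFIDENCE_THRESHOLDS = {"High": 0.90, "Moderate": 0.75, "Low": 0.50}


@dataclass
class Event:
    src_ip: str
    dst_ip: str
    sensor_id: str
    ts: datetime
    fields: dict  # hypothetical event attributes the detector query inspects


@dataclass
class Detection:
    ip: str
    sensor_id: str
    first_seen: datetime
    last_seen: datetime
    status: str = "Active"  # Active | Muted | Resolved
    events: List[Event] = field(default_factory=list)
    true_positive: Optional[bool] = None  # assumed: recorded when an analyst resolves


@dataclass
class Detector:
    name: str
    query: Callable[[Event], bool]  # stands in for the detector's query
    impacted_field: str = "src_ip"  # the Impacted Devices field is configurable
    resolution_period: Optional[timedelta] = None  # None: manual resolution only
    muted_ips: set = field(default_factory=set)  # simplification of "some aspect muted"
    detections: Dict[Tuple[str, str], Detection] = field(default_factory=dict)
    notifications: int = 0  # assumed: one notification per newly created Active detection

    def ingest(self, event: Event) -> Optional[Detection]:
        """Create or update a detection for an event that matches the query."""
        if not self.query(event):
            return None
        ip = getattr(event, self.impacted_field)
        key = (ip, event.sensor_id)  # IP + Sensor ID keeps overlapping IP space apart
        det = self.detections.get(key)
        if det is None:
            status = "Muted" if ip in self.muted_ips else "Active"
            det = Detection(ip, event.sensor_id, event.ts, event.ts, status, [event])
            self.detections[key] = det
            if status == "Active":
                self.notifications += 1
        else:
            # Duplicate key: no new detection; refresh Last Seen and append the event.
            # Auto-resolve counts from last_seen, so this restarts the countdown.
            det.last_seen = event.ts
            det.events.append(event)
        return det

    def auto_resolve(self, now: datetime) -> int:
        """Resolve Active detections whose Resolution Period has elapsed since Last Seen."""
        if self.resolution_period is None:
            return 0
        resolved = 0
        for det in self.detections.values():
            if det.status == "Active" and now - det.last_seen >= self.resolution_period:
                det.status = "Resolved"
                resolved += 1
        return resolved

    def resolve(self, ip: str, sensor_id: str, true_positive: bool) -> None:
        """Manual resolution by an analyst, recording the true/false-positive verdict."""
        det = self.detections[(ip, sensor_id)]
        det.status = "Resolved"
        det.true_positive = true_positive

    @property
    def status(self) -> str:
        """Active while any detection is Active; Idle once all are resolved or muted."""
        return "Active" if any(d.status == "Active" for d in self.detections.values()) else "Idle"

    def observed_confidence(self) -> Optional[Tuple[str, float]]:
        """Confidence tier implied by analyst verdicts (auto-resolved ones carry none)."""
        judged = [d for d in self.detections.values() if d.true_positive is not None]
        if not judged:
            return None
        rate = sum(d.true_positive for d in judged) / len(judged)
        for tier, minimum in CONFIDENCE_THRESHOLDS.items():  # checked High to Low
            if rate >= minimum:
                return tier, rate
        return "Below Low", rate


def run_demo() -> dict:
    """Constructed scenario: one internal IP seen by two sensors, a repeat hit, a muted host."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    det = Detector(
        name="Demo: repeated SSH auth failures",  # hypothetical detector
        query=lambda e: e.fields.get("service") == "ssh" and e.fields.get("auth_failures", 0) >= 10,
        resolution_period=timedelta(hours=24),
        muted_ips={"10.0.0.9"},
    )
    events = [  # constructed sample events
        Event("10.0.0.5", "203.0.113.7", "sensor-a", t0, {"service": "ssh", "auth_failures": 12}),
        Event("10.0.0.5", "203.0.113.7", "sensor-b", t0 + timedelta(minutes=1), {"service": "ssh", "auth_failures": 15}),
        Event("10.0.0.5", "203.0.113.7", "sensor-a", t0 + timedelta(hours=20), {"service": "ssh", "auth_failures": 30}),
        Event("10.0.0.9", "203.0.113.7", "sensor-a", t0, {"service": "ssh", "auth_failures": 11}),
        Event("10.0.0.6", "203.0.113.7", "sensor-a", t0, {"service": "http", "auth_failures": 0}),
    ]
    for e in events:
        det.ingest(e)
    out = {
        "detection_count": len(det.detections),  # 3: (.5, a), (.5, b), (.9, a)
        "events_on_first": len(det.detections[("10.0.0.5", "sensor-a")].events),  # 2
        "notifications": det.notifications,  # 2: the muted detection is silent
    }
    out["auto_resolved_at_25h"] = det.auto_resolve(t0 + timedelta(hours=25))  # 1: only (.5, b)
    out["status_after_25h"] = det.status  # Active: (.5, a) was refreshed at 20h
    det.resolve("10.0.0.5", "sensor-a", true_positive=True)
    out["status_after_manual"] = det.status  # Idle: the only remaining detection is Muted
    det.resolve("10.0.0.5", "sensor-b", true_positive=False)  # analyst verdict on the auto-resolved one
    out["confidence"] = det.observed_confidence()  # ("Low", 0.5)
    return out
```

The point to notice in `run_demo()` is the third event: it hits the same (IP, sensor) key as the first, so no new detection appears, but its Last Seen moves forward and the 24-hour auto-resolve countdown restarts, which is why that detection is still Active at the 25-hour mark while the sensor-b one has been resolved.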

The Detections page displays the following information:

Name: The detector name.

Category: There are three categories for detectors: Attack, Potentially Unwanted Application (PUA), and Posture. Each category contains a more detailed subcategory. For more information, see Detector Categories.

Severity: The severity measures the potential impact to the confidentiality, integrity, or availability of information systems and resources if the activity is confirmed to be a true positive. Severity can be assigned to one of the following values:

Severity | Description | Examples
High | Significant to fair impact with the potential to spread or escalate | Malicious code execution, C2 communications, lateral movement, data exfiltration
Moderate | Fair impact with minimal potential to spread or escalate | Activity that could indicate malicious intent, untargeted attacks with unknown success, data leakage, subversion of security or monitoring tools
Low | Little to no impact expected | Potentially unauthorized software, devices, or resource use, untargeted adware or spyware, compromise of a personal device or device on an untrusted network, insecure configurations

Confidence: Confidence measures how likely events matching the detector’s query are indicative of the activity specified in the detector description. A detector's confidence indicates its minimum true-positive detection rate.

Confidence | Minimum True-Positive Rate
High | 90%
Moderate | 75%
Low | 50%

FortiGuard Lab assigns a detector's initial confidence based on its performance during testing. Once deployed, detectors are monitored for changes in their true-positive detection rate, which is based on the resolution state chosen by an analyst when resolving a detection. Once a detector crosses a higher or lower threshold, it is reviewed to determine whether it should be tuned or whether the confidence should be modified.

Last Seen: The UTC date and time when the last known event tied to the detector was observed. This is useful when determining when the most recent change to a detector has occurred.

Author: The account that authored the detector.

Impacted Devices: The internal IP address in the src.ip or dst.ip fields used to generate detections. This field is configurable.

Status: By default, every detection is in an Active state upon creation. Active detections generate a notification (see Email notifications), but Muted detections will not. Detections remain Active until they are resolved manually by an analyst or automatically based on the detector's Resolution Period. Once resolved, their status changes to Resolved.

Detection State | Description
Active | When an event matching a detector is observed, a detection is generated and set to Active by default. A notification is triggered for Active detections.
Muted | When an event matching a detector is observed, but some aspect of it is muted. A notification is not triggered for muted detections.
Resolved | When a detection is resolved, either manually by an analyst or automatically, and is no longer Active.

Detector Categories

Category | Subcategory | Description
Attack | Infection Vector | Attacks in the initial stages before an exploit attempt has been made or malicious code has been executed. Examples include downloading a malicious executable file, navigating to a web site that is known to redirect to exploitation servers, or an attempt to authenticate to an SSH server from a malicious host.
Attack | Exploitation | Attacks in the process of exploiting known vulnerabilities such as those listed in MITRE’s Common Vulnerabilities and Exposures (CVE) list. While FortiNDR Cloud may be unable to determine the success of a launched exploit, any hosts attempting exploits (that are not approved internal scanners) should be investigated for signs of compromise.
Attack | Installation | Installation of malicious software (staging) for persistence in an environment. For example, the Cobalt Strike staging tool downloading a Beacon backdoor over HTTP in order to provide persistence on a compromised host and run further post-exploitation commands.
Attack | Lateral Movement | Tools and techniques commonly used by attackers to pivot from a compromised host to other assets within the environment. Such tools may also be legitimately used by system administrators but should be investigated, especially for hosts from which this activity has not been observed before.
Attack | Command and Control | Command and control traffic between compromised hosts and attacker infrastructure.
Attack | Exfiltration | Data exfiltration from compromised assets to external entities.
Attack | Discovery | Tools and techniques commonly used by attackers to identify accessible hosts and services. Such tools may also be legitimately used by system administrators but should be investigated, especially for hosts from which this activity has not been observed before.
Attack | Impact | Malware or behavior intended to disrupt the business, such as distributed denial of service (DDoS) and ransomware attacks.
PUA | Adware | Malware characterized by its use of advertisements to generate revenue for the author. Adware is often installed alongside third-party applications and remains on a system as a browser add-on or self-proclaimed optimization software. Most adware is considered low risk due to its innocuous nature.
PUA | Spyware | Malware characterized by its focus on gathering device and user information without the user’s knowledge. This information is usually sent back to the authors for a variety of purposes, ranging from market research to targeted monitoring. Spyware is usually installed alongside third-party applications and persists on a system as a backdoor or as software that purports to be useful. Most spyware is considered low risk due to its historical use for low-impact data collection and advertising.
PUA | Unauthorized Resource Use | Applications that utilize system resources without a user’s knowledge or consent. Such applications are usually installed alongside third-party applications or as a component of malware in order to monetize a successfully compromised host (for example, via click fraud or cryptocurrency mining).
Posture | Potentially Unauthorized Software or Device | Applications or devices that circumvent organizational policies or increase the attack surface of an organization. These detectors cover various applications that may be used to bypass monitoring tools and access controls, or store sensitive information in unauthorized locations. This category also includes tools that may be legitimately used for system administration, development, or penetration testing, but are also commonly used by attackers to enumerate access and pivot within a compromised environment.
Posture | Insecure Configuration | Configurations within an environment that make it more vulnerable to exploitation or post-exploitation techniques used by attackers. Such configurations include outdated software, use of deprecated cryptographic standards, or configurations resulting in data leakage.
Posture | Anomalous Activity | Network activity that is abnormal and should be investigated to determine its cause. The activity may be malicious in nature or a misconfiguration that may or may not have security implications.
