Administration Guide

NDR Log

The NDR Log view displays information about anomalies detected on the network, traffic sources and destinations, as well as devices discovered and detected by FortiNDR. Use the Anomaly Type column to narrow down and investigate the anomalies, by session or by device view.

Anomaly tab

The Anomaly tab displays anomalies detected on the network. In a normal network, only a small percentage of network traffic is anomalous. The FortiNDR engine records both normal and anomaly traffic.

You can filter the logs by Anomaly Type by clicking the Filter icon in the column heading.

Tooltip

When filtering the Anomaly Type column, you can use !=<type> to filter out the types you don't want to see.

Session Tab

Use the Sessions tab to understand the relationship between sessions and anomalies. There could be multiple behaviors within a session, and some connections within a session could be anomalies. For example, a user accessing the Internet browses Facebook normally and also hits an Emotet IOC campaign within the same session. You can also view the traffic Source and Destination to determine whether the connection is internal or external.

To filter the sessions in the view, hover over a column heading and click the filter icon.

To drill down on the session information, click View Session Detail. Click the Action menu to view related information.
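As an added illustration of what the Anomaly and Sessions tabs express (not FortiNDR code, and not its log format), the following Python models the `!=<type>` column filter, the internal/external classification of a connection, and the way one session can mix normal and anomalous connections. The record layout, the sample records and the RFC 1918 definition of "internal" are assumptions.

```python
"""Constructed mini-model of the NDR Log Anomaly and Sessions tabs."""
import ipaddress
from collections import defaultdict

# Assumption: "internal" means an RFC 1918 address (not FortiNDR's own rule).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; session s1 mixes normal browsing with an IOC hit.
# anomaly_type "" marks a normal connection.
RECORDS = [
    {"session_id": "s1", "src": "10.1.1.5", "dst": "198.51.100.20", "anomaly_type": ""},
    {"session_id": "s1", "src": "10.1.1.5", "dst": "203.0.113.7", "anomaly_type": "IOC Campaign"},
    {"session_id": "s2", "src": "10.1.1.9", "dst": "10.1.2.20", "anomaly_type": "ML Discovery"},
    {"session_id": "s3", "src": "10.1.1.9", "dst": "203.0.113.9", "anomaly_type": ""},
]


def parse_filter(expr):
    """Return (negate, type) for the column filter syntax: '<type>' or '!=<type>'."""
    expr = expr.strip()
    if expr.startswith("!="):
        return True, expr[2:].strip()
    return False, expr


def filter_anomalies(records, expr):
    """Anomaly tab: keep anomaly records matching expr; '!=<type>' excludes that type."""
    negate, atype = parse_filter(expr)
    anomalies = [r for r in records if r["anomaly_type"]]
    return [r for r in anomalies if (r["anomaly_type"] == atype) != negate]


def direction(record):
    """Sessions tab Source/Destination: internal only if both ends are internal."""
    src, dst = ipaddress.ip_address(record["src"]), ipaddress.ip_address(record["dst"])
    both_internal = all(any(ip in net for net in INTERNAL_NETS) for ip in (src, dst))
    return "internal" if both_internal else "external"


def sessions_with_anomalies(records):
    """Sessions tab: for each session holding an anomaly, count connections and list types."""
    sessions = defaultdict(lambda: {"connections": 0, "anomalies": []})
    for r in records:
        s = sessions[r["session_id"]]
        s["connections"] += 1
        if r["anomaly_type"]:
            s["anomalies"].append(r["anomaly_type"])
    return {k: v for k, v in sessions.items() if v["anomalies"]}


if __name__ == "__main__":
    print(filter_anomalies(RECORDS, "!=ML Discovery"))
    print({k: (v, direction(RECORDS[0])) for k, v in sessions_with_anomalies(RECORDS).items()})
```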

Device Tab

The Device tab displays the devices detected by FortiNDR. The FortiGuard IoT service is used to identify device information based on the MAC address. You can drill down to the device page by clicking View Device Detail.

The Device page shows information about the device activity (both anomaly and normal events), as well as a heatmap for anomalies over the selected time period. A line graph shows the device traffic (inbound and outbound bandwidth combined). The Confidence Level indicates our confidence in identifying the device category.

In the following image, the device is identified as Network Firewall. The window at the bottom of the page shows the top anomalies, activities, traffic, neighbors, external services, a geolocation map of the device traffic, and machine learning discovery.

The Malware Host Story shows information about the malware Risk Level and Scenario Type.