Administration Guide

Connection tab

The Connection tab lists all the connection pairs for the anomaly type (such as Network Attacks and Encrypted Attack). Double-click an entry to explore the anomaly content for anomalies that have occurred within the same connection pair.

By default, the Connection tab displays the following information:

Column Definition
Latest Timestamp The date the record was updated.
Src IP The source IP.
Source Network

The source network.

You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

Dst IP The destination IP.
Destination Network

The destination network.

You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

Src Port The source port.
Dst Port The destination port.
Count (Historic) The total number of times the anomaly was observed.
Count (Past week) The total number of times the anomaly was observed during the past week.
First Event Timestamp The timestamp for the first time the anomaly event was detected.
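
The Source/Destination Network categories and the per-pair counters above can be reproduced outside the GUI, for example to cross-check exported anomaly sessions. The following is an added illustration, not FortiNDR code; the exact address ranges the product uses for each category are not documented on this page, so the RFC-based boundaries below and the record layout are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed range definitions; the page names the categories but not their exact boundaries.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
RESERVED_NETS = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "240.0.0.0/4", "::/128")]

def classify(ip_str):
    """Return the Source/Destination Network category for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "Loopback"
    if ip.is_multicast:
        return "Multicast address"
    if ip.is_link_local:
        return "Link-local Address"
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return "Broadcast"  # checked before Reserved: 255.255.255.255 sits inside 240.0.0.0/4
    if any(ip in net for net in INTERNAL_NETS):
        return "Internal"
    if any(ip in net for net in RESERVED_NETS):
        return "Reserved Address"
    return "External"

def summarize(records, now):
    """Aggregate anomaly sessions per connection pair into the Connection tab's columns."""
    week_ago = now - timedelta(days=7)
    pairs = {}
    for r in records:
        key = (r["src_ip"], r["dst_ip"], r["src_port"], r["dst_port"])
        row = pairs.setdefault(key, {
            "first_event": r["ts"], "latest": r["ts"], "count_historic": 0, "count_past_week": 0,
            "src_network": classify(r["src_ip"]), "dst_network": classify(r["dst_ip"])})
        row["first_event"] = min(row["first_event"], r["ts"])   # First Event Timestamp
        row["latest"] = max(row["latest"], r["ts"])              # Latest Timestamp
        row["count_historic"] += 1                               # Count (Historic)
        if r["ts"] >= week_ago:
            row["count_past_week"] += 1                          # Count (Past week)
    return pairs

# Constructed sample sessions (not real telemetry): one external-to-internal pair, one IPv6 pair.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"ts": NOW - timedelta(days=30), "src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "src_port": 44512, "dst_port": 443},
    {"ts": NOW - timedelta(days=2), "src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "src_port": 44512, "dst_port": 443},
    {"ts": NOW - timedelta(hours=1), "src_ip": "203.0.113.7", "dst_ip": "10.1.2.3", "src_port": 44512, "dst_port": 443},
    {"ts": NOW - timedelta(days=1), "src_ip": "fe80::1", "dst_ip": "ff02::1", "src_port": 5353, "dst_port": 5353},
]

if __name__ == "__main__":
    for key, row in summarize(SAMPLE, NOW).items():
        print(key, row["src_network"], "->", row["dst_network"], row["count_historic"], row["count_past_week"])
```
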
To view the sessions for a selected condition:
  1. In the Anomaly tab, double-click a record in the list. The Anomaly Information pane opens.
  2. Click the Analytic tab.
  3. Double-click a log in the list. The Sessions Log for selected condition pane opens and the connection pair information is displayed.

From the Session Log pane, you have the option of viewing the source and destination device and viewing the sessions. For more information, see Session tab.

Session Information

The Session Information pane contains two tabs: General and Analytic.

General tab

The General tab displays the following information:

General
  • Session ID

  • Start Time

  • End Time

  • Traffic Volume

  • VLAN ID

  • Port ID

Anomaly
  • Anomaly Type

  • Severity

  • Reason

Additional Information
  • HTTP Version

  • HTTP Response Code

  • HTTP Server Name

  • HTTP URL

  • Malicious Behavior

Source Device

  • Source IP
  • Source Port
  • Source MAC
  • Source Packet Size
  • Source Country
  • Source Device Model
  • Source OS
  • Source Device Category
  • Source Device Sub Category

Destination Device

  • Destination IP
  • Destination Port
  • Destination MAC
  • Destination Packet Size
  • Destination Country
  • Destination Device Model
  • Destination OS
  • Destination Device Category
  • Destination Device Sub Category
Analytic tab

By default, the Analytic tab displays the following information about the connection pair:

Column Definition

Anomaly Severity The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Attack Name The attack name provided by FortiGuard. Hover over the name to view the Impact, Product List and Recommended Action. You can also use this column to explore the attack name and search FortiGuard.
Count (Historic) The total number of times the anomaly was observed.
Count (Past week) The total number of times the anomaly was observed during the past week.
