Administration Guide

Introduction
- Getting started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G : Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.2 Administration Guide

7.4.2

Express Malware Analysis

Go to Virtual Security Analysis > Express Malware Analysis to quickly upload a file and get the verdict. Express Malware Analysis is supported in both the GUI and the API. The default file size limit is 200MB. The file size limit can be changed using the CLI.

For information about using the API to submit files, see Appendix A: API guide > Submit files.

Express Malware Analysis is not available in Center mode.

To submit a file for Express Malware Analysis:

Go to Virtual Security Analyst > Express Malware Analysis. The Submit New File window opens.

Submit a file for analysis. The default file size limit is 200MB. The file size limit can be changed using the CLI.

Click Upload then navigate to the file location on your device and click Open.
In the Password field, enter the password for the file. If the file does not require a password, FortiNDR will use Infected by default. The Password field is displayed whether the file requires a password or not.

Click OK. The verdict is displayed.

Submission Time	The date and time the file was uploaded.
Submitted Filename	The name of the file that was uploaded.
Submission User	The user that submitted the file.
MD5	The verdict result from MD5 checksum of the file.
Verdict	The attack scenario used to identify the malware attack.
Confidence	The confidence level as a percentage.
Risk	The risk verdict (High, Medium, Low or No Risk).
Status	The submission status.
File Type	The file type such as Zip or PE. Other indicates the detected file type is not supported by Artificial Neural Networks (ANN).
Indicator	Indicates the detection has IOC details.

Click View Sample Detail to view the sample information. This page explains the verdict by showing the feature composition of the file.

There are four tabs at the bottom of the page:

Tab	Description
History	Displays the history of the same malware (by hash) on the network. FortiNDR does not go back and rescan files based on the previous verdict. If you want to rescan a file based on the latest ANN, use manual or API upload instead.
Similar files	FortiNDR has a similar engine analysis based on the features detected. This is useful for detecting similar variants of the original malware.
MITRE information (and Investigator view)	For Portable Executable (PE ) files, FortiNDR can display a drill down of the MITRE ATT&CK matrix that shows the TTPs used for a particular malware.
IOC (Indicators of Compromise)	For text-based malware, FortiNDR can display more contextual information of malware, such as file contain abnormal javascipt, and so on. This helps you understand why FortiNDR determines it is malware.

When a zip file is uploaded, double-click the entry to view the contents and verdict of the files.

(Optional) Click Generate Reportto view the report summary in PDF and JSON format.

To change the file size limit with the CLI:

execute file-size-threshold

Configuring the table

You can show or hide columns by clicking the gear icon in the header.

Click Configure Table to select the columns you want to show or hide.