Document
Library

Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
- Hardening
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- SNMP
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.5 Administration Guide

7.4.5

NDR Muting

NDR Muting

The Virtual Security Analyst > NDR Muting page displays all the rules added to hide detections that you are not interested in. Once an anomaly is muted, FortiNDR will:

Hide	The anomaly in any insight page’s Anomaly tab. The session related to the muted anomaly in any insight page’s Session tab. The connection pair related to the muted anomaly in any insight page’s Connection tab.
Stop	Triggering email alerts from the muted anomaly. Triggering enforcement from the muted anomaly. Generating syslog messages related to the muted anomaly (Standalone and Sensor mode only).

You can mute certain detections in the Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, and ML Discovery insight pages. Once the attack is muted, any information related to this anomaly will be hidden from the insight pages, although the information is not deleted.

Note

NDR Muting rules can be applied in Center and Sensor mode. However, these muting rules are only applied locally. For example, if you hide an attack on a Center device, the same attack is not automatically hidden in the GUI of a Sensor device and vice versa.

The NDR Muting displays the following information:

Last Modified	The date and time the rule was last modified.
Rule ID	The rule's unique ID.
Rule Type	The rule type.
Rule	The rule name and tag.
Created By	The name of the admin who created the rule.
Comment	Comments by the admin.
Status	The current status of the rule (enabled / disabled).
Rule	The rule content. For example, if the Rule Type is Anomaly, the rule will be a JSON of anomaly type and content.

Muting rules in Network Insights

To mute an NDR Rule:

Go to Network Insights and open a page with the Anomaly Tab (Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, or ML Discovery).
Right-click a detection and select Add to NDR Mute Rule.

To view muted detections in Network Insights pages:

Go to Network Insights and open a page.
Disable NDR Mute OFF.

Managing muted rules

To enable/disable NDR muted rules:

Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
In the toolbar, click Edit.
Next to Status, select Enable or Disable.

To delete multiple rules:

In the toolbar, click the Delete Multiple dropdown.
Select one of the following options:
- Delete older than 30 days
- Delete All

To delete an NDR rule:

Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
In the toolbar, click Delete.

Previous

Next

NDR Muting

NDR Muting

The Virtual Security Analyst > NDR Muting page displays all the rules added to hide detections that you are not interested in. Once an anomaly is muted, FortiNDR will:

Hide	The anomaly in any insight page’s Anomaly tab. The session related to the muted anomaly in any insight page’s Session tab. The connection pair related to the muted anomaly in any insight page’s Connection tab.
Stop	Triggering email alerts from the muted anomaly. Triggering enforcement from the muted anomaly. Generating syslog messages related to the muted anomaly (Standalone and Sensor mode only).

You can mute certain detections in the Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, and ML Discovery insight pages. Once the attack is muted, any information related to this anomaly will be hidden from the insight pages, although the information is not deleted.

Note

NDR Muting rules can be applied in Center and Sensor mode. However, these muting rules are only applied locally. For example, if you hide an attack on a Center device, the same attack is not automatically hidden in the GUI of a Sensor device and vice versa.

The NDR Muting displays the following information:

Last Modified	The date and time the rule was last modified.
Rule ID	The rule's unique ID.
Rule Type	The rule type.
Rule	The rule name and tag.
Created By	The name of the admin who created the rule.
Comment	Comments by the admin.
Status	The current status of the rule (enabled / disabled).
Rule	The rule content. For example, if the Rule Type is Anomaly, the rule will be a JSON of anomaly type and content.

Muting rules in Network Insights

To mute an NDR Rule:

Go to Network Insights and open a page with the Anomaly Tab (Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, or ML Discovery).
Right-click a detection and select Add to NDR Mute Rule.

To view muted detections in Network Insights pages:

Go to Network Insights and open a page.
Disable NDR Mute OFF.

Managing muted rules

To enable/disable NDR muted rules:

Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
In the toolbar, click Edit.
Next to Status, select Enable or Disable.

To delete multiple rules:

In the toolbar, click the Delete Multiple dropdown.
Select one of the following options:
- Delete older than 30 days
- Delete All

To delete an NDR rule:

Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
In the toolbar, click Delete.

Previous

Next