NDR Muting
The Virtual Security Analyst > NDR Muting page displays all the rules added to hide detections that you are not interested in. Once an anomaly is muted, FortiNDR will:
Hide |
|
Stop |
|
You can mute certain detections in the Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, and ML Discovery insight pages. Once the attack is muted, any information related to this anomaly will be hidden from the insight pages, although the information is not deleted.
NDR Muting rules can be applied in Center and Sensor mode. However, these muting rules are only applied locally. For example, if you hide an attack on a Center device, the same attack is not automatically hidden in the GUI of a Sensor device and vice versa.
The NDR Muting page displays the following information:
Last Modified | The date and time the rule was last modified. |
Rule ID | The rule's unique ID. |
Rule Type | The rule type. |
Rule | The rule name and tag. |
Created By | The name of the admin who created the rule. |
Comment | Comments by the admin. |
Status | The current status of the rule (enabled / disabled). |
Rule | The rule content. For example, if the Rule Type is Anomaly, the rule will be a JSON of anomaly type and content. |
Muting rules in Network Insights
To mute an NDR Rule:
- Go to Network Insights and open a page with the Anomaly Tab (Botnet, FortiGuard IOC, Network Attacks, Weak/Vulnerable Communication, Encrypted Attack, or ML Discovery).
- Right-click a detection and select Add to NDR Mute Rule.
To view muted detections in Network Insights pages:
- Go to Network Insights and open a page.
- Disable NDR Mute OFF.
Managing muted rules
To enable/disable NDR muted rules:
- Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
- In the toolbar, click Edit.
- Next to Status, select Enable or Disable.
To delete multiple rules:
- In the toolbar, click the Delete Multiple dropdown.
- Select one of the following options:
  - Delete older than 30 days
  - Delete All
To delete an NDR rule:
- Go to Virtual Security Analyst > NDR Muting, and select a rule in the list.
- In the toolbar, click Delete.