Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.2.1
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.2.1 User Guide
    7.2.1
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    Viewing a Case in Depth

    Viewing a Case in Depth

    You can drill down on a Case from Cases > List View, select a Case, then click Action> Drill Down.

    Overview

    The Overview page provides the following case information:

    • Case Overview - The following Case attributes are shown in this section: Organization, Severity, Risk and Risk Explanation. For details on case attributes, see Case Attributes.
    • Case Progress - The following Case attributes related to the Case’s progress are shown in this section: Status, Stage, Assignee, Created, Assigned, Interested, Due, Elapsed, Close Code, Close Code Description and Case Management Policy. For details on case attributes, see Case Attributes.
    • Incidents - All incidents related to a case are listed here. Clicking on an incident's ID link will take you to that incident on the Incidents List View page.
    • Hosts - The assets involved with the case are listed, for example IP addresses.
    • Observables - Events, non-threatening or malicious, on a network or system.
    • Techniques - Any relevant MITRE ATT&CK Tactics and Techniques are listed.

    Explore View

    Case Explore View provides the same view as Incidents > Explorer, but only for the Incidents included in a Case.

    See here for details.

    MITRE ATT&CK View

    Case MITRE ATT&CK View provides the same view as Incidents > MITRE ATT&CK, but only for the Incidents included in a Case.

    See here for details.

    Investigate View

    Case Investigate View provides the same view as Incidents > Investigate, but only for the Incidents included in a Case. The entire Incident Attack Graph is shown at once for all Incidents included in the Case.

    See here for details.

    Case Notes

    The Notes section displays all existing notes for a case, and allows you to Add, Edit and/or Delete a note, assuming you have permission to do so. Click on the refresh icon to update the notes section. The options to Edit or Delete a note appear in the right upper corner of each note. To add a new note, enter the note in the Add New Note section, and click the Save icon when done. For more information on the tools available when creating a note, see the following table.

    Icon

    Description

    Undo

    Click to undo the latest change.

    Redo

    Click to re-apply the last undo change.
    Text Size Increase/decrease text size. Click the Text Size icon, and select a text size to apply to selected text, or for the text to be entered.
    Font Color Set the color of your font. Click the Font Color icon, and select a color to apply to selected text, or for the text to be entered. You can also enter a hex color code and click the Submit icon instead of selecting a pre-defined color. If you click the Remove Format icon from the color selection, only the color format will be changed.
    Align

    Configure the alignment of your text. Click the Align icon, and select one of the following options:

    • Align left - Click to align text to the left.
    • Align center - Click to center text.
    • Align right - Click to align text to the right.
    • Align Justify - Click to apply justification alignment to the text.
    Bold Click the Bold icon to toggle the Bold format on or off. You can enter text with Bold formatting, or select text and apply the Bold format.
    Underline Click the Underline icon to toggle the Underline format on or off. You can enter text with the Underline format, or select text and apply the Underline format.
    Italic Click the Italic icon to toggle the Italic format on or off. You can enter text that is Italicized, or select text and apply the Italic format.
    Strike Click the Strike icon to toggle Strikethrough format on or off. You can enter text with the strikethrough format, or select text and apply the Strikethrough format.
    Remove Format Select the text you wish to remove existing text formatting from, then click the Remove Format button. This remove all formatting from the selected text. For example, if the size of your text is 72 pixels, with a red font, clicking remove format will change the text size to the default size, and color.

    Full screen

    Click to toggle between full screen and window view.

    Save

    Click to save the note content.

    Case Evidence

    The Evidence page provides the trigger events for the Incidents in the case, and any events that have also been linked to the case. Any attachments that have been uploaded to the case can be found in the right pane.

    The main pane is comprised of two sections. The left column displays the incidents and events associated with the case. You can select an incident under Incidents in Case, or select Events to see its raw event data. Click on Detail > to display the Event Details sidebar. This sidebar provides the raw message and a list of the event's attributes for examination.

    The right pane displays all files attached to the case. Next to each file is a Download icon and Trash icon. Click the Download icon to download an attachment. Click the Trash icon to remove the attachment from a case.

    Action History

    The Action History page provides the following:

    Case Action History - Timeline of all case actions that have been taken.

    Incidents Action History - Timeline of all the actions taken to incidents related to the case.

    Previous
    Next

    Viewing a Case in Depth

    Viewing a Case in Depth

    You can drill down on a Case from Cases > List View, select a Case, then click Action> Drill Down.

    Overview

    The Overview page provides the following case information:

    • Case Overview - The following Case attributes are shown in this section: Organization, Severity, Risk and Risk Explanation. For details on case attributes, see Case Attributes.
    • Case Progress - The following Case attributes related to the Case’s progress are shown in this section: Status, Stage, Assignee, Created, Assigned, Interested, Due, Elapsed, Close Code, Close Code Description and Case Management Policy. For details on case attributes, see Case Attributes.
    • Incidents - All incidents related to a case are listed here. Clicking on an incident's ID link will take you to that incident on the Incidents List View page.
    • Hosts - The assets involved with the case are listed, for example IP addresses.
    • Observables - Events, non-threatening or malicious, on a network or system.
    • Techniques - Any relevant MITRE ATT&CK Tactics and Techniques are listed.

    Explore View

    Case Explore View provides the same view as Incidents > Explorer, but only for the Incidents included in a Case.

    See here for details.

    MITRE ATT&CK View

    Case MITRE ATT&CK View provides the same view as Incidents > MITRE ATT&CK, but only for the Incidents included in a Case.

    See here for details.

    Investigate View

    Case Investigate View provides the same view as Incidents > Investigate, but only for the Incidents included in a Case. The entire Incident Attack Graph is shown at once for all Incidents included in the Case.

    See here for details.

    Case Notes

    The Notes section displays all existing notes for a case, and allows you to Add, Edit and/or Delete a note, assuming you have permission to do so. Click on the refresh icon to update the notes section. The options to Edit or Delete a note appear in the right upper corner of each note. To add a new note, enter the note in the Add New Note section, and click the Save icon when done. For more information on the tools available when creating a note, see the following table.

    Icon

    Description

    Undo

    Click to undo the latest change.

    Redo

    Click to re-apply the last undo change.
    Text Size Increase/decrease text size. Click the Text Size icon, and select a text size to apply to selected text, or for the text to be entered.
    Font Color Set the color of your font. Click the Font Color icon, and select a color to apply to selected text, or for the text to be entered. You can also enter a hex color code and click the Submit icon instead of selecting a pre-defined color. If you click the Remove Format icon from the color selection, only the color format will be changed.
    Align

    Configure the alignment of your text. Click the Align icon, and select one of the following options:

    • Align left - Click to align text to the left.
    • Align center - Click to center text.
    • Align right - Click to align text to the right.
    • Align Justify - Click to apply justification alignment to the text.
    Bold Click the Bold icon to toggle the Bold format on or off. You can enter text with Bold formatting, or select text and apply the Bold format.
    Underline Click the Underline icon to toggle the Underline format on or off. You can enter text with the Underline format, or select text and apply the Underline format.
    Italic Click the Italic icon to toggle the Italic format on or off. You can enter text that is Italicized, or select text and apply the Italic format.
    Strike Click the Strike icon to toggle Strikethrough format on or off. You can enter text with the strikethrough format, or select text and apply the Strikethrough format.
    Remove Format Select the text you wish to remove existing text formatting from, then click the Remove Format button. This remove all formatting from the selected text. For example, if the size of your text is 72 pixels, with a red font, clicking remove format will change the text size to the default size, and color.

    Full screen

    Click to toggle between full screen and window view.

    Save

    Click to save the note content.

    Case Evidence

    The Evidence page provides the trigger events for the Incidents in the case, and any events that have also been linked to the case. Any attachments that have been uploaded to the case can be found in the right pane.

    The main pane is comprised of two sections. The left column displays the incidents and events associated with the case. You can select an incident under Incidents in Case, or select Events to see its raw event data. Click on Detail > to display the Event Details sidebar. This sidebar provides the raw message and a list of the event's attributes for examination.

    The right pane displays all files attached to the case. Next to each file is a Download icon and Trash icon. Click the Download icon to download an attachment. Click the Trash icon to remove the attachment from a case.

    Action History

    The Action History page provides the following:

    Case Action History - Timeline of all case actions that have been taken.

    Incidents Action History - Timeline of all the actions taken to incidents related to the case.

    Previous
    Next