Analyzing attack logs in FortiWeb Cloud Threat Analytics
Attack logs on FortiWeb can be forwarded to FortiWeb Cloud, which allows you to leverage the powerful AI-based Threat Analytics service that helps identify significant threats and zoom in on the threats that matter.
Prerequisites for using Threat Analytics for FortiWeb's attack logs:
- You have a valid Threat Analytics service license.
- Threat Analytics service is enabled in FortiWeb.
Please note that when your license expires or becomes invalid, log forwarding stops immediately, regardless of whether the Threat Analytics service is enabled.
14-day eval license
Starting with 7.2.2, a 14-day eval license is provided for customers who want to evaluate the Threat Analytics service. The 14-day eval license can only be used once. If you had enabled Threat Analytics in a previous release but did not have a valid license, the 14-day eval license is applied automatically after upgrading to version 7.2.2 or later.
Threat Analytics
Threat Analytics uses machine learning algorithms to identify attack patterns across all of your application assets, aggregate them into security incidents, and assign a severity. It helps separate real threats from informational alerts and false positives, so you can focus on the threats that matter.
Attack events are aggregated and then grouped into incidents by common characteristics. In this way, you can quickly find out which attack types occur frequently, the most malicious source IP addresses, etc.
By clicking the incident number, you will see the incident details including the attack type, the target application, source IPs, etc.
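To illustrate the grouping described above (attack events aggregated into incidents by shared characteristics, then ranked by attack type and source IP), here is an added example in Python. It is not part of the original page and is not the cloud service's own algorithm; it uses constructed sample log lines in a key=value style, and the field names (`type`, `sub_type`, `src`, `http_host`) are an assumption for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a key=value style resembling FortiWeb attack logs.
# Field names are an assumption for illustration, not the product's exact schema.
SAMPLE_LOGS = """\
type=attack main_type="Signature Detection" sub_type="SQL Injection" src=203.0.113.7 http_host="shop.example.com" action=Alert
type=attack main_type="Signature Detection" sub_type="SQL Injection" src=203.0.113.7 http_host="shop.example.com" action=Alert
type=attack main_type="Signature Detection" sub_type="SQL Injection" src=198.51.100.9 http_host="shop.example.com" action=Alert
type=attack main_type="Signature Detection" sub_type="Cross Site Scripting" src=203.0.113.7 http_host="api.example.com" action=Alert
type=attack main_type="DoS Protection" sub_type="HTTP Flood" src=192.0.2.44 http_host="shop.example.com" action=Alert
type=event subtype=system msg="config changed"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def aggregate_incidents(raw):
    """Group attack events into incidents keyed by (attack sub_type, target host).
    Returns {incident_key: {"count": events, "sources": Counter of src IPs}}."""
    incidents = defaultdict(lambda: {"count": 0, "sources": Counter()})
    for line in raw.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "attack":  # skip event/traffic logs, keep attack logs only
            continue
        key = (rec.get("sub_type", "unknown"), rec.get("http_host", "unknown"))
        incidents[key]["count"] += 1
        incidents[key]["sources"][rec.get("src", "unknown")] += 1
    return dict(incidents)

def top_attack_types(incidents, n=3):
    """Attack sub_types with the most events across all incidents."""
    c = Counter()
    for (sub_type, _host), inc in incidents.items():
        c[sub_type] += inc["count"]
    return c.most_common(n)

def top_sources(incidents, n=3):
    """Source IPs that appear in the most attack events."""
    c = Counter()
    for inc in incidents.values():
        c.update(inc["sources"])
    return c.most_common(n)

if __name__ == "__main__":
    inc = aggregate_incidents(SAMPLE_LOGS)
    print(top_attack_types(inc), top_sources(inc))
```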
You can use predefined tags for Threat Analytics incidents. Tags help label incidents for later use, such as sorting, filtering, and acknowledging incidents. You can edit the tag names to suit your needs.
Threat Analytics also provides an additional layer of incident analysis and offers recommendations to improve your security posture.
To enable Threat Analytics:
- Contact the Sales team to purchase a license with the Threat Analytics service, then register the license on the Support site: https://support.fortinet.com
- Log in to FortiWeb.
- Check the status of Threat Analytics in the Licenses widget in Dashboard > Status. It should be displayed as Valid.
- In the System Information Widget in Dashboard > Status, click Enable Threat Analytics, then click OK in the pop-up window.
- Make sure Enable Attack Log is switched on in Log&Report > Log Config > Other Log Settings.
- Go to Dashboard > Status, click Add Widget, then select Threat Analytics in the System section. The Threat Analytics widget will be displayed on the Status page. You can view whether FortiWeb is successfully connected with FortiWeb Cloud and whether the attack logs are being forwarded.
- Wait for FortiWeb to generate attack logs.
- Log in to FortiWeb Cloud with the account you used when registering your license on the Fortinet Support site.
For more information on Threat Analytics, see this article in the FortiWeb Cloud Online Help.