Document
Library

Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- SNMP
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.3 Administration Guide

7.4.3

FortiGuard IOC

FortiGuard IOC

Network Insights > FortiGuard IOC detections are suspicious URLs and IPs that are flagged by FortiGuard. This anomaly discovery depends on FortiNDR look up in the FortiGuard IOC service. Apart from URL category (e.g. malicious websites), you will also see an Extra Info column for any campaign name involved (e.g. Solarwind, Locky Ransomware).

The FortiGuard IOC monitor displays the following information:

Column	Description
URL Category	The UR Category.
IOC	The Indications of Compromise service.
Anomaly Severity	The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Count (Historic)	The total number of times the anomaly was observed.
Count (Past week)	The total number of times the anomaly was observed during the past week .
First Timestamp	The timestamp for the first time the anomaly was detected.

Tooltip

For information about muting rules, see NDR Muting.

Previous

Next

FortiGuard IOC

FortiGuard IOC

Network Insights > FortiGuard IOC detections are suspicious URLs and IPs that are flagged by FortiGuard. This anomaly discovery depends on FortiNDR look up in the FortiGuard IOC service. Apart from URL category (e.g. malicious websites), you will also see an Extra Info column for any campaign name involved (e.g. Solarwind, Locky Ransomware).

The FortiGuard IOC monitor displays the following information:

Column	Description
URL Category	The UR Category.
IOC	The Indications of Compromise service.
Anomaly Severity	The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Count (Historic)	The total number of times the anomaly was observed.
Count (Past week)	The total number of times the anomaly was observed during the past week .
First Timestamp	The timestamp for the first time the anomaly was detected.

Tooltip

For information about muting rules, see NDR Muting.

Previous

Next