Administration Guide

Anomaly tab

The Anomaly tab provides insight into the anomaly content detected by FortiNDR and its occurrences in the network. To learn more about the connections related to a specific anomaly, double-click a record in the list to open the Anomaly Information pane. This pane contains all the connection pairs if there are multiple combinations of source and destination.

By default the Anomaly tab displays the following columns:

Latest Timestamp: The date the record was last updated.
Attack Name: The attack name provided by FortiGuard. Hover over the name to view the Impact, Product List and Recommended Action. You can also use this column to explore the attack name and search FortiGuard.
Anomaly Severity: The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Count (Historic): The total number of times the anomaly was observed.
Count (Past week): The total number of times the anomaly was observed during the past week.
First Timestamp: The timestamp of the first time the anomaly was detected.

To view the sessions for a selected condition:
  1. In the Anomaly tab, double-click a record in the list. The Anomaly Information pane opens.
  2. Click the Analytic tab.
  3. Double-click a log in the list. The Sessions Log for selected condition pane opens. The connection pair information is displayed.

From the Session Log pane, you have the option of viewing the source and destination device and viewing the sessions. For more information, see Session tab.

Anomaly Information

The Anomaly Information pane contains two tabs: General and Analytic.

General tab

The General tab displays the following information:

General
  • Anomaly Type
  • Severity
  • Reason
Additional Information
  • HTTP Version
  • HTTP Response Code
  • HTTP Server Name
  • HTTP URL
  • Malicious Behavior
Last Anomaly Occurrence
  • Latest Occurrence
  • Count (Past Week)
  • Count (Historic)
  • Latest Source IP
  • Latest Source Port
  • Latest Source MAC
  • Latest Source Packet Size
  • Latest Source Country
  • Latest Source Device Model
  • Latest Source OS
  • Latest Source Device Category
  • Latest Source Device Sub Category
  • Latest Destination IP
  • Latest Destination Port
  • Latest Destination MAC
  • Latest Destination Packet Size
  • Latest Destination Country
  • Latest Destination Device Model
  • Latest Destination OS
  • Latest Destination Device Category
  • Latest Destination Device Sub Category

Analytic tab

The Analytic tab displays the following information about the connection pair:

Src IP: The source IP. Hover over the record to view the IP Address, Country and Related Service.
Source Network: The source network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter both IPv4 and IPv6 addresses.
Dst IP: The destination IP. Hover over the record to view the IP Address, Country and Related Service.
Destination Network: The destination network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter both IPv4 and IPv6 addresses.
Count (Historic): The total number of times the anomaly was observed.
Count (Past week): The total number of times the anomaly was observed during the past week.
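The Source Network and Destination Network filters above sort each address of a connection pair into one of the listed categories. The following Python script is an added example, not FortiNDR code and not from this guide; it reproduces that classification for both IPv4 and IPv6 with the standard ipaddress module and applies it as a filter over constructed connection pairs. The definition of "Internal" (RFC 1918 ranges plus IPv6 unique local addresses) and the sample pairs are assumptions; the guide does not state how FortiNDR draws that boundary.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumed definition of the "Internal" category: RFC 1918 IPv4 ranges and
# IPv6 unique local addresses. FortiNDR's exact rule is not stated on the page.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

IPV4_LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_address(ip_text: str) -> str:
    """Return the network category label for one IPv4 or IPv6 address.

    Labels match the filter values listed for the Source/Destination Network
    columns. Order matters: the special-purpose checks run before the
    Internal/External split so that, for example, 127.0.0.1 is reported as
    Loopback rather than Internal.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "Loopback"
    if ip.is_link_local:
        return "Link-local Address"
    if ip.is_multicast:
        return "Multicast address"
    # IPv6 has no broadcast; only the IPv4 limited broadcast address qualifies.
    if ip.version == 4 and ip == IPV4_LIMITED_BROADCAST:
        return "Broadcast"
    if ip.is_reserved:
        return "Reserved Address"
    # Membership tests across IP versions are False, so mixed lists are safe.
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "Internal"
    return "External"


def filter_connection_pairs(
    pairs: List[Dict[str, str]],
    source_network: Optional[str] = None,
    destination_network: Optional[str] = None,
) -> List[Dict[str, str]]:
    """Keep only the pairs whose Src IP / Dst IP fall in the requested categories.

    A category of None means no filter is applied to that column.
    """
    kept = []
    for pair in pairs:
        if source_network and classify_address(pair["src_ip"]) != source_network:
            continue
        if destination_network and classify_address(pair["dst_ip"]) != destination_network:
            continue
        kept.append(pair)
    return kept


# Constructed sample connection pairs (not real FortiNDR output).
SAMPLE_PAIRS = [
    {"src_ip": "10.1.20.5", "dst_ip": "198.51.100.7"},
    {"src_ip": "10.1.20.5", "dst_ip": "10.1.20.1"},
    {"src_ip": "192.168.3.9", "dst_ip": "224.0.0.251"},
    {"src_ip": "fd12::1", "dst_ip": "2001:4860:4860::8888"},
    {"src_ip": "169.254.4.4", "dst_ip": "255.255.255.255"},
]

if __name__ == "__main__":
    for pair in SAMPLE_PAIRS:
        print(pair["src_ip"], classify_address(pair["src_ip"]), "->",
              pair["dst_ip"], classify_address(pair["dst_ip"]))
    print("Internal -> External:",
          filter_connection_pairs(SAMPLE_PAIRS, "Internal", "External"))
```

Running the script prints each sample pair with its category labels and then the Internal-to-External subset, which is the view an analyst typically wants when checking whether an anomaly involves traffic leaving the local network.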
