Incidents – FortiAnalyzer – FortiOS 6.2.3

Incidents

To view incidents, go to Incidents & Events > Incidents > All Incidents.

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

Raising an incident

You can raise an incident only from alerts generated for one endpoint.

You can raise an incident in the following ways:

  • In Incidents & Events > Incidents > All Incidents, click Create New in the toolbar. This opens the Create New Incident pane.
  • In Incidents & Events > All Events, right-click an event and select Raise Incident. This opens the Raise Incident pane with the applicable fields filled in, such as the Affected Endpoint.

Following is a description of the options available in the Create New Incident and Raise Incident panes.

Incident Reporter: The admin account raising the incident. This field cannot be changed.
Incident Category: Select a category from the dropdown list.
Severity: Select a severity level from the dropdown list.
Status: Select a status from the dropdown list.
Affected Endpoint: In the Raise Incident pane, the affected endpoint is filled in and cannot be changed. In the Create New Incident pane, select the affected endpoint from the dropdown list.
Description: If you wish, enter a description.

Analyzing an incident

In Incidents & Events > Incidents > All Incidents, double-click an incident or right-click an incident and select Analysis Page.

The incident analysis page shows the incident’s Affected Endpoint and User, Incident Life Cycle, Incident Info, Timeline, and Events related to the incident.

In the Incident Info panel, you can change the Incident Category, Severity, Status, and Description.

In the Events panel, you can review and delete events attached to the incident.

Configuring incident settings

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

When an incident is created, updated, or deleted, you can send a notification to external platforms using selected fabric connectors.

To configure incident notification settings:

  1. Go to Incidents & Events > Incidents > Incident Settings.
  2. Select a Fabric Connector from the dropdown list.
  3. Select which notifications you want to receive:
     • Send notification when new incident is created. Incidents with draft status will not trigger a notification.
     • Send notification when new incident is updated.
     • Send notification when new incident is deleted.
  4. To add more fabric connectors, click Add Fabric Connector and repeat the above steps to configure notification settings.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
