Using FortiView – FortiAnalyzer – FortiOS 6.2.3
Viewing FortiView dashboards
When viewing FortiView dashboards, use the controls in the toolbar to select a device, specify a time period, refresh the view, and switch to full-screen mode.
Many widgets on FortiView dashboards let you drill down to view more details. To drill down to view more details, click, double-click, or right-click an element to view details about different dimensions in different tabs. You can continue to drill down by double-clicking an entry. Click the close icon in the widget’s toolbar to return to the previous view. Many FortiView widgets support multiple chart types such as table view, bubble view, map view, tile view, etc.
- In widgets that support multiple views, select the settings icon in the top-right corner of the widget to choose another view.
- If sorting is available, there is a Sort By dropdown list in the top-left. l Some widgets have a Show dropdown list in the bottom-right for you to select how many items to display. l To sort by a column in table view, click the column title.
- To view more information in graphical views such as bubble, map, or user view, hover the mouse over a graphical element.
Some dashboards include multiple widgets. For example, Applications & Websites > Top Cloud Applications includes widgets for Top Cloud Application and Top Cloud User.
Viewing the threat map
You can view an animated world map that displays threats from unified threat management logs. Threats are displayed in real-time. No replay or additional details are available.
You must specify the longitude and latitude of the device to enable threats for the device to display in the threat map. You can edit the device settings to identify the geographical location of the device in Device Manager. For more information, see Editing device information on page 29
To view the threat map:
- Go to FortiView > Threats > Threat Map.
- In the map, view the geographic location of the threats.
Threats are displayed when the threat level is greater than zero. l A yellow line indicates a high threat. l A red line indicates a critical threat.
- In the Threat Window, view the Time, Threat, Source, Destination, and Severity(score).
Filter FortiView widgets using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.
To filter FortiView widgets using filters in the toolbar:
- Specify filters in the Add Filter
- Filter Mode: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or “or”.
- Text Search: Click the Switch to Text Search icon at the right end of the Add Filter In Text Search mode, enter the search criteria (log field names and values). Click the Switch to FilterMode icon to go back to Filter Mode.
- In the Device list, select a device.
- In the Time list, select a time period.
To filter FortiView widgets using the right-click menu:
In the selected view, right-click an entry and select a filter criterion (Search <filtervalue>).
Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.
Viewing related logs
You can view the related logs for a FortiView summary in Log View. When you view related logs, the same filters that you applied to the FortiView summary are applied to the log messages.
To view related logs for a FortiView summary, right-click the entry and select View Related Logs.
Exporting filtered summaries
You can export filtered FortiView summaries or from any level of drilldown to PDF and report charts. Filtered summaries are always exported in table format.
To export a filtered summary:
- In the filtered summary view or its drilldown, select the tools icon in the top-right corner of the widget and choose Export to PDF or Export to Report Chart.
- In the dialog box, review and configure settings:
- Specify a file name for the exported file. l In the Top field, specify the number of entries to export.
- If you are in a drilldown view, the tab you are in is selected by default. You can select more tabs. If you are exporting to report charts, the export creates one chart for each tab.
- Click OK.
Charts are saved in the Chart Library. You can use them in the same way you use other charts.
Monitoring resource usage of devices
You can monitor how much FortiAnalyzer system resources (e.g., CPU, memory, and disk space) each device uses. When ADOMs are enabled, this information is displayed per ADOM. In a specific ADOM, you can view the resource usage information of all the devices under the ADOM.
Go to SOC > FortiView > System > Resource Usage to monitor resource usage for devices.
Long-lived session handling
Because traffic logs are only sent at the end of a session, long-lived sessions can be unintentionally excluded when narrowing searches in FortiView. To account for this, interim traffic logs can be enabled through FortiOS, allowing FortiView to show the trend of session history rather than one large volume once the session is closed.
For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with the Log ID of 20.
- For interim traffic logs, the sentdelta and rcvddelta fields are filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
- Interim traffic logs are not counted in Sessions, but the sentdelta and recvddelta in related traffic logs will be added when calculating the sent and received bytes.
When a long-lived session ends, a traffic log with a Log ID of 13 is sent which indicates the session is closed.
Viewing Compromised Hosts
Compromised Hosts or Indicators of Compromise Service (IOC) is a licensed feature.
To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your
FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard on page 106.
The Indicators of Compromise Service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.
FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event’s IP, domain, and URL in the following logs of each end user:
l Web filter logs. l DNS logs. l Traffic logs.
When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall IOC.
Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.
Understanding Compromised Hosts entries
When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.
If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.
If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.
In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint’s statistics for the same day and then updates the score.
If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.
When an endpoint is displayed in Compromised Hosts, all the suspicious logs which contributed to the score are listed.
When the database is rebuilt, all log entries are reinserted and rescanned.
Working with Compromised Hosts information
Go to SOC > FortiView > Threats > Compromised Hosts.
When viewing Compromised Hosts:
- Use the widget settings icon to select Table or Users format, set the refresh interval, and modify other widget settings.
- Use the tools icon to export the information, edit rescan configuration, and set additional display options.
- Use the toolbar to select devices, specify a time period, refresh the view, select a theme (Day, Night, and Ocean), and switch to full-screen mode.
When you view an event, the # of Threats is the number of unique Threat Names associated with that compromised host (end user).
When you drill down to view details, the # of Events is the number of logs matching each blacklist entry for that compromised host (end user).
- To acknowledge a Compromised Hosts line item, click Ack on that line. l To filter entries, click Add Filter and specify devices or a time period.
- To drill down and view threat details, double-click a tile or a row.
Incorrectly rated IOCs can be reported within the Threat Intel Lookup screen, accessible by double-clicking on an End User, selecting the detected pattern from the Blacklist, and clicking Report Misrated IOC.
Subscribing FortiAnalyzer to FortiGuard
To keep your FortiAnalyzer threat database up to date:
- Ensure your FortiAnalyzer can reach FortiGuard at fortinet.com.
- Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration.
No change is needed on the FortiAnalyzer side.
To subscribe FortiAnalyzer to FortiGuard:
- Go to System Settings > Dashboard.
- In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
- After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.
Managing a Compromised Hosts rescan policy
The Compromised Hosts scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.
Requirements for managing a Compromised Hosts rescan policy: l This feature requires a valid indicators of compromise (IOC) license. The rescan options will not be available in the GUI or CLI without a license.
l The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.
To configure rescan settings and check rescan results:
- Go to SOC > FortiView > Threats > Compromised Hosts.
- From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration. The Edit Compromised Hosts Rescan Policy Settings window opens.
- Under Compromised Hosts Rescan Global Settings:
- Enable Global Compromised Hosts Rescan.
- Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
- Under Compromised Hosts Rescan Current ADOM Settings:
- Enable Current ADOM Compromised Hosts Rescan.
- Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
- Set the number of previous days’ logs that are scanned.
By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.
- All tasks are shown in the Rescan tasks table, which includes:
l The start and end time of each task. l The status of the task (complete, running, etc.). l How complete a task is, as a percentage. l The total number of scanned logs and the threat count (the number of logs with threats) for each task. l The IOC package update time. l A count of the new threats that were added in this update.
Running tasks can be canceled by clicking the Cancel button in the Status column.
- Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.
- Click Back to return to the settings window.
- Click OK to return to the compromised hosts list.
- In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.
Examples of using FortiView
You can use FortiView to find information about your network. The following are some examples.
Finding application and user information
Company ABC has over 1000 employees using different applications across different divisional areas, including supply chain, accounting, facilities and construction, administration, and IT.
The administration team received a $6000 invoice from a software provider to license an application called Widget-Pro. According to the software provider, an employee at Company ABC is using Widget-Pro software.
The system administrator wants to find who is using applications that are not in the company’s list of approved applications. The administrator also wants to determine whether the user is unknown to FortiGuard signatures, identify the list of users, and perform an analysis of their systems.
To find application and user information:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to SOC > FortiView > Applications & Websites > Top Applications.
- Click Add Filter, select Application, type Widget-Pro.
- If you do not find the application in the filtered results, go to Log View > Traffic.
- Click the Add Filter box, select Source IP, type the source IP address, and click Go.
Analyzing and reporting on network traffic
A new administrator starts at #1 Technical College. The school has a free WiFi for students on the condition that they accept the terms and policies for school use.
The new administrator is asked to analyze and report on the top source and destinations students visit, the source and destinations that consume the most bandwidth, and the number of attempts to visit blocked sites.
To review the source and destination traffic and bandwidth:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to SOC > FortiView > Traffic > Top Sources.
- Go to SOC > FortiView > Traffic > Top Destinations.
If available, select the icon beside the IP address to see its WHOIS information.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
In the compromised hosts list, often there is a discrepancy of the displayed ip addresses and hostnames. Our dhcp scope is for 8 hours and every day I check the compromised hosts list, often the logged in usernames along with the ip addresses and the usernames are misplaced. When I check the ipaddress on the dhcp address leases, it would point to a different host and many a times, I found the device in the dhcp address lease is the device which is infected and not the ones in the fortianalyzer. Have you come across this? Do we need to do any settings changed in the fortianalyzer to query the dhcp serverto display the accurate information?