Category Archives: FortiAnalyzer

Enabling and disabling SOC – FortiAnalyzer – FortiOS 6.2.3

Enabling and disabling SOC

The FortiAnalyzer SOC module can be disabled for performance tuning through the CLI. When disabled, the GUI will hide the SOC modules as well as the FortiView and Monitors panes, and stop background processing for this feature.

To disable SOC in the CLI:

config system global set disable-module fortiview-noc

end

To enable SOC in the CLI:

config system global unset disable-module end

Disabling the SOC module will cause the FortiAnalyzer to return the following error message when the FortiGate attempts to retrieve FortiAnalyzer data: Server Error: FortiView\/NOC function is disabled on FortiAnalyzer.

The FortiGate GUI displays the message: Failed to retrieve FortiView data.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Using FortiView – FortiAnalyzer – FortiOS 6.2.3

1 Reply

Using FortiView

Viewing FortiView dashboards

When viewing FortiView dashboards, use the controls in the toolbar to select a device, specify a time period, refresh the view, and switch to full-screen mode.

Many widgets on FortiView dashboards let you drill down to view more details. To drill down to view more details, click, double-click, or right-click an element to view details about different dimensions in different tabs. You can continue to drill down by double-clicking an entry. Click the close icon in the widget’s toolbar to return to the previous view. Many FortiView widgets support multiple chart types such as table view, bubble view, map view, tile view, etc.

In widgets that support multiple views, select the settings icon in the top-right corner of the widget to choose another view.
If sorting is available, there is a Sort By dropdown list in the top-left. l Some widgets have a Show dropdown list in the bottom-right for you to select how many items to display. l To sort by a column in table view, click the column title.
To view more information in graphical views such as bubble, map, or user view, hover the mouse over a graphical element.

Some dashboards include multiple widgets. For example, Applications & Websites > Top Cloud Applications includes widgets for Top Cloud Application and Top Cloud User.

Viewing the threat map

You can view an animated world map that displays threats from unified threat management logs. Threats are displayed in real-time. No replay or additional details are available.

You must specify the longitude and latitude of the device to enable threats for the device to display in the threat map. You can edit the device settings to identify the geographical location of the device in Device Manager. For more information, see Editing device information on page 29

To view the threat map:

Go to FortiView > Threats > Threat Map.
In the map, view the geographic location of the threats.

Threats are displayed when the threat level is greater than zero. l A yellow line indicates a high threat. l A red line indicates a critical threat.

In the Threat Window, view the Time, Threat, Source, Destination, and Severity(score).

Filtering FortiView

Filter FortiView widgets using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.

To filter FortiView widgets using filters in the toolbar:

Specify filters in the Add Filter
- Filter Mode: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or “or”.
- Text Search: Click the Switch to Text Search icon at the right end of the Add Filter In Text Search mode, enter the search criteria (log field names and values). Click the Switch to FilterMode icon to go back to Filter Mode.
In the Device list, select a device.
In the Time list, select a time period.

To filter FortiView widgets using the right-click menu:

In the selected view, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

Viewing related logs

You can view the related logs for a FortiView summary in Log View. When you view related logs, the same filters that you applied to the FortiView summary are applied to the log messages.

To view related logs for a FortiView summary, right-click the entry and select View Related Logs.

Exporting filtered summaries

You can export filtered FortiView summaries or from any level of drilldown to PDF and report charts. Filtered summaries are always exported in table format.

To export a filtered summary:

In the filtered summary view or its drilldown, select the tools icon in the top-right corner of the widget and choose Export to PDF or Export to Report Chart.
In the dialog box, review and configure settings:
- Specify a file name for the exported file. l In the Top field, specify the number of entries to export.
- If you are in a drilldown view, the tab you are in is selected by default. You can select more tabs. If you are exporting to report charts, the export creates one chart for each tab.
Click OK.

Charts are saved in the Chart Library. You can use them in the same way you use other charts.

Monitoring resource usage of devices

You can monitor how much FortiAnalyzer system resources (e.g., CPU, memory, and disk space) each device uses. When ADOMs are enabled, this information is displayed per ADOM. In a specific ADOM, you can view the resource usage information of all the devices under the ADOM.

Go to SOC > FortiView > System > Resource Usage to monitor resource usage for devices.

Long-lived session handling

Because traffic logs are only sent at the end of a session, long-lived sessions can be unintentionally excluded when narrowing searches in FortiView. To account for this, interim traffic logs can be enabled through FortiOS, allowing FortiView to show the trend of session history rather than one large volume once the session is closed.

For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with the Log ID of 20.

For interim traffic logs, the sentdelta and rcvddelta fields are filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
Interim traffic logs are not counted in Sessions, but the sentdelta and recvddelta in related traffic logs will be added when calculating the sent and received bytes.

When a long-lived session ends, a traffic log with a Log ID of 13 is sent which indicates the session is closed.

Viewing Compromised Hosts

Compromised Hosts or Indicators of Compromise Service (IOC) is a licensed feature.

To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your

FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard on page 106.

The Indicators of Compromise Service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.

FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event’s IP, domain, and URL in the following logs of each end user:

l Web filter logs. l DNS logs. l Traffic logs.

When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall IOC.

Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.

Understanding Compromised Hosts entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.

If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint’s statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.

When an endpoint is displayed in Compromised Hosts, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.

Working with Compromised Hosts information

Go to SOC > FortiView > Threats > Compromised Hosts.

When viewing Compromised Hosts:

Use the widget settings icon to select Table or Users format, set the refresh interval, and modify other widget settings.
Use the tools icon to export the information, edit rescan configuration, and set additional display options.
Use the toolbar to select devices, specify a time period, refresh the view, select a theme (Day, Night, and Ocean), and switch to full-screen mode.

When you view an event, the # of Threats is the number of unique Threat Names associated with that compromised host (end user).

When you drill down to view details, the # of Events is the number of logs matching each blacklist entry for that compromised host (end user).

To acknowledge a Compromised Hosts line item, click Ack on that line. l To filter entries, click Add Filter and specify devices or a time period.
To drill down and view threat details, double-click a tile or a row.

Incorrectly rated IOCs can be reported within the Threat Intel Lookup screen, accessible by double-clicking on an End User, selecting the detected pattern from the Blacklist, and clicking Report Misrated IOC.

Subscribing FortiAnalyzer to FortiGuard

To keep your FortiAnalyzer threat database up to date:

Ensure your FortiAnalyzer can reach FortiGuard at fortinet.com.
Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration.

No change is needed on the FortiAnalyzer side.

To subscribe FortiAnalyzer to FortiGuard:

Go to System Settings > Dashboard.
In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.

Managing a Compromised Hosts rescan policy

The Compromised Hosts scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Requirements for managing a Compromised Hosts rescan policy: l This feature requires a valid indicators of compromise (IOC) license. The rescan options will not be available in the GUI or CLI without a license.

l The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.

To configure rescan settings and check rescan results:

Go to SOC > FortiView > Threats > Compromised Hosts.
From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration. The Edit Compromised Hosts Rescan Policy Settings window opens.
Under Compromised Hosts Rescan Global Settings:
1. Enable Global Compromised Hosts Rescan.
2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
Under Compromised Hosts Rescan Current ADOM Settings:
1. Enable Current ADOM Compromised Hosts Rescan.
2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
3. Set the number of previous days’ logs that are scanned.

By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

All tasks are shown in the Rescan tasks table, which includes:

l The start and end time of each task. l The status of the task (complete, running, etc.). l How complete a task is, as a percentage. l The total number of scanned logs and the threat count (the number of logs with threats) for each task. l The IOC package update time. l A count of the new threats that were added in this update.

Running tasks can be canceled by clicking the Cancel button in the Status column.

Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.
Click Back to return to the settings window.
Click OK to return to the compromised hosts list.
In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

Examples of using FortiView

You can use FortiView to find information about your network. The following are some examples.

Finding application and user information

Company ABC has over 1000 employees using different applications across different divisional areas, including supply chain, accounting, facilities and construction, administration, and IT.

The administration team received a $6000 invoice from a software provider to license an application called Widget-Pro. According to the software provider, an employee at Company ABC is using Widget-Pro software.

The system administrator wants to find who is using applications that are not in the company’s list of approved applications. The administrator also wants to determine whether the user is unknown to FortiGuard signatures, identify the list of users, and perform an analysis of their systems.

To find application and user information:

If using ADOMs, ensure that you are in the correct ADOM.
Go to SOC > FortiView > Applications & Websites > Top Applications.
Click Add Filter, select Application, type Widget-Pro.
If you do not find the application in the filtered results, go to Log View > Traffic.
Click the Add Filter box, select Source IP, type the source IP address, and click Go.

Analyzing and reporting on network traffic

A new administrator starts at #1 Technical College. The school has a free WiFi for students on the condition that they accept the terms and policies for school use.

The new administrator is asked to analyze and report on the top source and destinations students visit, the source and destinations that consume the most bandwidth, and the number of attempts to visit blocked sites.

To review the source and destination traffic and bandwidth:

If using ADOMs, ensure that you are in the correct ADOM.
Go to SOC > FortiView > Traffic > Top Sources.
Go to SOC > FortiView > Traffic > Top Destinations.

If available, select the icon beside the IP address to see its WHOIS information.

FortiView – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

FortiView

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by user ID or local IP address, by application, and others. You can use it to investigate traffic activity such as user uploads/downloads or videos watched on YouTube on a network-wide user group or on an individual-user level.

In FortiView dashboards, you can view summaries of log data such as top threats to your network, top sources of network traffic, and top destinations of network traffic.

Depending on which dashboard you are viewing, information can be viewed in different formats: table, bubble, map, or tile. Alternative chart types are available in each widget’s Settings menu.

For each summary, you can drill down to see more details.

FortiGate, FortiCarrier, and FortiClient EMS devices support FortiView.

How ADOMs affect FortiView

When ADOMs are enabled, each ADOM has its own data analysis in FortiView.

Fabric ADOMs will show data analysis from all eligible devices in the Security Fabric.

Logs used for FortiView

FortiView displays data from Analytics logs. Data from Archive logs is not displayed in FortiView. For more information, see Analytics and Archive logs on page 22.

FortiView dashboards

Many dashboards display a historical chart in a table format to show changes over the selected time period.

If you sort by a different column, the chart shows the history of the sorted column. For example, if you sort by Sessions Blocked/Allowed, the chart shows the history of blocked and allowed sessions. If you sort by Bytes Sent/Received, the chart shows the history of bytes sent and received.

When you drill down to view a line item, the historical chart show changes for that line item.

FortiView dashboards for FortiGate and FortiCarrier devices

Category View		Description
Threats	Top Threats	Lists the top threats to your network. The following incidents are considered threats: l Risk applications detected by application control. l Intrusion incidents detected by IPS. l Malicious web sites detected by web filtering. l Malware/botnets detected by antivirus.
	Threat Map	Displays a map of the world that shows the top traffic destinations starting at the country of origin. Threats are displayed when the threat score is greater than zero and either the source or destination IP is a public IP address. The Threat Window below the map, shows the threat, source, destination, severity, and time. The color gradient of the lines indicate the traffic risk. A yellow line indicates a high risk and a red line indicates a critical risk. This view does not support filtering and Day, Night, and Ocean themes. See also Viewing the threat map on page 102.
	Compromised Hosts	Displays end users with suspicious web use compromises, including end users’ IP addresses, overall threat rating, and number of threats. To use this feature: 1. UTM logs of the connected FortiGate devices must be enabled. 2. The FortiAnalyzer must subscribe to FortiGuard to keep its threat database up-to-date.
	FortiSandbox Detection	Displays a summary of FortiSandbox related detections. The following information is displayed: Filename, End User and/or IP, Destination IP, Analysis (Clean, Suspicious or Malicious rating), Action (Passthrough, Blocked, etc.), and Service (HTTP, FTP, SMTP, etc.). Select an entry to view additional information in the drilldown menu. Clicking a FortiSandbox action listed in the Process Flow displays details about that action, including the Overview, Indicators, Behavior Chronology Chart, Tree View, and more. Information included in the Details and Tree View tab is only available with FortiSandbox 3.1.0 and above.

Category View		Description
Traffic	Top Source	Displays the highest network traffic by source IP address and interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
	Top Source Addresses	Displays the top source addresses by source object, interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
	Top Destinations	Displays the highest network traffic by destination IP addresses, the applications used to access the destination, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
	Top Destination Addresses	Displays the top destination addresses by destination objects, applications, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
	Top Country/Region	Displays the highest network traffic by country in terms of traffic sessions, including the destination, threat score, sessions, and bytes.
	Policy Hits	Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.
	DNS Logs	Summarizes the DNS activity on the network. Double click an entry to drill down to the specific details about that domain.
Applications & Websites	Top Applications	Displays the top applications used on the network including the application name, category, risk level, and sessions blocked and allowed. Bytes sent and received can also be enabled through the widget settings. For a usage example, see Finding application and user information on page 109.
	Top Cloud Applications	Displays the top cloud applications used on the network.
	Top Cloud Users	Displays the top cloud users on the network.
	Top Website Domains	Displays the top allowed and blocked website domains on the network.
	Top Website Categories	Displays the top website categories.
	Top Browsing Users	Displays the top web-browsing users, including source, group, number of sites visited, browsing time, and number of bytes sent and received.
VPN SSL & Dialup IPsec		Displays the users who are accessing the network by using the following types of security over a virtual private network (VPN) tunnel: secure socket layers (SSL) and Internet protocol security (IPsec).
Category View		Description
System		You can view VPN traffic for a specific user from the top view and drilldown views. In the top view, double-click a user to view the VPN traffic for the specific user. In the drilldown view, click an entry from the table to display the traffic logs that match the VPN user and the destination.
	Site-to-Site IPsec	Displays the names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.
	Admin Logins	Displays the users who logged into the managed device.
	System Events	Displays events on the managed device.
	Resource Usage	Displays device CPU, memory, logging, and other performance information for the managed device. Resource Usage includes two widgets: Resource Usage Average and Resource Usage Peak.
	Failed Authentication Attempts	Displays the IP addresses of the users who failed to log into the managed device.

SOC Monitoring – FortiAnalyzer – FortOS 6.2.3

Leave a reply

SOC Monitoring

Use the Security Operations Center (SOC) to view Monitors and FortiView.

Monitors are designed for network and security operation centers where dashboards are displayed across multiple large monitors.

Monitors

SOC (Security Operations Center) Monitors are designed for a network and security operations center where multiple dashboards are displayed in large monitors.

In the Monitors view, dashboards display both real-time monitoring and historical trends. Centralized monitoring and awareness help you to effectively monitor network events, threats, and security alerts. Use Monitors dashboards to view multiple panes of network activity, including monitoring network security, compromised hosts, endpoints, Security Fabric, WiFi security, and FAZ system performance.

A typical scenario is to set up dashboards and widgets to display information most relevant to your network and security operations. Use the main monitors in the middle to display important dashboards in a larger size. Then use the monitors on the sides to display other information in smaller widgets.

For example, use the top monitor in the middle to display the Top Threat Destinations widget in full screen, use the monitor(s) below that to display other Threat Monitor widgets, use the monitors on the left to display WiFi Monitor widgets at the top and FAZ Performance Monitor widgets at the bottom, and use the monitors on the right as a workspace to display widgets showing the busiest network activity. You can move, add, or remove widgets.

Monitors dashboards and widgets are very flexible and have the following features:

You can create predefined or custom dashboards. l For both predefined and custom dashboards, you can add, delete, move, or resize widgets. l You can add the same dashboard multiple times on the same or different monitors. l Each widget monitors one activity.
You can add the same widget multiple times and apply different settings to each one. For example, you can add widgets to monitor the same activity using a different chart type, refresh interval, or time period.
You can resize widgets or display a widget in full screen.

SOC monitor dashboards

SOC monitors include predefined dashboards.

Both predefined and custom dashboards can be modified with widgets, including: Threats widgets, Compromised Hosts widgets, Traffic widgets, Applications & Websites widgets, VPN widgets, WiFi widgets, Endpoints widgets, System widgets, Threat Research widgets, Security Fabric widgets, and FortiClient Software widgets.

For example, the default Threat Monitor dashboard includes four widgets: Threat Map, Top Threat Destinations, Top Threats, and Top Virus Incidents OverTime. These widgets can be removed, enlarged, reduced, or customized, and new widgets can be added to the dashboard.

For more information, see Customizing the Monitors dashboard on page 96.

SOC Monitors includes the following predefined dashboards:

Threats	Monitors the top security threats to your network.
Traffic	Monitors the traffic on your network.
Applications & Websites		Monitors the application and website traffic on your network.
Compromised Hosts		Monitors compromises and suspicious web use in your network.
FortiSandbox Detections		Monitors FortiSandbox detections on your network.
Endpoints		Monitors endpoint activity on your network.
Fabric State of Security		Monitors your network’s Security Fabric rating, score, and topology. This information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.
VPN		Monitors VPN activity on your network.
WiFi		Monitors WiFi access points and SSIDs.
Local System Performance		Monitors the local system performance of the FortiAnalyzer unit.
FortiClient Software Inventory		Monitors the FortiClient endpoints sending logs to FortiAnalyzer.
Archive		Includes FortiAnalyzer NOC-SOC modules from versions prior to 6.2.0.

Threats widgets

Threats includes the following widgets:

Top Threat Destinations	A world map, spinning 3D globe, or table showing the top 10, 20, 50, 100 threat destinations. On the map view, hover the cursor over data points to see the source device and IP address, destination IP address and country, threat level, and the number of incidents (blocked and allowed).
Top Threats	The top threats to your network. Hover the cursor over data points to see the threat, category, threat level, threat score (blocked and allowed), and the number of incidents (blocked and allowed). The following incidents are considered threats: l Risk applications detected by application control l Intrusion incidents detected by IPS l Malicious web sites detected by web filtering l Malware/botnets detected by antivirus
Top Threats (FortiClient)	The top threats to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets. Only visible in a Fabric ADOM.
Top Threats Over Time by Threat Scores		The historical threats to your network from risk applications, intrusion incidents, malicious web sites, and malware/botnets.
Top Threats by Weight & Count		The top threats by weight and count to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.
FortiSandbox Detection		FortiSandbox detection detail, including scan doc name, source user, destination IP, verdict level, action, and service.
FortiSandbox – Scanning Statistics		The number of files detected by FortiSandbox by type: Malicious, Suspicious, Clean, and Others.
FortiSandbox – Top Malicious & Suspicious File Users		Users or IP addresses that have the highest number of malicious and suspicious files detected by FortiSandbox.
Threat Map		Threats happening right now across the world.

Compromised Hosts widgets

Compromised Hosts includes the following widget:

Compromised Hosts

Suspicious web use compromises. By default, this widget includes two panes: Compromised Hosts and Compromised Hosts Incidents.

The Compromised Hosts pane automatically rotates through compromised hosts. You can pause autoplay or click > or < to manually move to another compromised host.

The Compromised Hosts Incidents pane displays a map of compromised hosts incidents.

Click Settings to change the number of top compromised hosts, Time Period, Refresh Interval, Autoplay Interval, and to show or hide Compromised Hosts Incidents.

Traffic widgets

Traffic includes the following widgets:

User Data Flow	Bandwidth breakdown of top user destination country/region or application usage.
Top Sources Today	Near real-time network traffic by blocked and allowed sessions.
Top Sources	The highest network traffic by source IP address and interface, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Source Address Objects	The highest network traffic by source address objects, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Country/Region	The highest network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Country/Region Over Time by Sessions	The historical network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Policy Hits	Top policy hits from recent traffic.
Policy Hits Over Time by Bandwidth	The historical policy hits from recent traffic.
Top Destinations	Top destinations from recent traffic.
Top Destination Address Objects	Top destination address objects from recent traffic.
Traffic Over Time by Sessions	The historical destinations from recent traffic.
Top Cloud Users	Top cloud users from recent traffic.
DNS Logs	Top DNS logs from recent traffic.
Top Source (FortiDDoS)	Top source IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Destination (FortiDDoS)	Top destination IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Type (FortiDDoS)	Top types from recent traffic. Only available in a Fabric ADOM.

Applications & Websites widgets

Applications & Websites includes the following widgets:

Top Applications	The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications Over Time by Sessions	The historical sessions of applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications (FortiClient)	The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received). Only available in a Fabric ADOM.
Top Cloud Applications	Top cloud applications from recent traffic.
Cloud Applications Over Time by Sessions	The historical sessions of cloud applications used on the network.
Top Website Domains	Top website domains from recent traffic.
Top Website Categories		Top website categories from recent traffic.
Top Website (FortiClient)		Top website domains from recent traffic. Only available in a Fabric ADOM.
Website Browsing Over Time by Sessions		The historical websites browsing sessions from recent traffic.
Top Browsing User		Top browsing users from recent traffic.
Browsing User Over Time by Bandwidth		The historical browsing users from recent traffic.

VPN widgets

VPN includes the following widgets:

Top Dialup VPN	The users accessing the network using SSL or IPsec over a VPN tunnel.
VPN Site-to-Site	The names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

WiFi widgets

WiFi includes the following widgets:

Authorized APs	The names of authorized WiFi access points on the network.
Top SSID	The top SSID (service set identifiers) of authorized WiFi access points on the network. Hover the cursor over data points to see the SSID and bytes (sent and received).
Top SSID Over Time by Bandwidth	The historical SSID (service set identifiers) traffic of authorized WiFi access points on the network.
Top Rogue APs	The top SSID (service set identifiers) of unauthorized WiFi access points on the network. Hover the cursor over data points to see the SSID and total live time.
WiFi Clients	The top WiFi access points on the network by bandwidth/sessions.

Endpoints widgets

Endpoints includes the following widgets:

Top Endpoint Vulnerabilities	Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID.
Top Endpoint Vulnerabilities (FortiClient)		Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID. Only available in a Fabric ADOM.
Top Endpoint Devices with Vulnerabilities		Vulnerability information about FortiClient endpoints including source IP address and device.
Top Endpoint Devices with Vulnerabilities (FortiClient)		Vulnerability information about FortiClient endpoints including source IP address and device. Only available in a Fabric ADOM.
User Vulnerabilities Summary		User vulnerabilities summary.
All Endpoints		All endpoints.
All Endpoints (FortiClient)		All endpoints.
Top Endpoint Threats		Top threats from all endpoints.
Top Endpoints Applications		Top applications from all endpoints. Only available in a Fabric ADOM.

System widgets

This dashboard monitors the system performance of the FortiAnalyzer unit running SOC and not the logging devices. It includes the following widgets:

CPU & Memory Usage	The usage status of the CPU and memory.
Multi Core CPU Usage	The usage status of a multi-core CPU.
Insert Rate vs Receive Rate	The number of logs received vs the number of logs actively inserted into the database, including the maximum and minimum rates. l Receive rate: how many logs are being received. l Insert rate: how many logs are being actively inserted into the database. If the insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.
Receive Rate vs Forwarding Rate	The number of logs received vs the number of logs forwarded out, including the maximum and minimum rates. l Receive rate: how many logs are being received. l Forward rate: how many logs are being forwarded out.
Disk I/O		The disk Transaction Rate (I/Os per second), Throughput (KB/s), or Utilization (%). The Transaction Rate and Throughput graphs also show the maximum and minimum disk activity.
Resource Usage Average		Overview of average resource usage history across all devices.
Resource Usage Peak		Overview of peak resource usage history across all devices.
Admin Logins		Top admin logins from recent traffic.
System Events		Top system events from recent traffic.
Failed Authentication Attempts		Top unauthorized connections from recent traffic.

Threat Research widgets

Threat Research includes the following widgets:

Worldwide Threat

Prevalence – Today

(UTC)

The top virus, IPS, botnet, and application threats globally today based on UTC. This data is from FortiGuard and not from FortiGate.

Top Virus

Incidents Over

Time

Local virus incidents in the last one month.

Security Fabric widgets

Security Fabric includes the following widgets.

This information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

Security Fabric Rating Report	A report showing the security rating details of connected Security Fabric devices. Click a milestone to drill down and hover the cursor over data points to see more details.
Security Fabric Score	The current and historical Security Fabric scores. The Historical Security Fabric Scores pane displays your Security Fabric score over time and how it compares to the industry average and the industry score range. You can hide the Historical Security Fabric Scores pane.
Security Fabric Topology	A topology map showing the logical structure of connected Security Fabric devices.
Best Practices Overview	Overview of the device best practices across regions of North America, Latin America, EMEA, and APAC.

FortiClient Software widgets

FortiClient Software includes the following widget:

FortiClient

Software Inventory

The total number of apps installed, top apps, new apps installed, top apps by installs, and top hosts by number of apps.

Using the Monitors dashboard

SOC monitors dashboards contain widgets that provide network and security information. Use the controls in the dashboard toolbar to work with a dashboard.

Add Widget	Add widgets to a predefined or custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Dashboard	Create a new dashboard or reset a predefined dashboard to its default settings. For custom dashboards, you can rename or delete the custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Create New	Create a new dashboard.
Reset	Reset a predefined dashboard to its default widgets and settings.
Rename	Rename a custom dashboard.
Delete	Delete a custom dashboard.
Devices	Select the devices to include in the widget data. The device list will also include a Security Fabric if available. To select a Security Fabric, you need to first create a Security Fabric group in FortiGate and add the Security Fabric group in FortiAnalyzer.
Time Period	Select a time period from the dropdown menu, or set a custom time period.
Refresh	Refresh the data in the widgets.
Background color	Change the background color of the dashboard to make widgets easier to view in different room lighting. l Day shows a brighter gray background color. l Night shows a black background. l Ocean shows a blue background color.
Hide Side-menu or Show Side-menu	Hide or show the tree menu on the left. In a typical SOC environment, the side menu is hidden and dashboards are displayed in full screen mode.

Use the controls in the widget title bar to work with widgets.

Settings icon	Change the settings of the widget. Widgets have settings applicable to that widget, such as how many of the top items to display, Time Period, Refresh Interval, and Chart Type.
View different chart types		Some widget settings let you choose different chart types such as the Disk I/O and Top Countries widget. You can add these widgets multiple times and set each widget to show a different chart type.
Hide or show a data type		For widgets that show different data types, click a data type in the title bar to hide or show that data type in the graph. For example, in the Insert Rate vs Receive Rate widget, click Receive Rate or Insert Rate in the title bar to hide or show that data. In the Disk I/O widget, click Read or Write in the title bar to hide or show that data type.
Remove widget icon		Delete the widget from a predefined or custom dashboard.
Move widget		Click and drag a widget’s title bar to move it to another location.
Resize widget		Click and drag the resize button in the bottom-right of the widget.
View more details		Hover the cursor over a widget’s data points to see more details.
View a narrower time period		Some widgets have buttons below the graph. Click and drag the buttons to view a narrower time period.
Zoom in and out		For widgets that show information on a map such as the Top Threat Destinations widget, use the scroll wheel to change the zoom level. Click and drag the map to view a different area.

Customizing the Monitors dashboard

You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot rename or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click Dashboard > Reset.

You can add the same widget multiple times and configure each one differently, such as showing a different Time Period, Refresh Interval, or Chart Type.

To create a dashboard:

In the toolbar, click Dashboard > Create New.
Specify the Name and whether you want to create a blank dashboard or use a template.

If you select From Template, specify which predefined dashboard you want to use as a template.

Click OK. The new dashboard appears In the tree menu.

To display Security Fabric in Monitors:

Create a Security Fabric in FortiGate.
Add the Security Fabric in FortiAnalyzer.
Go to SOC > Monitors > Dashboards.
Select the Fabric State of Security dashboard.
Select the Security Fabric from the Devices

To add a widget:

Select the predefined or custom dashboard where you want to add a widget.
Click Add Widget to expand the menu; then locate the widget you want to add.
Click the + button to add widgets.
When you have finished adding widgets, click the close button to close the Add Widget

Incidents – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Incidents

To view incidents, go to Incidents & Events > Incidents > All Incidents.

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

Raising an incident

You can raise an incident only from alerts generated for one endpoint.

You can raise an incident in the following ways:

In Incidents & Events > Incidents > All Incidents, click Create New in the toolbar. This opens the Create New Incident
In Incidents & Events > All Events, right-click an event and select Raise Incident. This opens the Raise Incident pane with the applicable fields filled in, such as the Affected Endpoint.

Following is a description of the options available in the Create New Incident and Raise Incident pane.

Incident Reporter	The admin account raising the incident. This field cannot be changed.
Incident Category	Select a category from the dropdown list.
Severity	Select a severity level from the dropdown list.
Status	Select a status from the dropdown list.
Affected Endpoint	In the Raise Incident pane, the affected endpoint is filled in and cannot be changed. In the Create New Incident pane, select the affected endpoint from the dropdown list.
Description	If you wish, enter a description.

Analyzing an incident

In Incidents & Events > Incidents > All Incidents, double-click an incident or right-click an incident and select Analysis Page.

The incident analysis page shows the incident’s Affected Endpoint and User, Incident Life Cycle, Incident Info, Timeline, and Events related to the incident.

In the Incident Info panel, you can change the Incident Category, Severity, Status, and Description.

In the Events panel, you can review and delete events attached to the incident.

Configuring incident settings

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

When an incident is created, updated, or deleted, you can send a notification to external platforms using selected fabric connectors.

To configure incident notification settings:

Go to Incidents & Events > Incidents > Incident Settings.
Select a Fabric Connector from the dropdown list.
Select which notifications you want to receive: l Send notification when new incident is created. Incidents with draft status will not triggernotification. l Send notification when new incident is updated. l Send notification when new incident is deleted.
To add more fabric connectors, click Add Fabric Connector and repeat the above steps to configure notification settings.

Subnet lists – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Subnet lists

In Incidents & Events, you can define subnet lists which can be added to subnet groups.

Subnet lists and groups can be used to create a whitelist or blacklist in event handlers.

Creating a subnet list

To create a new subnet:

Go to Incidents & Events > Subnet Lists.
Select Create New > Subnet.
Enter a name for the subnet.
Select a Subnet type and configure the corresponding information. Subnet types include: l Subnet Notation l IP Range l Batch Add
Select OK.

Once a subnet has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in Subnet List toolbar.

Creating a subnet group

To create a subnet group:

Go to Incidents & Events > Subnet List.
Select Create New > Subnet Group.
Enter a name for the subnet group.
Select the subnet entries to be included in the group and select OK in the pop-up window.
Select OK.

Once a subnet group has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in Subnet List toolbar.

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler to enable or prevent it from triggering an event. Creating a subnet whitelist/blacklist for event handlers eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:

Go to Incidents & Events > Event HandlerList.
Select an event handler to edit from the list.
In the Subnet category, select Specify.
Choose which subnets to include or exclude by selecting them from the corresponding dropdown menu.
Select OK.

Understanding event statuses – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzerto choose is selected, the event status for UTM events is applied based on the following:

Event status		Description
Unhandled		The security event risk is not mitigated or contained, so it is considered open. Example: an IPS/AV log with action=pass will have the event status Unhandled. Botnet and IoC events are also considered Unhandled.
Contained		The risk source is isolated. Example: an AV log with action=quarantine will have the event status Contained.
Mitigated		The security risk is mitigated by being blocked or dropped.
Event status		Description
		Example: an IPS/AV log with action=block/drop will have the event status Mitigated.
(Blank)		Other scenarios.

Creating custom views – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Creating custom views

To create a custom view:

Go to Incidents & Events.
Select an existing view to copy.
Select Add Filters to add any additional filters you want to include in the custom view.
Select the custom view icon on the top-right side of the toolbar.
Enter a name for the custom view and assign it to one of the following categories:

l By Endpoint l By Threat l System Events l Custom View

Select OK to save the view.

Once the custom view is created, you can modify it further by removing or adding filters. Modifications can be saved by selecting the custom view icon and choosing Save or Save As to save the changes as a new view.