This is an enhancement to the FortiSOC module supporting multiple endpoints and users for incidents.
- In the Event Monitor, you can raise or add events with multiple endpoints and users to an incident.
When endpoints/users are manually raised or added to an incident, only the first endpoint is displayed when the incident is raised, and there is a delay of approximately five seconds before multiple endpoint/user information appears on the incident analysis page. When a playbook runs a task using the local connector to create an incident, there is a delay of approximately 20 seconds before all information is displayed.
- On the incident analysis page, information about multiple endpoints/users is available in the Affected Assets tab.
You can also click the navigation arrows in the Affected Endpoint/User widget to show additional users and endpoints.
Click a user in the Affected Assets list to see additional endpoint information in a dialog window.