
Administration Guide

Analyzing an incident

In Incidents & Events > Incidents, double-click an incident or right-click an incident and select Analysis.

The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

In the incident information panel, you can change information collected about the incident.

In order to assist SOC analysts during their investigation, information including comments and reports can be attached to incidents.

In the Events panel, you can review and delete events attached to the incident. See Raising an incident.

The Analysis page includes the following information and features:

Panel

Description

Incident information

General information about the incident.

Click Edit to modify the following information:

  • Incident Number: The unique incident ID. This is displayed, but cannot be modified.
  • Incident Date/Time: The date and time that the incident was created. This is displayed, but cannot be modified.
  • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.
  • Severity: The severity of the incident, including High, Medium, and Low.
  • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.
  • Affected Endpoint: The endpoint associated with this incident. This is displayed, but cannot be modified.
  • Description: A description of the incident provided by the administrator.
  • Assigned To: A dropdown menu of administrators to which the incident can be assigned.

Click Refresh to manually update the displayed information.

Affected Endpoint/User

Information about the affected endpoint/user. When multiple endpoints/users are associated with the incident, the total number is displayed and you can click the forward or backwards arrow on the tile to cycle between them.

Executed Playbooks

The history of executed playbooks related to the incident.

Click Execute Playbook to run a playbook configured with the On_Demand trigger. See Automation.

Audit History

Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

Click Expand All to see additional details.

Incident Timeline

The timeline of the events raised for the incident.

Scroll using your mouse wheel to change the displayed time frame.

Comments

Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

Enter a comment and click POST to create a new comment.

Existing comments can be edited and deleted by administrators.

Events

Displays the events that have been raised for this incident.

Reports

Attach and manage reports related to this incident.

See Adding reports to an incident.

Indicators

Displays indicators attached to an incident from FortiGuard, FortiMail, or event handlers.

Hover your mouse over an indicator to view detailed information from FortiGuard or click Details under Results to view information from FortiMail including sender reputation and email statistics.

Indicator information can be attached to incidents using the FortiGuard and FortiMail connector in playbooks, or when an incident is created from an event that includes indicators identified in the event handler.

Affected Assets

Displays affected asset(s) in a table. Includes the host, user, IP address, and MAC address of the asset.

Selecting a user shows endpoint information in a window.

Processes

Displays endpoint processes associated with this incident including the process ID, process path, and network connection.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Processes can be displayed in a table format or as raw data.

Software

Displays endpoint software associated with this incident including the software, installation path, and installation time.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Software can be displayed in a table format or as raw data.

Vulnerabilities

Displays endpoint vulnerabilities associated with this incident including the vulnerability name, ID, severity, and category.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Vulnerabilities can be displayed in a table format or as raw data.

Note

Some features of incident analysis are only available with the applicable license.
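The following is an added example, not FortiAnalyzer code, that models the Incident information panel described above: it applies only the fields that Edit is allowed to change, validates values against the category, severity, and status lists the table gives, and writes each change into an audit history in the way the Audit History panel records the user and the type of change. The incident number, endpoint name, and user names are constructed sample values.

```python
# Added example (not Fortinet code): a minimal model of the incident
# information panel. It rejects edits to fields the page marks read-only,
# validates the listed enumerations, and records an audit entry per change.
from dataclasses import dataclass, field
from datetime import datetime, timezone

CATEGORIES = {"Unauthorized Access", "Denial of Service (DoS)", "Malicious Code",
              "Improper Usage", "Scans/Probes/Attempted Access", "Uncategorized"}
SEVERITIES = {"High", "Medium", "Low"}
STATUSES = {"New", "Analysis", "Response", "Closed: Remediated", "Closed: False Positive"}
# Fields the page describes as "displayed, but cannot be modified".
READ_ONLY = {"incident_number", "created", "affected_endpoint"}
ALLOWED = {"category": CATEGORIES, "severity": SEVERITIES, "status": STATUSES}


@dataclass
class Incident:
    incident_number: str          # constructed sample, e.g. "IN-0001"
    created: datetime
    affected_endpoint: str
    category: str = "Uncategorized"
    severity: str = "Low"
    status: str = "New"
    description: str = ""
    assigned_to: str = ""
    audit_history: list = field(default_factory=list)

    def edit(self, user: str, **changes) -> list:
        """Apply `changes` on behalf of `user`.

        Raises ValueError for read-only or unknown fields and for values outside
        the page's enumerations. Returns the audit entries written by this edit;
        unchanged values produce no entry.
        """
        entries = []
        for name, new in changes.items():
            if name in READ_ONLY:
                raise ValueError(f"{name} is displayed but cannot be modified")
            if name not in self.__dataclass_fields__ or name == "audit_history":
                raise ValueError(f"unknown field {name}")
            if name in ALLOWED and new not in ALLOWED[name]:
                raise ValueError(f"invalid {name}: {new!r}")
            old = getattr(self, name)
            if old == new:
                continue
            setattr(self, name, new)
            entries.append({"time": datetime.now(timezone.utc), "user": user,
                            "field": name, "old": old, "new": new})
        self.audit_history.extend(entries)
        return entries
```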
