Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.b
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiEndpoint Administration Guide

    Forensics

    Forensics

    The Forensics functionality is unavailable for mobile incidents.

    Use the Forensics menu to delve deeply into the actual internals of the communicating devices’ operating system that led up to the security event.

    The Forensic Viewer provides an abundance of deep analysis and drill-down options that reveal the process flows, memory stacks and a variety of operating system parameters in a graphic view, such as:

    • Infected device and application details.
    • Evidence path, which includes the process that the threat actor violated and which type of violation was executed.
    • Side-by-side security event comparisons.

    The first stage of working with Forensics is to select one or more security event aggregations or security events to analyze. To do so, use one of the methods below:

    • In the Incidents view, select a security event aggregation and then click the Forensics button (). Selecting a security event aggregation lets you analyze the aggregation of events triggered on this process.

      In this case, the Forensics viewer shows a separate tab for each security event associated with the security event aggregation. For example, the figure below shows 4 tabs for a security event aggregation containing two events.

    • Select an individual security event in the Event Viewer and then click the Forensics button (). In this case, the Forensics viewer shows a single tab for the selected security event, with all of its related variants.
    • Select a variant when in drill down, and then click the Forensics button (). In this case, the Forensics Viewer shows a single tab for the selected security event with a single variant.
    To perform deep Forensic analysis:
    1. Select the security events to analyze using one of the methods described in Incidents.

      Selected security events that are currently loaded to the Forensics Viewer are marked in the Incidents with a fingerprint icon.

    2. Each selected security event is then displayed in the Incidents as a separate tab:

      Each tab shows the same information as in the Incidents, with additional information as described below.

      The following options for viewing more information are provided:

      In the Variants area, expand and select all or specific variants to display for a security event.

      Click the Threat Hunting button to review relevant Activity Events in the Threat Hunting tab.

    Note

    The Connect to Device button opens a console that provides direct access to EDR-protected devices.
    Previous
    Next

    Forensics

    Forensics

    The Forensics functionality is unavailable for mobile incidents.

    Use the Forensics menu to delve deeply into the actual internals of the communicating devices’ operating system that led up to the security event.

    The Forensic Viewer provides an abundance of deep analysis and drill-down options that reveal the process flows, memory stacks and a variety of operating system parameters in a graphic view, such as:

    • Infected device and application details.
    • Evidence path, which includes the process that the threat actor violated and which type of violation was executed.
    • Side-by-side security event comparisons.

    The first stage of working with Forensics is to select one or more security event aggregations or security events to analyze. To do so, use one of the methods below:

    • In the Incidents view, select a security event aggregation and then click the Forensics button (). Selecting a security event aggregation lets you analyze the aggregation of events triggered on this process.

      In this case, the Forensics viewer shows a separate tab for each security event associated with the security event aggregation. For example, the figure below shows 4 tabs for a security event aggregation containing two events.

    • Select an individual security event in the Event Viewer and then click the Forensics button (). In this case, the Forensics viewer shows a single tab for the selected security event, with all of its related variants.
    • Select a variant when in drill down, and then click the Forensics button (). In this case, the Forensics Viewer shows a single tab for the selected security event with a single variant.
    To perform deep Forensic analysis:
    1. Select the security events to analyze using one of the methods described in Incidents.

      Selected security events that are currently loaded to the Forensics Viewer are marked in the Incidents with a fingerprint icon.

    2. Each selected security event is then displayed in the Incidents as a separate tab:

      Each tab shows the same information as in the Incidents, with additional information as described below.

      The following options for viewing more information are provided:

      In the Variants area, expand and select all or specific variants to display for a security event.

      Click the Threat Hunting button to review relevant Activity Events in the Threat Hunting tab.

    Note

    The Connect to Device button opens a console that provides direct access to EDR-protected devices.
    Previous
    Next