Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.b
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiEndpoint Administration Guide

    Investigation View

    Investigation View

    The Investigation View window is accessible from the Details Pane using the Investigation View button () of an event under Threat Hunting. It helps understand the flow of activity events during Threat Hunting with a dynamic and interactive graphical view of the activity events details: source, action and target.

    The graphical view provides the ability to add more activity events to the graph and show the relationship and timeline of the occurrence of those activities, such as the following:

    • All actions performed by a given process

    • All files the process has created or updated

    • All IPs the process has initiated communication with

    It also allows you to interactively view a chain of activity events in the following ways:

    • Browse between the various processes involved in the chain

    • See all activity events related to one node and decide which nodes to add to the graph

    Note

    The view adds visualization and interaction of existing data that is already available in other non-graphical and non-interactive forms without creating or generating any additional data.

    The following figure illustrates the various components of an Investigation View window launched from the Details Pane under Threat Hunting, which has the window title "Threat Hunting + activity name.

    Note

    Compared with the Investigation View window launched from the Incidents view, this view has the following limitations:

    • Some threat hunting and investigation capabilities are unavailable, such as exporting the graph as JSON, variants navigation graph, and Stacks view.

    • Some general event details are missing in the first row, such as classification and incident response.

    Component

    Description
    1

    General details about the device that generated the event, such as Collector status, process name, and IP address.
    2

    Use the Export button () to export the Investigation View window as an SVG file to share with others or for record reasons.

    This is the only option to save a graph that includes dynamic changes based on the default graph view, such as adding processes.
    3

    Graphical flow diagram with a process tree that you can build according to your investigation needs, from left to right and top to bottom. The tree is also interactive, which means you can click on a specific component to drill down for more details or contextual actions.

    A

    Node—Source of an activity or event, which can be a process, an endpoint, a thread or service, or another security product. Nodes are represented by boxes with icons for the activity type, some with descriptions under the boxes.

    • Click on a node to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific node.

    • Click the Collapse () or Expand () icon in the right of a node icon to show or hide all the downstream nodes, edges, and leaves.

    • Right-click a node to perform actions allowed on the node, including any custom actions you defined. These action buttons also appear in the Details Pane, which is available on the right after you click the node.

      The list of available options varies by node type. The following is an example list of actions for a process node.

    B

    Edge—Activity event type or action represented by a curved line with an arrow. An edge can be one activity event/action or an aggregation of several. The numbered arrows indicate the sequence of actions and specify the action that was performed, such as Process Creation, Socket Close, Block and so on. Multiple operations performed between two processes are represented by multiple arrows between them. Edges that triggered the event are indicated in red.

    Click on an edge to display the Details pane on the right with contextual information about that specific edge.

    Edges may also have icons below them indicating classification or MITRE & Behavior models. Click on an icon for more detailed information.

    C

    Leaf—Target of activity event of type File, Registry Key, Registry Value, Network components (IP/DNS/URL). A leaf can also be a group of artifacts. For example, all the files created or modified by a process. Leaves have a round shape ().

    • Click on a leaf to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific leaf.

    • Right-click a leaf to perform actions allowed on the leaf, including any custom actions you defined. These action buttons are also available in the Details Pane, which appear on the right after you click the leaf.

      The list of available options varies by leaf type. The following is an example list of actions for a network leaf:

    D

    Hint—Categorized groups of activities related to a node that are not part of the main chain of activity events and thus not represented in the graphical diagram. Click a node to show the number of relevant activities. The hints no longer display after you move the selection to another node or edge.

    • Click the Expand () or Collapse () icon near a leaf hint to show or hide the node or leaf list of that type.

    • Right-click the type name of a hint and select Add to graph to add the relevant leaves to the graph or select View activity event to pull out the Activity events tables for this specific file type. The Add to graph option is unavailable when the number of hints exceeds 500, in which case you can only choose to view the activity event.

    E

    Use the MITRE & Behavior legend to highlight the corresponding icons below relevant edges in the diagram.

    F

    • Use the Zoom In (), Zoom Out (), and Zoom To Fit () buttons to adjust the graph window size.

    • Use the Reset () button to restore the graph to the default view.

    • Use the Undo () button to cancel an operation.
    4

    Details pane for the selected node, edge, or leaf where you can view details of the activity, action, or target, and perform common actions on a node or leaf, such as retrieving a file, remediating devices upon malware detection, or adding an application to the Application Control policy blocklist. The actions can also be performed by right-clicking a node or leaf and selecting the option from the menu. For specific leaf types, this pane also includes an Insights tab which allows you to run queries to retrieve analytics data, such as the number of communicating processes or devices of a certain IP. The Insights options are also available from the right-click menu of those leaf types.
    5

    Contextual Activity events tables for the selected node or leaf organized by tabs of activity types. Drag the top edge of the table up for a fuller view of the table. Activities with a number at the front of the row are already in the graph and the number matches the one in the graph.

    • To add activities to the graph, select the corresponding rows and click Add to graph ().

    • To customize the columns to display in the table, click Customize ().

    • To search for a specific activity or event, enter keywords in the search bar on the top right corner ().

    • To filter the results in the Activity Events table to include or exclude a specific value, use the green plus () and red minus () icons that appear when you hover over the value. Multiple filters are supported. To delete a filter, click the cancel icon that appear when you hover over the filter on the top-left of the table.
    Previous
    Next

    Investigation View

    Investigation View

    The Investigation View window is accessible from the Details Pane using the Investigation View button () of an event under Threat Hunting. It helps understand the flow of activity events during Threat Hunting with a dynamic and interactive graphical view of the activity events details: source, action and target.

    The graphical view provides the ability to add more activity events to the graph and show the relationship and timeline of the occurrence of those activities, such as the following:

    • All actions performed by a given process

    • All files the process has created or updated

    • All IPs the process has initiated communication with

    It also allows you to interactively view a chain of activity events in the following ways:

    • Browse between the various processes involved in the chain

    • See all activity events related to one node and decide which nodes to add to the graph

    Note

    The view adds visualization and interaction of existing data that is already available in other non-graphical and non-interactive forms without creating or generating any additional data.

    The following figure illustrates the various components of an Investigation View window launched from the Details Pane under Threat Hunting, which has the window title "Threat Hunting + activity name.

    Note

    Compared with the Investigation View window launched from the Incidents view, this view has the following limitations:

    • Some threat hunting and investigation capabilities are unavailable, such as exporting the graph as JSON, variants navigation graph, and Stacks view.

    • Some general event details are missing in the first row, such as classification and incident response.

    Component

    Description
    1

    General details about the device that generated the event, such as Collector status, process name, and IP address.
    2

    Use the Export button () to export the Investigation View window as an SVG file to share with others or for record reasons.

    This is the only option to save a graph that includes dynamic changes based on the default graph view, such as adding processes.
    3

    Graphical flow diagram with a process tree that you can build according to your investigation needs, from left to right and top to bottom. The tree is also interactive, which means you can click on a specific component to drill down for more details or contextual actions.

    A

    Node—Source of an activity or event, which can be a process, an endpoint, a thread or service, or another security product. Nodes are represented by boxes with icons for the activity type, some with descriptions under the boxes.

    • Click on a node to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific node.

    • Click the Collapse () or Expand () icon in the right of a node icon to show or hide all the downstream nodes, edges, and leaves.

    • Right-click a node to perform actions allowed on the node, including any custom actions you defined. These action buttons also appear in the Details Pane, which is available on the right after you click the node.

      The list of available options varies by node type. The following is an example list of actions for a process node.

    B

    Edge—Activity event type or action represented by a curved line with an arrow. An edge can be one activity event/action or an aggregation of several. The numbered arrows indicate the sequence of actions and specify the action that was performed, such as Process Creation, Socket Close, Block and so on. Multiple operations performed between two processes are represented by multiple arrows between them. Edges that triggered the event are indicated in red.

    Click on an edge to display the Details pane on the right with contextual information about that specific edge.

    Edges may also have icons below them indicating classification or MITRE & Behavior models. Click on an icon for more detailed information.

    C

    Leaf—Target of activity event of type File, Registry Key, Registry Value, Network components (IP/DNS/URL). A leaf can also be a group of artifacts. For example, all the files created or modified by a process. Leaves have a round shape ().

    • Click on a leaf to display the Details pane on the right and the Activity events tables on the bottom with contextual information about that specific leaf.

    • Right-click a leaf to perform actions allowed on the leaf, including any custom actions you defined. These action buttons are also available in the Details Pane, which appear on the right after you click the leaf.

      The list of available options varies by leaf type. The following is an example list of actions for a network leaf:

    D

    Hint—Categorized groups of activities related to a node that are not part of the main chain of activity events and thus not represented in the graphical diagram. Click a node to show the number of relevant activities. The hints no longer display after you move the selection to another node or edge.

    • Click the Expand () or Collapse () icon near a leaf hint to show or hide the node or leaf list of that type.

    • Right-click the type name of a hint and select Add to graph to add the relevant leaves to the graph or select View activity event to pull out the Activity events tables for this specific file type. The Add to graph option is unavailable when the number of hints exceeds 500, in which case you can only choose to view the activity event.

    E

    Use the MITRE & Behavior legend to highlight the corresponding icons below relevant edges in the diagram.

    F

    • Use the Zoom In (), Zoom Out (), and Zoom To Fit () buttons to adjust the graph window size.

    • Use the Reset () button to restore the graph to the default view.

    • Use the Undo () button to cancel an operation.
    4

    Details pane for the selected node, edge, or leaf where you can view details of the activity, action, or target, and perform common actions on a node or leaf, such as retrieving a file, remediating devices upon malware detection, or adding an application to the Application Control policy blocklist. The actions can also be performed by right-clicking a node or leaf and selecting the option from the menu. For specific leaf types, this pane also includes an Insights tab which allows you to run queries to retrieve analytics data, such as the number of communicating processes or devices of a certain IP. The Insights options are also available from the right-click menu of those leaf types.
    5

    Contextual Activity events tables for the selected node or leaf organized by tabs of activity types. Drag the top edge of the table up for a fuller view of the table. Activities with a number at the front of the row are already in the graph and the number matches the one in the graph.

    • To add activities to the graph, select the corresponding rows and click Add to graph ().

    • To customize the columns to display in the table, click Customize ().

    • To search for a specific activity or event, enter keywords in the search bar on the top right corner ().

    • To filter the results in the Activity Events table to include or exclude a specific value, use the green plus () and red minus () icons that appear when you hover over the value. Multiple filters are supported. To delete a filter, click the cancel icon that appear when you hover over the filter on the top-left of the table.
    Previous
    Next