
Introduction

FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you detect, respond to, and manage risky behaviors that put your organization's business-critical data at risk. FortiInsight combines powerful and flexible machine learning with detailed forensics around user actions to provide complete visibility of activities around your organization's data. By monitoring user behavior and data movement both on and off your organization's network, and instantly alerting you to anomalous activities, FortiInsight helps you strengthen your security posture, protect your sensitive information, and support regulatory compliance.

What's new in FortiInsight Cloud version 21.2

The following table lists new features and enhancements in FortiInsight Cloud version 21.2.

Feature                           Description
Enhanced User Profile / Timeline  • User Context Dashboard. A dashboard giving a high-level overview of user activity.
                                  • User Context Timeline
                                  • User Context Details
                                  • User Context Tracking
Updated Policies                  The following policies have been updated to reduce noise:
                                  • File Downloaded Through a LOLBAS Binary
                                  • PSExec Executed On All Machines In Domain

Enhanced User Profile / Timeline

User Context Dashboard

From Threat Hunting > Live, for example, right-click the user and select View User Profile. The user profile is now displayed in a widget style, like the FortiInsight Dashboard. Widget data can be exported to file, maximised for viewing, or drilled down into to view the low-level data.

User Context Timeline

From Contexts > Users on the navigation pane, user activity is shown on a new timeline chart detailing the number of active users at a given time.

Hovering over the bar will highlight the number of users.

Double clicking on the bar displays enhanced user information for those users, such as:

  • Department—Corporate department the user works in.
  • Manager—Full name of the user's manager. Click to navigate to the manager's user profile.
  • Status—Whether the user's account is active or disabled.

User Context Details

From Contexts > Users on the navigation pane, clicking on the user name field now displays the user context details in a standardized view. Previously, these details were displayed by hovering over the user's name.

User Context Tracking

The LDAP agent allows you to sync your Active Directory to FortiInsight. Its aim is to make searches more effective by letting you search on individual users, their managers, department and location.

To install the agent:

  1. Go to Contexts.
  2. Select Users.
  3. Select Download LDAP Client.
  4. Click Download.

FortiInsight Agents

Feature            Description
Mac Connector      • Adds support for MacOSX 11 “Big Sur”
                   • Integrates with the Endpoint Security Framework provided by MacOSX
                   • All “new process created” activities now report the command line arguments used to start the process
Windows Connector  • Support for “shift-delete” on files or folders has been added, ensuring these are reported correctly as “file deleted” events.
                   • You can now ensure that the endpoint agent verifies SSL/TLS certificates before attempting to send data.
                   • Added further enhancements to “file uploaded” and “file downloaded” events.
                   • Support added for very short-lived processes, to ensure that collection is not disrupted.

Mac Connector

Endpoint Security Framework

The MacOSX connector now integrates directly with the Endpoint Security Framework provided by Apple. Internally, this ensures that all events are now collected via this method rather than through a custom Kext module. It also allows support for MacOSX 11 (Big Sur).

Command Line Arguments

Command line arguments, if applicable, are now shown for each Mac event, to standardise agent collection of data.

Windows Connector

Files Deleted Event for Shift Delete

Shift delete operations and removable media deletes have been added to the Windows connector and are shown as File Deleted operations in FortiInsight.

Verify SSL Certificate

When installing the Windows agent, if the Verify host TLS/SSL certificate box is ticked, any connection to the host will be blocked if the SSL/TLS certificate is invalid or the URL does not match the certificate. This is disabled by default.
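To make concrete what the Verify host TLS/SSL certificate setting changes, here is an added example in Go. It is not FortiInsight code and does not describe how the agent is implemented: it stands up a loopback TLS listener presenting a constructed self-signed certificate for the hypothetical host name agent-host.example, then dials it the way a verifying and a non-verifying client would. With verification on, an issuer the endpoint does not trust and a URL host that does not match the certificate are both rejected; with verification off, the default described above, the same connection is accepted regardless of what certificate is presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const agentHost = "agent-host.example" // hypothetical collector host name (an assumption for this example)

// newSelfSignedCert builds an in-memory self-signed certificate for dnsName (a constructed fixture, not a real CA).
func newSelfSignedCert(dnsName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the SAN the client compares against the URL's host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// dialCollector models the agent's outbound connection. With verify=true the peer certificate must
// chain to a trusted root and its SAN must match hostName (the host in the configured URL); with
// verify=false, the default described on the page, both checks are skipped.
func dialCollector(addr, hostName string, roots *x509.CertPool, verify bool) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: hostName, RootCAs: roots, InsecureSkipVerify: !verify, MinVersion: tls.VersionTLS12,
	})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		conn.Close()
		return "connected"
	case errors.As(err, &unknownCA):
		return "blocked: untrusted issuer"
	case errors.As(err, &badName):
		return "blocked: hostname mismatch"
	default:
		return "blocked: " + err.Error()
	}
}

// runScenarios stands up a loopback TLS collector and dials it under the four combinations that matter.
func runScenarios() ([]string, error) {
	cert, leaf, err := newSelfSignedCert(agentHost)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // answer handshakes until the listener closes; a rejecting client aborts mid-handshake
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf)
	untrusted := x509.NewCertPool() // empty: the collector's issuer is unknown to the endpoint
	addr := ln.Addr().String()
	return []string{
		dialCollector(addr, agentHost, trusted, true),               // verify on, trusted issuer, URL host matches
		dialCollector(addr, agentHost, untrusted, true),             // verify on, unknown issuer
		dialCollector(addr, "other-host.example", trusted, true),    // verify on, URL host != certificate SAN
		dialCollector(addr, "other-host.example", untrusted, false), // verify off (default): accepted regardless
	}, nil
}
```

runScenarios returns one verdict per combination, in the order listed. The last case is the one the default setting corresponds to: the endpoint talks to whatever answers at the configured address, so an intercepting host presenting any certificate would receive the agent's data. Ticking the box turns that into the second and third outcomes, which is why a practitioner enabling it should first confirm the collector's certificate chains to a root the endpoints trust and that its SAN matches the host in the configured URL, or collection stops.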

In Case You Missed It (ICYMI) FortiInsight 21.1

https://docs.fortinet.com/document/fortiinsight-cloud/21.1.0/release-notes/535328/introduction

The following table lists new features and enhancements in FortiInsight Cloud version 21.1.

Feature

Description

User Contexts & LDAP connector

Enhanced user metadata for all collected users. This data is collected by the new FortiInsight LDAP connector, which gathers the required user metadata, including but not limited to Display Name, Job Title, Department and Office location. You can then use these new metadata fields across FortiInsight, whether creating policies or running general threat hunting searches.

Most Notable Users

The new Most Notable Users dashboard provides you with a single view of the highest-risk users within your organization. Any user with a high severity policy match or anomaly will feature here.

FortiGuard GEO IP Database

FortiInsight now uses the FortiGuard GEO IP database to resolve location data based on collected IP Addresses sent by endpoints.

Trend Charts

Trending charts have been added to all Threat Hunting views allowing you to view, highlight, and investigate via the trending charts.

Investigation Timeline

Added a simplified view of Investigations within FortiInsight, giving you a simple, easy-to-understand view of the flow of your created investigations. As part of this enhanced view, we have added the ability to add event types (Live, Printed, Network) to an investigation, allowing you to investigate the entire user threat landscape.

Collection Source

Easily switch into your Collections from any supported data view.

Dashboard Management Enhancements

Standardized all charts across the dashboard, adding better functional controls such as import/export, clone, and enlarge. You can now also export an embedded dashboard and make it your custom one by importing.

Related resources

The following resources provide more information about FortiInsight:
