Introduction
FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you detect, respond to, and manage risky behaviors that put your organization's business-critical data at risk. FortiInsight combines powerful and flexible machine learning with detailed forensics around user actions to provide complete visibility of activities around your organization's data. By monitoring user behavior and data movement both on and off your organization's network, and instantly alerting you to anomalous activities, FortiInsight helps you strengthen your security posture, protect your sensitive information, and support regulatory compliance.
What's new in FortiInsight Cloud version 21.2
The following table lists new features and enhancements in FortiInsight Cloud version 21.2.
Feature | Description
---|---
Enhanced User Profile / Timeline | See the Enhanced User Profile / Timeline section below.
Updated Policies | The following policies have been updated to reduce noise: File Downloaded Through a LOLBAS Binary; PSExec Executed On All Machines In Domain.
Enhanced User Profile / Timeline
User Context Dashboard
For example, from Threat Hunting > Live, right-click the user and select View User Profile. The user profile is now displayed in a widget style, like the FortiInsight Dashboard. Widget data can be exported to a file, maximised for viewing, or drilled down into to view the low-level data.
User Context Timeline
From Contexts > Users on the navigation pane, user activity is shown on a new timeline chart, detailing the number of active users at a given time.
Hovering over a bar highlights the number of users.
Double-clicking a bar displays enhanced user information for those users, such as:
- Department—Corporate department the user works in.
- Manager—Full name of the user's manager. Click to navigate to the manager's user profile.
- Status—Whether the user's account is active or disabled.
User Context Details
In Contexts > Users on the navigation pane, hovering over the user's name previously displayed the user context details. Now, clicking the user name field displays the details in a standardized view.
User Context Tracking
The LDAP agent allows you to sync your Active Directory to FortiInsight. Its aim is to make searches based on individual users, their managers, department and location more effective.
To install the agent
- Go to Contexts.
- Select Users.
- Select Download LDAP Client.
- Click Download.
FortiInsight Agents
Feature | Description
---|---
Mac Connector | See the Mac Connector section below.
Windows Connector | See the Windows Connector section below.
Mac Connector
Endpoint Security Framework
The MacOSX connector now integrates directly with the Endpoint Security Framework provided by Apple. Internally, this ensures that all events are now collected via this method rather than via a custom kext module. It also adds support for MacOSX 11 (Big Sur).
Command Line Arguments
Command line arguments, where applicable, are now shown for each Mac event, to standardise the agent's collection of data.
Windows Connector
Files Deleted Event for Shift Delete
Shift-delete operations and removable media deletes have been added to the Windows connector and are shown as File Deleted operations in FortiInsight.
Verify SSL Certificate
When installing the Windows agent, if the Verify host TLS/SSL certificate box is ticked, any connection to the host will be blocked if the SSL/TLS certificate is invalid or the URL does not match the certificate. This option is disabled by default.
In Case You Missed It (ICYMI) FortiInsight 21.1
https://docs.fortinet.com/document/fortiinsight-cloud/21.1.0/release-notes/535328/introduction
The following table lists new features and enhancements in FortiInsight Cloud version 21.1.
Feature | Description
---|---
User Contexts & LDAP connector | Enhanced user metadata for all collected users. The collection of this data uses the new FortiInsight LDAP connector to gather the required user metadata, which includes, but is not limited to, Display Name, Job Title, Department and Office location. You can then use these new meta fields across FortiInsight, whether creating policies or running general threat hunting searches.
Most Notable Users | The new Most Notable Users Dashboard provides you with a single dashboard for all the highest-risk users within your organization. Any user with a high severity policy or anomaly will feature here.
FortiGuard GEO IP Database | FortiInsight now uses the FortiGuard GEO IP database to resolve location data based on collected IP addresses sent by endpoints.
Trend Charts | Trending charts have been added to all Threat Hunting views, allowing you to view, highlight, and investigate via the trending charts.
Investigation Timeline | Added a simplified view of Investigations within FortiInsight, showing you a simple, easy-to-understand flow of your created investigations. As part of this enhanced view, we have added the ability to add Event types into the investigation (Live, Printed, Network), allowing you to investigate the entire user threat landscape.
Collection Source | Easily switch into your Collections from any supported data view.
Dashboard Management Enhancements | Standardized all charts across the dashboard, adding better functional controls such as import/export, clone, and enlarge. You can now also export an embedded dashboard and make it your custom one by importing it.
Related resources
The following resources provide more information about FortiInsight: