User Guide

Detections details

The Detection Details page provides a consolidated view of suspicious or malicious activity on your network. It helps you quickly understand what happened, which devices were involved, and how severe the threat may be.

This page brings together all key information needed to investigate a security event. You can see the affected device, the type of threat detected, when the activity occurred, and how the activity fits into the larger attack sequence. A visual timeline highlights the order of events, making it easier to trace how the behavior developed. You can also review related detections that may indicate a multi‑stage attack, such as downloader activity, payload execution, or credential‑theft tools.

For deeper investigation, the page includes context about past detections on the same device, as well as a full list of raw network events that contributed to the alert. This enables you to verify the detection, understand its impact, and determine the appropriate next steps.

To view the Detection Details page:

  • Dashboard: In the High Risk Devices widget, hover over a line in the chart and click Detection Detail.
  • Detections:
      • In Gallery view, click a detector. In the Impacted Devices tab, click a blank area in a table row or click the See Detections Details icon in the Actions column of the table.
      • In Table view, click a blank area in a table row or click the See Detections Details icon in the Actions column of the table.
  • Detections Device Timeline: Hover over a line in the chart and click Detection Detail.

Use the items in the tool bar to start an Investigation, resolve and assign detections, and mute detections and devices. Click any IP address in the page to open the Entity Panel.

The Detection Details page contains the following widgets:

Devices

Displays the source and destination IP addresses involved in the detection, along with the risk score and annotations that describe the traffic or detection type. Additional information such as geolocation, integrations including FortiEDR and FortiManager, hostnames, and PDNS is also shown when available.

Incident Event Timeline

Shows timestamps for each event so you can follow the sequence of actions that led to the detection. Select an event in the timeline to view the related device details in the Devices widget. This helps with incident reconstruction and triage.

Detection Overview

Shows all the available information related to the detector and the detection.

The first row of cards provides information about the detector. Click the detector name to view the detector details. From here, you can pivot to the Detection Details page.

The subsequent rows provide information about the current detection. Hover over the sensor name to view more information, or click it to open the sensor’s details page.

The detector description and next steps are displayed when available.

Event Details Panel

Shows the event type associated with the corresponding event selected in the Incident Event Timeline.

More details are shown when the event type is Observation, Suricata, or DPI. If there are Intel Hits, their details are also shown.

Resolution History & Context

Displays charts and detection context cards that show how the current detection fits into broader device and network activity.

  • The Resolution Count shows the number of resolved detections that were either triggered by this detector or involve the same device IP as the current detection.
  • The Detection Context shows the related detections and observations for the current device IP. For more information, see Detections context.
  • Click See Details to pivot to the Detection Context page.
More information

The More Information section has three tabs:

  • The Events tab shows the events for this detection as a table.
  • The Indicators tab shows the indicators list for this detection.
  • The Query tab shows the query signature for the detector.