What’s new in FortiNDR 7.0.1
FortiNDR detects anomalies using a variety of methods: FortiGuard feeds such as IPS signatures, the botnet IP database and the DNS database, as well as additional features such as IOC campaign lookup and detection of vulnerable protocols and weak ciphers. Beyond protocol detection of the kind a FortiOS NGFW performs, FortiNDR also looks at the behavior of devices and users, such as FTP downloads or SMB copies.
Improved ML Detection and Traffic profiling
FortiNDR uses machine learning to profile traffic. FortiNDR 7.0.1 provides more granular options for baselining and anomaly detection, so that devices with very different normal behavior get their own baseline rather than one shared profile, for example:
- A critical server that communicates with only 5 IP addresses
- A user PC that browses the internet
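The contrast above is what role-aware baselining looks like in practice. The following is an added example, not FortiNDR code: the same flow records are judged against a tight peer-set baseline for the server and a looser fan-out baseline for the PC. The device addresses, time windows, destinations and the 3x fan-out factor are all constructed for illustration.

```python
"""Added example (not FortiNDR code): role-aware traffic baselining.  The
same flow records are judged against a tight peer-set baseline for a server
and a looser fan-out baseline for a user PC.  Devices, IPs, windows and the
3x fan-out factor are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str]  # (time window, source IP, destination IP)


@dataclass
class Baseline:
    peers: Set[str]      # every destination seen while learning
    max_distinct: int    # most distinct destinations in any one window


def _per_window(flows: List[Flow]) -> Dict[str, Dict[int, Set[str]]]:
    table: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for window, src, dst in flows:
        table[src][window].add(dst)
    return table


def learn(flows: List[Flow]) -> Dict[str, Baseline]:
    """Build one baseline per source device from a learning period."""
    baselines: Dict[str, Baseline] = {}
    for src, windows in _per_window(flows).items():
        baselines[src] = Baseline(peers=set().union(*windows.values()),
                                  max_distinct=max(len(d) for d in windows.values()))
    return baselines


def detect(flows: List[Flow], baselines: Dict[str, Baseline],
           roles: Dict[str, str], fanout_factor: int = 3) -> List[Tuple[int, str, str]]:
    """Apply a role-specific anomaly test to each device's traffic per window."""
    alerts: List[Tuple[int, str, str]] = []
    for src, windows in _per_window(flows).items():
        base = baselines.get(src)
        role = roles.get(src, "user-pc")
        for window, dsts in sorted(windows.items()):
            if base is None:
                alerts.append((window, src, "no baseline for device"))
                continue
            new = sorted(dsts - base.peers)
            if role == "critical-server" and new:
                # A server with a fixed peer set: any new destination is an anomaly.
                alerts.append((window, src, f"new peer(s) {new}"))
            elif role == "user-pc" and len(dsts) > fanout_factor * base.max_distinct:
                # A browsing PC: new sites are normal, a fan-out burst is not.
                alerts.append((window, src,
                               f"fan-out {len(dsts)} > {fanout_factor}x{base.max_distinct}"))
    return alerts


# Constructed inventory: one critical server with five peers, one user PC.
SERVER, PC = "10.0.0.10", "10.0.0.50"
ROLES = {SERVER: "critical-server", PC: "user-pc"}
SERVER_PEERS = [f"10.0.1.{i}" for i in range(1, 6)]

# Constructed learning period: three windows of normal traffic.
LEARN_FLOWS: List[Flow] = (
    [(w, SERVER, p) for w in range(3) for p in SERVER_PEERS]
    + [(w, PC, f"203.0.113.{w * 10 + i}") for w in range(3) for i in range(8)]
)
# Constructed detection period: server gains one unexpected peer; the PC
# visits ten new sites (normal) and then bursts to thirty destinations.
DETECT_FLOWS: List[Flow] = (
    [(10, SERVER, p) for p in SERVER_PEERS] + [(10, SERVER, "198.51.100.7")]
    + [(10, PC, f"203.0.113.{100 + i}") for i in range(10)]
    + [(11, PC, f"198.51.100.{i}") for i in range(30)]
)

if __name__ == "__main__":
    for alert in detect(DETECT_FLOWS, learn(LEARN_FLOWS), ROLES):
        print(alert)
```

Run stand-alone, it raises exactly two alerts: the server's new peer in window 10 and the PC's fan-out burst in window 11. The PC's ten previously unseen destinations in window 10 raise nothing, which is the point of giving a browsing host a different baseline from a server.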
Reorganized logic for AV & ANN scan
FortiNDR has both an AV engine and an ANN (artificial neural network) for file extraction and scanning. FortiNDR 7.0.1 now uses the AV engine to pre-scan files first and then uses the ANN to extract detailed malware features.
Increased manual submission and NFS to scan 12 layers for ZIP files
FortiNDR 7.0.1 aligns all file input methods (Fabric devices, API, manual submission and NFS) to extract 12 layers of nested ZIP files by default.
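Nesting a sample inside many archive layers is a cheap way to push it past an extractor that stops early, while unlimited recursion invites decompression bombs, so the depth limit cuts both ways. The following is an added example, not FortiNDR code: it unpacks nested ZIPs to a fixed number of layers and reports what was reached and what was left unscanned. The 12-layer limit mirrors the release note; the per-member size cap and the sample payload are constructed for illustration.

```python
"""Added example (not FortiNDR code): unpack nested ZIP archives to a fixed
number of layers, the way an NDR file extractor must, and report what was
reached and what was left unscanned.  The depth limit (12, matching the
release note) and the per-member size cap are illustrative settings."""
import io
import zipfile


def build_nested_zip(payload: bytes, depth: int) -> bytes:
    """Wrap payload in `depth` ZIP layers (a constructed evasion sample)."""
    data, name = payload, "payload.bin"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level}.zip"
    return data


def scan_archive(data: bytes, max_layers: int = 12,
                 member_cap: int = 1 << 20) -> dict:
    """Recursively unpack ZIPs up to max_layers deep.

    Returns {"files":   [(name, bytes), ...] leaves reached for scanning,
             "layers":  number of ZIP layers actually opened,
             "skipped": [(name, layer), ...] left unopened (too deep, too big,
                        encrypted or corrupt)}.
    Reading at most member_cap + 1 bytes from each member, instead of trusting
    the size recorded in the central directory, bounds decompression bombs.
    """
    result = {"files": [], "layers": 0, "skipped": []}

    def walk(blob: bytes, name: str, layer: int) -> None:
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            result["files"].append((name, blob))      # leaf: hand to AV/ANN
            return
        if layer >= max_layers:
            result["skipped"].append((name, layer))   # deeper than allowed
            return
        result["layers"] = max(result["layers"], layer + 1)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as fh:
                        member = fh.read(member_cap + 1)
                except (RuntimeError, zipfile.BadZipFile):
                    # Encrypted (RuntimeError) or corrupt member: cannot inspect.
                    result["skipped"].append((info.filename, layer + 1))
                    continue
                if len(member) > member_cap:
                    result["skipped"].append((info.filename, layer + 1))
                    continue
                walk(member, info.filename, layer + 1)

    walk(data, "<submission>", 0)
    return result


# Constructed payload: a few PE-like bytes standing in for a malware sample.
PAYLOAD = b"MZ\x90\x00constructed-sample"

if __name__ == "__main__":
    for depth in (12, 13):
        r = scan_archive(build_nested_zip(PAYLOAD, depth), max_layers=12)
        print(f"{depth} layers -> {len(r['files'])} file(s) reached, "
              f"{len(r['skipped'])} skipped")
```

With a 12-layer limit, a sample wrapped 12 deep is reached and scanned, while one wrapped 13 deep leaves the innermost archive in the skipped list. A skipped entry should itself be treated as a finding worth surfacing, since a sample that only appears below the configured depth is exactly what an evasion attempt looks like.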
Increased NDR throughput
FortiNDR 7.0.1 has higher sniffer throughput than 7.0.0, the result of improved CPU utilization and multi-threading in the NDR daemons.
JA3 detection enhancement
FortiNDR 7.0.1 matches on both the JA3 (client) and JA3S (server) fingerprints of a TLS session, which reduces false positives in detection.
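A JA3 hash identifies the TLS library a client was built with, not the application, so a malware family and a benign program sharing that library produce the same value; adding the server side (JA3S) of the same session disambiguates them. The following is an added example, not FortiNDR code: it builds JA3 and JA3S strings from already-parsed hello fields, hashes them, and runs a client-only rule and a client+server rule over two constructed flows. All hello field values, hostnames and flows are constructed for illustration.

```python
"""Added example (not FortiNDR code): build JA3 (ClientHello) and JA3S
(ServerHello) fingerprints from parsed hello fields and show why a rule
keyed on the client/server pair trips on fewer benign flows than one keyed
on JA3 alone.  All hello values, hostnames and flows below are constructed."""
import hashlib
from typing import Iterable, List, Tuple


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa.  Chrome picks
    them at random per connection, so JA3 drops them before hashing; otherwise
    the same browser would fingerprint differently on every handshake."""
    return (value & 0xFF) == (value >> 8) and (value & 0x0F) == 0x0A


def _join(values: Iterable[int]) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: List[int], extensions: List[int],
               groups: List[int], point_formats: List[int]) -> str:
    """JA3: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    as decimal values, '-' inside a field and ',' between fields."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(groups), _join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions: List[int]) -> str:
    """JA3S: SSLVersion,Cipher,Extensions taken from the ServerHello."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(text: str) -> str:
    """Both fingerprints are the MD5 of the string form (32 hex characters)."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


# Constructed ClientHello of a TLS library used by both a benign updater and
# a malware sample; GREASE values appear in three fields and must be dropped.
CLIENT = dict(version=771, ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
              extensions=[0, 23, 0x2A2A, 10, 11, 43],
              groups=[0x3A3A, 29, 23, 24], point_formats=[0])
# Constructed ServerHellos: the C2 server and a CDN answering the same client.
SERVER_C2 = dict(version=771, cipher=0xC02F, extensions=[0, 11, 23])
SERVER_CDN = dict(version=771, cipher=0x1302, extensions=[43, 51])

Flow = Tuple[str, str, str]  # (description, ja3, ja3s)
FLOWS: List[Flow] = [
    ("10.0.0.5 -> c2.example", fingerprint(ja3_string(**CLIENT)),
     fingerprint(ja3s_string(**SERVER_C2))),
    ("10.0.0.9 -> cdn.example", fingerprint(ja3_string(**CLIENT)),
     fingerprint(ja3s_string(**SERVER_CDN))),
]


def match_ja3_only(flows: List[Flow], bad_ja3: str) -> List[str]:
    """Client fingerprint alone: every user of that TLS stack matches."""
    return [desc for desc, ja3, _ in flows if ja3 == bad_ja3]


def match_ja3_pair(flows: List[Flow], bad_ja3: str, bad_ja3s: str) -> List[str]:
    """Client and server fingerprints together: only the flow whose peer
    answers like the C2 server matches."""
    return [desc for desc, ja3, ja3s in flows if (ja3, ja3s) == (bad_ja3, bad_ja3s)]


if __name__ == "__main__":
    bad_ja3 = fingerprint(ja3_string(**CLIENT))
    bad_ja3s = fingerprint(ja3s_string(**SERVER_C2))
    print("JA3 only :", match_ja3_only(FLOWS, bad_ja3))
    print("JA3+JA3S :", match_ja3_pair(FLOWS, bad_ja3, bad_ja3s))
```

The client-only rule flags both flows, one of them the benign CDN session; the paired rule flags only the session answered by the C2 server. Two caveats apply to any JA3-based rule: the hash is of the library, so one fingerprint can cover many unrelated programs, and browsers that randomize ClientHello extension order on each connection produce unstable JA3 values, which is a further reason to key on the server side as well.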
Offline FortiGuard updates support
FortiNDR 7.0.1 adds CLI commands to load FortiGuard database updates (avdb, ipsdb and kdb) from local disk or from a TFTP or FTP server, for appliances that cannot reach FortiGuard directly. The new commands are:
exec restore avdb/ipsdb/kdb [disk/tftp/ftp] filename
Please refer to CLI guide for details.
GUI
The NDR Dashboard now supports a date-range drill-down per widget (1 day, 1 week and 1 month).
Device inventory naming
When FortiNDR cannot determine a device's OS from the IoT lookup, the default device name, which has the form <OS>_<hash of MAC address>, changes from UNKNOWN_<hash> to DEVICE_<hash>; for example, UNKNOWN_XYZ becomes DEVICE_XYZ.