Administration Guide

ML Configuration

Use the ML Configuration page to view and edit the machine learning baseline features used for traffic anomaly detection, as well as the status of the baseline training.

Key concepts
  • Baseline Status: Baselining means that baseline training is still in progress.
  • Baseline ready: Means that baseline training is done and the baseline is ready for anomaly detection.
Note

The following features are enabled by default: Source Device IP, Destination Device IP, Destination Device Geolocation, Transport Layer Protocol, Application Layer Protocol, Protocol/Application Behaviors/Action, Destination Port.

We do not recommend editing these features unless you have a strong understanding of what they do.

ML Configuration contains the following settings:

Device Info

Source Device IP

The source device IP address. Apply a netmask if you do not want address changes within a certain range to be treated as an anomaly.

Destination Device IP

The destination device IP address. Apply a netmask if you do not want address changes within a certain range to be treated as an anomaly.

Destination MAC Address

Destination device MAC address.

Destination Device Model

Device model such as: FortiGate, Workstation, IDRAC, etc.

Destination Device Geolocation

Device geographical country such as United States.

Destination Device Category

Device category such as: NAS, Virtual Machine, Firewall, etc.

Destination Device Vendor

Device vendor such as VMware, Dell, Synology, etc.

Destination Device OS

Device operating system such as Windows, Linux, etc.

Protocol and Application behavior

Transport Layer Protocol

UDP, ICMP, TCP, etc.

Application Layer Protocol

TLS, HTTP, SMB, etc.

Protocol/Application Behaviors/Action

Specific application actions such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.

Others

Session Packet Size

FortiNDR categorizes the packet size into three groups:

  • Small: Less than 100 bytes
  • Medium: 101-99999 bytes
  • Larger: Equal to or greater than 100000 bytes

Destination Port

Port number such as 22, 445, a non-reserved port, etc.

TLS Version

The TLS version if TLS is being used.

Typically, building a traffic baseline takes 7 days. Choosing different features to train a new baseline causes the ML system to start another 7-day training period. The old baseline is discarded during retraining, and ML detection is not available during that time.
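
As an added illustration (not FortiNDR's own code or algorithm), the following Python sketch shows why the netmask option on the Source and Destination Device IP features matters for the baseline, and how the Session Packet Size groups above can be applied. The flow record fields, the /24 prefix, and the treatment of exactly 100 bytes are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed flow record; field names are this example's own, not FortiNDR's."""
    src_ip: str
    dst_ip: str
    dst_country: str
    transport: str  # e.g. "TCP"
    app_proto: str  # e.g. "TLS"
    action: str     # e.g. "WebDAV reload"
    dst_port: int
    size: int       # session packet size in bytes

def packet_size_group(size: int) -> str:
    """Bucket a size into the page's three groups. The page's bounds (<100, 101-99999,
    >=100000) leave exactly 100 bytes unassigned; this example puts it in Medium (assumption)."""
    if size < 100:
        return "Small"
    if size < 100000:
        return "Medium"
    return "Larger"

def mask_ip(ip: str, prefix: int) -> str:
    """Reduce an address to its network so host changes inside the range are not new values."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def feature_tuple(flow: Flow, src_prefix: int = 32, dst_prefix: int = 32) -> tuple:
    """The page's default feature set, plus Session Packet Size, as one hashable key."""
    return (mask_ip(flow.src_ip, src_prefix), mask_ip(flow.dst_ip, dst_prefix),
            flow.dst_country, flow.transport, flow.app_proto, flow.action,
            flow.dst_port, packet_size_group(flow.size))

def is_anomalous(flow: Flow, baseline: set, src_prefix: int = 32, dst_prefix: int = 32) -> bool:
    """A feature combination never seen during baselining is flagged."""
    return feature_tuple(flow, src_prefix, dst_prefix) not in baseline

def demo() -> tuple:
    """Same client role after a DHCP lease change: anomalous with /32, not with a /24 netmask."""
    seen = Flow("10.1.2.3", "52.1.1.10", "United States", "TCP", "TLS", "WebDAV reload", 443, 1500)
    later = Flow("10.1.2.77", "52.1.1.10", "United States", "TCP", "TLS", "WebDAV reload", 443, 1500)
    exact = {feature_tuple(seen)}
    masked = {feature_tuple(seen, 24, 32)}
    return is_anomalous(later, exact), is_anomalous(later, masked, 24, 32)
```

Without a netmask, every new DHCP lease in the subnet produces an unseen source value and therefore an anomaly; with a /24 netmask the baseline absorbs it while a genuinely new destination port or protocol still stands out.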