Fortinet black logo

Administration Guide

Home FortiNDR 7.1.0 Administration Guide
7.1.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.3
7.2.2
7.2.1
7.2.0
7.1.0
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0

Outbreak Search

Outbreak Search

Virtual Security Analyst > Outbreak Search contains tools to determine if there is an outbreak in the network. FortiNDR lets you deal with an outbreak from two directions.

  1. Using a known hash in the FortiNDR database or a physical copy of a file that belongs to the outbreak, you can search for other captured files that share similarities. See Search lead type of hash or detection name.
  2. Using a known outbreak name or known virus family identifier, you can search for captured files that were grouped under the same categories by FortiNDR. See Search lead type of outbreak name.

You can also use quick search in the button bar at the top to search for and access sample profile pages. You can search by hash (MD5 or SHA512) or by exact detection name. If the search returns more than 10 results, there is a View More button and you are redirected to Advance Threat report with the search criteria inserted.

Search lead type of hash or detection name

This search lead type accepts MD5 or SHA512 as a search value. You can submit the sample to FortiNDR in Express Malware Analysis. When the search lead type is detection name, the search value can be an exact detection name, such as W32/Phishing.DDS!tr, or a detection name with wildcards, such as W32/Phishing.%.

For these searches, you must choose one of these search methods: Similarity-Based, Hash-Based, or Detection-Based.

Similarity-Based search uses FortiNDR's similarity engine to search for files that have similar features to the input file. Outbreak search only returns samples with a similarity rate of over 77%.

Hash-Based search returns results based on hash matches. If search lead type is detection name and you select hash-detection, the search returns files that match the hashes of all the files with the input detection name. The result might include files from different detection names because the detection name can change over time.

Detection-Based search matches the input sample by detection name with or without wildcards. If search lead type is hash and you select Detection-Based search, the result returns files that share the same hash as the input detection name. Because detection names can change over time, this search lets you explore other detection names that are used to detect the same outbreak.

Search lead type of outbreak name

When you use outbreak name as a search lead time, FortiNDR returns the following:

  1. Any sample that matches FortiNDR's virus family classification (detection subtype).
  2. Any sample that matches part of the detection name.
  3. Any sample that shares any similarity with any of the files above.

These files are listed in the Related Files tab. Other tabs that have a summary of the detection name, remote connections, and attack scenarios events.

Recursive searches

You can right-click any file in the result and perform other types of searches. This feature lets you find more information that goes beyond the first degree of relationship in an outbreak.

Reports

You can generate a PDF report of the verdict that includes the file's comprehensive information and analysis together with a list of similar files found on the system. Reports can be in PDF, CSV, JSON, or STIXv2 format.

Previous
Next

Outbreak Search

Virtual Security Analyst > Outbreak Search contains tools to determine if there is an outbreak in the network. FortiNDR lets you deal with an outbreak from two directions.

  1. Using a known hash in the FortiNDR database or a physical copy of a file that belongs to the outbreak, you can search for other captured files that share similarities. See Search lead type of hash or detection name.
  2. Using a known outbreak name or known virus family identifier, you can search for captured files that were grouped under the same categories by FortiNDR. See Search lead type of outbreak name.

You can also use quick search in the button bar at the top to search for and access sample profile pages. You can search by hash (MD5 or SHA512) or by exact detection name. If the search returns more than 10 results, there is a View More button and you are redirected to Advance Threat report with the search criteria inserted.

Search lead type of hash or detection name

This search lead type accepts MD5 or SHA512 as a search value. You can submit the sample to FortiNDR in Express Malware Analysis. When the search lead type is detection name, the search value can be an exact detection name, such as W32/Phishing.DDS!tr, or a detection name with wildcards, such as W32/Phishing.%.

For these searches, you must choose one of these search methods: Similarity-Based, Hash-Based, or Detection-Based.

Similarity-Based search uses FortiNDR's similarity engine to search for files that have similar features to the input file. Outbreak search only returns samples with a similarity rate of over 77%.

Hash-Based search returns results based on hash matches. If search lead type is detection name and you select hash-detection, the search returns files that match the hashes of all the files with the input detection name. The result might include files from different detection names because the detection name can change over time.

Detection-Based search matches the input sample by detection name with or without wildcards. If search lead type is hash and you select Detection-Based search, the result returns files that share the same hash as the input detection name. Because detection names can change over time, this search lets you explore other detection names that are used to detect the same outbreak.

Search lead type of outbreak name

When you use outbreak name as a search lead time, FortiNDR returns the following:

  1. Any sample that matches FortiNDR's virus family classification (detection subtype).
  2. Any sample that matches part of the detection name.
  3. Any sample that shares any similarity with any of the files above.

These files are listed in the Related Files tab. Other tabs that have a summary of the detection name, remote connections, and attack scenarios events.

Recursive searches

You can right-click any file in the result and perform other types of searches. This feature lets you find more information that goes beyond the first degree of relationship in an outbreak.

Reports

You can generate a PDF report of the verdict that includes the file's comprehensive information and analysis together with a list of similar files found on the system. Reports can be in PDF, CSV, JSON, or STIXv2 format.

Previous
Next