Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- SNMP
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.3 Administration Guide

7.4.3

Session tab

The Session tab lists all the sessions related to the same anomaly type (such as Network Attacks and Encrypted Attack). Each row is an anomaly event. Sessions with multiple anomaly events under the same anomaly type will have multiples rows with the same session ID.

By default, the Session tab displays the following information:

Column	Description
Open Time	The date and time the session started.
Anomaly Severity	The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Src IP	The source IP.
Source Network	The source network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Dst IP	The destination IP.
Destination Network	Filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Attack Name	The attack name provided by FortiGuard. Hover over the name to view the Impact, Product List and Recommended Action. You can also use this column to explore the attack name and search FortiGuard.

Session Information

Double-click a sessions in the list to view the Session Information page. The following information is displayed:

General	Session ID Start Time End Time Traffic Volume VLAN ID Port ID
Anomaly	Anomaly Type Severity Reason
Additional Information	HTTP Version HTTP Response Code HTTP Server Name HTTP URL Malicious Behavior
Source Device	Source IP Source Port Source MAC Source Packet Size Source Country Source Device Model Source OS Source Device Category Source Device Sub Category
Destination Device	Destination IP Destination Port Destination MAC Destination Packet Size Destination Country Destination Device Model Destination OS Destination Device Category Destination Device Sub Category

View source and destination devices

You can view the source and destination device from the View Device dropdown in the Session tab. The Session tab is available in all the Network Insights monitors except for Device History.

To view the source and destination devices:

In the Session tab, select a record in the table.
Click View Device > View Source Device, or View Destination Device. The Information and Malware Host Story tabs are displayed.

View sessions

To view the session page:

Select a record in the Session tab and click View Session. The Session page opens.

You can use the right-side navigation to move up and down the page.

The Session page contains the following information:

Anomaly

Session Information

Device Information

Activity

ML Discovery

Detection Information

Mitre Attack

The Mitre Attack widget tracks the number of events that occurred for each MITRE attack tactics category. For more information, see MITRE ATT&CK.

Session tab

By default, the Session tab displays the following information:

Column	Description
Open Time	The date and time the session started.
Anomaly Severity	The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).
Src IP	The source IP.
Source Network	The source network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Dst IP	The destination IP.
Destination Network	Filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Attack Name	The attack name provided by FortiGuard. Hover over the name to view the Impact, Product List and Recommended Action. You can also use this column to explore the attack name and search FortiGuard.

Session Information

Double-click a sessions in the list to view the Session Information page. The following information is displayed:

General	Session ID Start Time End Time Traffic Volume VLAN ID Port ID
Anomaly	Anomaly Type Severity Reason
Additional Information	HTTP Version HTTP Response Code HTTP Server Name HTTP URL Malicious Behavior
Source Device	Source IP Source Port Source MAC Source Packet Size Source Country Source Device Model Source OS Source Device Category Source Device Sub Category
Destination Device	Destination IP Destination Port Destination MAC Destination Packet Size Destination Country Destination Device Model Destination OS Destination Device Category Destination Device Sub Category

View source and destination devices

You can view the source and destination device from the View Device dropdown in the Session tab. The Session tab is available in all the Network Insights monitors except for Device History.

To view the source and destination devices:

In the Session tab, select a record in the table.
Click View Device > View Source Device, or View Destination Device. The Information and Malware Host Story tabs are displayed.

View sessions

To view the session page:

Select a record in the Session tab and click View Session. The Session page opens.

You can use the right-side navigation to move up and down the page.

The Session page contains the following information:

Anomaly

Session Information

Device Information

Activity

ML Discovery

Detection Information

Mitre Attack

The Mitre Attack widget tracks the number of events that occurred for each MITRE attack tactics category. For more information, see MITRE ATT&CK.