
User Guide

Getting started

This page provides a list of initial tasks to help you set up and begin using the FortiNDR Cloud portal and threat detection capabilities.

1: Configure access and notifications

These tasks focus on ensuring secure access and setting up mandatory user notifications.

Task: Log in to the Portal
Details: You can log in using either a FortiNDR Cloud account or Single Sign-On (SSO). See FortiNDR Cloud portal.

Task: Enable Multi-Factor Authentication (MFA)
Details: Enable multi-factor authentication to require all users to enter an MFA token when they log in to FortiNDR Cloud. See Multi-factor authentication.

Task: Configure Email Notifications
Details: By default, you receive an email for every detection and a daily digest summarizing the last 24 hours. To customize these settings, see Email notifications.

Task: Configure global search
Details: Global Search allows you to search FortiNDR Cloud using a text string, IP address, or domain. You can enter multiple IPs and domains, separated by a comma or space. See Configuring global search.

Task: Review Account Data Scope
Details: Review the definitions of Network entity and Network events.

2: Deploy the sensor

To deploy the sensor, obtain the registration code and provision the physical or virtual sensor. Ensure the sensor is connected to a monitored network and define your internal network address ranges.

3: Initial triage and investigation workflow

Once data is flowing, familiarize yourself with the core detection and investigation pages.

Action: Review active alerts
Details: Go to Detections > Triage detections. This view is the default landing page for the Detections tab. Detections are alerts generated when a unique pair of events satisfies a detector query.

Action: Mute expected devices to reduce noise from known or authorized activities
Details: Muting allows you to ignore authorized or expected behaviors for a specific host. This is commonly done for devices like sandboxes or vulnerability scanners that routinely trigger detections. See Muting.

Action: Perform an Entity Lookup to initiate an investigation using minimal information
Details: An Entity Lookup is the starting point for an investigation. Enter an IP address or domain name in the Search field at the top of the portal. The results page returns Network, Entity, and Security Intelligence information. See Entity lookup.

Action: Access the Entity Panel to view detailed information about an IP address or domain
Details: The Entity Panel displays contextual information collected from both inside and outside the network (including WHOIS, VirusTotal, DHCP, and detection history). You can access it by left-clicking any entity anywhere in the portal. See Entity Panel.

Action: Use a detection as a starting point for an investigation
Details: Go to Detections > Triage detections, open a detector, and click Start Investigation. This opens the Add Query to Investigation dialog, where you can define the query name and time range, and decide whether to create a new investigation or add the query to an existing one. See Using detectors for investigations.
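The following is an added illustration of two ideas from this page, host-scoped muting of expected devices and the internal address ranges defined at sensor deployment; it is not FortiNDR Cloud code, and the detection schema, rule format, CIDR ranges and sample detections are all constructed assumptions. It shows why a mute for a vulnerability scanner is best scoped to the detector it is expected to trigger, so that unexpected behavior from the same host still surfaces.

```python
"""Added illustration of host-scoped muting and internal address ranges; it is
not FortiNDR Cloud code and uses its own simplified, constructed detection schema."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed internal ranges, as defined at sensor deployment (constructed values).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]

@dataclass(frozen=True)
class Detection:
    src_ip: str      # host that triggered the detector
    dst: str         # peer IP or domain
    detector: str    # detector name

@dataclass(frozen=True)
class MuteRule:
    host: str                       # the specific host whose expected behaviour is muted
    detector: Optional[str] = None  # None mutes every detector for that host

def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the defined internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def is_muted(det: Detection, rules: List[MuteRule]) -> bool:
    """A rule matches on host, and on detector too unless the rule is unscoped."""
    return any(r.host == det.src_ip and r.detector in (None, det.detector) for r in rules)

def triage(dets: List[Detection], rules: List[MuteRule]) -> List[Detection]:
    """Return the detections an analyst still needs to look at."""
    return [d for d in dets if not is_muted(d, rules)]

# Constructed sample detections: a vulnerability scanner, a sandbox and a workstation.
SAMPLE = [
    Detection("10.0.5.20", "10.0.7.1", "Internal Port Scan"),              # scanner, expected
    Detection("10.0.5.20", "203.0.113.10", "Suspicious Outbound Beacon"),  # scanner, unexpected
    Detection("10.0.9.9", "198.51.100.5", "Malware Download"),             # sandbox, expected
    Detection("192.168.1.40", "203.0.113.10", "Suspicious Outbound Beacon"),
]
MUTES = [
    MuteRule("10.0.5.20", "Internal Port Scan"),  # scanner: mute only the scanning detector
    MuteRule("10.0.9.9"),                          # sandbox: mute everything it triggers
]

if __name__ == "__main__":
    for d in triage(SAMPLE, MUTES):
        print(f"{d.detector}: {d.src_ip} -> {d.dst} (internal src: {is_internal(d.src_ip)})")
```

Note that 172.16.0.0/12 is not in the assumed list, so a host there would be reported as external; the ranges you define at deployment decide what the portal treats as internal.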
