FortiAnalyzer
smkml
Staff
Article Id 307856
Description

 

This article describes how the incident count shown in FortiView -> Threats -> Top Threats is derived. FortiAnalyzer counts the distinct session IDs in which a given threat occurred, so several log entries that belong to the same session are counted as one incident. The incident count is therefore not a cumulative total of every log message for that threat.

 

fortiview incidents.png

 

Scope

 

FortiAnalyzer.

 

Solution

 

In this example, the filter threat=blocked-connection is used to show the details.

 

threat blocked-connection.png

 

Drilling down into the test host (172.16.78.32) to show the session ID details, it becomes visible that 3 incidents are triggered.

 

specific user.png

Double-clicking each incident opens its details. Notice that the 3 incidents have 3 different session IDs.

 

session id 1.png

 

session id 2.png

 

session id 3.png

 

Upon removing the Security Event List = 'blocked-connection' filter, FortiAnalyzer lists the underlying logs. Each of these log entries carries one of the same 3 session IDs identified earlier: several log lines can share a session ID, but FortiView counts each session ID only once, which is why the incident count is lower than the number of log entries.
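The following Python snippet reproduces the counting logic described above from raw log lines. It is an added example and not part of the original article or of FortiAnalyzer itself; the sample log lines are constructed, and the key=value field names sessionid, srcip and threat are assumptions that mirror the fields the article filters on. It shows that the same threat for the same source host yields 3 incidents (distinct session IDs) even though 6 log entries match.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a FortiGate-style key=value syntax.
# Field names (sessionid, srcip, threat, ...) are assumptions for illustration.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 srcip=172.16.78.32 dstip=8.8.8.8 sessionid=10001 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:00:02 srcip=172.16.78.32 dstip=8.8.8.8 sessionid=10001 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:00:03 srcip=172.16.78.32 dstip=8.8.8.8 sessionid=10001 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:05:00 srcip=172.16.78.32 dstip=1.1.1.1 sessionid=10002 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:07:00 srcip=172.16.78.32 dstip=9.9.9.9 sessionid=10003 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:07:30 srcip=172.16.78.32 dstip=9.9.9.9 sessionid=10003 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:09:00 srcip=172.16.78.40 dstip=9.9.9.9 sessionid=20001 threat=blocked-connection action=blocked',
    'date=2024-05-01 time=10:10:00 srcip=172.16.78.32 dstip=10.0.0.5 sessionid=10004 threat=malware action=blocked',
]

# key=value pairs; values may be quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def count_threats(lines):
    """Group threat logs by (threat, srcip), tracking raw log count and distinct session IDs."""
    stats = defaultdict(lambda: {"logs": 0, "sessions": set()})
    for line in lines:
        rec = parse_log(line)
        if "threat" not in rec or "sessionid" not in rec:
            continue  # not a threat log; skipped, as FortiView Threats would
        key = (rec["threat"], rec.get("srcip", "unknown"))
        stats[key]["logs"] += 1
        stats[key]["sessions"].add(rec["sessionid"])
    return stats


def incidents(lines, threat, srcip):
    """FortiView-style incident count: number of distinct session IDs for the threat/host."""
    return len(count_threats(lines)[(threat, srcip)]["sessions"])


def log_count(lines, threat, srcip):
    """Raw number of log entries for the same threat/host, for comparison."""
    return count_threats(lines)[(threat, srcip)]["logs"]


if __name__ == "__main__":
    for (threat, srcip), s in sorted(count_threats(SAMPLE_LOGS).items()):
        print(f"{threat:20} {srcip:15} incidents={len(s['sessions'])} "
              f"logs={s['logs']} sessions={sorted(s['sessions'])}")
```

Running the script lists blocked-connection for 172.16.78.32 with incidents=3 and logs=6, matching the behaviour shown in the screenshots: the three session IDs are what FortiView counts, not the six log lines.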

 

session id in fortiview.gif

Note: Incidents in FortiView are different from incidents in FortiSOC, where incident management is more granular.
