This article describes how the incidents shown in FortiView -> Threats -> Top Threats are triggered: the incident count is based on the number of session IDs in which a given threat occurs. The incidents are not a cumulative log of each threat in FortiView.
FortiAnalyzer.
In this example, threat=blocked-connection will be used to show the details.
Taking the test user (172.16.78.32) as an example to show the session ID details, 3 incidents are triggered.
Double-clicking each incident shows its details, and each of the 3 incidents has a different session ID.
Upon removing the Security Event List = 'blocked-connection' filter, FortiAnalyzer will list the logs. Here, each of the items will have the same 3 session IDs identified earlier.
Note: Incidents in FortiView are different from incidents in FortiSOC, where incident management is more granular.
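The counting behaviour described above can be reproduced offline to reconcile an incident count against the number of log rows. The following is an added example, not Fortinet code: the log lines are constructed, the simplified key=value layout and the field names srcip, sessionid and msg are assumptions, and the second source IP is made up for contrast.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in a simplified key=value layout (not a real export).
SAMPLE_LOGS = """\
srcip=172.16.78.32 sessionid=1001 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1001 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1001 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1002 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1002 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1003 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1003 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.40 sessionid=2001 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.40 sessionid=2001 threat=blocked-connection msg="connection blocked"
srcip=172.16.78.32 sessionid=1001 msg="row without a threat field"
"""


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def summarize(log_text, threat):
    """Per source IP: (log row count, sorted distinct session IDs) for one threat."""
    rows = defaultdict(int)
    sessions = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip rows for other threats and rows missing the grouping fields.
        if rec.get("threat") != threat or "srcip" not in rec or "sessionid" not in rec:
            continue
        rows[rec["srcip"]] += 1
        sessions[rec["srcip"]].add(rec["sessionid"])
    return {ip: (rows[ip], sorted(sessions[ip])) for ip in rows}


if __name__ == "__main__":
    for ip, (n_rows, ids) in summarize(SAMPLE_LOGS, "blocked-connection").items():
        # The incident count follows the session IDs, not the number of log rows.
        print(f"{ip}: {n_rows} log rows, {len(ids)} incidents (sessions {', '.join(ids)})")
```

For the test user in the constructed data, 7 log rows collapse into 3 incidents because only 3 session IDs are involved.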
Copyright 2024 Fortinet, Inc. All Rights Reserved.