FortiSIEM: Using the Analysis Menu

The Analysis menu, located in the Summary dashboards, presents a number of options for gathering more information about items selected in the dashboard. You can also reach the Analysis menu items by selecting a line in a Summary dashboard and hovering your mouse cursor over the IP address of the device until the blue Analysis menu option appears.

Analysis Menu Options

Each entry below lists a menu option followed by its description.

Quick Info
  The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device and, when appropriate, Identity and Location information. It also contains links to additional information about the device:

  Incidents: An exportable summary of incidents associated with the device.

  Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

  BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

  Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

  Vulnerability and IPS Status (not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

  Hardware Health (used only for the CMDB/Storage view): Displays health information for the hardware being used for storage.

  Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput.

  Topology: Shows the device's location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

  The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Topology
  Shows the device location within the network topology.

Device Health
  Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Incidents Summary
  A summary of incidents associated with the device. Select an incident and then hover your mouse cursor over the Incident Name to open the View Incident Details option, which loads the selected incident into the Incident Dashboard. See the topics under Incidents – Flash version for more information about working with the Incident Dashboard. If you hover your mouse cursor over the Incident Target for an incident in the Incident Summary screen, you will see some additional options, including:

  Add to Watch List: Adds the incident target to a watch list. See Watch Lists for more information.

  Show Related Real Time Search: Opens a real-time search using the Host IP and Name for the incident target.

  Show Related Historical Search: Opens a historical search using the Host IP and Name for the incident target.

Device Availability
  Displays reports for Availability Trend Status, Ping Response Time, and Ping Packet Loss for the device over the past hour, and Device Uptime for the device over the past thirty minutes.

Device Performance
  Displays reports for Performance Health Trend, Avg Memory Utilization, Avg CPU Utilization, and Avg Disk Utilization over the past hour for the device.

Interface Status
  Displays reports for Interface Utilization Percentage, Interface Error Percentage, Interface Traffic, and Interface Error Count over the past hour for the device.

Application Performance
  Displays reports for Average Application CPU Utilization, Application CPU Utilization, Average Application Memory Utilization, and Application Memory Utilization over the past hour for the device.

Event Status
  Displays reports for Events per Second, Top Network Connections, Top Events by Severity, and Top TCP/UDP Ports over the past hour for the device.

All Events by Group for the Last 10 Minutes
  Opens a Historical Search for the selected device using these criteria.

Traffic Status
  Displays reports for All Permitted Traffic Sourced From or Destined to the selected device, and All Denied Traffic Sourced From or Destined to the selected device, over the previous hour.

Vulnerability and IPS Status
  Displays reports for All Vulnerabilities for Last 1 Day and All Warning + Critical IPS Events for the device over the past 24 hours.

Impacted Biz Services
  Business services that contain the selected device.

Real-time Events
  Opens a Real-Time Search for the selected device.

Historical Events for Last 5 Mins
  Opens a historical search for all events associated with the device over the past five minutes.

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
