FortiDeceptor – Monitor Attacks

Monitor Attacks

Administrators can monitor attacks in two ways:

To monitor attacks using Incident pages:

  • Incident > Analysis lists incidents and related events detected by FortiDeceptor. l Incident > Campaign lists attacks and related events detected by FortiDeceptor. l Incident > Attack Map shows attacks and related events detected by FortiDeceptor.

To monitor attacks using Dashboard widgets:

  • Use the Dashboard Incidents & Events Distribution See Incidents and Events Distribution on page 18. l Use the Dashboard Incidents & Events Count widget.

Analysis

Incident > Analysis lists the Incidents detected by FortiDeceptor.

To use the Analysis page:

  1. Go to Incident > Analysis.
  2. The Analysis page displays the list of events:
Severity Severity of the event.
Last Activity Date and time of the last activity.
Type Type of event.
Attacker IP Attacker IP mask.
Attacker User Attacker username.
Victim IP IP address of the victim.
Victim Port Port of the victim.
Lure Name of the lure service.
Decoy ID Unique ID of the Decoy VM.
ID ID of the incident.
Attacker Port Port where the attack originated.
Tag Key Unique key string for the incident.
Attacker Password Password used by the attacker.
Start   Date and time when the attack started.
  1. To refresh the data, click Refresh.
  2. To download the detailed analysis report in PDF format, click Export to PDF.
  3. To mark items as read, expand the incident details or click Mark all as read.

Newly-detected incidents are in bold to indicate they are unread.

  1. To display specific types of events, click Show All, IPS Events Only, or Web FilterEvents Only.
  2. To specify columns and table settings, use the Settings icon at the bottom right.

Campaign

Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.

To use the Campaign page:

  1. Go to Incident > Campaign.
  2. The Campaign page displays the list of attacks:
Severity   Severity of the event.
Start   Date and time when the attack started.
Last Activity   Date and time of the last activity.
Attacker IP   IP mask of the attacker.
ID   ID of the campaign record.
Timeline   Click Timeline to see the timeline of the Attack from start to finish.
Table   Click Table to see all the Events in table view.
  1. To refresh the data, click Refresh.
  2. To export the data, click Export to PDF.
  3. To specify columns and table settings, use the Settings icon at the bottom right.

Attack Map

Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.

To work with the Attack Map:

  1. Go to Incident > Attack Map. l To change the display, drag items to another location. l Scroll to zoom in or out. l Click a node to see its information.
  2. At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
  3. Click Click to begin filtering to select a different filter type and type values. Filter types include AttackerIP, Victim IP, and Decoy IP.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  1. To locate the node on the map, use the LOCATE BY IP
  2. To save a snapshot of the map, click Save view .

Incidents and Events Distribution

This dashboard widget displays the number of incidents and events with the following risk level information and options.

Unknown Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk Incident or Event where the risk level is low. Entries are in green.
Medium Risk Incident or Event where the risk level is medium. Entries are in yellow.
High Risk Incident or Event where the risk level is high. Entries are in orange.
Critical Incident or Event where the risk level is critical. Entries are in red.

Hover over the pie chart to see the number of Incidents or Events and their percentage.

To customize this widget:

  1. Click the edit icon to make the following changes:

l Enter a Customized Widget Title. l Change the Refresh Interval. l Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Incidents and Events Count

This dashboard widget displays the number of Incidents and Events.

Event Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date The time or date the Incident or Event occurred.

To customize this widget:

  1. Click the edit icon to make the following changes:

l Enter a Customized Widget Title. l Change the Refresh Interval. l Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Top 10 Attackers by Events

This dashboard widget displays the top ten attackers by the number of events.

IP Address IP address of the attacker.
Number of Events Hover over an IP address to see the total number of Events.

Top 10 Attackers by Incidents

This dashboard widget displays the top ten attackers by the number of incidents.

IP Address IP address of the attacker.
Number of Incidents Hover over an IP address to see the total number of Incidents.

Top 10 IPS Attacks

This widget displays the top 10 IPS attacks by the number of attack events.

IPS attack name IP address of the attacker.
Number of attack events Hover over an IPS attack name to see the total number of attack events.

Incidents Distribution by Service

This dashboard widget displays the number of Incidents by service with the following information and options.

SSH Number of incidents occurring on SSH service with the percentage on a pie chart.
SAMBA Number of incidents occurring on SAMBA service with the percentage on a pie chart.
SMB Number of incidents occurring on SMB service with the percentage on a pie chart.
RDP Number of incidents occurring on RDP service with the percentage on a pie chart.
HTTP Number of incidents occurring on HTTP service with the percentage on a pie chart.
FTP Number of incidents occurring on FTP service with the percentage on a pie chart.
TFTP Number of incidents occurring on TFTP service with the percentage on a pie chart.
SNMP Number of incidents occurring on SNMP service with the percentage on a pie chart.
MODBUS Number of incidents occurring on MODBUS service with the percentage on a pie chart.
S7COMM Number of incidents occurring on S7COMM service with the percentage on a pie chart.
BACNET Number of incidents occurring on BACNET service with the percentage on a pie chart.
IPMI Number of incidents occurring on IPMI service with the percentage on a pie chart.
TRICONEX Number of incidents occurring on TRICONEX service with the percentage on a pie chart.
GUARDIAN-AST Number of incidents occurring on GUARDIAN-AST service with the percentage on a pie chart.
IEC104 Number of incidents occurring on IEC104 service with the percentage on a pie chart.

Global Attacker Distribution

This widget displays the number of Attackers by country on a global map.

 

This entry was posted in Administration Guides, FortiDeceptor on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.