SOC Monitoring – FortiAnalyzer – FortOS 6.2.3

SOC Monitoring

Use the Security Operations Center (SOC) to view Monitors and FortiView.

Monitors are designed for network and security operation centers where dashboards are displayed across multiple large monitors.

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

Monitors

SOC (Security Operations Center) Monitors are designed for a network and security operations center where multiple dashboards are displayed in large monitors.

In the Monitors view, dashboards display both real-time monitoring and historical trends. Centralized monitoring and awareness help you to effectively monitor network events, threats, and security alerts. Use Monitors dashboards to view multiple panes of network activity, including monitoring network security, compromised hosts, endpoints, Security Fabric, WiFi security, and FAZ system performance.

A typical scenario is to set up dashboards and widgets to display information most relevant to your network and security operations. Use the main monitors in the middle to display important dashboards in a larger size. Then use the monitors on the sides to display other information in smaller widgets.

For example, use the top monitor in the middle to display the Top Threat Destinations widget in full screen, use the monitor(s) below that to display other Threat Monitor widgets, use the monitors on the left to display WiFi Monitor widgets at the top and FAZ Performance Monitor widgets at the bottom, and use the monitors on the right as a workspace to display widgets showing the busiest network activity. You can move, add, or remove widgets.

Monitors dashboards and widgets are very flexible and have the following features:

  • You can create predefined or custom dashboards.
  • For both predefined and custom dashboards, you can add, delete, move, or resize widgets.
  • You can add the same dashboard multiple times on the same or different monitors.
  • Each widget monitors one activity.
  • You can add the same widget multiple times and apply different settings to each one. For example, you can add widgets to monitor the same activity using a different chart type, refresh interval, or time period.
  • You can resize widgets or display a widget in full screen.

SOC monitor dashboards

SOC monitors include predefined dashboards.

Both predefined and custom dashboards can be modified with widgets, including: Threats widgets, Compromised Hosts widgets, Traffic widgets, Applications & Websites widgets, VPN widgets, WiFi widgets, Endpoints widgets, System widgets, Threat Research widgets, Security Fabric widgets, and FortiClient Software widgets.

For example, the default Threat Monitor dashboard includes four widgets: Threat Map, Top Threat Destinations, Top Threats, and Top Virus Incidents Over Time. These widgets can be removed, enlarged, reduced, or customized, and new widgets can be added to the dashboard.

For more information, see Customizing the Monitors dashboard.

SOC Monitors includes the following predefined dashboards:

Threats: Monitors the top security threats to your network.
Traffic: Monitors the traffic on your network.
Applications & Websites: Monitors the application and website traffic on your network.
Compromised Hosts: Monitors compromises and suspicious web use in your network.
FortiSandbox Detections: Monitors FortiSandbox detections on your network.
Endpoints: Monitors endpoint activity on your network.
Fabric State of Security: Monitors your network’s Security Fabric rating, score, and topology. The information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.
VPN: Monitors VPN activity on your network.
WiFi: Monitors WiFi access points and SSIDs.
Local System Performance: Monitors the local system performance of the FortiAnalyzer unit.
FortiClient Software Inventory: Monitors the FortiClient endpoints sending logs to FortiAnalyzer.
Archive: Includes FortiAnalyzer NOC-SOC modules from versions prior to 6.2.0.

Threats widgets

Threats includes the following widgets:

Top Threat Destinations: A world map, spinning 3D globe, or table showing the top 10, 20, 50, or 100 threat destinations. On the map view, hover the cursor over data points to see the source device and IP address, destination IP address and country, threat level, and the number of incidents (blocked and allowed).
Top Threats: The top threats to your network. Hover the cursor over data points to see the threat, category, threat level, threat score (blocked and allowed), and the number of incidents (blocked and allowed). The following incidents are considered threats:
  • Risk applications detected by application control
  • Intrusion incidents detected by IPS
  • Malicious websites detected by web filtering
  • Malware/botnets detected by antivirus
Top Threats (FortiClient): The top threats to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets. Only visible in a Fabric ADOM.
Top Threats Over Time by Threat Scores: The historical threats to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.
Top Threats by Weight & Count: The top threats by weight and count to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.
FortiSandbox Detection: FortiSandbox detection detail, including scan doc name, source user, destination IP, verdict level, action, and service.
FortiSandbox – Scanning Statistics: The number of files detected by FortiSandbox by type: Malicious, Suspicious, Clean, and Others.
FortiSandbox – Top Malicious & Suspicious File Users: Users or IP addresses that have the highest number of malicious and suspicious files detected by FortiSandbox.
Threat Map: Threats happening right now across the world.
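The Top Threats widget counts an incident as a threat only when it comes from one of the four UTM sources listed above, and it reports incidents and threat score split into blocked and allowed. The script below is an added example (not FortiAnalyzer or Fortinet code) that applies that same definition to a handful of constructed FortiGate-style key=value log lines. The field names (type, subtype, action, crscore, crlevel, apprisk, catdesc) follow the usual FortiGate log layout, but the sample values, the choice to treat only high/critical apprisk applications as "risk applications", and the set of actions counted as "blocked" are assumptions made for the example.

```python
"""Aggregate Top Threats style statistics from FortiGate-style UTM log lines.

Added example, not FortiAnalyzer code. A record counts as a threat only if it
is one of the four kinds the page lists: app-control risk applications, IPS
intrusions, web-filter malicious websites, antivirus malware/botnets.
"""
import shlex

# Constructed sample lines in FortiGate key=value style (not real device output).
SAMPLE_LOGS = [
    'date=2020-01-15 time=10:00:01 devname="FG-EDGE" type="utm" subtype="ips" action="dropped" '
    'srcip=10.0.1.20 dstip=203.0.113.9 attack="Example.Attack.A" crscore=30 crlevel="critical"',
    'date=2020-01-15 time=10:00:07 devname="FG-EDGE" type="utm" subtype="ips" action="detected" '
    'srcip=10.0.1.21 dstip=203.0.113.9 attack="Example.Attack.A" crscore=30 crlevel="critical"',
    'date=2020-01-15 time=10:01:12 devname="FG-EDGE" type="utm" subtype="virus" action="blocked" '
    'srcip=10.0.1.22 dstip=198.51.100.4 virus="EICAR_TEST_FILE" crscore=50 crlevel="critical"',
    'date=2020-01-15 time=10:02:40 devname="FG-EDGE" type="utm" subtype="webfilter" action="blocked" '
    'srcip=10.0.1.23 hostname="malware.example" catdesc="Malicious Websites" crscore=30 crlevel="high"',
    'date=2020-01-15 time=10:02:41 devname="FG-EDGE" type="utm" subtype="webfilter" action="passthrough" '
    'srcip=10.0.1.23 hostname="www.example.com" catdesc="Business" crscore=0 crlevel="low"',
    'date=2020-01-15 time=10:03:05 devname="FG-EDGE" type="utm" subtype="app-ctrl" action="pass" '
    'srcip=10.0.1.24 app="Proxy.Tool.Example" apprisk="high" crscore=10 crlevel="medium"',
    'date=2020-01-15 time=10:03:06 devname="FG-EDGE" type="utm" subtype="app-ctrl" action="pass" '
    'srcip=10.0.1.24 app="Example.Safe.App" apprisk="low" crscore=0 crlevel="low"',
    'date=2020-01-15 time=10:03:09 devname="FG-EDGE" type="traffic" subtype="forward" action="accept" '
    'srcip=10.0.1.25 dstip=192.0.2.10',
]

# Assumption: these action values mean the incident was blocked; anything else is "allowed".
BLOCKING_ACTIONS = {"blocked", "block", "dropped", "deny", "reset"}


def parse_fortigate_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify_threat(fields):
    """Return (threat_name, category) if the record is a threat per the page's list, else None."""
    if fields.get("type") != "utm":
        return None
    subtype = fields.get("subtype")
    if subtype == "app-ctrl":
        # Assumption: "risk application" means app-control risk high or critical.
        if fields.get("apprisk") in ("high", "critical"):
            return fields.get("app", "unknown"), "Risk Application"
        return None
    if subtype == "ips":
        return fields.get("attack", "unknown"), "Intrusion"
    if subtype == "webfilter":
        # Only the malicious-websites category counts; ordinary browsing does not.
        if fields.get("catdesc") == "Malicious Websites":
            return fields.get("hostname", "unknown"), "Malicious Website"
        return None
    if subtype == "virus":
        return fields.get("virus", "unknown"), "Malware/Botnet"
    return None


def aggregate_threats(lines):
    """Per threat: category, threat level, incidents and score split by blocked/allowed."""
    stats = {}
    for line in lines:
        fields = parse_fortigate_line(line)
        hit = classify_threat(fields)
        if hit is None:
            continue
        name, category = hit
        entry = stats.setdefault(name, {
            "category": category,
            "level": fields.get("crlevel", "unknown"),
            "incidents": {"blocked": 0, "allowed": 0},
            "score": {"blocked": 0, "allowed": 0},
        })
        outcome = "blocked" if fields.get("action") in BLOCKING_ACTIONS else "allowed"
        entry["incidents"][outcome] += 1
        entry["score"][outcome] += int(fields.get("crscore", 0))  # crscore = threat score
    return stats


def top_threats(lines, n=10):
    """Rank threats by total threat score (blocked + allowed), highest first."""
    stats = aggregate_threats(lines)
    return sorted(stats.items(),
                  key=lambda kv: -(kv[1]["score"]["blocked"] + kv[1]["score"]["allowed"]))[:n]


if __name__ == "__main__":
    for name, entry in top_threats(SAMPLE_LOGS):
        print(f'{name:24} {entry["category"]:18} {entry["level"]:9} '
              f'incidents={entry["incidents"]} score={entry["score"]}')
```

On the sample lines the Business-category browsing record, the low-risk application and the plain traffic record are dropped, and the detected-but-not-dropped IPS hit shows up as an allowed incident for the same signature, which is exactly the blocked/allowed split the widget exposes on hover.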

Compromised Hosts widgets

Compromised Hosts includes the following widget:

Compromised Hosts: Suspicious web use compromises. By default, this widget includes two panes: Compromised Hosts and Compromised Hosts Incidents.

The Compromised Hosts pane automatically rotates through compromised hosts. You can pause autoplay or click > or < to manually move to another compromised host.

The Compromised Hosts Incidents pane displays a map of compromised hosts incidents.

Click Settings to change the number of top compromised hosts, Time Period, Refresh Interval, Autoplay Interval, and to show or hide Compromised Hosts Incidents.

Traffic widgets

Traffic includes the following widgets:

User Data Flow: Bandwidth breakdown of top user destination country/region or application usage.
Top Sources Today: Near real-time network traffic by blocked and allowed sessions.
Top Sources: The highest network traffic by source IP address and interface, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Source Address Objects: The highest network traffic by source address objects, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Country/Region: The highest network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Country/Region Over Time by Sessions: The historical network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Policy Hits: Top policy hits from recent traffic.
Policy Hits Over Time by Bandwidth: The historical policy hits from recent traffic.
Top Destinations: Top destinations from recent traffic.
Top Destination Address Objects: Top destination address objects from recent traffic.
Traffic Over Time by Sessions: The historical destinations from recent traffic.
Top Cloud Users: Top cloud users from recent traffic.
DNS Logs: Top DNS logs from recent traffic.
Top Source (FortiDDoS): Top source IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Destination (FortiDDoS): Top destination IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Type (FortiDDoS): Top types from recent traffic. Only available in a Fabric ADOM.

Applications & Websites widgets

Applications & Websites includes the following widgets:

Top Applications: The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications Over Time by Sessions: The historical sessions of applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications (FortiClient): The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received). Only available in a Fabric ADOM.
Top Cloud Applications: Top cloud applications from recent traffic.
Cloud Applications Over Time by Sessions: The historical sessions of cloud applications used on the network.
Top Website Domains: Top website domains from recent traffic.
Top Website Categories: Top website categories from recent traffic.
Top Website (FortiClient): Top website domains from recent traffic. Only available in a Fabric ADOM.
Website Browsing Over Time by Sessions: The historical website browsing sessions from recent traffic.
Top Browsing User: Top browsing users from recent traffic.
Browsing User Over Time by Bandwidth: The historical browsing users from recent traffic.

VPN widgets

VPN includes the following widgets:

Top Dialup VPN: The users accessing the network using SSL or IPsec over a VPN tunnel.
VPN Site-to-Site: The names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

WiFi widgets

WiFi includes the following widgets:

Authorized APs: The names of authorized WiFi access points on the network.
Top SSID: The top SSIDs (service set identifiers) of authorized WiFi access points on the network. Hover the cursor over data points to see the SSID and bytes (sent and received).
Top SSID Over Time by Bandwidth: The historical SSID (service set identifier) traffic of authorized WiFi access points on the network.
Top Rogue APs: The top SSIDs (service set identifiers) of unauthorized WiFi access points on the network. Hover the cursor over data points to see the SSID and total live time.
WiFi Clients: The top WiFi access points on the network by bandwidth/sessions.

Endpoints widgets

Endpoints includes the following widgets:

Top Endpoint Vulnerabilities: Vulnerability information about FortiClient endpoints, including vulnerability name and CVE ID.
Top Endpoint Vulnerabilities (FortiClient): Vulnerability information about FortiClient endpoints, including vulnerability name and CVE ID. Only available in a Fabric ADOM.
Top Endpoint Devices with Vulnerabilities: Vulnerability information about FortiClient endpoints, including source IP address and device.
Top Endpoint Devices with Vulnerabilities (FortiClient): Vulnerability information about FortiClient endpoints, including source IP address and device. Only available in a Fabric ADOM.
User Vulnerabilities Summary: User vulnerabilities summary.
All Endpoints: All endpoints.
All Endpoints (FortiClient): All endpoints.
Top Endpoint Threats: Top threats from all endpoints.
Top Endpoints Applications: Top applications from all endpoints. Only available in a Fabric ADOM.

System widgets

This dashboard monitors the system performance of the FortiAnalyzer unit running SOC, not the logging devices. It includes the following widgets:

CPU & Memory Usage: The usage status of the CPU and memory.
Multi Core CPU Usage: The usage status of a multi-core CPU.
Insert Rate vs Receive Rate: The number of logs received vs the number of logs actively inserted into the database, including the maximum and minimum rates.
  • Receive rate: how many logs are being received.
  • Insert rate: how many logs are being actively inserted into the database.
  If the insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.
Receive Rate vs Forwarding Rate: The number of logs received vs the number of logs forwarded out, including the maximum and minimum rates.
  • Receive rate: how many logs are being received.
  • Forward rate: how many logs are being forwarded out.
Disk I/O: The disk Transaction Rate (I/Os per second), Throughput (KB/s), or Utilization (%). The Transaction Rate and Throughput graphs also show the maximum and minimum disk activity.
Resource Usage Average: Overview of average resource usage history across all devices.
Resource Usage Peak: Overview of peak resource usage history across all devices.
Admin Logins: Top admin logins from recent traffic.
System Events: Top system events from recent traffic.
Failed Authentication Attempts: Top unauthorized connections from recent traffic.
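The Insert Rate vs Receive Rate widget is the one a SOC watches to know whether FortiAnalyzer is keeping up with its log sources: the lag is the number of received logs still waiting for insertion, and a period where insert rate exceeds receive rate is the database working off that backlog. The following added example (not FortiAnalyzer code) shows how that lag and the widget's max/min rates follow from a series of rate samples. The sample series is constructed, and it assumes each rate holds constant across its sampling interval; the rebuild/falling-behind labels are this example's reading of the widget's description.

```python
"""Derive log backlog (lag) and rate extremes from receive/insert rate samples.

Added example, not FortiAnalyzer code. Models what the Insert Rate vs Receive
Rate widget shows: per-interval receive and insert rates (logs/s), their
maximum and minimum, and the lag, i.e. logs received but not yet inserted.
"""
from dataclasses import dataclass


@dataclass
class RateSample:
    t: int          # seconds since the start of the observation window
    receive: int    # logs/s received from logging devices at this sample
    insert: int     # logs/s being inserted into the database at this sample


# Constructed samples (60 s apart): a log burst overtakes insertion, then the
# database catches up once the inbound rate drops.
CONSTRUCTED_SAMPLES = [
    RateSample(0, 1000, 1000),
    RateSample(60, 1500, 1000),
    RateSample(120, 1500, 1000),
    RateSample(180, 800, 1200),
    RateSample(240, 800, 1200),
    RateSample(300, 800, 800),
]


def analyze(samples, initial_lag=0):
    """Return (per-interval rows, summary) for a sorted list of RateSample.

    Assumption: rates are constant within each interval, so the backlog changes
    by (receive - insert) * interval length, and can never go below zero.
    """
    rows = []
    lag = initial_lag
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        lag = max(0, lag + (prev.receive - prev.insert) * dt)
        if prev.insert > prev.receive:
            state = "rebuilding"        # page: insert > receive means the DB is rebuilding
        elif prev.receive > prev.insert:
            state = "falling behind"    # inbound exceeds insertion, backlog grows
        else:
            state = "steady"
        rows.append({"t": cur.t, "lag": lag, "state": state})
    summary = {
        "receive_max": max(s.receive for s in samples),
        "receive_min": min(s.receive for s in samples),
        "insert_max": max(s.insert for s in samples),
        "insert_min": min(s.insert for s in samples),
        "peak_lag": max((r["lag"] for r in rows), default=initial_lag),
        "final_lag": lag,
    }
    return rows, summary


def seconds_to_drain(lag, receive, insert):
    """Time to clear the backlog at the current rates; None if it is not shrinking."""
    if insert <= receive:
        return None
    return lag / (insert - receive)


if __name__ == "__main__":
    rows, summary = analyze(CONSTRUCTED_SAMPLES)
    for row in rows:
        print(f't={row["t"]:4}s  lag={row["lag"]:6} logs  {row["state"]}')
    print(summary)
```

The backlog peaks at 60,000 logs at the end of the burst and is still 12,000 logs at the end of the window, even though the last sample shows receive and insert rates equal; a widget reading that only compares the two instantaneous rates would miss that the lag has not yet cleared, which is why the lag figure matters alongside the rates.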

Threat Research widgets

Threat Research includes the following widgets:

Worldwide Threat Prevalence – Today (UTC): The top virus, IPS, botnet, and application threats globally today based on UTC. This data is from FortiGuard and not from FortiGate.
Top Virus Incidents Over Time: Local virus incidents in the last one month.

Security Fabric widgets

Security Fabric includes the following widgets:

The information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

Security Fabric Rating Report: A report showing the security rating details of connected Security Fabric devices. Click a milestone to drill down, and hover the cursor over data points to see more details.
Security Fabric Score: The current and historical Security Fabric scores. The Historical Security Fabric Scores pane displays your Security Fabric score over time and how it compares to the industry average and the industry score range. You can hide the Historical Security Fabric Scores pane.
Security Fabric Topology: A topology map showing the logical structure of connected Security Fabric devices.
Best Practices Overview: Overview of the device best practices across the regions of North America, Latin America, EMEA, and APAC.

FortiClient Software widgets

FortiClient Software includes the following widget:

FortiClient Software Inventory: The total number of apps installed, top apps, new apps installed, top apps by installs, and top hosts by number of apps.

Using the Monitors dashboard

SOC Monitors dashboards contain widgets that provide network and security information. Use the controls in the dashboard toolbar to work with a dashboard.

Add Widget: Add widgets to a predefined or custom dashboard. For details, see Customizing the Monitors dashboard.
Dashboard: Create a new dashboard or reset a predefined dashboard to its default settings. For custom dashboards, you can rename or delete the custom dashboard. For details, see Customizing the Monitors dashboard.
  • Create New: Create a new dashboard.
  • Reset: Reset a predefined dashboard to its default widgets and settings.
  • Rename: Rename a custom dashboard.
  • Delete: Delete a custom dashboard.
Devices: Select the devices to include in the widget data. The device list also includes a Security Fabric if one is available. To select a Security Fabric, you need to first create a Security Fabric group in FortiGate and add the Security Fabric group in FortiAnalyzer.
Time Period: Select a time period from the dropdown menu, or set a custom time period.
Refresh: Refresh the data in the widgets.
Background color: Change the background color of the dashboard to make widgets easier to view in different room lighting.
  • Day shows a brighter gray background color.
  • Night shows a black background.
  • Ocean shows a blue background color.
Hide Side-menu or Show Side-menu: Hide or show the tree menu on the left. In a typical SOC environment, the side menu is hidden and dashboards are displayed in full screen mode.

Use the controls in the widget title bar to work with widgets.

Settings icon: Change the settings of the widget. Each widget has settings applicable to that widget, such as how many of the top items to display, Time Period, Refresh Interval, and Chart Type.
View different chart types: Some widget settings let you choose different chart types, such as the Disk I/O and Top Countries widgets. You can add these widgets multiple times and set each widget to show a different chart type.
Hide or show a data type: For widgets that show different data types, click a data type in the title bar to hide or show that data type in the graph. For example, in the Insert Rate vs Receive Rate widget, click Receive Rate or Insert Rate in the title bar to hide or show that data. In the Disk I/O widget, click Read or Write in the title bar to hide or show that data type.
Remove widget icon: Delete the widget from a predefined or custom dashboard.
Move widget: Click and drag a widget’s title bar to move it to another location.
Resize widget: Click and drag the resize button in the bottom-right of the widget.
View more details: Hover the cursor over a widget’s data points to see more details.
View a narrower time period: Some widgets have buttons below the graph. Click and drag the buttons to view a narrower time period.
Zoom in and out: For widgets that show information on a map, such as the Top Threat Destinations widget, use the scroll wheel to change the zoom level. Click and drag the map to view a different area.

Customizing the Monitors dashboard

You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot rename or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click Dashboard > Reset.

You can add the same widget multiple times and configure each one differently, such as showing a different Time Period, Refresh Interval, or Chart Type.

To create a dashboard:

  1. In the toolbar, click Dashboard > Create New.
  2. Specify the Name and whether you want to create a blank dashboard or use a template. If you select From Template, specify which predefined dashboard you want to use as a template.
  3. Click OK. The new dashboard appears in the tree menu.

To display Security Fabric in Monitors:

  1. Create a Security Fabric in FortiGate.
  2. Add the Security Fabric in FortiAnalyzer.
  3. Go to SOC > Monitors > Dashboards.
  4. Select the Fabric State of Security dashboard.
  5. Select the Security Fabric from the Devices

To add a widget:

  1. Select the predefined or custom dashboard where you want to add a widget.
  2. Click Add Widget to expand the menu; then locate the widget you want to add.
  3. Click the + button to add widgets.
  4. When you have finished adding widgets, click the close button to close the Add Widget


This entry was posted in Administration Guides, FortiAnalyzer.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
