Monitor Attacks
Administrators can monitor attacks in two ways:
To monitor attacks using Incident pages:
- Incident > Analysis lists incidents and related events detected by FortiDeceptor.
- Incident > Campaign lists attacks and related events detected by FortiDeceptor.
- Incident > Attack Map shows attacks and related events detected by FortiDeceptor.
To monitor attacks using Dashboard widgets:
- Use the Dashboard Incidents & Events Distribution widget (see Incidents and Events Distribution).
- Use the Dashboard Incidents & Events Count widget.
Analysis
Incident > Analysis lists the Incidents detected by FortiDeceptor.
To use the Analysis page:
- Go to Incident > Analysis.
- The Analysis page displays the list of events with the following columns:

Column | Description
--- | ---
Severity | Severity of the event.
Last Activity | Date and time of the last activity.
Type | Type of event.
Attacker IP | Attacker IP mask.
Attacker User | Attacker username.
Victim IP | IP address of the victim.
Victim Port | Port of the victim.
Lure | Name of the lure service.
Decoy ID | Unique ID of the Decoy VM.
ID | ID of the incident.
Attacker Port | Port where the attack originated.
Tag Key | Unique key string for the incident.
Attacker Password | Password used by the attacker.
Start | Date and time when the attack started.
- To refresh the data, click Refresh.
- To download the detailed analysis report in PDF format, click Export to PDF.
- To mark items as read, expand the incident details or click Mark all as read. Newly detected incidents are shown in bold to indicate they are unread.
- To display specific types of events, click Show All, IPS Events Only, or Web Filter Events Only.
- To specify columns and table settings, use the Settings icon at the bottom right.
Campaign
Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.
To use the Campaign page:
- Go to Incident > Campaign.
- The Campaign page displays the list of attacks with the following columns:

Column | Description
--- | ---
Severity | Severity of the event.
Start | Date and time when the attack started.
Last Activity | Date and time of the last activity.
Attacker IP | IP mask of the attacker.
ID | ID of the campaign record.
Timeline | Click Timeline to see the timeline of the Attack from start to finish.
Table | Click Table to see all the Events in table view.
- To refresh the data, click Refresh.
- To export the data, click Export to PDF.
- To specify columns and table settings, use the Settings icon at the bottom right.
Attack Map
Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.
To work with the Attack Map:
- Go to Incident > Attack Map.
- To change the display, drag items to another location.
- Scroll to zoom in or out.
- Click a node to see its information.
- At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
- Click Click to begin filtering to select a filter type and enter its values. Filter types include Attacker IP, Victim IP, and Decoy IP.
  You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are combined as "AND" conditions.
- To locate a node on the map, use LOCATE BY IP.
- To save a snapshot of the map, click Save view.
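The Attack Map filter semantics described above (every filter argument and the time window combined as AND conditions), worked through as an added example that is not part of the FortiDeceptor documentation or product code. The incident records are constructed here with field names taken from the Incident > Analysis columns; the `decoy_ip` field and the overlap rule used for the timeline window are assumptions, since the page does not state how the timeline indicator matches an incident's activity interval.

```python
from datetime import datetime

# Constructed sample incidents (not real FortiDeceptor data). Field names follow
# the Incident > Analysis columns; "decoy_ip" is an assumed field, because the
# Attack Map filters by Decoy IP while the Analysis table shows Decoy ID.
INCIDENTS = [
    {"id": 1, "attacker_ip": "10.0.0.5", "victim_ip": "192.168.1.20",
     "decoy_ip": "192.168.1.20",
     "start": "2024-03-01 09:00:00", "last_activity": "2024-03-01 09:05:00"},
    {"id": 2, "attacker_ip": "10.0.0.5", "victim_ip": "192.168.1.21",
     "decoy_ip": "192.168.1.21",
     "start": "2024-03-01 10:00:00", "last_activity": "2024-03-01 10:30:00"},
    {"id": 3, "attacker_ip": "10.0.0.7", "victim_ip": "192.168.1.20",
     "decoy_ip": "192.168.1.20",
     "start": "2024-03-02 08:00:00", "last_activity": "2024-03-02 08:10:00"},
]

# The three filter types the Attack Map offers.
FILTER_TYPES = {"attacker_ip", "victim_ip", "decoy_ip"}


def _ts(value):
    """Parse the timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def filter_attack_map(incidents, filters=(), start=None, end=None):
    """Return the IDs of incidents matching every filter argument AND the time window.

    filters: iterable of (filter_type, value) pairs, e.g. ("attacker_ip", "10.0.0.5").
    Because all arguments are AND conditions, two different values of the same
    filter type can never both match one incident, so the result is empty.
    start/end: optional "YYYY-MM-DD HH:MM:SS" bounds; an incident is kept when its
    [start, last_activity] interval overlaps the window (assumed rule).
    """
    for ftype, _ in filters:
        if ftype not in FILTER_TYPES:
            raise ValueError(f"unknown filter type: {ftype}")
    lo = _ts(start) if start else None
    hi = _ts(end) if end else None

    matched = []
    for inc in incidents:
        # Every filter argument must hold (AND semantics).
        if any(inc[ftype] != value for ftype, value in filters):
            continue
        # The timeline indicator is ANDed with the filters as well.
        if lo is not None and _ts(inc["last_activity"]) < lo:
            continue
        if hi is not None and _ts(inc["start"]) > hi:
            continue
        matched.append(inc["id"])
    return matched


if __name__ == "__main__":
    print(filter_attack_map(INCIDENTS, [("attacker_ip", "10.0.0.5")]))
    print(filter_attack_map(INCIDENTS, [("attacker_ip", "10.0.0.5"),
                                        ("victim_ip", "192.168.1.20")]))
    print(filter_attack_map(INCIDENTS, start="2024-03-01 10:15:00",
                            end="2024-03-02 08:05:00"))
```

Narrowing the map this way is the usual first step when triaging a decoy hit: pin the attacker IP, then add the victim or decoy IP and a tight time window to isolate one lateral-movement attempt from the rest of the campaign.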
Incidents and Events Distribution
This dashboard widget displays the number of incidents and events with the following risk level information and options.
Risk level | Description
--- | ---
Unknown | Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk | Incident or Event where the risk level is low. Entries are in green.
Medium Risk | Incident or Event where the risk level is medium. Entries are in yellow.
High Risk | Incident or Event where the risk level is high. Entries are in orange.
Critical | Incident or Event where the risk level is critical. Entries are in red.
Hover over the pie chart to see the number of Incidents or Events and their percentage.
To customize this widget:
- Click the edit icon to make the following changes:
  - Enter a Customized Widget Title.
  - Change the Refresh Interval.
  - Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.
Incidents and Events Count
This dashboard widget displays the number of Incidents and Events.
Item | Description
--- | ---
Event | Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents | Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date | The time or date the Incident or Event occurred.
To customize this widget:
- Click the edit icon to make the following changes:
  - Enter a Customized Widget Title.
  - Change the Refresh Interval.
  - Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.
Top 10 Attackers by Events
This dashboard widget displays the top ten attackers by the number of events.
Item | Description
--- | ---
IP Address | IP address of the attacker.
Number of Events | Hover over an IP address to see the total number of Events.
Top 10 Attackers by Incidents
This dashboard widget displays the top ten attackers by the number of incidents.
Item | Description
--- | ---
IP Address | IP address of the attacker.
Number of Incidents | Hover over an IP address to see the total number of Incidents.
Top 10 IPS Attacks
This widget displays the top 10 IPS attacks by the number of attack events.
Item | Description
--- | ---
IPS attack name | Name of the IPS attack.
Number of attack events | Hover over an IPS attack name to see the total number of attack events.
Incidents Distribution by Service
This dashboard widget displays the number of Incidents by service with the following information and options.
Service | Description
--- | ---
SSH | Number of incidents occurring on the SSH service, with the percentage on a pie chart.
SAMBA | Number of incidents occurring on the SAMBA service, with the percentage on a pie chart.
SMB | Number of incidents occurring on the SMB service, with the percentage on a pie chart.
RDP | Number of incidents occurring on the RDP service, with the percentage on a pie chart.
HTTP | Number of incidents occurring on the HTTP service, with the percentage on a pie chart.
FTP | Number of incidents occurring on the FTP service, with the percentage on a pie chart.
TFTP | Number of incidents occurring on the TFTP service, with the percentage on a pie chart.
SNMP | Number of incidents occurring on the SNMP service, with the percentage on a pie chart.
MODBUS | Number of incidents occurring on the MODBUS service, with the percentage on a pie chart.
S7COMM | Number of incidents occurring on the S7COMM service, with the percentage on a pie chart.
BACNET | Number of incidents occurring on the BACNET service, with the percentage on a pie chart.
IPMI | Number of incidents occurring on the IPMI service, with the percentage on a pie chart.
TRICONEX | Number of incidents occurring on the TRICONEX service, with the percentage on a pie chart.
GUARDIAN-AST | Number of incidents occurring on the GUARDIAN-AST service, with the percentage on a pie chart.
IEC104 | Number of incidents occurring on the IEC104 service, with the percentage on a pie chart.
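The three dashboard aggregations described above (Incidents and Events Distribution by risk level with its colour mapping, Top 10 Attackers by Incidents, and Incidents Distribution by Service with percentages), reproduced over a constructed incident list as an added example that is not part of the FortiDeceptor documentation or product code. Field names follow the Incident > Analysis columns; the Lure column is taken as the service, and the records are constructed, not exported from a real appliance.

```python
from collections import Counter

# Constructed sample incidents (not real FortiDeceptor data). Field names follow
# the Incident > Analysis columns: Severity, Attacker IP and Lure (the service).
INCIDENTS = [
    {"id": 1, "severity": "Critical", "attacker_ip": "10.0.0.5", "lure": "SSH"},
    {"id": 2, "severity": "High",     "attacker_ip": "10.0.0.5", "lure": "SSH"},
    {"id": 3, "severity": "Medium",   "attacker_ip": "10.0.0.7", "lure": "RDP"},
    {"id": 4, "severity": "Low",      "attacker_ip": "10.0.0.9", "lure": "SMB"},
    {"id": 5, "severity": "High",     "attacker_ip": "10.0.0.5", "lure": "HTTP"},
    {"id": 6, "severity": "Unknown",  "attacker_ip": "10.0.0.7", "lure": "SSH"},
]

# Colour mapping stated for the Incidents and Events Distribution widget.
RISK_COLORS = {
    "Unknown": "grey",
    "Low": "green",
    "Medium": "yellow",
    "High": "orange",
    "Critical": "red",
}


def distribution(incidents, field):
    """Count incidents per distinct value of `field` and add the pie-chart percentage.

    Returns {value: (count, percent)} with percent rounded to one decimal.
    """
    counts = Counter(inc[field] for inc in incidents)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {value: (n, round(100.0 * n / total, 1)) for value, n in counts.items()}


def risk_distribution(incidents):
    """Incidents and Events Distribution: per risk level, (count, percent, colour)."""
    return {
        level: (n, pct, RISK_COLORS.get(level, "grey"))
        for level, (n, pct) in distribution(incidents, "severity").items()
    }


def top_attackers(incidents, limit=10):
    """Top 10 Attackers by Incidents: (attacker_ip, incident count), highest first."""
    return Counter(inc["attacker_ip"] for inc in incidents).most_common(limit)


def service_distribution(incidents):
    """Incidents Distribution by Service, keyed by the Lure (service) name."""
    return distribution(incidents, "lure")


if __name__ == "__main__":
    print(risk_distribution(INCIDENTS))
    print(top_attackers(INCIDENTS))
    print(service_distribution(INCIDENTS))
```

Recomputing these counts from an incident export is a quick way to sanity-check a dashboard reading, for example that a spike on the SSH slice of the service pie corresponds to a single attacker IP at the top of the attacker list rather than to many sources.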
Global Attacker Distribution
This widget displays the number of Attackers by country on a global map.