chall_FTNT
Staff
May 20, 2020

Technical Tip: How to Apply a User Filter to a Report for Forensic Analysis


Description

 
This article describes the steps needed to gather data and generate reports for specific users for forensic analysis.

 

Scope

 

FortiAnalyzer


Solution

 

This article uses 'Bandwidth and Application Report' as an example. Before applying a user filter, a sample 'Bandwidth and Application Report' shows many users.
 
chall_faz64-gen-report-no-userfilter.PNG
 
And the top destinations for all users:

chall_faz64-gen-report-appendix-userfilter-destinations-chart.PNG

 

Steps to Apply a User Filter

Go to Log View. Select Traffic as the log type under FortiGate and add a filter to confirm that logs exist for the specific user (in this case, 'USER25').
 
chall_faz64-logview-adding-userfilter.PNG
 
chall_faz64-logview-userfilter.PNG
 
Go to Reports -> All Reports, right-click 'Bandwidth and Application Report', select Edit, then select the Settings tab. Expand the Filters option and add a Log Field of User (user) with a value matching the user name confirmed in Log View (in this case, 'USER25').
 
chall_faz64-report-setting-userfilter-original.PNG
 
Run the 'Bandwidth and Application Report' and select 'HTML' to view the generated report.
 
chall_faz64-gen-report-with-userfilter.PNG
 
 
  • The chart 'Top 30 Users by Bandwidth and Sessions' only shows the matched user USER25.
  • The chart 'Destinations' only shows destinations for traffic generated by USER25.
 
chall_faz64-gen-report-appendix-userfilter.PNG
 
  • The appendix of the report shows which user the report was generated for.
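
To cross-check the filtered report against the raw logs, the same user filter can be applied offline to traffic logs exported from Log View. The following is an added example, not part of the original article or Fortinet's own tooling. It assumes the export is plain text in FortiGate key=value format with the `user`, `dstip`, `sentbyte` and `rcvdbyte` fields, and that bandwidth is counted as sent plus received bytes; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style (not from the article).
SAMPLE_LOGS = """\
date=2020-05-20 time=10:01:02 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 sentbyte=1200 rcvdbyte=8800
date=2020-05-20 time=10:01:05 type="traffic" subtype="forward" user="USER07" srcip=10.0.0.7 dstip=203.0.113.10 sentbyte=500 rcvdbyte=700
date=2020-05-20 time=10:02:11 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=198.51.100.4 sentbyte=300 rcvdbyte=400
date=2020-05-20 time=10:03:40 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 sentbyte=100 rcvdbyte=900
date=2020-05-20 time=10:04:00 type="traffic" subtype="local" srcip=10.0.0.1 dstip=10.0.0.254 sentbyte=60 rcvdbyte=60
"""

# Matches key=value and key="quoted value" pairs.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of field name -> string value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def destinations_for_user(log_text, user):
    """Return (matching_log_count, [(dstip, total_bytes, log_entries), ...]).

    Only traffic logs whose 'user' field equals `user` exactly are counted;
    logs with no user field (e.g. unauthenticated traffic) are skipped.
    """
    totals = defaultdict(lambda: [0, 0])  # dstip -> [bytes, log entries]
    matched = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("user") != user:
            continue
        matched += 1
        entry = totals[rec.get("dstip", "unknown")]
        entry[0] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        entry[1] += 1
    ranked = sorted(((d, b, n) for d, (b, n) in totals.items()),
                    key=lambda row: row[1], reverse=True)
    return matched, ranked


if __name__ == "__main__":
    count, rows = destinations_for_user(SAMPLE_LOGS, "USER25")
    print(f"{count} traffic logs for USER25")
    for dstip, total_bytes, entries in rows:
        print(f"{dstip:<16} {total_bytes:>8} bytes  {entries} log entries")
```

A match count of zero means the user name does not appear in the exported logs in that exact form, which is the same condition the Log View check is meant to catch before the report is run.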
 