FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
chall_FTNT
Staff
Description
As part of a forensic analysis, it might be necessary to gather data and generate reports for specific users.

This article shows how a user filter can be applied to a report in order to show detailed activity for a specific user.

This article uses the "Bandwidth and Application Report" as its example. Screenshots are taken from FortiAnalyzer 6.4.0.

Solution
Before applying a user filter, a sample "Bandwidth and Application Report" shows many users.

chall_faz64-gen-report-no-userfilter.PNG
 
And the top destinations for all users:

chall_faz64-gen-report-appendix-userfilter-destinations-chart.PNG


Steps to Apply a User Filter

1. Go to Log View. Select Traffic as the log type under FortiGate.
2. Add a filter to confirm that logs exist for a specific user (in this case "USER25").

chall_faz64-logview-adding-userfilter.PNG

chall_faz64-logview-userfilter.PNG

3. Go to Reports > All Reports. Right-click on "Bandwidth and Application Report" and select Edit.
4. Select the Settings tab. Expand the Filters option.
5. Add a Log Field of User (user) with a value matching the user name from step 2 (in this case "USER25").

chall_faz64-report-setting-userfilter-original.PNG

6. Run the report "Bandwidth and Application Report" and click on "HTML" to view the generated report.

chall_faz64-gen-report-with-userfilter.PNG
Observe that:
a. the chart "Top 30 Users by Bandwidth and Sessions" only shows the matched user USER25.
b. the chart "Destinations" only shows destinations for traffic generated by USER25.

chall_faz64-gen-report-appendix-userfilter.PNG
c. the appendix of the report shows which user this report is for.
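
To cross-check the filtered report against raw logs, the following added example (not part of the original article and not Fortinet code) applies the same user filter to exported traffic logs in FortiGate key=value format and totals bandwidth per destination. The sample log lines are constructed; matching the user name case-insensitively and counting each log line as one session are assumptions of this script.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style (not real data).
SAMPLE_LOGS = '''\
date=2020-06-01 time=10:00:01 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 app="HTTPS.BROWSER" sentbyte=1200 rcvdbyte=8800
date=2020-06-01 time=10:00:05 type="traffic" subtype="forward" user="USER07" srcip=10.0.0.7 dstip=203.0.113.10 app="DNS" sentbyte=90 rcvdbyte=210
date=2020-06-01 time=10:01:12 type="traffic" subtype="forward" user="user25" srcip=10.0.0.25 dstip=198.51.100.4 app="SSH" sentbyte=500 rcvdbyte=300
date=2020-06-01 time=10:02:40 type="traffic" subtype="forward" srcip=10.0.0.99 dstip=198.51.100.4 app="HTTP.BROWSER" sentbyte=70 rcvdbyte=40
date=2020-06-01 time=10:03:00 type="event" subtype="user" user="USER25" msg="auth success"
date=2020-06-01 time=10:04:09 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 app="HTTPS.BROWSER" sentbyte=300 rcvdbyte=700
'''

# A field is key=value; the value is either a quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return one log line as a dict of field name -> string value."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def destinations_for_user(log_text, user):
    """Total sessions and bytes per destination for one user's traffic logs."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue  # skip event logs and other non-traffic records
        # Assumption: compare user names case-insensitively; logs without a user never match.
        if rec.get("user", "").lower() != user.lower():
            continue
        entry = totals[rec.get("dstip", "unknown")]
        entry["sessions"] += 1  # assumption: one log line counts as one session
        entry["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
    # Highest bandwidth first, like the report's destination chart
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for dstip, stats in destinations_for_user(SAMPLE_LOGS, "USER25"):
        print(f"{dstip:<16} sessions={stats['sessions']:<3} bytes={stats['bytes']}")
```

If the totals from the raw logs and the report's "Destinations" chart disagree for the same time range, check that the report filter value matches the user field exactly as it appears in Log View.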
