Description
This article describes the steps necessary to gather data and generate reports for specific users for forensic analysis.
Scope
FortiAnalyzer
Solution
This article uses 'Bandwidth and Application Report' as an example. Before applying a user filter, a sample 'Bandwidth and Application Report' shows many users.
And the top destinations for all users:
Steps to Apply a User Filter
Go to Logview. Select Traffic for log type under FortiGate and add a filter to confirm that logs exist for a specific user (in this case 'USER25').
Go to Reports -> All Reports, 'right-click' on 'Bandwidth and Application Report', select Edit, select the Settings Tab. Expand the Filters option and add a Log Field of User (user) with value matching the user name from step 2 (in this case, 'USER25').
Run the Report 'Bandwidth and Application Report' and select 'HTML' to view the generated report.
- The chart 'Top 30 Users by Bandwidth and Sessions' only shows the matched user USER25.
- The chart 'Destinations' only shows destinations for traffic generated by USER25.
- The appendix of the report shows which user the report was generated for.
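For forensic work it helps to cross-check the filtered report against the raw logs. The following is an added example, not part of the original article or any Fortinet tooling: it applies the same user filter to traffic logs exported as raw key=value text and totals bytes per destination. The sample lines are constructed, and case-insensitive matching is a choice made by this script, not a statement about how FortiAnalyzer matches the filter value.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style (not real data).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 sentbyte=1200 rcvdbyte=8800
date=2024-05-01 time=10:00:05 type="traffic" subtype="forward" user="USER07" srcip=10.0.0.7 dstip=203.0.113.10 sentbyte=500 rcvdbyte=500
date=2024-05-01 time=10:01:12 type="traffic" subtype="forward" user="user25" srcip=10.0.0.25 dstip=198.51.100.4 sentbyte=300 rcvdbyte=700
date=2024-05-01 time=10:02:40 type="traffic" subtype="forward" user="USER25" srcip=10.0.0.25 dstip=203.0.113.10 sentbyte=1000 rcvdbyte=4000
date=2024-05-01 time=10:03:00 type="traffic" subtype="forward" user="USER250" srcip=10.0.0.250 dstip=192.0.2.9 sentbyte=9999 rcvdbyte=9999
date=2024-05-01 time=10:03:30 type="traffic" subtype="forward" srcip=10.0.0.25 dstip=192.0.2.9 sentbyte=50 rcvdbyte=50
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def user_destinations(log_text, user, case_sensitive=False):
    """Return (rows, unattributed) for one user.

    rows: (dstip, records, bytes) tuples sorted by bytes, largest first.
    unattributed: traffic records with no user field that came from a source
    IP the user was seen on; the user filter never shows these.
    """
    norm = (lambda s: s) if case_sensitive else str.lower
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records = [r for r in records if r.get("type") == "traffic"]
    totals = defaultdict(lambda: [0, 0])  # dstip -> [records, bytes]
    user_ips = set()
    for r in records:
        # Exact match on the whole value, so USER250 is not counted as USER25.
        if "user" in r and norm(r["user"]) == norm(user):
            entry = totals[r.get("dstip", "unknown")]
            entry[0] += 1
            entry[1] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
            if r.get("srcip"):
                user_ips.add(r["srcip"])
    unattributed = sum(1 for r in records
                       if not r.get("user") and r.get("srcip") in user_ips)
    rows = sorted(((d, n, b) for d, (n, b) in totals.items()), key=lambda x: -x[2])
    return rows, unattributed

if __name__ == "__main__":
    rows, unattributed = user_destinations(SAMPLE_LOGS, "USER25")
    for dstip, count, total in rows:
        print(f"{dstip:15} records={count} bytes={total}")
    print(f"records from the same source IP with no user field: {unattributed}")
```

A non-zero unattributed count means the user-filtered report understates activity from that host, so a source-IP filter over the same time range is worth running as well.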