Attack View

The INCIDENTS Attack View maps security incidents detected by FortiSIEM into the attack categories (tactics) defined by MITRE Corporation (MITRE ATT&CK). Go to INCIDENT > Attack to see this view. Attack can be set as the default view by selecting User Profile > UI Settings, then choosing Incidents from the Home drop-down list and Attack from the Incident Home drop-down list.

The following table briefly describes the attack categories. See https://attack.mitre.org/matrices/enterprise/ for more detailed information.

Category                Description
Initial Access          The adversary is trying to get into your network.
Execution               The adversary is trying to run malicious code.
Persistence             The adversary is trying to maintain their foothold.
Privilege Escalation    The adversary is trying to gain higher-level permissions.
Defense Evasion         The adversary is trying to avoid being detected.
Credential Access       The adversary is trying to steal account names and passwords.
Discovery               The adversary is trying to figure out your environment.
Lateral Movement        The adversary is trying to move through your environment.
Collection              The adversary is trying to gather data of interest to their goal.
Command and Control     The adversary is trying to communicate with compromised systems to control them.
Exfiltration            The adversary is trying to steal data.
Impact                  The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Using the Attack View

To open the Incident Attack View, click the Attack icon on the INCIDENTS tab. The table at the top of the Incident Attack View displays the devices experiencing the security incidents and the MITRE ATT&CK categories into which the incidents fall. The circles in the table indicate:

  • Number - The number in the middle of the circle indicates the number of incidents in that category. Click the number to get more detail on the incidents. See Getting Detailed Information on an Incident.
  • Size - The size of the circle is relative to the number of incidents.
  • Color - The color of the circle indicates the severity of the incident: Red=HIGH severity, Yellow=MEDIUM severity, and Green=LOW severity.

Filtering in the Incident Attack View

You can filter the incident data by attack category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Subcategory drop-down list allows you to filter on one or more of the attack categories. You can also display All of the categories.
  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
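The following script is an added example, not FortiSIEM code: it rebuilds the device-by-category table described above (incident count per circle, colour from severity) from a constructed incident list and applies the three filters (Subcategory, Status, relative Time Range). The incident records and the rule that a circle with mixed severities takes the colour of its highest severity are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample incidents, not FortiSIEM output; the fields are the ones the
# Attack View needs: device, ATT&CK category, severity label, status and time.
INCIDENTS = [
    {"device": "web-01", "category": "Initial Access",    "severity": "MEDIUM", "status": "Active",  "time": datetime(2024, 5, 1, 11, 30)},
    {"device": "web-01", "category": "Initial Access",    "severity": "HIGH",   "status": "Active",  "time": datetime(2024, 5, 1, 11, 45)},
    {"device": "web-01", "category": "Execution",         "severity": "LOW",    "status": "Cleared", "time": datetime(2024, 5, 1, 9, 30)},
    {"device": "db-02",  "category": "Credential Access", "severity": "HIGH",   "status": "Active",  "time": datetime(2024, 5, 1, 8, 0)},
    {"device": "db-02",  "category": "Exfiltration",      "severity": "MEDIUM", "status": "Active",  "time": datetime(2024, 5, 1, 11, 50)},
]

# Circle colour per severity, as documented for the view.
COLOR = {"HIGH": "Red", "MEDIUM": "Yellow", "LOW": "Green"}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
UNIT = {"Minutes": "minutes", "Hours": "hours", "Days": "days"}


def relative_range(now, value, unit):
    """Relative time range as in the Time Range dialog: the last <value> Minutes/Hours/Days."""
    return now - timedelta(**{UNIT[unit]: value}), now


def filter_incidents(incidents, categories=None, statuses=None, time_range=None):
    """Apply the Subcategory, Status and Time Range filters. None means 'All'."""
    out = []
    for inc in incidents:
        if categories and inc["category"] not in categories:
            continue
        if statuses and inc["status"] not in statuses:
            continue
        if time_range and not (time_range[0] <= inc["time"] <= time_range[1]):
            continue
        out.append(inc)
    return out


def attack_matrix(incidents):
    """Build the device x category table: incident count and circle colour per cell.
    Assumption: a cell with mixed severities takes the colour of its highest severity."""
    cells = {}
    for inc in incidents:
        cell = cells.setdefault((inc["device"], inc["category"]), {"count": 0, "severity": "LOW"})
        cell["count"] += 1
        if RANK[inc["severity"]] > RANK[cell["severity"]]:
            cell["severity"] = inc["severity"]
    return {k: {"count": v["count"], "color": COLOR[v["severity"]]} for k, v in cells.items()}


if __name__ == "__main__":
    # Active incidents from the last 2 Hours, relative to a fixed "now" for reproducibility.
    window = relative_range(datetime(2024, 5, 1, 12, 0), 2, "Hours")
    for (device, category), cell in attack_matrix(filter_incidents(INCIDENTS, statuses={"Active"}, time_range=window)).items():
        print(f"{device:8} {category:18} {cell['count']:>2} {cell['color']}")
```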

Getting Detailed Information on an Incident

The lower pane of the Incident Attack View provides a table with more detailed information about a security incident. You can populate the table in any of these ways:

  • Click a device to see all of the incidents associated with the device.
  • Open the Subcategory drop-down list and choose one of the attack categories. All of the incidents associated with the selected category or categories are displayed. You can also choose to display All of the categories.
  • Click the heading in the table of the attack category you are interested in (for example, Execution, Persistence, Collection, and so on). All of the incidents associated with the selected category are displayed.
  • Click the number in the middle of the circle. All of the incidents associated with the selected device and category are displayed.
  • Click an incident and all of the actions in the Action drop-down list that you can perform on the event become available. See Acting on Incidents.

For more information on the column headings that appear in the lower pane of the Attack View, see Viewing Incidents.

Displaying Triggering Events for an Incident

Click an incident in the lower table to display its triggering events. Another pane opens below the Incident table. It displays information related to the event that triggered the incident, such as Host Name, Host IP, and so on.