This feature may not be available on all platforms. Check your system's product page to confirm that your device supports it.
This example shows how to get an in-depth view of threats across the whole network and analyze the threat evidence.
Forensic Analysis collects an evidence chain for network threats, analyzes it from multiple perspectives, and integrates the results in depth.
- Evidence Collection: By configuring the Forensic Analysis function (packet capture), evidence is collected at the same time the attack is detected.
- Evidence Analysis: Analyze the collected evidence.
- Evidence Presentation: Display the threat details, logs, and evidence pcap via iCenter to visualize the threat.
At present, the system only supports the Forensic Analysis function for three threat detection engines: Advanced Threat Detection, Intrusion Prevention System, and Anti Virus.
Enable packet capture for Anti Virus rules.
Select Object > Antivirus, click New, and select the Enable check box next to Capture Packet to enable the capture function.
Forensic Analysis Configuration Example
The following uses Advanced Threat Detection (ATD) as an example to demonstrate the Forensic Analysis process.
Step 2: Evidence Collection
When an ATD attack occurs, the system generates a relevant threat log and captures evidence, which are sent to the system database.
At the same time, the Advanced Threat Detection engine captures the related pcap keyed on the source IP: the HTTP traffic data (including the TCP interaction) within 5 minutes or up to 64K in size, which is used to assist the analysis.
Step 3: Evidence Analysis
1. Analyze the threat and obtain the threat detail information.
2. Collect the evidence analysis.
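The evidence collection step above describes a capture that is keyed on the attacking source IP and bounded by a 5-minute window or a 64K size limit. The following is an added illustrative model of that bounded capture, written for this page; it is not the vendor's code and makes no claim about how the ATD engine is implemented internally. It assumes a detection event supplies the source IP and a start time, keeps only frames from that source until one of the two limits is hit, and writes the result as a standard pcap file (the format iCenter presents as evidence). The IP addresses, timestamps and frame contents are constructed sample data.

```python
"""Bounded evidence capture modelled on the page's description (illustrative only)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
MAX_BYTES = 64 * 1024        # 64K size limit stated on the page
MAX_SECONDS = 5 * 60         # 5-minute window stated on the page


def pcap_global_header() -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def pcap_record(ts: float, frame: bytes) -> bytes:
    # per-packet header: ts_sec, ts_usec, captured length, original length
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


class EvidenceCapture:
    """Collects frames for one source IP after a detection, bounded by size and time."""

    def __init__(self, source_ip: str, started_at: float):
        self.source_ip = source_ip
        self.started_at = started_at
        self.records = []        # list of (timestamp, frame)
        self.total_bytes = 0
        self.closed = False
        self.close_reason = None  # "time" or "size" once a limit is hit

    def offer(self, ts: float, src_ip: str, frame: bytes) -> bool:
        """Return True if the frame was kept as evidence."""
        if self.closed:
            return False
        if ts - self.started_at > MAX_SECONDS:
            self._close("time")          # window expired, regardless of sender
            return False
        if src_ip != self.source_ip:
            return False                 # evidence is keyed on the detected source IP
        if self.total_bytes + len(frame) > MAX_BYTES:
            self._close("size")          # would exceed the 64K cap
            return False
        self.records.append((ts, frame))
        self.total_bytes += len(frame)
        return True

    def _close(self, reason: str) -> None:
        self.closed = True
        self.close_reason = reason

    def to_pcap(self) -> bytes:
        return pcap_global_header() + b"".join(pcap_record(ts, f) for ts, f in self.records)


def _frame(n_bytes: int) -> bytes:
    # Constructed placeholder frame: 14 zero bytes standing in for an Ethernet header plus filler.
    return b"\x00" * 14 + b"\x41" * (n_bytes - 14)


def demo_size_limit() -> EvidenceCapture:
    """Constructed scenario: one source sends 1500-byte frames until the 64K cap closes the capture."""
    t0 = 1_700_000_000.0
    cap = EvidenceCapture("10.0.0.5", t0)           # constructed source address
    for i in range(50):
        cap.offer(t0 + i * 0.01, "10.0.0.5", _frame(1500))
    return cap


def demo_time_limit() -> EvidenceCapture:
    """Constructed scenario: sparse traffic keeps the capture open until the 5-minute window expires."""
    t0 = 1_700_000_000.0
    cap = EvidenceCapture("10.0.0.5", t0)
    for i in range(7):
        cap.offer(t0 + i * 60, "10.0.0.5", _frame(200))
        cap.offer(t0 + i * 60 + 1, "10.0.0.9", _frame(200))   # another host, not evidence
    return cap


if __name__ == "__main__":
    cap = demo_size_limit()
    with open("evidence_10.0.0.5.pcap", "wb") as fh:   # constructed output file name
        fh.write(cap.to_pcap())
    print(cap.close_reason, len(cap.records), cap.total_bytes)
```

The size demo keeps 43 frames (64500 bytes) and refuses the 44th, which would cross 65536 bytes; the time demo keeps the six frames inside the window and closes on the first frame past 300 seconds. The resulting bytes open in any pcap reader, which is the point of presenting evidence in that format: an analyst can verify the captured TCP/HTTP exchange independently of the detection engine's own log.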