FortiRecon 23.1 User - Guide

User Guide
FortiRecon 23.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
February 01, 2023

FortiRecon 23.1 User Guide
75-231-874198-20230201
TABLE OF CONTENTS
Change Log 7
Introduction 8
Requirements 8
Acceptable FortiRecon use cases 9
Licensing 9
Getting started 10
Registering the FortiRecon license 10
Subscribing to FortiRecon 11
Accessing FortiRecon portal 14
EASM 15
Dashboard 15
Viewing discovered assets summary 16
Viewing security issues summary 16
Viewing a map of assets 17
Downloading the EASM dashboard details 18
Asset Discovery 18
Viewing asset details 19
Marking assets as false positives 21
Adding assets manually 21
Removing assets manually 22
Assigning tags 22
Security Issues 23
Viewing security issues 24
Filtering security issues 25
Changing the status of security issues 27
Adding a comment to a security issue 27
Asset Management 28
Creating a tag 28
Adding assets to a tag 29
Managing tags 30
Creating a group 31
Adding assets to a group 31
Managing groups 32
Filtering by group 33
Leaked Credentials 34
Viewing leaked credentials by year 34
Viewing breached datasets 34
Viewing leaked credential details 35
Exporting leaked accounts 36
Integrations 36
Adding integrations 36
Editing integrations 37
FortiRecon 23.1 User Guide 3

Fortinet Inc.
Brand Protection 39
Dashboard 39
Viewing typo-squatting domains summary 40
Viewing total alerts summary 40
Viewing rogue apps summary 41
Viewing takedown status summary 41
Viewing phishing summary 42
Alerts 42
Viewing flash reports 42
Filtering reports 43
Downloading reports 43
Sharing reports 45
Rating reports 46
Reviewing reports 46
Domains Typo-squatting 47
Viewing domain information 47
Filtering fraudulent domains 47
Taking down fraudulent domains 48
Stopping domain monitoring 49
Exporting domains 49
Phishing 50
Digital watermark 50
Exporting phishing results 52
Exporting phished users 53
Adding comments to compromised users 53
Rogue Mobile Apps 54
Viewing rogue applications 54
Filtering rogue applications 55
Assigning application status 55
Taking down rogue apps 56
Exporting rogue applications 56
Take Down 57
Filtering takedown requests 57
Adversary Centric Intelligence 59
Dashboard 59
Changing the dashboard date range 60
Viewing risk exposure summary 60
Viewing global threat report summary 61
Reports 63
Viewing reports 63
Filtering reports 65
Downloading reports and observables 66
Sharing reports 67
Exporting observables 68
Card Fraud 69
Viewing leaked card information 69
Filtering leaked card information 70
Exporting a list of leaked cards 70

Fortinet Inc.
Stealer Infections 71
Viewing stealer infection information 71
Filtering stealer infection information 72
Exporting market place data 73
Hiding affiliated domains 74
Unsubscribing from affiliated domain notifications 74
OSINT Cyber Threats 75
Reviewing threats 75
Pinning events 76
Subscribing to event notifications 77
Adding subscriptions 78
Vulnerability Intelligence 79
Vulnerability exposure 79
Global notable vulnerabilities 81
Viewing and filtering CVE reports 81
Exporting CVEs 83
Manually adding CVEs 83
Ransomware Intelligence 83
Viewing ransomware intelligence 84
Filtering ransomware intelligence 85
Exporting ransomware information 86
Managing My Watchlist 87
Vendor Risk Assessment 88
Adding a new vendor to the watchlist 89
Viewing the vendor risk assessment 89
Investigation 92
Reviewing IP address reputation 92
Reviewing domain reputation 93
Reviewing a file hash 93
Reviewing a CVE 93
Profile settings 94
Accessing profile settings 94
Changing the color theme 95
Profile 96
Editing user information 96
Opting in to daily digest reports 96
Opting out of daily digest reports 97
Viewing subscription details 97
Sharing the API key 98
Receiving custom email alerts 98
Users 99
Viewing user accounts 99
Adding users 100
Editing users 100
Deleting users 101
Access templates 101
Viewing access templates 102
Adding a template 102

Fortinet Inc.
Editing a template 103
Change password 103
Downloads 104
Viewing downloads 104
Retrieving downloads 104
Deleting downloads 105
Integrations 105
Viewing integration details 105
Adding integrations 106
Editing integrations 107
Disabling integrations 107
Deleting and disabling integrations 107
Seeds 108
Viewing your assets 108
Downloading a sample data file 109
Uploading a data file 109
Exporting global masters 110
Domains 110
Card BIN 112
Owned mobile applications 114

Fortinet Inc.
Change Log
Date Change Description
2023-01-12 Initial release.
2023-01-18 Updated Adding a comment to a security issue on page 27.
2023-02-01 Added Acceptable FortiRecon use cases on page 9.

Fortinet Inc.
Introduction
FortiRecon is a Digital Risk Protection (DRP) service that operates alongside existing security solutions to provide you
with the visibility that an adversary can have of your infrastructure. This early warning of any malicious activity targeted at
your organization enables swift detection and mitigation. Operating purely from outside the organizational boundary, the
service maps an organization’s digital footprint and monitors it for abnormal activity. The service gives organizations the
intelligence to mitigate credible security threats in a controlled manner as part of ongoing security efforts.
FortiRecon scans the organization's attack surface and identifies risks to assets while FortiGuard Threat Intelligence
delivers early warning of risks to the organization through targeted, curated intelligence to provide an early warning of
any malicious activity targeted to the organization.
The FortiRecon portal includes the following modules:
EASM The External Attack Surface Management (EASM) module provides an

adversary’s view of the organization digital attack surface and prioritizes risks and
exposures, enabling administrators to mitigate threats in a controlled manner
before the threats become a problem. See EASM on page 15.
Brand Protection The Brand Protection module continually monitors the organization’s public-
facing visibility for unauthorized changes, including web-based phishing attacks,
typo-squatting, rogue applications, credential leaks, and brand impersonation in
social media, which may impact brand value, integrity, and trust. See Brand
Protection on page 39.
ACI The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat
Analysts to provide comprehensive coverage of dark web, open source, and
technical threat intelligence, including threat actor insights. This information
enables administrators to proactively assess risks, respond faster to incidents,
better understand their attackers, and protect assets. See Adversary Centric
Intelligence on page 59.
Profile Settings The Profile Settings module allows you to personalize your FortiRecon account
and provide information on your organization. See Profile settings on page 94.
FortiRecon APIs are available on the Fortinet Developer Network (FNDN). You must first
register an account on FNDN to gain access.
Requirements
A FortiCloud account is required to access the FortiRecon portal. The FortiRecon Admin for your organization also
needs to create an account within FortiRecon. If either of these accounts is not created, you will not be able to log in to
the FortiRecon portal. See the FortiCloud New Account Onboarding document and Getting started on page 10 for more
information on registering your accounts.

Fortinet Inc.
Introduction
If you need to create a support ticket, the FortiCloud account must be linked to your entitled
license. There are two methods to link the FortiCloud account to your license:
l The account owner must create sub user accounts for all of the users in your
organization. See User permissions in the FortiCloud Asset Management Administration

Guide.
l Contact FortiCare support to request that your account be linked to the license in your
organization. See Creating support tickets in the FortiCloud Asset Management
Administration Guide.
Acceptable FortiRecon use cases
When using FortiRecon, there are certain acceptable use case requirements that must be followed to properly leverage
FortiRecon's capabilities. FortiRecon use case requirements include the following:
l The FortiRecon solution must only be used for the licensed entity and its brands. See Requirements on page 8 and
Licensing on page 9.
l Domains that are added for scanning and monitoring must be owned by the licensed entity.
l The licensed entity may not add the domains and apps of its customers, partners, or vendors to Profile Settings >
Seeds or the EASM module for monitoring. However, up to 25 of these assets may be added for vendor monitoring
in the Adversary Centric Intelligence module. See Vendor Risk Assessment on page 88.
l Bank identification numbers (BINs) should only be added for the licensed entity and brand. See Card Fraud on page
69.
Customer monitoring
Organizations, such as MSSPs, that want to set up monitoring for their customers can reach out to our account and sales
team for suitable options.
Licensing
FortiRecon requires a license. You can choose to purchase a license for one, two, or all three of the following FortiRecon
modules:
l External Attack Surface Management (EASM)
l Brand Protection (BP)
l Adversary Centric Intelligence (ACI)
In addition to the desired modules, the license also indicates the maximum number of assets to be monitored by
FortiRecon.
For details about the different modules and solution bundles, see the FortiRecon data sheet.

Fortinet Inc.
Getting started
This section explains how to get started with FortiRecon.

When you first start with FortiRecon, you can:
l Register your FortiRecon license. See Registering the FortiRecon license on page 10.
l Subscribe to FortiRecon and start the service. See Subscribing to FortiRecon on page 11.
Registering the FortiRecon license
You must purchase and register a FortiRecon license before you can subscribe to FortiRecon. After you purchase the
license, register the license using FortiCloud Account Services. For more information about registering products on
FortiCloud, see the FortiCloud Account Services > Registering products documentation.

Fortinet Inc.
Subscribing to FortiRecon
This section describes how to subscribe to FortiRecon and start the service. Before you can subscribe to FortiRecon,
you must register the license. See Registering the FortiRecon license on page 10.
To subscribe to FortiRecon:
1. After the license is registered on FortiCloud, go to FortiRecon at https://fortirecon.forticloud.com.
2. Click Login. The FortiCloud login page is displayed.
3. Enter your FortiCloud credentials.

After you log in to FortiRecon for the first time, the FortiRecon Provisioning Form is displayed.

Fortinet Inc.
4. Enter your contact information in the Technical Implementation Lead fields.
Fields marked with a red asterisks are required information. Other fields are considered
optional although it is suggested that you complete all of the fields provided to receive the
most accurate service.
5. Enter the email addresses of members of your organization in the Other Authorized Contacts and Service
Notification Contacts fields.
6. Enter the contact information of the billing contact in the Billing Contact fields.
7. Select the Company Information and External Attack Surface Management dropdowns. New information fields are
displayed.
8. Enter your organization's information in the Company Information fields.

9. Enter your organization's assets IP address and domain information in the External Attack Surface Management
fields.
10. Click Save. Your information will be sent to the FortiRecon team for review and provisioning.
A confirmation page is displayed.
11. Wait for the FortiRecon team to analyze your assets and populate the FortiRecon portal for you.

Fortinet Inc.
12. When you receive an email from the FortiRecon team, you can access the FortiRecon portal and review the
analysis. See Accessing FortiRecon portal on page 14.

Fortinet Inc.
Accessing FortiRecon portal
After you have subscribed to FortiRecon and received an email from the FortiRecon team, you are ready to access the
FortiRecon portal.
To access FortiRecon:
1. Go to FortiRecon at https://fortirecon.forticloud.com.
2. Click Login. The FortiCloud login page is displayed.
3. Enter your FortiCloud credentials.

4. Click Login. The FortiRecon Select Organization page is displayed.
5. Select the organization you want.

The EASM > Dashboard page is displayed. See EASM on page 15.

Fortinet Inc.
EASM
The External Attack Surface Management (EASM) module provides information about your digital assets, potential
security issues, and leaked credentials. You can use the EASM module to identify exposed known and unknown assets,
learn about associated vulnerabilities, and prioritize the remediation of critical issues.
FortiRecon scans your digital assets on a schedule and displays the results.
The EASM module displays scan results for your organization on the following tabs :
Dashboard Displays widgets that summarize your discovered assets and potential security
issues related to your assets. You can click some widgets to display more details
on the other tabs. See Dashboard on page 15.
Asset Discovery Displays a summary of all discovered assets and details about each asset. You
can mark assets as false positives, manually add assets, and manually remove
assets. See Asset Discovery on page 18.
Security Issues Displays a summary of all potential security issues and details about each issue.
You can filter security issues and change the status of security issues to reflect
action taken at your organization. See Security Issues on page 23.
Asset Management Displays tags and groups used to filter and link assets. See Asset Management
on page 28.
Leaked Credentials Displays a summary of leaked credentials by year and details about each
breached dataset or leaked credential incident. See Leaked Credentials on page
34.
Integrations Displays Azure and AWS integration that are tracked in Asset Discovery and
Security Issues. See Integrations on page 36.
Dashboard
The EASM > Dashboard page displays a number of widgets that summarize your discovered digital assets and potential
security issues. From the EASM > Dashboard page, you can:
l View a summary of your discovered digital assets. See Viewing discovered assets summary on page 16.
l View a summary of potential security issues related to your organization. See Viewing security issues summary on
page 16.
l View a global map of your assets and the number of potential security issues affecting your organization. See
Viewing a map of assets on page 17.
l Download the dashboard content to your hard drive. See Downloading the EASM dashboard details on page 18.

Fortinet Inc.
EASM
Viewing discovered assets summary
The EASM > Dashboard page displays the following widgets that summarize your discovered digital assets in the
Discovery section:
l Overall Entities
l Exposed Services
l Technologies Discovered
To view discovered assets summary:
1. Go to the EASM > Dashboard page. The list of assets discovered by FortiRecon is displayed in the Discovery
section.
2. Use the following widgets to review your discovered assets:
Overall Entities Displays the number of following entities discovered by FortiRecon:

l Previous: results of the previous FortiRecon scan.
l Domain: number of domains found by the latest scan.
l Sub-domain: number of sub-domains found by the latest scan.
l IP address: number of IP addresses found by the latest scan.
l IP block: number of IP blocks found by the latest scan.
l ASN (Autonomous System Number): number of ASNs found by the latest
scan.
l Org name: number of organizations found by the latest scan.
l Current: results of the current scan
Exposed Services Displays all the exposed services discovered by FortiRecon, including
exposed ports.
Technologies Discovered Displays all the technologies discovered by FortiRecon.
3. Click the Overall Entities widget or the Exposed Services widget to display more details on the Asset Discovery
page. See Asset Discovery on page 18.
Viewing security issues summary
The EASM > Dashboard page displays the following widgets that summarize potential security issues in the Issues
section:
l Total Issues
l Severe Issues
l Widely Exploited Vulnerabilities

Fortinet Inc.
EASM
l Issue Wise Status

l Credential Breaches
Use the Severe Issues tooltip to review information on the count of unique High and Critical
issues.
To view discovered assets summary:
1. Go to the EASM > Dashboard page, and scroll to the Issues section. The list of potential security issues is
displayed.
2. Use the following widgets to review your security issues:
Total Issues Displays the total number of issues discovered by the latest scan compared to
the results of the previous scan.
Severe Issues Displays the number of severe issues, and then lists the name, affected
assets, and severity rating of the issues.
Widely Exploited Vulnerabilities Displays the number of widely exploited vulnerabilities discovered, and then
lists the name, affected assets, and severity rating of the issues.
Credential Breaches Displays the number of exposed credentials and the number of indexed
credentials.
3. Click an issue or vulnerability to display more details on the Security Issues page. See Security Issues on page 23.
Viewing a map of assets
The EASM > Dashboard page displays a global map of your digital assets in the Asset Distribution section. The color of
the country aligns with the highest severity level of potential issues. If the country is blue, no issues are recorded.
To view a map of assets:
1. Go to the EASM > Dashboard page, and scroll to the Asset Distribution section. A global map of your discovered
assets is displayed.

Fortinet Inc.
EASM
2. Use the table to view the number of assets and potential security issues in each country.
Column Description
Country Lists countries where your digital assets were discovered.
Assets Displays the number of assets discovered in each country.
Issues Displays the number of potential security issues and indicates the severity
rating of the issues by color:
l Red indicates critical.
l Orange indicates high.
l Yellow indicates medium.
l Green indicates low.
The colors on the map align with the severity level of the issues.
3. Click a country or issue in the table to display more details on the Security Issues page. See Security Issues on
page 23.
Downloading the EASM dashboard details
The EASM dashboard details can be downloaded to your hard drive. The process downloads a zip file named
EASM Dashboard.zip that contains the following items:
l List of discovered assets in Microsoft Excel format
l List of issues in Microsoft Excel format
l An attack surface summary dashboard in PDF
To download the EASM dashboard:
1. Go to EASM > Dashboard, and click Download.

2. Retrieve the download from Profile Settings. See Retrieving downloads on page 104.
Asset Discovery
The EASM > Asset Discovery page provides a summary of all discovered assets and details about each asset. From the
Asset Discovery page, you can:

Fortinet Inc.
EASM
l View a summary about and details of your assets. See Viewing asset details on page 19.
l Mark discovered assets as false positives to remove them from the next scheduled FortiRecon scan. See Marking
assets as false positives on page 21.
l Manually add assets to FortiRecon to include them in the next scheduled scan. See Adding assets manually on
page 21.
l Manually remove assets from the next scheduled FortiRecon scan. See Removing assets manually on page 22.
l Assign tags to assets for focused filtering. See Assigning tags on page 22.
Tags are created in EASM > Asset Management. Assets can also be assigned to tags in
bulk in the Asset Management page. See Asset Management on page 28.
Viewing asset details
The EASM > Asset Discovery page displays the number of assets in an Overview section and in an Assets Discovered
list.
You can display details about an asset by clicking a number in the Overview section or a category in the Assets
Discovered list. When you are reviewing asset details, you can mark assets as False Positive as needed to remove them
from future FortiRecon scans.
To view asset details:
1. Go to EASM > Asset Discovery. The number of discovered assets display in an Overview section across the top and
in an Assets Discovered list on the left side of the page.
The following information is available:
Organizations The number of organizations that have been detected as belonging to you.
ASN The number of autonomous system numbers (ASNs) that are linked to the
detected organizations.
IP blocks The number of IP blocks associated with the ASNs.
IP address The number of IP addresses that are linked to the IP blocks.
Domains The number of domains linked to your organization.
Sub-domains The number of sub-domains linked to your organization.

Fortinet Inc.
EASM
2. In the Overview bar, click a number, or in the Assets Discovered list, click an asset category. Details about the
selected item are displayed on the right side of the page.
For example, click Domains. On the right side of the page, the names of the discovered domains are displayed.
3. Filter the assets from the dropdown menu:
a. Select Appeared Assets to show assets that appeared in the latest scan.
b. Select Disappeared Assets to show assets that disappeared in the latest scan.
c. Select Cloud Assets to show cloud-based assets.
Cloud assets can only be filtered if the AWS cloud environment has been integrated.
See Integrations on page 36.
4. Select Filter to define ports, technology, country, tag, and group filters.
5. Click the Expand icon. Details about the domain are displayed.

Fortinet Inc.
EASM
6. If an asset should be removed from the next scheduled FortiRecon scan, mark the asset as False Positive. See also
Marking assets as false positives on page 21.
Marking assets as false positives
You can manually mark any of the following discovered assets as false positives to remove them from the next
scheduled FortiRecon scan:
l ASN
l IP blocks
l IP addresses
l Domains
l Sub-domains
To mark false positives:
1. Go to EASM > Asset Discovery. The discovered assets are displayed.

2. Click one of the following assets to display its details:
l ASN
l IP Blocks
l IP Address
l Domains
l Sub-domains
3. Select an asset, and toggle on Mark as False Positive.
You can also select the Multiselect checkbox to select all or some assets, and then mark
them as false positives.
A confirmation dialog is displayed.

4. Click Yes.
Adding assets manually
FortiRecon discovers assets for you. You can also manually add assets to FortiRecon scans.
When you manually add assets to FortiRecon, results for the assets are visible after the next scheduled FortiRecon
scan.

Fortinet Inc.
EASM
To add assets:

2. Click Bulk Add / Remove Assets. The Bulk Add / Remove Assets dialog is displayed.
3. Enter the assets, and click Add Assets.
Removing assets manually
FortiRecon discovers assets for you. You can also manually remove assets from FortiRecon scans.
When you manually remove assets from FortiRecon, any associated assets are also removed. The changes are visible
within minutes or hours, depending on the change.
To remove assets:

2. Click Bulk Add / Remove Assets. The Bulk Add / Remove Assets dialog is displayed.
3. Enter the assets, and click Remove Assets.
Assigning tags
Tags can be assigned to assets for focused filtering in the EASM > Asset Discovery page. For more information on tags,
see Asset Management on page 28.

Fortinet Inc.
EASM
To assign a tag to an asset:
1. Go to EASM > Asset Discovery.

2. Find the asset you want to tag and click the + icon. The Add Tags dialog is displayed.
To create a new tag, click Create in the Add Tags dialog or go to EASM > Asset
Management page. See Creating a tag on page 28.
3. Select the tags you would like to assign.

4. Click Add.
Security Issues
The EASM > Security Issues page provides a summary of all potential security issues and details about each issue.
From the Security Issues page, you can:
l View a summary about and details of all potential security issues related to your assets. See Viewing security issues
on page 24.

Fortinet Inc.
EASM
l Apply filters to the list of security issues to hone in on specific issues. See Filtering security issues on page 25.
l Change the status of security issues to reflect changes made at your organization to address the issues. See
Changing the status of security issues on page 27.
l Add a comment to explain status changes made to security issues. See Adding a comment to a security issue on
page 27.
Viewing security issues
The EASM > Security Issues page displays the number of active security issues and how many of the active security
issues are rated critical, high, medium, and low. Color indicates the severity of a security issue:
Critical Security issues rated Critical are red.
High Security issues rated High are orange.
Medium Security issues rated Medium are yellow.
Low Security issues rated Low are green.
You can use search and filters to change the list of reports that are displayed, and then click each report to display its
details.
To view security issues:
1. Go to EASM > Security Issues. The security issues are displayed.

The Issues bar across the top displays the number of active security issues and the number of active security issues
that are rated critical, high, medium, and low security risk.
For each report, the number of affected assets is also displayed.
2. In the Issues section, click the number under Critical, High, Medium, or Low. The corresponding filter is selected
and only those reports are displayed.
3. For each report, click the i icon to display a description of the issue and suggested remediation steps.

Fortinet Inc.
EASM
4. Click the title of a report to display details about affected assets.
5. If available, view the path used to discover the issue:

a. Click the Discovery Path icon. The discovery path is displayed.
b. Click the X in the top-right corner to close the window.

6. When available, click the following icons:
Additional Information Displays additional information about the security issue.
Raw Data Displays raw data about the security issue.
Edit Click to change the status of a security issue to reflect action taken by your
organization to address the issue. See Changing the status of security issues
on page 27.
7. Click the Back button.
Filtering security issues
By default, the EASM > Asset Discovery page displays all potential security issues, starting with critical security issues.
You can use filters to display specific types of issues.

Fortinet Inc.
EASM
To filter security issues:
1. Go to EASM > Security Issues. The list of security issues is displayed.

2. Select one or more filters, and click Search:
Filter Options
Status Select one of the following statuses:

l Active
l Resolved
l Risk accepted
l False positive
Severity Select one or more of the following severity statuses:

l Critical
l High
l Medium
l Low
Category Select one or more of the categories. The list of categories changes based on
the displayed security issues.
Country Select one or more countries.
The list of filtered security issues is displayed.

3. (Optional) In the Filters list, toggle on False Positive. The list displays only issues marked with a status of False
Positive.
4. Click an issue title to display its details.
In the following example, the details for the IP found in blacklist dataset issue are displayed:
5. Click Edit in the top-right corner to change the status by selecting one of the following options:
l Mark as Resolved
l Risk Accepted
l False Positive
6. Click Back to display the list of issues again.

7. In the Filters list, click Clear to remove all filters.

Fortinet Inc.
EASM
Changing the status of security issues
As you review and address security issues reported by FortiRecon, you can change the status of each issue to reflect
your understanding and actions:
Mark as Active Available only after you change the status of a security issue from active to
another status.
Select to move an issue back to the active status.
Mark as Resolved Select to indicate actions taken at your organization have resolved the security
issue.
Risk Accepted Select to indicate actions taken at your organization have not fully resolved the
security issue, but the current level of risk is acceptable.
False Positive Select to indicate that the security issue is not an issue for your organization. The
issue is considered a False Positive issue.
To change the status of security issues:
1. Go to EASM > Security Issues. The discovered assets are displayed.

2. If necessary, select one or more filters, and click Search.
The list of filtered security issues is displayed.
3. Click an issue title to display its details.
In the following example, the IP found in blacklist dataset security issue is displayed:
4. Click Edit in the top-right corner to change the status by selecting one of the following options:
l Mark as Resolved
l Risk Accepted
l False Positive
5. Click Back to display the list of issues again.
Adding a comment to a security issue
When editing a security issue on EASM > Security Issues, the client can leave a comment to describe the changes and
why they were made.

Fortinet Inc.
EASM
Selecting the comment button will open all comments for that issue. This allows you to review
all changes and discussions related to the issue.
To add a comment to a security issue:
1. Go to EASM > Security Issues.

2. Select a type of security issue.
3. Locate the issue you would like to make a change to.
4. Click the comment button. A list of previous comments and a text box is displayed.
5. Enter a comment related to the status change.
6. Click Add.
Asset Management
You can create and manage asset tags and groups in the EASM > Asset Management page. From the Asset
Management page, you can:
l Create a new asset tag. See Creating a tag on page 28.
l Assign individual and bulk assets to an asset tag. See Adding assets to a tag on page 29.
l Manage, edit, and delete asset tags. See Managing tags on page 30.
l Create a new asset group. See Creating a group on page 31.
l Assign individual and bulk assets to an asset group. See Adding assets to a group on page 31.
l Manage, edit, and delete asset groups. See Managing groups on page 32.
l Filter EASM pages by group. See Filtering by group on page 33.
Tags and groups are integrated throughout the EASM pages. You can filter by tags in the
Asset Discovery and Security Issues pages; see Viewing asset details on page 19. Groups
can be filtered in all EASM pages.
Creating a tag
Asset tags can be used to mark specific assets for focused filtering in the Security Issues and Asset Discovery pages.
When creating a tag, a tag color is selected so that assets can be differentiated by tag. Tags must be configured in the
Tag Management tab before assets can be assigned.
Some tags are automatically generated and cannot be edited or deleted.

Fortinet Inc.
EASM
To create a tag:
1. Go to EASM > Asset Management.

2. Select the Tag Management tab.
3. Click Create. The Create Tag dialog is displayed.
4. Enter a Tag Name.
5. Enter a Tag Description.
6. Select the Theme Color icon to assign the tag color.
7. Click Submit. The new group is added to the Tag Management tab.
Adding assets to a tag
You can add individual or bulk assets to a tag from the Tag Management tab.
Assets must be included in EASM > Asset Discovery before they can be tagged. See Adding
assets manually on page 21.
Tags can also be assigned to assets in EASM > Asset Discovery. See Assigning tags on page
22.
To add assets to a tag:

3. Locate the tag you want to add assets to and click Manage Assets. A dropdown menu is displayed.
4. Select Add Assets.

5. Select the assets to add from the Validated Assets list.
6. Click the right arrow. The selected assets will be moved into the tag field.
7. Select Propagate the tag to asset to apply tags to the asset associations. Select the i icon for more information.
8. Click Save.
To add bulk assets to a tag:

3. Locate the tag you want to add assets to and click Manage Assets. A dropdown menu is displayed.

Fortinet Inc.
EASM
4. Select Add Bulk Assets.

5. Enter the asset information in the left field.
7. Click Validate. Once validated, assets are displayed in the right field. Any assets that failed validation are listed.
8. Click Save.
Managing tags
Asset tags can be managed from the Tag Management tab. You can remove assets from a tag, edit a tag, or delete a
tag.
To remove an asset from a tag:

3. Locate the tag you want to remove assets from and click Manage Assets. A dropdown menu is displayed.
4. Select Remove Assets.

5. Select the assets you want to remove or click Select All.
6. Click Remove Selected.
To edit a tag:

3. Locate the tag you want to edit and click the Edit icon.
4. Edit the fields.
5. Click Submit.
To delete a tag:

3. Locate the tag you want to delete and click the Delete icon. A confirmation message is displayed.

Fortinet Inc.
EASM
4. Click Yes.
Creating a group
Asset groups can be used to consolidate related assets. Groups can be viewed in the Dashboard, Asset Discovery, and
Security Issues pages. An asset group must be created in the Group Management tab before assets can be assigned.
Assets can also be grouped based on subsidiary hierarchy. This allows for separate reporting
and delegation of remediation responsibilities.
To create a group:

2. Select the Group Management tab.
3. Click Create. The Create Group dialog is displayed.
4. Enter a Group Name.
5. Enter a Group Description.
6. Click Submit. The new group is added to the Group Management tab.
Adding assets to a group
You can add individual or bulk assets to a group from the Group Management tab.
Assets must be included in Asset Discovery before they can be tagged. See Adding assets
manually on page 21.
To add assets to a group:

3. Locate the group you want to add assets to and click Manage Assets. A dropdown menu is displayed.

Fortinet Inc.
EASM
4. Select Add Assets.

5. Select the assets to add from the Validated Assets list.
6. Click the right arrow. The selected assets will be moved into the tag field.
8. Click Save.
To add bulk assets to a group:

3. Locate the group you want to add assets to and click Manage Assets. A dropdown menu is displayed.
4. Select Add Bulk Assets.

5. Enter the asset information in the left field.
7. Click Validate. Once validated, assets are displayed in the right field. Any assets that failed validation are listed.
8. Click Save.
Managing groups
Asset tags can be managed from the Group Management tab. You can remove assets from a group, edit a group, or
delete a group.
To remove an asset from a group:

3. Locate the group you want to remove assets from and click Manage Assets. A dropdown menu is displayed.
4. Select Remove Assets.

5. Select the assets you want to remove or click Select All.
6. Click Remove Selected.

Fortinet Inc.
EASM
To edit a group:

3. Locate the group you want to edit and click the Edit icon.
4. Edit the fields.
5. Click Submit.
To delete a group:

3. Locate the group you want to delete and click the Delete icon. A confirmation message is displayed.
4. Click Yes.
Filtering by group
Once a group has been created, you can filter by group in the EASM > Security Issues and EASM > Asset Discovery
pages using the Groups dropdown menu. The Groups filter will be set to all assets of the organization by default.
The following example demonstrates filtering by group in the EASM > Security Issues page.
To filter by group:
1. Go to EASM > Security Issues.

2. Click the Groups dropdown menu.
3. Select the group you want to filter by. The page will displayed information related to the selected group.

Fortinet Inc.
EASM
Leaked Credentials
The FortiRecon team continually monitors for credential leaks and provides alerts to you through the FortiRecon portal. If
any leaked or breached credentials that involve email addresses of the organizations or the users of their systems are
detected, the FortiRecon portal automatically displays the information.
As part of consolidated collection, the leaked credentials are gathered from multiple sources:
l Publicly leaked or breached databases
l Privately shared databases
l Paste sites
l Malware infections
Leaked credentials are the primary source of Password Re-Use Attacks. It is important for any organization to quickly
neutralize leaked credentials.
On the EASM > Leaked Credentials page, you can:
l View leaked credentials by year. See Viewing leaked credentials by year on page 34.
l View breached datasets. See Viewing breached datasets on page 34.
l View leaked credential details. See Viewing leaked credential details on page 35.
l Export a list of leaked accounts. See Exporting leaked accounts on page 36.
Viewing leaked credentials by year
The EASM > Leaked Credentials page provides a calendar year of all breaches. You can change the year to view
previous year data.
To view leaked credentials by year:
1. Go to EASM > Leaked Credentials. The Credential Exposure year is displayed.

Colored blocks indicate a breach. Light colored blocks indicate few affected credentials, and dark colored blocks
indicate many affected credentials.
2. Hover over the block to display details about the breach.

3. From the Year menu, select a different year. The calendar changes to the selected year.
4. Click a color block to display details on the Leaked Credentials tab. See Viewing leaked credential details on page
35.
Viewing breached datasets
On the EASM > Leaked Credentials page, you can click the Breach Dataset tab to view results displayed on the following
tabs:

Fortinet Inc.
EASM
l The Relevant tab displays breach information that contains email addresses related to your organization's domains.
l The Other tab displays all breach information indexed in FortiRecon's database, including breach information
related to third-parties that does not contain email addresses related to your organization's domains.
You can filter the list of breached datasets by date, and you can search for keywords.
To view breached datasets:
1. Go to EASM > Leaked Credentials. The Breach Dataset tab is displayed with the Relevant tab selected. The
following columns of information are available:
Breach Name Displays the name of the breach. A red Includes passwords is displayed when
the breach includes passwords.
Breach Date Displays the date that the breach occurred.
Added On Displays the date that the information was made available to other malicious
actors.
Compromised Accounts Displays the number of known compromised accounts.
2. Click a breach to display more information about it.

3. On the Breached Dataset tab, filter reports by a date range:
a. Click Filter Report by Date Range. Two calendars are displayed.
b. In the left calendar, select a month, year, and day to specify the start date of the range.
c. In the right calendar, select a month, year, and day to specify the end date of the range.
Only reports from the date range are displayed.
d. Click the Filter Report by Date Range box, and click X to remove the date range filter.
4. In the Search box, type a term, and press Enter.
In the Search box, clear the term to remove it.
5. Click the Other tab. The most recent breaches added by FortiRecon are displayed.
On the Other tab, you can filter the data by date and use the Search box.
Viewing leaked credential details
On the EASM > Leaked Credentials page, click the Leaked Credentials tab to view the results.
You can filter the list of leaked credentials by date and domain, and you can search for keywords.
To view leaked credential details:
1. Go to EASM > Leaked Credentials, and click Leaked Credentials.

2. Filter reports by a date range:
3. In the Domain list, select one or more domains.
In the Domain box, delete the selected domain names to remove the filter.

Fortinet Inc.
EASM
4. Click a domain name to display more details.

5. Click the Other tab.
6. In the Search box, type a term, and press Enter.
In the Search box, delete the term to remove it.
Exporting leaked accounts
You can export a list of leaked accounts to Microsoft Excel format.
To export leaked accounts:
1. Go to EASM > Leaked Credentials, and click Leaked Credentials.

2. Click the Export Leaked Accounts. A file named Leaked Accounts.xlsx is exported to your computer.
Integrations
You can enable read only access to your environments and discover their cloud assets. Once assets are discovered,
they are added to the EASM > Asset Discovery and Security Issues pages. Click the i on the Integrations page for more
information.
On the EASM > Integrations page, you can:
l Add new integrations for AWS and Azure. See Adding integrations on page 36.
l Edit and delete existing integrations. See Editing integrations on page 37.
Adding integrations
The EASM > Integrations page displays all existing AWS and Azure integrations. You can manually add new integrations
as needed.
To add a new AWS integration:
1. Go to EASM > Integrations.

2. Click the + icon.
3. Select AWS. The Add AWS page is displayed.

Fortinet Inc.
EASM
For more information on creating an AWS IAM policy and role, click Need Help?.
4. Enter the account ID number in the Account ID field.

5. Enter a descriptive name in the Integration Name field.
6. Click Save.
To add a new Azure integration:

2. Click the + icon.
3. Select Azure. The Add Azure page is displayed.
4. Enter the relevant values in the Subscription ID, Client ID, Tenant ID, and Client Secret fields.
These four values are necessary to create read-only access for your Azure cloud account.
For information on generating these values, click Need Help?.
5. Enter a descriptive name in the Integration Name field.

6. Click Save.
Editing integrations
You can edit and delete existing integrations from the EASM > Integrations page.

Fortinet Inc.
EASM
To edit an integration:

2. Click Edit. The integration details are displayed.
3. Edit the fields you want to change.
You cannot edit the External ID field for an AWS integration. You cannot edit the Account
ID, Subscription ID, or Tenant ID for an Azure integration.
4. Click Save.
To delete an integration:

2. Click Delete. The Confirmation message is displayed.
3. Select Yes.

Fortinet Inc.
Brand Protection
The Brand Protection (BP) module uses proprietary algorithms to detect common techniques used by cyber threat
actors, such as web-based phishing attacks, typo-squatting, defacements, rogue apps, credential leaks, and brand
impersonation in social media. You can use the Brand Protection module to detect activity early and take action, such as
web site or application takedown, to protect your brand value, trust, integrity, and reputation.
The Brand Protection module contains the following tabs:
Dashboard Displays a summary of typo-squatting domains, flash alerts and reports, rogue
apps, phishing campaigns, and takedown requests. See Dashboard on page 39.
Alerts Displays a list of flash reports. You can review reports for more details, download
threat intelligence reports and observable Microsoft Excel files, and share links.
See Alerts on page 42.
Domains Typo-Squatting Displays all discovered domains that may be impersonating your organization's
domain. You can filter domains, initiate domain takedown or the suspension of
monitoring, and export a Microsoft Excel file containing domain details. See
Domains Typo-squatting on page 47.
Phishing Displays campaign information and phished users. You can export phishing
details and create digital watermarks for your assets. See Phishing on page 50.
Rogue Mobile Apps Displays all discovered apps that may be impersonating your organization's
assets. You can filter apps, assign status, initiate app takedown, and export a
Microsoft Excel file with app details. See Rogue Mobile Apps on page 54.
Take Down Displays a list of takedown request tickets and their current status. See Take
Down on page 57.
Dashboard
The Brand Protection > Dashboard page provides a history of flash alerts and flash reports about the latest threats that
are specific to your organization. From the Brand Protection > Dashboard page, you can:
l View a summary of domains that are potentially typo-squatting a domain of your organization. See Viewing typo-
squatting domains summary on page 40.
l View a summary of the most recent flash reports and the total number of alerts. See Viewing total alerts summary
on page 40.
l View a summary of the distribution of Official, Unofficial, and Rogue apps that may be impersonating your
organization. SeeViewing rogue apps summary on page 41.
l View a summary the current status of takedown requests. See Viewing takedown status summary on page 41.
l View a summary of current phishing campaigns against your organization. See Viewing phishing summary on page
42.

Fortinet Inc.
Brand Protection
Viewing typo-squatting domains summary
The Brand Protection > Dashboard page displays a summary of typo-squatting domains related to your organization in
the Typo Squatted Domains section.
To view typo-squatting domains summary:
1. Go to Brand Protection > Dashboard page and scroll to Typo Squatted Domains. The typo-squatting domains
discovered by FortiRecon are displayed.
2. View the distribution of all domains identified:

l Review the total number of domains identified in Total Domain.
l Hover your mouse over the Total Domain chart to see the distribution of Low, Medium, and High risk domains.
3. View the current status of the domains related to your organization:
l Offline: Lists the total number of identified domains that are offline.
l Online: Lists the total number of identified domains that are online.
l Non-Functional: Lists the number of domains that are currently not functioning online.
4. View the important distribution of typo-squatting domains identified in Highly Suspicious and Parked.
5. View the domains impersonating your organization in Brand Abuse.
Viewing total alerts summary
The Brand Protection > Dashboard page displays a summary of the total number of alerts and the most recent flash
reports.
To view the total alerts summary:
1. Go to Brand Protection > Dashboard page and scroll to Total Alerts. The most recent, important alerts created by
FortiRecon are displayed.
2. Select the number of Alerts to view more information.

Fortinet Inc.
Brand Protection
Viewing rogue apps summary
The Brand Protection > Dashboard page displays a summary of rogue mobile apps that may be impersonating your
organization.
Select the Apps value to see more information in the Rogue Mobile Apps tab.
To view the rogue apps summary:
1. Go to Brand Protection > Dashboard page and scroll to Rogue Apps. The total rogue mobile applications detected
by FortiRecon are displayed.
2. Review the distribution of app classifications:

l Hover your mouse over the Apps chart to see the distribution of Official, Unofficial, and Rogue apps.
l View the total apps identified for each classification in Official, Unofficial, and Rogue.
3. Select Apps to see more information on rogue mobile applications.
Viewing takedown status summary
The Brand Protection > Dashboard page displays a summary of the current status of takedown requests made and the
associated tracking Ticket.
To view the takedown status summary:
1. Go to Brand Protection > Dashboard page and scroll to Take Down Status. The status of takedown requests are
displayed.
2. View more information on takedown requests:

l Select the Credits Used to see all takedown requests.
l Select the Ticket number of a request to see information on that request.

Fortinet Inc.
Brand Protection
Viewing phishing summary
The Brand Protection > Dashboard page displays a summary of current phishing campaigns detected against your
organization, including potentially compromised employee and user accounts. Select a campaign to see more
information in the Phishing tab.
To view the phishing summary:
1. Go to Brand Protection > Dashboard page and scroll to Phishing. Current phishing campaigns are displayed.
2. View more information on a campaign:

l Select the name of a campaign for more information on the phishing campaign.
l Select Phished Users to see more information on potentially compromised employees and customers.
Alerts
FortiRecon lists flash reports on the Brand Protection > Alerts page. Flash reports are generated specifically for your
organization based on flash alerts. Flash alerts are reported as soon as they are discovered, but contain limited
information. Flash reports are developed following flash alerts to provide more detailed information on the threat
discovered by FortiRecon. The threat is also assessed and recommendations are made in the flash report.
From the Alerts page, you can:
l View flash reports. See Viewing flash reports on page 42.
l Filter through all flash reports available. See Filtering reports on page 43.
l Download flash reports as threat intelligence reports in PDF or as an observable Microsoft Excel file. See
Downloading reports on page 43.
l Email and share links to flash reports with others. SeeSharing reports on page 45
l Rate flash reports for relevance. See Rating reports on page 46.
l Review reports and send queries to FortiRecon. See Reviewing reports on page 46.
Viewing flash reports
The Brand Protection > Alerts tab displays all the flash reports available to you. By default all reports are displayed,
starting with the latest report. Reports include in depth information, such as:
l Threat summary
l Threat detail
l Assessment

Fortinet Inc.
Brand Protection
A Takedown button is included in the report details of reports related to brand abuse. Select
the button to begin the takedown process.
To view flash reports:
1. Go to Brand Protection > Alerts. The All Reports tab displays all flash reports.
2. Click a report title to open the report details.
Filtering reports
You can adjust the reports that display on the Alerts tab.
To filter reports:
1. Go to Brand Protection > Alerts.

3. Search for keywords:
a. In the Type and hit Enter to Search box, type a keyword, and press Enter.
The reports are filtered to display only reports with the keyword.
b. Click the X beside the keyword to remove the filter.
The reports that match the set filters display.
Downloading reports
You can download reports from the Alerts tab as brand protection alerts in PDF or as an observable Microsoft Excel file.
Brand protection alerts provide information from a flash report whereas observables outline any Indicators of
Compromise (IOCs) highlighted in the flash report.
Downloaded reports can be set to include:
l All reports available
l Several, specific reports
l Single reports

Fortinet Inc.
Brand Protection
To download all reports available:
1. Go to Brand Protection > Alerts, and select Downloads. A confirmation dialog is displayed.
2. Enter a name for the downloaded file in the File Name text box.
3. Select the format of the downloaded file:
l Select Generate PDF to download a brand protection alert in PDF.
l Select Generate Observable to download details in Microsoft Excel format.
The following message is displayed:
4. Click OK.
5. Retrieve the report. See Retrieving downloads on page 104.
To download specific reports:
1. Go to Brand Protection > Alerts.

2. Click the filter icon and set the desired report filters. See Filtering reports on page 43
3. Select Download Specific Reports, and select the reports to include in the report.
4. Select Downloads. A list of the selected reports is displayed with download options.
5. Enter a name for the downloaded file in the File Name text box.
6. Select the format of the downloaded file:
l Select Generate PDF to download a brand protection alert in PDF.
l Select Generate Observable to download details in Microsoft Excel format.
The following message is displayed:

Fortinet Inc.
Brand Protection
7. Click OK.
8. Retrieve the report. See Retrieving downloads on page 104.
To download a single report:
1. Go to Brand Protection > Alerts and click the desired report. The report details open in a new tab.
2. Click Download Report.

The report downloads to your computer in PDF.
Sharing reports
You can share a link so that other users can access details of the report without needing to download a file. You can
email the link or copy the link to share in a format of your choice.
Only recipients who have a FortiRecon account can access reports through a shared link.
The Traffic Light Protocol (TLP) level dictates who you can share a report with:
l TLP Red: The report cannot be shared outside of your organization and should be restricted only to personnel who
need to know.
l TLP Amber: The report can only be shared with members of your organization and clients who need to know the
information to protect themselves.
l TLP Green: The report can be shared with peers and partner organizations but cannot be shared on publicly
accessible channels.
l TLP White: The report can be shared without restriction.
To share a link to a report:
1. Go to Brand Protection > Alerts and select the report you want to share. The report details are displayed in a new
tab.
2. Hover your mouse over Share Link. Copy Link and Email display.
3. Select how you would like to share the link:

Fortinet Inc.
Brand Protection
a. Click Copy Link to share the link in a format of your choice.

The link is copied to your computer clipboard, and you can paste it into a message as needed.
b. Click Email to email the link.
Your personal email opens with a draft that includes the report link.
You cannot share Executive Summaries.
Rating reports
You can rate reports in a five star scale. The collection of ratings helps the FortiRecon team provide more relevant
reports.
The rating scale is based on five stars. The rating can range from one to five by moving left to
right along the stars, with the leftmost star representing one.
To rate a report:
1. Go to Brand Protection > Alerts and select the report you want to rate.
The report details are displayed in a new tab.
2. Hover your mouse over the stars in Ratings & Reviews.
The stars turn yellow as you move the mouse across them.
3. Click the star that corresponds to your rating out of five.

Your rating is saved, and you can change it at any time by selecting a different star.
Reviewing reports
You can send reviews and queries to the FortiRecon team. Any questions or reviews on reports can be sent using the
write to us feature.
To review a report:
1. Go to Brand Protection > Alerts and select the report you want to review.
The report details are displayed in a new tab.
2. In Ratings & Reviews, select write to us.
Your personal email opens with a draft that is ready to be sent to the FortiRecon team.

Fortinet Inc.
Brand Protection
Domains Typo-squatting
FortiRecon continuously monitors for typo squatting attacks on the Brand Protection > Domains Typo-squatting page to
detect when a threat actor registers domain names similar to the monitored organization and uses them for malicious
activity.
FortiRecon continuously monitors a domain, unless you take an action against the domain. If the detected domain is
determined to be fraudulent or malicious, you can initiate the takedown of the domain. If a domain is determined to
belong to your organization or another legitimate company, you can stop monitoring it.
From the Brand Protection > Domains Typo-squatting page, you can:
l View information on identified domains. See Viewing domain information on page 47.
l Filter for specific identified domains. See Filtering fraudulent domains on page 47.
l Initiate takedown of a rogue domain that is impersonating your organization. See Taking down fraudulent domains
on page 48.
l Stop monitoring domains that are safe or legitimate. See Stopping domain monitoring on page 49.
l Export a Microsoft Excel file that contains information on monitored domains. See Exporting domains on page 49.
Viewing domain information
You can view more information on monitored domains on the Domains Typo-squatting tab.
To view more information on a domain:
1. Go to Brand Protection > Domains Typo-squatting.

2. Filter for the domain you want to review. See Filtering fraudulent domains on page 47.
3. Select the domain you want to review. The domain information is displayed in a new tab.
Filtering fraudulent domains
You can filter for specific domains being monitored on the Domains Typo-squatting tab. You can filter domains by:

Fortinet Inc.
Brand Protection
l Start & End Date

l Fuzzer Logic
l Status
l Suspicious Status
l Original Domain
By default, the reports display in Grid View. Toggle Table View to have the reports appear in a table organized by date.
To filter domains:

2. Filter domains by a date range:
a. Click Filter By Date Range. Two calendars are displayed.
Only domains from the date range are displayed.
d. Click the Filter By Date Range box, and click X to remove the date range filter.
The domains are filtered to display only domains with the keyword.
4. Select the filter icon. The filter categories display with Critical and High chosen by default.
a. Select options from the Fuzzer and Status dropdowns.

b. Select options in the Suspicious Status and Original Domain dropdowns to add them as filters.
c. Click the X beside the Suspicious Status or Original Domain filters to remove them.
The domains that match the set filters are displayed.
Taking down fraudulent domains
Potentially fraudulent sites with similar domains are monitored on the Domains Typo-squatting tab. If a site is determined
to be fraudulent or damaging to the company, you can initiate the takedown of the site. Once takedown is initiated, the
FortiRecon team works with external agencies to take corrective action.
Takedown can be initiated when the domain hosts content infringing on your organization's
intellectual property, such as a logo, or is impersonating your organization's website. A domain
cannot be taken down if the domain is similar to that of your organization but there is no
content infringement.
To initiate takedown:
1. Go to Brand Protection > Domain Typo-squatting and find the domain you want to take down.
2. Select Takedown. A confirmation message is displayed.

Fortinet Inc.
Brand Protection
3. Click Yes.
The FortiRecon team initiates the takedown process, and a tracking Ticket with the domain information is displayed.
4. Go to Brand Protection > Take Down to review the status of the domain takedown.
Stopping domain monitoring
If a site listed on the Domain Typo-squatting tab is determined to be legitimate or safe, you can stop monitoring it with the
other domains.
To stop monitoring a domain:
1. Go to Brand Protection > Domain Typo-squatting and find the domain you want to stop monitoring.
2. Select Stop Monitoring. A confirmation message is displayed.
3. Click Yes.
The FortiRecon team no longer monitors the domain.
You can restore domain monitoring using Start Monitoring button. Likewise, the domain can be
marked for takedown using the Takedown button. See Taking down fraudulent domains on
page 48
Exporting domains
You can export a Microsoft Excel file that lists information on domains that are being monitored. The Microsoft Excel file
includes the:
l Similar Domain name
l DNS A
l Registration Date
l Online Status
l Original Domain
l Suspicious Status
l Suspicious Category
l Suspicious Keyword
To export domain information:

2. Set any desired filters. See Filtering fraudulent domains on page 47

Fortinet Inc.
Brand Protection
3. Click Export Domains Typo-squatting.

4. Enter a name for the Microsoft Excel file in the File Name text box.
5. Click Generate Excel. A confirmation message is displayed.
6. Click OK.
7. Retrieve the download. See Retrieving downloads on page 104.
Phishing
FortiRecon tracks potential phishing campaigns on the Brand Protection > Phishing page. When a phishing attempt is
detected against your organization, a campaign is created to track potentially compromised employees and clients.
Through the use of digital watermarks, FortiRecon can track when a web page has been cloned and hosted on another
IP address. Therefore, information can be gathered on potentially compromised users and the web page clone can be
taken down.
From the Brand Protection > Phishing page, you can:
l Create digital watermarks to add to your organization's assets. See Adding watermarks on page 50.
l Edit existing digital watermarks. See Editing watermarks on page 51.
l Delete existing digital watermarks. See Deleting watermarks on page 52.
l Export a Microsoft Excel file with information on the phishing campaign. See Exporting phishing results on page 52.
l Export a list of employees and customers who may have been victimized by the phishing campaign. See Exporting
phished users on page 53.
l Add comments to the potentially compromised employees and clients for internal notetaking. See Adding
comments to compromised users on page 53.
Digital watermark
FortiRecon uses digital watermarks on official login and sensitive pages to track cloning and re-hosting of the web pages
as phishing sites on another IP address. A small script that helps the FortiRecon research team track the cloning or re-
hosting of the site is provided for you to embed into your website. This process also helps you identify whether any of
your customers have been victims of phishing on any cloned pages, and then take remedial actions.
Adding watermarks
You can create a digital watermark to be embedded into your website on the Phishing tab. You can download the digital
watermark in two formats:

Fortinet Inc.
Brand Protection
l CDN Link: The JavaScript code is hosted on Fortinet's server, and you must embed the link into the index or login
page of your web application using the <script> tag.
l JavaScript file: The code is hosted on your own server, and you must embed the file using the <script> tag, or
paste the code into the index or login page of your web application.
To create a digital watermark:
1. Go to Brand Protection > Phishing and select Digital Watermark. A list of current watermarks are displayed.
2. Click Add Watermark. The Code Preview pane is displayed.
3. Enter a name for the watermark in the Digital Watermark Name text box.
4. Under Select Domains, select the domains you want to include. The Generate button is displayed.
5. Review the code in Code Preview and click Generate. The list of watermarks is displayed after the new watermark is
generated.
6. Download the watermark:
a. Click Copy CDN Link to copy the CDN Link to your computer's clipboard.
b. Click Download Digital Watermark to download the JavaScript file to your computer.
The digital watermark can be added to your website.
A maximum of 10 domains can be added to a digital watermark when choosing domains in

Select Domains.
Editing watermarks
You can edit digital watermarks through the Brand Protection > Phishing tab.
To edit a digital watermark:
1. Go to Brand Protection > Phishing and select Digital Watermark. A list of current watermarks is displayed.
2. Find the watermark you want to edit and select View & Regenerate. The Code Preview is displayed.

Fortinet Inc.
Brand Protection
3. Make changes to Digital Watermark Name and Select Domains as needed.

Review the changed code in Code Preview and select Regenerate. A confirmation message is displayed.
4. Click Yes.
Deleting watermarks
You can delete digital watermarks through the Brand Protection > Phishing tab.
To delete a digital watermark:
1. Go to Brand Protection > Phishing and select Digital Watermark. A list of current watermarks is displayed.
2. Find the watermark you want to remove and click Delete. A confirmation message is displayed.
3. Click Yes.
Exporting phishing results
When FortiRecon detects that your web page has been cloned and hosted on a new IP address, a campaign is
automatically created on the Phishing tab. A campaign tracks information on compromised users and allows you to add
notes for internal tracking as needed.
You can download a Microsoft Excel file to your computer with information on the phishing campaign. Campaign
information includes details on the URL and IP address where the phishing page is hosted. This information is important
for initiating web page takedown.
To export phishing campaign information:
1. Go to Brand Protection > Phishing and select a campaign.

2. Filter for the information you want:
a. Filter users by a date range:
i. Click Date Range. Two calendars are displayed.
ii. In the left calendar, select a month, year, and day to specify the start date of the range.
iii. In the right calendar, select a month, year, and day to specify the end date of the range.
Only users from the date range are displayed.

Fortinet Inc.
Brand Protection
iv. Click the Date Range box, and click X to remove the date range filter.
b. Search for email addresses:
i. In the Type and hit Enter to Search box, type a full or partial email address, and press Enter.
The users are filtered to display only users with the email address information provided.
ii. Click the X beside the email address to remove the filter.
3. Select the Compromised Users you want to include in the report.
4. Click the Export Result dropdown.
5. Select Export Campaign IOC. A Microsoft Excel file is downloaded to your computer.
You can also export the file using the Export Result button.
Exporting phished users
You can download a list of email addresses of potentially victimized users. This information is important for contacting
the listed users to inform them of the phishing campaign and any suggested next steps.
To export phished users:
1. Go to Brand Protection > Phishing and select the campaign you want.
2. Filter for the information you want:
a. Filter users by a date range:
i. Click Date Range. Two calendars are displayed.
ii. In the left calendar, select a month, year, and day to specify the start date of the range.
iii. In the right calendar, select a month, year, and day to specify the end date of the range.
Only users from the date range are displayed.
iv. Click the Date Range box, and click X to remove the date range filter.
b. Search for email addresses:
i. In the Type and hit Enter to Search box, type a full or partial email address, and press Enter.
The users are filtered to display only users with the email address information provided.
ii. Click the X beside the email address to remove the filter.
3. Select the Compromised Users to include in the report.
4. Click the Export Result dropdown.
5. Select Export Phished Users. A Microsoft Excel file is downloaded to your computer.
Adding comments to compromised users
Notes can be added to individual users or a group of users. You can review the most recent note in the Comment section
or all notes in View History.

Fortinet Inc.
Brand Protection
To add a comment to a compromised user:
2. Find the Compromised User you want to add a comment to and select Add Comment. The Add Comment window
opens.
3. Enter your comment in the Add Comment text box.
4. Click Save. The comment is added to View History.
To add a comment to multiple compromised users:
2. Select Multiselect to select all Compromised Users, or select specific Compromised Users.
3. Select Add Comment. The Add Comment dialog is displayed.
4. Enter your comment in the Add Comment text box.
5. Click Save. The comment is added to View History.
Rogue Mobile Apps
On the Brand Protection > Rogue Mobile Apps page, the FortiRecon research team continuously monitors a number of
application stores to identify newly created applications that appear similar to your organization's official application.
From the Brand Protection > Rogue Mobile Apps page, you can:
l View information on monitored applications. See Viewing rogue applications on page 54.
l Filter for specific mobile applications. See Filtering rogue applications on page 55.
l Assign an app status. See Assigning application status on page 55.
l Initiate takedown of a rogue application. See Taking down rogue apps on page 56.
l Export information on applications. See Exporting rogue applications on page 56.
Viewing rogue applications
You can view more information on monitored applications on the Rogue Mobile Apps tab.
To view more information on a domain:
1. Go to Brand Protection > Rogue Mobile Apps.

2. Filter for the application you want to review. See Filtering rogue applications on page 55.

Fortinet Inc.
Brand Protection
3. Select the application you want to review. The app information is displayed in a new tab.
Filtering rogue applications
You can filter the apps that appear on the Rogue Mobile Apps tab by App Status and Start & End Date.
To filter apps:

Only apps from the date range are displayed.
The apps are filtered to display only apps with the keyword.
4. Select the App Status dropdown.
5. Select the status to filter by, or select Select All to see all applications.
The apps that match the set statuses are displayed.
Rogue and Unofficial app statuses are set by default.
Assigning application status
You can use the following status designations to define app status on the Rogue Mobile Apps tab:
l Official: The app is published by officially recognized users.
l Unofficial: The app is not published by officially recognized users.
l Rogue: The app is unofficial and potentially malicious. If an application is marked as Rogue, the Takedown function
becomes available.

Fortinet Inc.
Brand Protection
To assign a new application status:
1. Go to Brand Protection > Rogue Mobile Apps and find the app.
2. Click the dropdown and select the new application status. A confirmation message is displayed.
3. Click Yes.
Taking down rogue apps
If an app is determined to be malicious and rogue, you can initiate the takedown process in the Rogue Mobile Apps tab.
To initiate takedown of a malicious application:
1. Go to Brand Protection > Rogue Mobile Apps and find the app.
2. If the application is assigned to Official or Unofficial, change the application status to Rogue. See Assigning
application status on page 55.
3. Click Takedown. A confirmation message is displayed.
4. Click Yes. A tracking Ticket appears.

5. Go to Brand Protection > Take Down to review the status of the application takedown.
Exporting rogue applications
You can export details on potentially rogue mobile applications in the Rogue Mobile Apps tab. Information included in
exported file includes:
l App name and size
l Description
l Developer name and URL
l Download count and URL
l Date the app was discovered
l Listing URL
l Package name
l Source name
l Status

Fortinet Inc.
Brand Protection
To export rogue application details:

2. Set the desired filters. See Filtering rogue applications on page 55
3. Click Export Rogue Apps. A confirmation dialog is displayed.
4. Enter a name for the export file in the File Name text box.
5. Select Generate Excel. A confirmation message is displayed.
6. Click the menu in the top-right corner and select Profile Settings.
7. Go to the Downloads tab. The list of available downloads are displayed.
8. Click the download. A file with the name you set is downloaded to your computer in Microsoft Excel format.
Take Down
The FortiRecon team uses a proprietary Digital Millennium Copyright Act (DMCA) process to execute the takedown.
During the takedown process, notices are sent to the offending parties, hosting providers, and registrars with provisions
of local and international laws to demand that the account be taken down on account of impersonation, phishing, and so
on.
You can review the current status of takedown requests in the Brand Protection > Take Down page.
From the Brand Protection > Take Down page, you can:
l Filter for specific takedown requests by date, category, status, and ticket number. See Filtering takedown requests
on page 57.
Filtering takedown requests
You can filter the takedown requests or search for specific Ticket numbers on the Take Down tab.
To filter requests by category and status:
1. Go to Brand Protection > Take Down.

2. Filter requests by a date range:
Only requests from the date range are displayed.

Fortinet Inc.
Brand Protection

a. In the Type and hit Enter to Search box, type a Ticket number, and press Enter.
The requests are filtered to display only requests with the keyword.
4. Select the request category in the Category dropdown.
5. Select the current status of the request from the Status dropdown:
a. Requested: You have requested that the fraudulent product be taken down.
b. Acknowledged: The FortiRecon team has acknowledged that they have received the request for takedown.
c. Work In Progress: The FortiRecon team is currently working on taking down the fraudulent product.
d. Closed: The fraudulent product has been taken down and the ticket has been closed.
The tickets that match the set filters are displayed.

Fortinet Inc.
Adversary Centric Intelligence
The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive
coverage of dark web, open source, and technical threat intelligence, including threat actor insights. This information
enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and
protect assets
The Adversary Centric Intelligence module contains the following tabs:
Dashboard Displays a summary of your organization's risk exposure to overall global threats.
See Dashboard on page 59.
Reports Displays all the intelligence reports available to you. See Reports on page 63.
Card Fraud Displays information about credit or debit cards that are for sale on darknet
marketplaces. See Card Fraud on page 69.
Stealer Infections Displays information about possible infected systems that are affiliated with your
employees or end-users and are for sale on darknet market places. See Stealer
Infections on page 71.
OSINT - Cyber Threats Displays OSINT-based intelligence reports about threat events. See OSINT
Cyber Threats on page 75.
Vulnerability Intelligence Displays information on monitored CVEs. See Vulnerability Intelligence on page
79.
Ransomware Intelligence Displays information on total and potential ransomware incidents. See
Ransomware Intelligence on page 83.
Vendor Risk Assessment Displays information on a vendor watchlist and the vendor's security hygiene. See
Vendor Risk Assessment on page 88.
Investigation Displays tabs to let you search for and investigate the reputation of an IPv4
address, domain, file hash, or CVE. See Investigation on page 92.
Dashboard
The Adversary Centric Intelligence > Dashboard page provides a summary of your organization's risk exposure to global
threats. From the Adversary Centric Intelligence > Dashboard page, you can:
l Change the date range for the dashboard content. See Changing the dashboard date range on page 60.
l View your organization's risk exposure. See Viewing risk exposure summary on page 60.
l View global threat reports. See Viewing global threat report summary on page 61.

Fortinet Inc.
Changing the dashboard date range
By default, the Adversary Centric Intelligence > Dashboard page displays information for the last 90 days. You can
change the date range.
To change the dashboard date range:
1. Go to the Adversary Centric Intelligence > Dashboard page.

The banner identifies the date range for the displayed information. In the following example, the date range is From
Feb 11, 2022 to May 12, 2022.
2. From the calendar dropdown list, select a different date range.
Viewing risk exposure summary
The Adversary Centric Intelligence > Dashboard page displays the following widgets in the Risk Exposure section that
summarize the risk exposure of your organization to global threats:
l Credential Exposure
l Stealer Infection
l Associated Threats
l Global Event Exposure
l Card Fraud
To view risk exposure summary:
1. Go to the Adversary Centric Intelligence > Dashboard page, and scroll to the Risk Exposure section. A summary of
your organization's risk exposure is displayed.
2. Use the following widgets to review your exposure to risk:
Credential Exposure Displays the number of email addresses related to your organization's
domains that are part of third-party credential breaches.

Fortinet Inc.
The number of exposed credentials and the number of indexed credentials are
displayed.
Hover your mouse over a dot on the chart to view the number of exposed email
addresses on a specific date.
Stealer Infection Displays data from potentially infected systems that are affiliated with your
employees or end-users and are for sale on credential stealer marketplaces
on the darknet.
The number of compromised systems and the number of stealers found are
displayed.
Hover your mouse over a dot on the chart to view the number of compromised
systems on a specific date.
Hover your mouse over a section of the Top Affiliated Domains circle to view
the name of the affiliated domain.
Associated Threats Displays information about threats reported against your industry and
geographical area.
The number of reported threats that are specific to your industry and the
number of reported threats in your geographic area are displayed.
Click the widget to display more details on the Adversary Centric Intelligence >
Reports page.
High Relevance Reports Displays the reports that are flagged as highly relevant to your organization.
Reports must meet certain criteria to be considered relevant. The newest
reports are displayed at the top.
Click a report to display more details on the Adversary Centric Intelligence >
Reports page.
Global Event Exposure Displays the latest, published intelligence reports related to notable cyber
events from around the globe.
Automatically scrolls through the reports, or click the blue bars at the bottom of
the widget to view specific reports.
Card Fraud Displays statistics related to credit or debit cards that are listed for sale on
This widget is only displayed for darknet marketplaces.
banking organizations that The number of cards for sale is displayed as well as how many of the cards are
issue credit or debit cards. credit cards and how many are debit cards. Click the Cards for Sale number to
display more details on the Adversary Centric Intelligence > Card Fraud page.
Hover your mouse over the bars in the chart to view the number of card frauds
on a specific date.
The top card bin numbers are also displayed.
Viewing global threat report summary
The Adversary Centric Intelligence > Dashboard page displays the following widgets in the Global Threats section that
summarize latest intelligence reports related to ongoing, notable, global cyber events:
l Relevance
l Categories

Fortinet Inc.
l Motivational Tags
l Latest Intelligence
l Actively Exploited CVEs
l Top Actors
l Notable Category Reporting
To view global threat report summary:
1. Go to the Adversary Centric Intelligence > Dashboard page, and scroll to the Global Threats section. The number of
global threat reports is displayed as well as several widgets.
2. Use the following widgets to review the global threat intelligence reports:
Relevance Displays the number of reports that are relevant to your organization and are
rated high, medium, or low risk. Reports must meet certain criteria to be
considered high, medium, or low risk.
Reports page.
Categories Displays the number of reports for each category, such as Darknet, TechINT,
OSINT, and HUMINT.
Click a category to display more details on the Adversary Centric Intelligence >
Reports page.
Motivational Tags Displays the available motivational tag filters for reports.
Click a tag to display the Adversary Centric Intelligence > Reports page filtered
on the tag.
Latest Intelligence Displays the latest, published intelligence reports organized into the following
categories:
l Flash Alert
l Flash Report
l Threat Alert
l Threat Report
Automatically scrolls through the reports, or you can click the blue bars at the
bottom of the widget to view specific reports.
Actively Exploited CVEs Displays the number of currently and previously exploited CVEs and identifies
a list of newly exploited CVEs.

Fortinet Inc.
Investigation page.
Top Actors Displays the number of actors being tracked as well as the number of reports
on the actors.
Displays a summary of top actors. Click the name of a top actor to display
more details on the Adversary Centric Intelligence > Reports page.
Notable Category Reporting Click a report to display more details on the Adversary Centric Intelligence >
Reports page.
Reports
The Adversary Centric Intelligence > Reports page displays all the intelligence reports available to you. By default all
reports are displayed, starting with the latest report. From the Adversary Centric Intelligence > Reports page, you can:
l View the details of each report. See Viewing reports on page 63.
l Apply filters to the list of reports to hone in on specific reports. See Filtering reports on page 65.
l Download a PDF of reports. See Downloading reports and observables on page 66.
l Share reports. See Sharing reports on page 67.
l Export observables to Microsoft Excel format. See Exporting observables on page 68.
Viewing reports
The Adversary Centric Intelligence > Reports page displays all the reports available to you on the All Reports tab. By
default all reports are displayed, starting with the latest report.
You can filter the list of reports, and search the list of reports using a keyword. See Filtering reports on page 65.
When you open a report, its details are displayed on a separate tab, and you can download a PDF of the report, share
the report with another person, and access related reports. When the report contains associated observables, you can
download them in Microsoft Excel format.
From an open report, you can also click associated tags to filter the list of reports on the All Reports tab, and then access
additional related reports.
See also Rating reports on page 46.

Fortinet Inc.
To view reports:
1. Go to Adversary Centric Intelligence > Reports. All reports are displayed in the All Reports tab.
2. On the All Reports tab, toggle between Grid View and Table View.
In the following example, Table View is selected, and you can click the Grid View button to change to Grid View.
3. Click a report title to display the report details in a new tab.
From the report details page, you can:

l Hover over various icons and words to view tooltips of information.
l Click some words to display more information. For example, click TLP (traffic light protocol) to display
definitions of the different TLPs and rules around sharing the information.
l Click the Share Link button to share a link to the report with another person who has a FortiRecon account.
l Click the Download Report link to download a PDF of the report to your computer.
l View and search associated observables as well as click Export Observables to download the list of
observables in Microsoft Excel format.

Fortinet Inc.
From Associations area on the right, you can:

l View what is associated with the report, such as the reliability rating, adversary, motivation, tags, and so on.
l Click the i icon to view information about reliability ratings.
l Click a tag to return to the All Reports tab to view the list of reports filtered on the selected tag.
From Related Reports area on the right, you can:
l View a list of reports related to the open report.
l Click a related report to open it in a new tab.
l Click a tag to return to the All Reports tab to view the list of reports filtered on the selected tag.
Filtering reports
Reports can by filtered by date range, keywords, categories of filters, and relevance to your organization.
To filter reports:
1. Go to Adversary Centric Intelligence > Reports.

The reports are filtered to display only reports with the keyword.
4. Filter reports by categories:
a. On the right side, click the Filters button. The following filter categories are displayed:

Fortinet Inc.
l Target Industry
l Motivation & Tags
l Actors
l Target Geography
l Category
l Report Type
b. Under the Target Industry, Motivation & Tags, Actors, and Target Geography categories, click Filter <category
name>, and select one or more filters.
c. Under Category and Report Types, select checkboxes to enable the filters, and clear checkboxes to disable
filters.
d. Under Report Type > Relevance, click High, Medium, and/or Low to enable the filters, and clear the filters to
disable them.
Downloading reports and observables
You can download a PDF of the reports displayed on the Adversary Centric Intelligence > Reports page to your hard
drive. A maximum of 300 reports can be downloaded at one time.
When the report includes Indicators of Compromise (IOCs), you can click the Generate Observable button to download
the IOCs in Microsoft Excel format.
When you open a report, you can download a PDF of the open report.
To download reports:

2. Filter the reports. See Filtering reports on page 65.
The filtered list of reports is displayed.
3. (Optional) Select which of the filtered reports to download:
a. Click the Download Specific Reports button. Checkboxes are displayed beside each report title.
b. Select the checkbox beside each report you want to download.
4. Click the Downloads button. A confirmation dialog is displayed.
5. In the File Name box, type a name.

Fortinet Inc.
6. (Optional) If the report contains IOC information, you can click Generate Observable to download IOC information in
Microsoft Excel format.
7. Click Generate PDF.
A dialog is displayed.
8. Click OK.
9. Retrieve the download. See Retrieving downloads on page 104.
To download a PDF from an open report:

2. Click a report to display its details.
3. Click the Download Report button.

A PDF of the report is downloaded to your computer.
Sharing reports
You can share reports by using a link or an email.

Fortinet Inc.
To share a report:

2. Click a report to display its details.
3. Click the Share Link button.

The Email and Copy Link buttons are displayed.
Exporting observables
When a report has associated observables, they are displayed at the bottom of the report in the Associated Observables
section.
You can download the list of observables in Microsoft Excel format. The downloaded file is password protected.
FortiRecon provides the password you need to open the file in Microsoft Excel.
To export observables:
1. View a report. See Viewing reports on page 63.

2. Scroll down to the Associated Observables section.
In the following example, the report has 741 associated observables:
3. On the right, click the Download Observables button.

The password for the download is displayed. In the following example, the password is intel@ioc!.

Fortinet Inc.
The excel file is downloaded to your computer.

4. Open the Excel file.
You are prompted for the password.
5. Type the password from FortiRecon, and click OK. The Excel file opens.
Card Fraud
The Adversary Centric Intelligence > Card Fraud page widget is only displayed for banking
organizations that issue credit or debit cards.
The Adversary Centric Intelligence > Card Fraud page displays information about credit or debit cards that are for sale
on darknet marketplaces. From the Card Fraud page, you can:
l View a summary of the total number of leaked cards as well as information about each leaked card. See Viewing
leaked card information on page 69.
l Filter the information. See Filtering leaked card information on page 70.
l Download the list of leaked cards to Microsoft Excel format. See Exporting a list of leaked cards on page 70.
Viewing leaked card information
The Adversary Centric Intelligence > Card Fraud page displays information about the number of leaked cards as well as
details about the leaked cards for a specific date range.
To view leaked card information:
1. Go to Adversary Centric Intelligence > Card Fraud. The Card Fraud page is displayed.
The Total Leaked Card, Credit Cards, and Debit Cards numbers are for the default date range. Details about the
leaked cards are displayed below.

Fortinet Inc.
2. You can filter the displayed information. See Filtering leaked card information on page 70.
Filtering leaked card information
You can filter information about leaked cards by year, date range, and bank identification number (BIN).
To filter leaked card information:
1. Go to Adversary Centric Intelligence > Card Fraud.

3. Filter by year:
a. In the Leaked Cards widget, select a year from the dropdown list.
4. Filter by card BIN:

a. In the Search Card Bin box, type a BIN, and press Enter.
Exporting a list of leaked cards
You can download the list of leaked cards to a Microsoft Excel file.

Fortinet Inc.
To export leaked cards:
1. Go to Adversary Centric Intelligence > Card Fraud.

2. Beside the Search Card Bin box, click the Export Leaked Cards button.
The Leaked Card.xlsx file is downloaded.

3. Open the file in Microsoft Excel.
Stealer Infections
The Adversary Centric Intelligence > Stealer Infection page includes information about possible infected systems that
are affiliated with your employees or end-users that are listed for sale on credential stealer darknet marketplaces.
On the Stealer Infection page, you can:
l View information about stealer infections. See Viewing stealer infection information on page 71.
l Filter stealer infection information. See Filtering stealer infection information on page 72.
l Export market place data. See Exporting market place data on page 73.
l Move affiliated domains to the hidden tab. See Hiding affiliated domains on page 74.
l Unsubscribe from affiliated domain notifications. See Unsubscribing from affiliated domain notifications on page 74.
Viewing stealer infection information
The Adversary Centric Intelligence > Stealer Infections page displays information about possible infected systems that
are affiliated with your employees or end-users and are for sale on darknet market places.
To view stealer infection information:
1. Go to Adversary Centric Intelligence > Stealer Infections. The Stealer Infections page is displayed.
2. Use the following widgets to review information about stealer infections:

Fortinet Inc.
Total compromised systems Displays the total number of compromised systems affiliated with your
affiliated with <organization organization.
name>
Stealers Found Display the number of stealers found and the names of the stealers.
Latest Displays the latest number of stealer events and the date that the event was
discovered.
Market Place Calendar Displays a summary of the stealer events in the selected calendar year.
Colored blocked indicate a stealer event. Light colors blocks indicate few
affected credentials, and dark colored blocks indicate many affected
credentials.
Hover your mouse over each block to view the discovery date and the number
of affected credentials.
Affiliated Domains Lists the domain names affiliated with the stealer events and the number of
affected systems.
Click the Click to Hide icon to move the affiliated domain to the hidden tab.
Systems Infected Displays a list of infected systems. Expand the affiliated domain to view a list of
identified sites.
Filtering stealer infection information
You can use several methods to filter information in the Stealer Infections tab.
To filter stealer infection information:
1. Go to Adversary Centric Intelligence > Stealer Infections.

2. Filter information by a date range:
Only information from the date range is displayed.
d. Click the X in the Start & End Date box to remove the date range filter.
The information is filtered.

Fortinet Inc.
4. Click All, Active, or Hidden to use those filters.

For example, click Hidden to display only information from the hidden tab.
5. Filter reports by categories:
a. On the right-side, click the Filters button. The following filter categories are displayed:
l Stealer
l Country
l State
l ISP
l MarketPlace
b. Click Filter <category> , and select one or more filters.
6. Filter the Market Place Calendar by year:
Exporting market place data
You can download all the market place information to download an All Market Place.xlsx file in Microsoft Excel format.
Alternately you can limit the export to infected systems and download a Market Place.xlsx file.
To export market place:

2. (Optional) Filter the data. See Filtering stealer infection information on page 72.
3. Click the Export to Market Place button.
An All Market Place.xlsx file is downloaded.

Fortinet Inc.
To export infected systems:
1. Go to Adversary Centric Intelligence > Stealer Infections, and scroll down to the Systems Infected widget.
2. Select the checkmark for the systems to include in the export. The Export Market Place button becomes available.
3. Click the Export to Market Place button.

A Market Place.xlsx file is downloaded.
Hiding affiliated domains
You can move affiliated domains to the Hidden tab. You can view the Hidden tab by clicking Hidden at the top-right of the
page.
To hide affiliated domains:

2. Scroll down to the Affiliated Domains section, and click the Click to Hide icon for the domains you want to hide.
The domain is moved to the hidden tab.
Unsubscribing from affiliated domain notifications
You can unsubscribe from affiliated domain notifications.
To unsubscribe from affiliated domain notifications:

2. Scroll down to the Affiliated Domains section, and click the Click to Unsubscribe and Stop Email Notifications icon.

Fortinet Inc.
OSINT Cyber Threats
Open Source Intelligence (OSINT) is method of gathering threat intelligence from publicly available sources. Over time,
OSINT coverage has changed to a great extent. Previously, it only covered sources such as Blogs, news, business
websites, social networks, and so on.
The Adversary Centric Intelligence > OSINT - Cyber Threats page provides you the ability to stay up to date with
information published in open source platforms, such as social media, GitHub repositories, and so on. Information for
review is based on specific criteria, including:
l Exploited vulnerabilities
l Zero day vulnerabilities
l Global events
On the OSINT - Cyber Threats page, you can:
l Review threat events. See Reviewing threats on page 75.
l Pin threat events to the top of the list. See Pinning events on page 76.
l Subscribe to threat event notifications. See Subscribing to event notifications on page 77.
l Subscribe other FortiRecon users to event notifications. See Adding subscriptions on page 78.
Reviewing threats
You can view more information about each threat.
To review threats:
1. Go to Adversary Centric Intelligence > OSINT - Cyber Threats. The list of events is displayed.
2. Click an event title, such as Cyber-Crime. The list of events is displayed on the right side.
In the following example, Cyber-Crime is selected:

Fortinet Inc.
3. On the right, click the event to display more information about it outside the FortiRecon portal.
A confirmation dialog is displayed.
4. Click Yes to open the link in a new tab in your browser.
Pinning events
You can pin events to the top of the list. Pinned events have an orange Pin icon. Unpinned events have a white Pin icon.
To pin events:
2. Click the Pin icon beside an event to turn the pin orange and pin the event to the top of the list.
In the following example, Cyber-Crime is pinned to the top of the list.
Click the Pin icon again to turn the pin white and unpin the event from the top of the list.

Fortinet Inc.
Subscribing to event notifications
You can enable subscriptions to receive notifications for one or more threat events. You can also change subscriptions
and unsubscribe.
To subscribe to event notifications:
2. For an event, click the Subscribe icon. The subscription options are displayed for the event.
In the following example, subscription options are displayed for the Advisory event:
3. Select one of the following options to specify when to receive the notification:
Real time Select to receive a notification when a new threat event is published.
Daily Select to specify the time each day to receive a notification about new threat
events.
4. Click Subscribe.
The Subscribe icon turns blue.

Fortinet Inc.
To change event notifications:
2. Click a blue Subscribe icon. The subscription options are displayed.
3. Change when you get notified, and click Update.
To unsubscribe from event notifications:
2. Click a blue Subscribe icon. The subscription options are displayed.
3. Click Unsubscribe.
The Subscribe icon turns white, and notifications are turned off.
Adding subscriptions
FortiRecon users with Admin privilege can set up subscriptions for other FortiRecon users to receive notifications about
events.
To add subscriptions:
1. Go to Adversary Centric Intelligence > OSINT - Cyber Threats, and click the Add Subscription button. The Cyber
Threats Get Notified dialog is displayed.
2. Click the Widget box, and select the threat events.

In the following example, Cyber-Crime is selected.

Fortinet Inc.
The Select User box is displayed.
3. In the Select User box, select a user.
The Daily check box is displayed. By default users receive notifications in real-time as events occur.
4. Select Daily specify what time each day the user should receive the notification.
Clear the Daily check box to receive notifications in real time.
5. Click Subscribe.
Vulnerability Intelligence
The Adversary Centric Intelligence > Vulnerability Intelligence page displays information on vulnerability exposure to
help prioritize vulnerability patching. From the Vulnerability Intelligence page, you can:
l Review known CVEs. See Vulnerability exposure on page 79.
l Review the notable global CVEs. See Global notable vulnerabilities on page 81.
l View specific CVE reports. See Viewing and filtering CVE reports on page 81.
l Export a list of CVEs. See Exporting CVEs on page 83.
l Bulk add CVEs to monitor. See Manually adding CVEs on page 83.
Vulnerability exposure
Monitored CVEs can be reviewed at a high level from the Adversary Centric Intelligence > Vulnerability Intelligence page
in the Vulnerability exposure section:

Fortinet Inc.
l Total CVEs Monitored: This tile displays the total count of monitored CVEs.
When the severity status of a CVE is changed, a flash tile will appear to show the updates.
l Distribution of CVEs by severity: This tile displays a graph of CVEs to show the total count of CVEs per rating, from
Low to Critical.
l Top 10 vendors by CVEs: Displays a list of the vendors with the most CVEs monitored and the severity range from
Low to Critical. Select a Vendor Name or Severity to view more information.
l CVEs from EASM Module: Displays a list of automatically monitored CVEs. Select the CVE ID or Show More button
to view more information.
l CVEs added Manually: Displays a list of CVEs added by the user.

Fortinet Inc.
Global notable vulnerabilities
Monitored CVEs can be reviewed at a high level from the Adversary Centric Intelligence > Vulnerability Intelligence page
in the Global notable vulnerabilities section:
l Total Notable CVEs: This tile displays the total count of notable CVEs.
l Top 5 vendors by CVEs: Displays a list of the vendors with the most notable CVEs monitored and the severity range
from Low to Critical. Select a Vendor Name to view more information.
l Top 10 Notable CVEs: Displays a list of the notable CVE monitored and the severity range from Low to Critical.
Select the CVE ID or Show More button to view more information.
Viewing and filtering CVE reports
You can review detailed CVE reports in the Adversary Centric Intelligence > Vulnerability Intelligence page by:
l Selecting the CVE ID from the Vulnerability exposure > CVEs from EASM Module and CVEs added Manually tabs.
l Selecting the CVE ID from the Global notable vulnerabilities > Top 10 Notable CVEs.
l Filtering the vendor reports from Vulnerability exposure > Top 10 vendor by CVEs or Global notable vulnerabilities >
Top 5 vendor by CVEs.
l Filtering all reports with the Show More button.

Fortinet Inc.
To filter reports:
1. Go to Adversary Centric Intelligence > Vulnerability Intelligence.

2. Select a Vendor Name or the Show More button. The CVE cards page is displayed.
3. Filter information by a date range:

a. Click Date Range. Two calendars are displayed.
d. Click the X to remove the date range filter.
a. In the Search box, type a keyword.
5. Enable Elevated to search for CVEs that have had the severity increased.
6. Filter reports by information:
a. Select the information dropdown menus:
l By Category
l By Addition
l By Severity
l By CVE Year
l By Vendor
l By Products
b. Select one or more filters.
7. Click Search. The CVE reports that match the filters are displayed.
8. Select the CVE ID to view the full, detailed report.

Fortinet Inc.
Exporting CVEs
You can export a list of all or specific CVEs from the CVE cards page to an Excel file. Information in the file includes:
l CVE ID
l Truview Score
l Truview Severity
l NVD Severity
l Description
l Published date
To export CVEs:

2. Select a Vendor Name or the Show More button. The CVE cards page is displayed.
3. Filter for the reports you want included in the Excel file. See Viewing and filtering CVE reports on page 81.
4. Click Export CVE List. An Excel file is downloaded to your device.
Manually adding CVEs
You can bulk add CVEs to monitor in the Vulnerability Exposure > CVEs added Manually tab on the Adversary Centric
Intelligence > Vulnerability Intelligence page.
To manually add CVEs:

2. Click Manage CVEs Watchlist. The Manage CVEs dialog is displayed.
3. Enter the CVE IDs in the text field.

4. Click Submit.
Ransomware Intelligence
The Adversary Centric Intelligence > Ransomware Intelligence page helps with supply chain monitoring and displays
information on past and potential ransomware incidents. From the Ransomware Intelligence page, you can:
l View past and potential ransomware incidents. See Viewing ransomware intelligence on page 84.
l Filter ransomware incident information. See Filtering ransomware intelligence on page 85.

Fortinet Inc.
l Export information on ransomware incidents to an Excel file. See Exporting ransomware information on page 86.
l Create, edit, and monitor a ransomware watchlist. See Managing My Watchlist on page 87.
Viewing ransomware intelligence
The Ransomware Intelligence page contains multiple sections that display high level information on the ransomware
threat landscape. Sections include:
l Summary: A summary to total incidents, groups currently being tracked, and the top sector, country, and active
ransomware. Select a card to view more information in the Ransomware Trends.
l Ransomware Trends: Graphical representations of ransomware trends, including top targeted sectors and
victimized countries. The trends will adjust to reflect a particular trend if a card is selected in the Summary.
l Watchlist: A list of monitored organization and vendors. If an asset matches a monitor, an alert will be triggered. Add
or edit your watchlist by selecting Manage.
l Active Ransomware: A list of known, active ransomware and the current victim count for each.
l Latest Ransomware Victims: A list of the most recent victims of ransomware victims, including information on the
victim revenue, sector, and country. Select an entry for more information on a specific victim. Click Show More to
view more victims.

Fortinet Inc.
l Potential Ransomware Victims: A list of targets identified as potential victims of ransomware, including information
on revenue, sector, and country. Select an entry for more information on a specific target. Click Show More to view
more potential targets.
Filtering ransomware intelligence
You can filter the information displayed on the Ransomware Intelligence, Ransomware Intelligence > Latest
Ransomware Victims, Ransomware Intelligence > Potential Ransomware Victims, and My Watchlist pages.
To filter the high level ransomware information:
1. Go to Adversary Centric Intelligence > Ransomware Intelligence.

2. Specify your filters:

Fortinet Inc.
l Select a card from the Summary section.

l Select the filter icon and select the filter fields you want to include.
The Ransomware Trends section will update.
To filter information on the latest ransomware victims:

2. In the Latest Ransomware Victims section, click Show More. The Latest Ransomware Victims page is displayed.
l Enter a keyword in the Search field.
l Select a start and end range from the Date Range field.
l Select specific filters from the list of categories.
4. Click Search. The list of victims that match your filters are displayed.
To filter information on potential ransomware victims:

2. In the Potential Ransomware Victims section, click Show More. The Potential Ransomware Victims page is
displayed.
l Enter a keyword in the Search field.
l Select a start and end range from the Date Range field.
l Select specific filters from the list of categories.
4. Click Search. The list of victims that match your filters are displayed.
To filter your watchlist:

2. In the Watchlist section, click Manage. The My Watchlist page is displayed.
3. Select a watchlist to filter:
l Organization Watchlist
l Vendor Watchlist
4. Click the filter icon and select how you would like to filter the results:
l EASM: Show only assets that were automatically added to the watchlist by EASM.
l Manual: Show only assets that were manually added to the watchlist.
The watchlist will display any assets that match the set filters.
Exporting ransomware information
You can export a list of recent ransomware victims into an Excel file. The spreadsheet will include information on:
l Victim Name
l Affected Domains
l Revenue
l Sector
l Country

Fortinet Inc.
l Date
l Description
To export all of the ransomware victims:

2. Scroll to the victim list you want to export:
l Latest Ransomware Victims
l Potential Ransomware Victims
3. Click Show More. The list of victims is displayed.
4. Click the Export List icon. The file is downloaded to your computer.
To export specific ransomware victims:

2. Scroll to the victim list you want to export:
l Latest Ransomware Victims
l Potential Ransomware Victims
3. Click Show More. The list of victims is displayed.
4. Specify your filters. See Filtering ransomware intelligence on page 85.
5. Click the Export List icon. The file is downloaded to your computer.
Managing My Watchlist
Users can monitor certain vendor and organization names in the My Watchlist page in the Vendor Watchlist and
Organization Watchlist, respectively. If a match for a monitored asset appears, it triggers an alert. Vendors and
organizations can be added to the watchlist manually by users or automatically by EASM.
To filter the monitored assets, see Filtering ransomware intelligence on page 85.
To create a new asset to manage:

3. Click Create. The Create Watchlist dialog is displayed.

Fortinet Inc.
4. Select the watchlist to add to from the Select Watchlist dropdown.

5. Enter a name for the monitored asset.
6. Enter the domain name of the monitored asset.
7. Click Submit. The asset is displayed on the assigned watchlist.
To edit a monitored asset:

3. Find the asset you want to edit and click Edit. The Edit Watchlist dialog is displayed.
4. Edit the asset details and click Submit.
To delete a monitored asset:

3. Click Delete. A confirmation dialog is displayed.
4. Select Delete.
Vendor Risk Assessment
The Adversary Centric Intelligence > Vendor Risk Assessment page is designed to create a watchlist of vendors that
allows you to assess the security hygiene level of each vendor. From the Vendor Risk Assessment page, you can:
l Add new vendors to the watchlist. See Adding a new vendor to the watchlist on page 89.
l View the security hygiene assessment of a vendor. See Viewing the vendor risk assessment on page 89.

Fortinet Inc.
Adding a new vendor to the watchlist
You can add new vendors to the watchlist to generate a risk assessment report and identify the overall estimate risk
exposure rating. Vendors can be added to the watchlist using the primary domain. Once the domain name has been
submitted, collecting data and generating the risk assessment can take up to 24 hours.
If the overall estimated risk exposure rating of a vendor changes to High, an alert notification
will be sent.
To add a new vendor to the watchlist:
1. Go to Adversary Centric Intelligence > Vendor Risk Assessment.

2. Click Add Vendor. The Add new Vendor dialog is displayed.
3. Enter the vendor domain in the Primary Domain Name field.

4. Click the search icon. Vendor information will be displayed.
5. Click Save. The vendor risk assessment will begin to generate.
Removing a vendor from the watchlist
You can have a maximum of 25 individual vendors in the watchlist. To remove a vendor from the watchlist, click Remove
on its watchlist card.
Viewing the vendor risk assessment
The vendor risk assessment organizes the generated vendors data into:
l Attack Surface Exposure: Provides an overview of the vendor company's assets and current security hygiene to
assess the estimated risk exposure.

Fortinet Inc.
l Darknet Exposure: Provides an overview of potential activity in hacker communities and darkweb marketplaces
toward the vendor company. The estimated risk can be used to assess the likelihood of threat actors' interest in
targeting the vendor company.
l Security Incidents: Provides an overview of ransomware incidences and intelligence reporting so that action can be
taken if the vendor company suffers a ransomware attack or is targeted by a threat actor.
Each of these sections is further divided into widgets that allow you to review detailed risk data in order to make informed
decisions.

Fortinet Inc.
To view a vendor risk assessment:
1. Go to Adversary Centric Intelligence > Vendor Risk Assessment.
2. Select the vendor that you want to review. The Vendor Risk Assessment opens.
You cannot review vendor information while the Status is Pending.
3. Review the banner for high-level information on the vendor and the Overall Estimated Risk Exposure.
4. Review the Attack Surface Exposure:
Issue by Severity The distribution of security issues by severity on the vendor's attack surface.
Security Issues The type of security issues identified and the assets affected, distributed by
severity. Select a dropdown arrow in the Issue Category for further breakdown
of the assets.
Commonly Targeted Services The services on the vendor's attack surface that are commonly targeted and
the number of assets exposing the service.
Asset Distribution A geographical distribution of the vendor's assets.

Fortinet Inc.
5. Review the Darknet Exposure:
Darknet Mentions The number of mentions of the vendor's name or domain on platforms where
threat actors perform active discussions.
Dataleak Mentions The number of mentions of the vendors name or domain on datasets leaked
by threat actors.
Credential Breaches An overview of credentials affiliated with the vendor's domain that have been
identified in third party data breaches.
Botnet Infections An overview of botnet campaigns used to steal credentials from end users:
l Compromised Employee Systems: The number of usernames from the
shared infected system logs containing the email address domain

affiliated with the vendor.
l Compromised Users Systems: The number of credentials shared from
the infected system logs containing the URL or application visited on the
infected system matching the vendor's domain. These systems can be
end users or employees.
l Stealer Marketplace: The number of credentials stolen by threat actors
containing the URL or application visited on the infected system matching
the vendor's domain. These logs are being listed for sale on prominent
stealer marketplaces.
6. Review the Security Incidents:
Ransomware Incident The vendor name or domain appeared on the victim list by a ransomware
group.
FortiRecon Intelligence FortiRecon ACI reporting contains mention of the vendor's name or domain.
Reporting
Investigation
The Adversary Centric Intelligence > Investigation page displays information about investigations into security events.
From the Investigation page, you can:
l Review the reputation of IPv4 addresses. See Reviewing IP address reputation on page 92.
l Review the reputation of a domain. See Reviewing domain reputation on page 93.
l Review a file hash. See Reviewing a file hash on page 93.
l Review a CVE. See Reviewing a CVE on page 93.
Reviewing IP address reputation
You can use the IP Reputation search bar to search for IPv4 addresses.

Fortinet Inc.
To review IP address reputation:
1. Go to Adversary Centric Intelligence > Investigation > IP Reputation. The IP Reputation tab is displayed.
2. Type the IPv4 address, and press Enter.
Reviewing domain reputation
You can use the Domain Reputation search bar to search for domains.
To review domain reputation:
1. Go to Adversary Centric Intelligence > Investigation > Domain Reputation. The Domain Reputation tab is displayed.
2. Type the domain name, and press Enter.
Reviewing a file hash
You can use the File Hash search bar to search for a file hash.
To review a file hash:
1. Go to Adversary Centric Intelligence > Investigation > Hash Lookup. The Hash Lookup tab is displayed.
2. Type the file hash, and press Enter. The results are displayed.
Reviewing a CVE
You can use the CVE search bar to search for a CVE.
To review a CVE:
1. Go to Adversary Centric Intelligence > Investigation > CVE. The CVE tab is displayed.
2. Type the CVE, and press Enter. Information about the CVE is displayed.

Fortinet Inc.
Profile settings
The Profile Settings page allows you to personalize your FortiRecon account and provide information on your
organization.
You can access Profile Settings from the menu in the top-right corner of FortiRecon. See Accessing profile settings on
page 94. The menu appears as three vertical dots:
From the menu, you can also change the color theme of the FortiRecon pages. See Changing the color theme on page
95.
The Profile Settings module contains the following tabs:
Profile Displays information about your personal FortiRecon account. You can edit
details of your account, configure daily digest reports, and enable custom email
alerts. See Profile on page 96.
Users Displays account information for members of your organization. Administrators

can add, edit, and delete user accounts. See Users on page 99
Access Templates Allows the creation and editing of access templates. Access templates control the
modules and sub modules available to users on FortiRecon. See Access
templates on page 101.
Change Password Allows you to change your personal account password. See Change password on
page 103.
Downloads Displays a list of all the files downloaded from FortiRecon in that last 30 days. You
can download the files to your computer or delete unnecessary files. See
Downloads on page 104.
Integrations Displays the webhook integrations with Microsoft Teams and Slack. You can
create, edit, disable, and delete integrations. See Integrations on page 105.
Seeds Displays the domains, card BINs, and mobile applications of your organization
that are being monitored by FortiRecon. See Seeds on page 108.
Accessing profile settings
You can access the Profile Settings from any page by selecting the menu in the top-right corner.

Fortinet Inc.
Profile settings
To access profile settings:
1. Hover over the profile menu in the top-right corner, and select Profile Settings.
The Profile tab is displayed.
Changing the color theme
You can choose between a light and dark color for the pages of the FortiRecon portal.
Following is an example of the dark theme:
Following is an example of the light theme:
To change the color theme:
1. Click the menu in the top-right corner, and select Change Theme.

Fortinet Inc.
Profile settings
Profile
The Profile tab provides information on your personal account information and allows you to customize settings. From
the Profile Settings > Profile tab, you can:
l Edit personal account information. See Editing user information on page 96.
l Configure daily reports on recent FortiRecon activity. See Opting in to daily digest reports on page 96.
l Opt-out of daily reports on recent FortiRecon activity. See Opting out of daily digest reports on page 97.
l View information about your subscription, such as registered domains, target industries and geography, keywords,
and your API key. See Viewing subscription details on page 97.
l Copy your API key for sharing. See Sharing the API key on page 98.
l Configure personalized email notifications when specific keywords occur in FortiRecon reports. See Receiving
custom email alerts on page 98.
Editing user information
You can edit your personal user information on the Profile tab. To edit other FortiRecon account users, see Editing users
on page 100.
To edit personal user information:
1. Go to Profile Settings > Profile.

2. Click the edit icon in User Info. The Cancel and Update buttons display.
3. Enter new information into Name, Email, and Mobile as needed.

4. Click Update. Your personal user information is updated.
Opting in to daily digest reports
You can receive emailed daily digest reports that include important information and highlights on reports and alerts that
occurred in the past 24 hours.
To opt-in to daily digest reports:

2. Click Opt-in in Daily Digest Settings. The Category and Report Type fields become active.

Fortinet Inc.
Profile settings
3. Select the options to include, and clear the options to exclude from the daily digest report.
4. Use the up and down Daily At arrows, or manually enter the hour you want to receive the daily digest report.
5. Toggle AM and PM to decide the hour in the 12-hour time convention.
6. Click Save. The daily digest report is sent to your email each day at the time specified.
The Daily At feature uses the 12-hour time convention by default. If you enter a time in 24-hour
format, the time is automatically adjusted to the 12-hour format. For example, if you enter 15
AM, the time is adjusted to 3 PM.
Opting out of daily digest reports
Daily digest reports are enabled by default, but you can stop the emails by opting-out in the Profile tab.
To opt-out of daily digest reports:

2. Click Opt-out in Daily Digest Settings. You will no longer receive daily digest reports.
Viewing subscription details
Subscription Details provides information on your subscription, including domains, license serial number, contract
information, and your API key.

Fortinet Inc.
Profile settings
To view subscription details:

2. Scroll to Subscription Details to view information on your:
l Subscription
l Customer Tag
l API Key
l Domains
l License Serial
l Keywords
l Contract
l Target Industry
l Target Geography
Sharing the API key
You can copy your API key to your clipboard to share with others or use in other software.
To copy your API key:

2. Click Copy in Subscription Details. The API key is copied to your clipboard.
Receiving custom email alerts
You can configure custom email alerts so that you receive email notifications whenever there is a report that relates to
the categories you set.

Fortinet Inc.
Profile settings
To configure custom email alerts:

2. In Custom Email Alerts, select alert inputs by clicking and choosing from:
l Target Industry
l Motivation & Tags
l Actors
l Target Geography
3. Click Save. Email alerts are configured and are sent when a set input occurs in a report.
Users
Multiple FortiRecon accounts can be created for an organization in the Users tabs. The following roles are available for
FortiRecon accounts:
l User: Has access limited to what is included in the assigned access template.
l Admin: Has administrative access over other accounts.
Only administrators can add and make changes to other accounts.
From the Profile Settings > Users tab, you can:

l View all user accounts for your organization. See Viewing user accounts on page 99.
l Add new users. See Adding users on page 100.
l Edit existing users. See Editing users on page 100.
l Delete users. See Deleting users on page 101.
Viewing user accounts
You can view all of the current users for your organization on the Users tab. User information listed for all users includes:
l Name
l Role
l Email
l Phone Number
To view user accounts:
1. Go to Profile Settings > Users.

a. In the Type and hit Enter to Search box, type a name or email, and press Enter.

Fortinet Inc.
Profile settings
The user accounts are filtered to display only accounts with the keyword.
Adding users
Administrators can add new user accounts. Before you add new users, define access templates to select in the user
accounts. See Access templates on page 101.
To add a user account:
1. Access Profile Settings, and click the Users tab. The users are displayed.
2. Click the Add User button. The Client Info page is displayed.
3. On the Client Info page, complete the following options, and click Next.
Name Type a name for the user.
Mobile Type the mobile phone number for the user.
API Key Displays the automatically generated API key for the user.
Email Type the email address, and select the domain for the user.
Role Select one of the following roles:

l User: gives the user access to the modules defined to their account.
l Admin: gives the user access to the modules defined to their account and
administrative access over other accounts.
The Permissions page is displayed

4. Select a User Template from the dropdown. The Main Modules, Sub Modules, and Access are adjusted to the
template's settings.
5. Click Save. The user is created.
Editing users
All organization members with FortiRecon accounts are listed on the Users tab. Administrators can edit the information
of other members.
You cannot edit an email address.

Fortinet Inc.
Profile settings
To edit a user account:
1. Go to Profile Settings > Users and find the account you want to edit.
2. Click Edit. The Client Info page is displayed.
3. On the Client Info page, complete any of the following options as needed, and click Next.
Name Type a new name for the user.
Mobile Type a new mobile phone number for the user.
API Key Select Re-generate API to create a new API Key. This can be done when it is suspected
that the API Key has been compromised or leaked.
Role Select a new role from the Role dropdown.
The Permissions page is displayed.

4. Select a new User Template from the dropdown, if needed. The Main Modules, Sub Modules, and Access are
adjusted to the template's settings.
5. Click Save. The user information and access permissions are updated.
Deleting users
Administrators can delete the account of another member on the Users tab.
To delete a user account:
1. Go to Profile Settings > Users and find the account you want to delete.
2. Click Delete. A confirmation message is displayed.
3. Click Yes. The account is deleted.
Access templates
Access templates are used for controlling user accounts. When you create an access template, you can define what
modules and sub modules a user can access, and then you can assign the access template to user accounts. See
Adding users on page 100

Fortinet Inc.
Profile settings
From the Profile Settings > Access Template tab, you can:
l View available access templates. See Viewing access templates on page 102.
l Add a new access template. See Adding a template on page 102.
l Edit an existing access template. See Editing a template on page 103.
Viewing access templates
You can view the settings assigned to an access template in the Access Templates tab. Assigned Main Modules, Sub
Modules, and Access settings appear in the following formats:
l Grey: The Sub Module is a default setting that is always included if the Main Module is selected.
l Blue: The feature has been intentionally selected from the optional features.
To view an access template:
1. Go to Profile Settings > Access Templates.

2. Click the Select Template dropdown. A list of existing access templates is displayed.
3. Select the template you want to view. The template is displayed.
Adding a template
You can create new templates in the Access Templates tab, and they can include any of the Main Modules, specific Sub
Modules, and Access settings.
While all Access settings are optional, the following Sub Modules are mandatory when the associated Main Module has
been selected:
Main Module Mandatory Sub Modules
EASM Dashboard
Brand Protection Dashboard and Alerts
Adversary Centric Intelligence Dashboard and Reports
To create an access template:

2. Click Add Template. The Add Template page is displayed.

Fortinet Inc.
Profile settings
3. Enter a name in the Template Name text box.

4. Select the Main Modules, Sub Modules, and Access fields to enable user access to them.
5. Clear the Main Modules, Sub Modules, and Access fields to disable user access to them.
6. Click Add. The template is created.
Editing a template
You can edit a template that has previously been created to add or remove Modules, Sub Modules, and Access settings.
To edit an access template:

2. From the Select Template dropdown, select the template you want to edit . The template is displayed.
3. Enter a new name in the Template Name text box, if needed.
4. Select the new Main Modules, Sub Modules, and Access fields to enable access to them.
5. Clear the Main Modules, Sub Modules, and Access fields to disable access to them.
6. Click Save. The template is updated.
Change password
You can change your personal account password. The new password must:
l Contain at least one lower case letter
l Contain at least one upper case letter
l Contain at least one special character
l Be at least 10 characters long
To change your password:
1. Go to Profile Settings > Change Password.

2. Enter your existing password in the Current password box.
3. Enter the new password in the New password box.
4. Enter the new password again in the Confirm password box. The Set Password button becomes available.
5. Click Set Password. Your password is updated.

Fortinet Inc.
Profile settings
Passwords entered into New password and Confirm password boxes must match. The fields
are case sensitive. If the passwords do not match, the Set Password button remains
unavailable.
Downloads
Files downloaded from EASM, Brand Protection, and Adversary Centric Intelligence are saved in the Downloads tab.
Files are saved in a list with the most recently downloaded files at the top.
From the Profile Settings > Downloads tab, you can:
l View all downloads from the past 30 days. See Viewing downloads on page 104.
l Retrieve downloads from the past 30 days. See Retrieving downloads on page 104.
l Delete downloads. See Deleting downloads on page 105.
Viewing downloads
You can view all of your downloads from the past 30 days.
To view downloads:
1. Go to Profile Settings > Downloads. The most recent downloads are displayed.
2. From the Records per page dropdown list, select the number of downloads to display on the page.
3. Navigate between pages by selecting Previous and Next.
Retrieving downloads
You can retrieve downloaded files in the Downloads tab.
To retrieve a downloaded file:
1. Go to Profile Settings > Downloads and find the file you want.
2. Click the file in the Download column. The file is downloaded to your computer.
If a file is not finished downloading, an update message is displayed when you hover your
mouse over the file. You cannot click the file until it is finished downloading.

Fortinet Inc.
Profile settings
Deleting downloads
Downloaded files are automatically deleted after 30 days. However, you can manually delete files if needed.
To delete downloaded files:
1. Go to Profile Settings > Downloads and find the file.

2. Click the delete icon in the Actions column. A confirmation message is displayed.
3. Click Yes. The file is deleted.
Integrations
You can use webhook integration to receive automated alert and report notifications over Microsoft Teams and Slack.
For example, if you have flash reports configured for a Slack integration, when a flash report appears on FortiRecon, you
receive an automated notification on your Slack account.
From the Profile Settings > Integrations tab, you can:
l View the details of existing integrations. See Viewing integration details on page 105.
l Create new integrations. See Adding integrations on page 106.
l Edit existing integrations. See Editing integrations on page 107.
l Disable integrations. See Disabling integrations on page 107.
l Delete integrations. See Deleting and disabling integrations on page 107.
Viewing integration details
You can view the details of an integration in the Integrations tab.
To view the details of an integration:
1. Go to Profile Settings > Integrations.

2. Find the integration you want to view:
a. Search for keywords:
i. In the Type and hit Enter to Search box, type a keyword, and press Enter.
The integrations are filtered to display only integrations with the keyword.
ii. Click the X beside the keyword to remove the filter.
b. Search by platform:

Fortinet Inc.
Profile settings
i. Select the Platform dropdown. A list of available integration platforms is displayed.
ii. Select the platform you want to view.

The integrations are filtered to display only integrations for that platform.
3. Click the name or icon of the integration. The Update Integration page displays the integration details.
Adding integrations
You can add multiple webhook integrations to your account in FortiRecon.
You must retrieve the webhook URL from Microsoft Teams and Slack before adding an
integration to FortiRecon. See Microsoft Teams Webhooks and Connectors and Slack API
Sending messages using Incoming Webhooks for more information.
To add an integration:
1. Go to Profile Settings > Integrations.

2. Click Add Integrations. The Choose Your Integration page is displayed.
3. Select the software you want to integrate with. The Add Integration page is displayed.
4. Enter the name of the integration in the Title text box.

5. Paste the webhook URL from the software into the WebHook URL text box.
6. Select the Category and Report Type fields that you want to include in the integration.

Fortinet Inc.
Profile settings
7. Clear any fields that you want to exclude from the integration.
8. Click Save. The integration is added.
Editing integrations
You can change the features and details of a webhook integration from the Integrations tab.
To edit an integration:
1. Go to Profile Settings > Integrations and locate the integration.

2. Click the name or icon of the integration. The Update Integration page is displayed.
3. Edit the Title and WebHook URL text boxes, as needed.

4. Select the Category and Report Type fields that you want to include in the integration.
5. Clear any fields that you want to exclude from the integration.
6. Click Update. The webhook integration is updated.
Disabling integrations
You can temporarily disable unused integrations, and then enable them again in the future. The integration toggle allows
you to enable and disable an integration as needed.
To disable an integration:
1. Go to Profile Settings > Integrations and find the integration.
2. Select the toggle to disable the integration. The notifications are no longer sent to the software.
3. Select the toggle again to enable the integration.
Deleting and disabling integrations
You can delete unneeded webhook integrations.

Fortinet Inc.
Profile settings
To delete an integration:
1. Go to Profile Settings > Integrations and find the integration.

2. Click Delete. A confirmation message is displayed.
3. Click Yes. The integration is deleted.
Seeds
You can input your organization's information in the Seeds tab to enable FortiRecon to track any malicious activity
against your assets or impersonating your assets.
From the Profile Settings > Seeds tab, you can:
l View your organization's registered assets. See Viewing your assets on page 108.
l Download a sample Microsoft Excel file to determine the format needed to upload data. See Downloading a sample
data file on page 109.
l Upload a Microsoft Excel file to simultaneously upload your organization's data in bulk. See Uploading a data file on
page 109.
l Export a global master file containing all of your organization's registered assets. See Exporting global masters on
page 110.
l Add, edit, and delete domain names. See Domains on page 110.
l Add, edit, and delete all BIN numbers used by your organization to issue credit, debit, and gift cards. See Card BIN
on page 112.
l Add, edit, and delete all mobile applications belonging to your company. See Owned mobile applications on page
114.
Viewing your assets
On the Seeds tab, you can view the domain names, card BINs, and mobile apps of your organization that are being
monitored by FortiRecon. You can toggle between the following tabs to view your organization's assets:
l Domains
l Card BIN
l Owned Mobile Applications
To view your organization's assets:
1. Go to Profile Settings > Seeds.

2. Navigate between asset types by selecting the:
l Domains tab
l Card BIN tab
l Owned Mobile Applications tab

Fortinet Inc.
Profile settings
3. Search for assets:

l Enter a keyword in the Global Search box to search simultaneously for Domains, Card BINs, and Owned
Mobile Applications.
l Navigate to one of the tabs, and search for a keyword in the Search box to look for entries specific to that asset
type.
Downloading a sample data file
You can use a Microsoft Excel file to upload bulk information to the Seeds tab. The Microsoft Excel file requires a specific
format, and you can download a sample file to review the needed format.
If you intend to upload data for Domains, Card BIN, and Owned Mobile Applications
simultaneously, select the global sample file.
To download a global sample file:

2. Select Download Sample XLS in the top right.
The global sample file is downloaded to your computer.
To download a sample file for a specific entry type:

2. Select the entry type you want:
l Domains
l Card BIN
3. Select Download Sample XLS in the tab.
The sample file is downloaded to your computer.
Uploading a data file
You can upload a Microsoft Excel file of your organization's information to FortiRecon. You can upload information in one
global file for all entry types, or you can upload multiple, individual files.
The Microsoft Excel file requires a specific format. See Downloading a sample data file on
page 109.

Fortinet Inc.
Profile settings
To upload a global sample file:

2. Select Upload XLS in the top right.
Your computer file explorer is displayed.

3. Select the file and click Open. The data entries are displayed in the Seeds tabs.
To upload a sample file for a specific entry type:

2. Select the entry type you want:
l Domains
l Card BIN
3. Select Upload XLS in the tab.
Your computer file explorer is displayed.

4. Select the file and click Open. The data entries are displayed in the selected Seeds tab.
Exporting global masters
You can download a master list in Microsoft Excel format from FortiRecon that contains all domains, card BINs, and
owned mobile applications. The file contains three tabs, with each tab dedicated to one of the three Seeds tabs.
To download a global master list:

2. Click Export Global Masters. The master list is downloaded to your computer as a Microsoft Excel file.
Domains
Providing domains allows FortiRecon to monitor for typo-squatting and phishing by actors that may be trying to
impersonate your organization. See Domains Typo-squatting on page 47 and Phishing on page 50.
From the Profile Settings > Seeds > Domains tab, you can:
l Add new domain names. See Adding domains on page 111.
l Edit existing domain names. See Editing domains on page 111.
l Delete domain names. See Deleting domains on page 111.

Fortinet Inc.
Profile settings
Adding domains
You can add new domains in the Domains tab, as needed.
To add a new domain:
1. Go to Profile Settings > Seeds > Domains.

2. Click Add. The Domains dialog is displayed.
3. Enter the domain name in the Add text box.

4. Click Save. The domain is added.
You must include a top-level domain when entering the domain name, such as .com or .org.
Editing domains
You can edit a pre-existing domain name in the Domains tab.
To edit a domain name:
1. Go to Profile Settings > Seeds > Domains and find the domain name.
2. Click the edit icon in the Actions column. The Edit Domains dialog is displayed.
3. Edit the text in the Domains text box.

4. Click Save. The domain name is changed.
Deleting domains
You can delete domain names from the Domains tab. You can delete single domain names or groups of domain names.
To delete a single domain name:
1. Go to Profile Settings > Seeds > Domains and find the domain name.

Fortinet Inc.
Profile settings
3. Click Yes. The domain name is deleted from the list.
To delete multiple domain names:
1. Go to Profile Settings > Seeds > Domains.

2. Select the domain names by using one of the following methods:
l Select the checkbox in the first row to select all domain names, and then clear the checkbox beside any domain
names that you want to keep.
l Select the checkbox beside specific domain names to mark them for deletion.
The Delete Rows icon becomes available.
3. Click Delete Rows. A confirmation message is displayed and lists the number of selected domains.
4. Click Yes. The domain names are deleted from the list.
Card BIN
Providing your organization's card bank identification numbers (BINs) allows FortiRecon to monitor for card fraud by
actors that may be trying to steal credit, debit, or gift card information. See Card Fraud on page 69.
Card BIN information is needed only when your organization issues credit, debit, or gift cards.
From the Profile Settings > Seeds > Card BIN tab, you can:
l Add new card BINs. See Adding a card BIN on page 112.
l Edit existing card BINs. See Editing a card BIN on page 113.
l Delete existing card BINs. See Deleting a card BIN on page 113.
Adding a card BIN
You can add new BINs in the Card BIN tab, as needed. BINs must be at least six characters long.

Fortinet Inc.
Profile settings
To add a new card BIN:
1. Go to Profile Settings > Seeds > Card BIN.

2. Click Add. The Card BIN window is displayed.
3. Enter the BIN in the Add text box.

4. Click Save. The card BIN is added.
Editing a card BIN
You can edit a pre-existing card BIN in the Card BIN tab.
To edit a card BIN:
1. Go to Profile Settings > Seeds > Card BIN and find the card BIN.
2. Click the edit icon in the Actions column. The Edit Card BIN window is displayed.
3. Edit the text in the Card BIN text box.

4. Click Save. The card BIN is edited.
Deleting a card BIN
You can delete BINs from the Card BIN tab. You can delete a single BIN or groups of BINs.
To delete a single card BIN:
1. Go to Profile Settings > Seeds > Card BIN and find the BIN.
3. Click Yes. The BIN is deleted from the list.
To delete multiple card BINs:
1. Go to Profile Settings > Seeds > Card BIN.

2. Select the BINs by using one of the following methods:
l Select the checkbox in the first row to select all BINs, and clear the checkbox beside any BINs that you want to
keep.

Fortinet Inc.
Profile settings
l Select the checkbox next to specific BINs to mark them for deletion.
3. Click Delete Rows. A confirmation message is displayed and lists the number of selected BINs.
4. Click Yes. The BINs are deleted from the list.
Owned mobile applications
Providing app information allows FortiRecon to monitor for rogue mobile apps that are trying to impersonate your
organization. See Rogue Mobile Apps on page 54.
From the Profile Settings > Seeds > Owned Mobile Applications tab, you can:
l Add new mobile apps. See Adding an owned mobile application on page 114.
l Edit existing mobile apps. See Editing an owned mobile application on page 114.
l Delete mobile apps. See Deleting an owned mobile application on page 115.
Adding an owned mobile application
You can add new apps in the Owned Mobile Applications tab, as needed.
To add a new app:
1. Go to Profile Settings > Seeds > Owned Mobile Applications.

2. Click Add. The Owned Mobile Applications dialog is displayed.
3. Click the text boxes to enter text for Name, Developer, Hosted On, and URL.
4. Click Save. The app is added.
Editing an owned mobile application
You can edit app information in the Owned Mobile Applications tab.

Fortinet Inc.
Profile settings
To edit an app:
1. Go to Profile Settings > Seeds > Owned Mobile Applications and find the app.
2. Click the edit icon in the Actions column. The Owned Mobile Applications dialog is displayed.
3. Edit the Name, Developer, Hosted On, or URL boxes.

4. Click Save. The app information is edited.
Deleting an owned mobile application
You can delete apps from the Owned Mobile Applications tab. You can delete a single app or groups of apps.
To delete a single app:
1. Go to Profile Settings > Seeds > Owned Mobile Applications and find the app.
3. Click Yes. The app is deleted from the list.
To delete multiple apps:
1. Go to Profile Settings > Seeds > Owned Mobile Apps.

2. Select the apps by using one of the following methods:
l Select the checkbox in the first row to select all apps, and clear the checkbox beside any apps that you want to
keep.
l Select the checkbox beside specific apps to mark them for deletion.
3. Click Delete Rows. A confirmation message is displayed and lists the number of selected apps.
4. Click Yes. The apps are deleted from the list.

Fortinet Inc.
www.fortinet.com
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiRecon 23.1 User - Guide

Uploaded by

Copyright:

Available Formats

FortiRecon 23.1 User - Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiRecon 23.1 User - Guide

Uploaded by

Copyright:

Available Formats

User Guide

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

February 01, 2023

FortiRecon 23.1 User Guide 3

FortiRecon 23.1 User Guide 4

FortiRecon 23.1 User Guide 5

FortiRecon 23.1 User Guide 6

Date Change Description

2023-01-12 Initial release.

2023-01-18 Updated Adding a comment to a security issue on page 27.

2023-02-01 Added Acceptable FortiRecon use cases on page 9.

FortiRecon 23.1 User Guide 7

EASM The External Attack Surface Management (EASM) module provides an

FortiRecon 23.1 User Guide 8

organization. See User permissions in the FortiCloud Asset Management Administration

Acceptable FortiRecon use cases

FortiRecon 23.1 User Guide 9

This section explains how to get started with FortiRecon.

Registering the FortiRecon license

FortiRecon 23.1 User Guide 10

1. After the license is registered on FortiCloud, go to FortiRecon at https://fortirecon.forticloud.com.

2. Click Login. The FortiCloud login page is displayed.

3. Enter your FortiCloud credentials.

FortiRecon 23.1 User Guide 11

8. Enter your organization's information in the Company Information fields.

FortiRecon 23.1 User Guide 12

FortiRecon 23.1 User Guide 13

2. Click Login. The FortiCloud login page is displayed.

3. Enter your FortiCloud credentials.

5. Select the organization you want.

FortiRecon 23.1 User Guide 14

FortiRecon 23.1 User Guide 15

Viewing discovered assets summary

To view discovered assets summary:

2. Use the following widgets to review your discovered assets:

Overall Entities Displays the number of following entities discovered by FortiRecon:

l Domain: number of domains found by the latest scan.

l Sub-domain: number of sub-domains found by the latest scan.

l IP address: number of IP addresses found by the latest scan.

l IP block: number of IP blocks found by the latest scan.

l ASN (Autonomous System Number): number of ASNs found by the latest

l Current: results of the current scan

Technologies Discovered Displays all the technologies discovered by FortiRecon.

Viewing security issues summary

FortiRecon 23.1 User Guide 16

l Issue Wise Status

To view discovered assets summary:

2. Use the following widgets to review your security issues:

Viewing a map of assets

To view a map of assets:

FortiRecon 23.1 User Guide 17

Country Lists countries where your digital assets were discovered.

Assets Displays the number of assets discovered in each country.

l Orange indicates high.

l Yellow indicates medium.

l Green indicates low.