Security Analysis

Report Date: April 5, 2019 15:24
Data Range: 2019-03-31 00:00 to 2019-04-05 15:20 PDT (FAZ local)
Table of Contents

Bandwidth and Applications
  Traffic Bandwidth
  Number of Sessions
  Top Applications by Bandwidth
  Top Applications by Sessions
  Top Users by Bandwidth
  Top Users by Sessions
  Top Destination by Bandwidth
  Top Destination by Sessions
  DHCP Summary
  Top Wifi Client by Bandwidth
  Traffic History by Number of Active Users

Web Usage
  Top 20 Most Active Users
  Top 20 Most Visited Categories
  Top 50 Most Visited Sites
  Top 10 Online Users
  Top 10 Categories
  Top 50 Sites By Browsing Time
  Top 20 Bandwidth Users
  Top 20 Categories By Bandwidth
  Top 50 Sites (and Category) by Bandwidth
  Top 20 Most Blocked Users
  Top 20 Most Blocked Categories
  Top 50 Most Blocked Sites

Emails
  Top Senders by Number of Emails
  Top Recipients by Number of Emails
  Top Senders by Combined Email Size
  Top Recipients by Combined Email Size

Threats
  Malware Detected
  Malware Victims
  Malware Source
  Botnet Detected
  Botnet Victims
  Botnet C&C
  Botnet C&C Detected by DNS Filtering
  Intrusions Detected
  Intrusion Victims
  Intrusion Sources

VPN Usage
  VPN Traffic Usage Trend
  VPN User Logins
  Authenticated Logins
  Failed Login Attempts
  Top Dial-up VPN Users
  Top Sources of SSL VPN Tunnels by Bandwidth
  Top SSL VPN Tunnel Users by Bandwidth
  Top SSL VPN Web Mode Users by Duration
  Top SSL VPN Users by Duration
  Top Users of IPsec VPN Dial-up Tunnel by Bandwidth
  Top Site-to-Site IPsec Tunnels by Bandwidth
  Top Dial-up IPsec Tunnels by Bandwidth
  Top Dial-up IPsec Users by Bandwidth
  Top Dial-up IPsec Users by Duration

Admin Login and System Events
  Login Summary
  Login Summary By Date
  List of Failed Logins
  Events by Severity
  Events by Date
  Critical Severity Events
  High Severity Events
  Medium Severity Events

Appendix A
  Devices

Security Analysis (by admin) - FortiAnalyzer Host Name: FAZ3900E-105 page 1 of 27


Bandwidth and Applications
Traffic Bandwidth

[Chart: Sent and Received traffic, 0 to 300 GB per direction, at 12-hour intervals from 2019-03-31 to 2019-04-05]
Number of Sessions

[Chart: sessions per interval, 0 to 4M, at 12-hour intervals from 2019-03-31 to 2019-04-05]

Top Applications by Bandwidth

# Application Bandwidth


1 HTTPS 1.39 TB
2 HTTP 1,010.30 GB
3 SSH 379.10 GB
4 RTSP 324.45 GB
5 tcp/30303 267.50 GB
6 udp/443 183.07 GB
7 MYSQL 180.92 GB
8 HTTPS.BROWSER 137.14 GB
9 RSH 134.57 GB
10 DNS 72.88 GB

Top Applications by Sessions
# Application Sessions
1 BGP 71,079,429
2 DNS 57,134,488
3 HTTPS 21,861,576
4 HTTP 15,908,644
5 netbios forward 8,039,696
6 tcp/8013 4,905,452
7 udp/5355 4,051,080
8 udp/5353 3,738,031
9 RSH 3,704,891
10 MYSQL 3,627,973

Top Users by Bandwidth

# User (or IP) Bandwidth
1 172.16.100.40 324.56 GB
2 172.16.92.197 319.84 GB
3 172.17.158.10 317.55 GB
4 172.16.95.79 211.24 GB
5 192.168.100.73 129.84 GB
6 172.16.95.140 79.40 GB
7 172.18.74.39 60.15 GB
8 172.18.9.115 55.89 GB
9 172.16.93.120 50.62 GB
10 172.17.58.199 44.91 GB

Top Users by Sessions


# User (or IP) Sessions
1 172.18.18.57 70,941,187
2 172.16.95.102 17,588,909
3 172.18.54.101 7,222,357
4 172.17.48.200 6,010,187
5 172.17.93.19 6,005,137
6 172.16.95.17 4,443,070
7 172.18.29.14 4,290,613
8 172.16.94.229 3,275,152
9 172.18.3.250 2,503,699
10 172.17.93.68 2,095,058

Top Destination by Bandwidth
# Hostname (or IP) Bandwidth
1 172.16.93.120 212.02 GB
2 172.17.67.198 188.63 GB
3 192.168.100.206 126.78 GB
4 172.16.92.36 119.75 GB
5 172.17.67.197 81.95 GB
6 172.17.45.61 79.84 GB
7 172.17.45.63 77.23 GB
8 172.17.45.64 74.59 GB
9 172.17.45.62 73.37 GB
10 172.16.93.70 67.56 GB

Top Destination by Sessions


# Hostname(or IP) Sessions
1 21.0.0.2 70,936,059
2 172.16.100.100 21,993,396
3 172.16.100.80 15,099,268
4 208.91.115.12 10,252,802
5 172.16.95.16 8,337,985
6 172.16.90.40 7,105,041
7 192.168.100.205 4,406,385
8 208.91.115.11 4,298,274
9 ff02::1:3 4,051,260
10 ff02::fb 3,713,286

DHCP Summary
# Interface Allocated IP (%) New Clients Count
1 04_Security4190.FGT37D4615801346 26.15 20
2 110-boardroom.FGT37D4615800568 12.87 1
3 111-WLAN.FGT37D4615800568 28.36 72
4 113_MeetingRoom.FGT37D4615801346 9.09 7
5 199_Guest.FGT37D4615801346 3.96 5
6 47_TME.FGT37D4615801346 5.45 3
7 48_QA.FGT37D4615801346 0.40 1
8 520_MIS.FGT37D4615801346 27.27 16
9 550_Tel.FGT37D4615801346 36.73 144
10 551_Tel_Vancouv.FGT37D4615801346 26.85 305

Top Wifi Client by Bandwidth
# User (or IP) SSID Hostname (or MAC) Bandwidth
1 harishv FTNT-Staff IND-HARISH-NB 15.15 GB
2 egoh FTNT-Staff Unknown DellXPS 13.20 GB
3 jhyang FTNT-Staff jinhai-carbon64 11.78 GB
4 172.17.245.139 FTNT-Guest alex-sp3 11.00 GB
5 tbali FTNT-Staff DESKTOP-FKP6J6E 10.73 GB
6 msingh FTNT-Staff iPhone 10.47 GB
7 harishv FTNT-Staff BensiMac 9.41 GB
8 qzhao FTNT-Staff Router/NAT Device b8:94:36:2d:6e:0b 8.04 GB
9 zhongzhao FTNT-Staff zhongs-MacBook 8.03 GB
10 mgupta FTNT-Staff VAN-903421-LT1 8.02 GB

Traffic History by Number of Active Users

[Chart: active users per interval, 0 to 12K, at 12-hour intervals from 2019-03-31 to 2019-04-05]


Web Usage
Top 20 Most Active Users
# User (or IP) Requests
1 172.18.81.254 318,457
2 172.18.74.105 133,793
3 172.17.91.201 88,564
4 172.17.87.130 63,764
5 172.18.74.20 44,097
6 172.18.75.11 39,803
7 172.18.74.122 39,694
8 172.18.75.13 39,641
9 172.18.74.89 39,551
10 172.18.74.17 39,349
11 172.18.74.27 39,290
12 172.18.74.28 39,099
13 172.18.74.12 31,967
14 172.18.74.24 31,301
15 172.18.75.227 31,144
16 172.18.74.31 31,003
17 172.17.87.16 30,992
18 172.18.74.47 30,932
19 172.18.74.104 30,896
20 172.18.74.66 30,855

Top 20 Most Visited Categories


# Category Requests
1 FortiGuard unrated 3,186
2 Unrated 1,196
3 Information Technology 173
4 Malicious Websites 163
5 Web Hosting 122
6 Search Engines and Portals 61
7 Reference 55
8 News and Media 54
9 Proxy Avoidance 53
10 File Sharing and Storage 49
11 Business 43
12 Sports 39
13 Dynamic Content 32
14 Global Religion 30
15 Drug Abuse 30
16 Domain Parking 29
17 Real Estate 29
18 Games 29
19 Freeware and Software Downloads 29
20 Travel 29

Top 50 Most Visited Sites
# Website Category Requests
1 172.18.32.108 FortiGuard unrated 2,973
2 64.18.20.10 Unrated 650
3 cl63amgstart.ru Malicious Websites 163
4 172.18.71.99 FortiGuard unrated 134
5 77.92.92.159 Unrated 93
6 66.155.58.73 Unrated 80
7 172.16.67.148 FortiGuard unrated 61
8 23.209.27.138 Unrated 35
9 61.135.218.26 Reference 34
10 174.142.162.241 Unrated 34
11 222.73.28.54 Unrated 33
12 www.thatrandomwebsite.com Dynamic Content 32
13 kproxy.com Proxy Avoidance 32
14 212.47.2.77 Unrated 31
15 npchurch.org Global Religion 30
16 www.magic-mushrooms.net Drug Abuse 30
17 www.findaproperty.com Real Estate 29
18 www.clcrc.com Domain Parking 29
19 www.games.com Games 29
20 www.download.com Freeware and Software Downloads 29
21 www.hostway.com.au Web Hosting 28
22 123.125.115.75 Information Technology 28
23 118.163.113.93 Unrated 28
24 23.3.105.200 Unrated 27
25 85.233.168.140 Web Hosting 27
26 157.166.249.10 News and Media 27
27 www.cnn.com News and Media 27
28 www.tata.com Business 27
29 www.facebook.com Social Networking 26
30 peeroton.com Medicine 26
31 www.yousendit.com File Sharing and Storage 26
32 www.toyota.com Personal Vehicles 26
33 www.gmail.com Web-based Email 26
34 winhundred.com Spam URLs 25
35 89.200.143.100 Unrated 25
36 groups.yahoo.com Newsgroups and Message Boards 25
37 www.yahoo.com Search Engines and Portals 25
38 www.itradecimb.com Brokerage and Trading 24
39 203.90.242.122 Unrated 24
40 www.skype.com Internet Telephony 24
41 www.carpenters310.org General Organizations 24
42 23.3.105.162 Unrated 23
43 doc.google.com Web-based Applications 23
44 204.107.28.181 File Sharing and Storage 23
45 91.216.139.205 Web Hosting 23
46 61.135.218.46 Unrated 23
47 www.emule.com Peer-to-peer File Sharing 22
48 205.250.85.97 Web Hosting 22
49 www.meebo.com Web Chat 22
50 www.miranda-im.org Instant Messaging 22

Top 10 Online Users
# User (or IP) Browsing Time(hh:mm:ss)
1 10.2.60.141 02:23:02
2 172.18.28.153 01:16:59
3 172.18.3.250 00:52:20
4 172.16.175.115 00:28:13
5 172.16.110.104 00:24:44
6 172.18.3.229 00:10:03
7 172.18.25.96 00:03:17
8 yfeng 00:03:01
9 VAN-200420$ 00:03:00
10 jeanli 00:02:08

Top 10 Categories
# Category Browsing Time(hh:mm:ss)
1 Unrated 02:33:46
2 Information Technology 00:45:09
3 FortiGuard unrated 00:38:14
4 Search Engines and Portals 00:13:32
5 Web Hosting 00:12:34
6 News and Media 00:09:54
7 Proxy Avoidance 00:08:13
8 Malicious Websites 00:03:22
9 Newly Observed Domain 00:03:01
10 Entertainment 00:01:59

Top 50 Sites By Browsing Time
# Sites Category Browsing Time(hh:mm:ss)
1 64.18.20.10 Unrated 01:16:59
2 77.92.92.159 Unrated 00:52:20
3 172.18.32.108 FortiGuard unrated 00:28:13
4 connectivity-check.ubuntu.com Information Technology 00:18:05
5 212.47.2.77 Unrated 00:10:55
6 174.142.162.241 Unrated 00:10:31
7 172.16.67.148 FortiGuard unrated 00:10:03
8 157.166.249.10 News and Media 00:09:25
9 23.3.105.200 Unrated 00:09:23
10 118.163.113.93 Unrated 00:09:09
11 85.233.168.140 Web Hosting 00:08:37
12 61.135.218.46 Unrated 00:08:11
13 134.170.0.216 Information Technology 00:07:39
14 www.gravatar.com Information Technology 00:07:32
15 87.106.215.227 Proxy Avoidance 00:07:27
16 173.194.33.69 Search Engines and Portals 00:07:20
17 140.211.11.131 Information Technology 00:06:54
18 109.200.4.26 Information Technology 00:06:34
19 173.194.33.86 Search Engines and Portals 00:05:57
20 221.179.190.205 Unrated 00:05:21
21 cl63amgstart.ru Malicious Websites 00:03:22
22 66.155.58.73 Unrated 00:03:17
23 222.73.28.54 Unrated 00:03:02
24 www.mamakeish.com Newly Observed Domain 00:03:01
25 ocsp.pki.goog FortiGuard unrated 00:03:01
26 172.18.4.105 FortiGuard unrated 00:03:00
27 103.4.19.166 Unrated 00:02:58
28 23.209.27.138 Unrated 00:02:38
29 23.3.105.162 Unrated 00:02:24
30 188.165.210.111 Unrated 00:02:14
31 54.172.88.125 Unrated 00:02:08
32 104.198.98.38:10405 Unrated 00:02:07
33 91.216.139.205 Web Hosting 00:02:01
34 47.74.232.99 Unrated 00:02:01
35 www.lacoope.com Entertainment 00:01:59
36 172.18.34.238 FortiGuard unrated 00:01:59
37 17.154.66.47 Unrated 00:01:40
38 www.associatedgunclubs.org Sports 00:01:08
39 www.hostway.com.au Web Hosting 00:00:58
40 61.135.218.26 Reference 00:00:50
41 123.125.115.75 Information Technology 00:00:50
42 203.90.242.122 Unrated 00:00:49
43 www.tata.com Business 00:00:48
44 kproxy.com Proxy Avoidance 00:00:46
45 89.200.143.100 Unrated 00:00:44
46 www.findaproperty.com Real Estate 00:00:43
47 npchurch.org Global Religion 00:00:43
48 www.itradecimb.com Brokerage and Trading 00:00:41
49 www.magic-mushrooms.net Drug Abuse 00:00:41
50 www.facebook.com Social Networking 00:00:39

Top 20 Bandwidth Users
# User (or IP) Bandwidth
1 niiyoshi 10.46 GB
2 172.18.74.24 10.30 GB
3 vkondratiuk 9.83 GB
4 172.17.91.201 7.47 GB
5 172.18.81.254 7.36 GB
6 172.18.74.7 6.25 GB
7 172.18.74.105 4.67 GB
8 CAN_Ops 4.51 GB
9 172.18.75.200 4.49 GB
10 Rachel Siu 4.22 GB
11 172.17.87.119 3.75 GB
12 azarud 3.10 GB
13 knip 3.07 GB
14 hphun 2.97 GB
15 vkhalfina 2.87 GB
16 lsean 2.75 GB
17 rwieland 2.74 GB
18 richardwu 2.71 GB
19 mchen 2.63 GB
20 Emmanuel Romero 2.61 GB

Top 20 Categories By Bandwidth


# Category Bandwidth
1 FortiGuard unrated 22.79 MB
2 Unrated 4.74 MB
3 Dynamic Content 2.97 MB
4 Web Hosting 2.57 MB
5 Advertising 1.30 MB
6 Personal Websites and Blogs 808.64 KB
7 Proxy Avoidance 799.91 KB
8 Health and Wellness 511.45 KB
9 Information Technology 382.74 KB
10 Illegal or Unethical 359.70 KB
11 Child Education 307.92 KB
12 Restaurant and Dining 235.96 KB
13 Instant Messaging 191.57 KB
14 Drug Abuse 145.18 KB
15 Alcohol 129.60 KB
16 Marijuana 127.58 KB
17 Newsgroups and Message Boards 124.58 KB
18 Gambling 114.99 KB
19 Sports Hunting and War Games 114.84 KB
20 Tobacco 110.78 KB

Top 50 Sites (and Category) by Bandwidth


# Site Category Bandwidth
1 96.45.33.73 22.99 GB
2 fortinet-ca2.fortinet.com 14.08 GB
3 209.52.189.79 8.02 GB
4 96.45.33.64 6.29 GB
5 208.91.113.35 5.75 GB
6 96.45.33.88 4.29 GB
7 209.52.146.14 3.95 GB
8 173.243.138.197 3.95 GB
9 209.52.146.45 3.36 GB
10 13.107.4.50 3.32 GB
11 72.21.81.240 3.21 GB
12 65.210.95.253 2.81 GB
13 r2---sn-5aanugx5h-t0ae.googlevideo.com 2.44 GB
14 172.217.129.106 2.05 GB
15 93.184.215.201 1.96 GB
16 23.212.75.32 1.92 GB
17 173.243.138.194 1.83 GB
18 r3---sn-5aanugx5h-t0ae.googlevideo.com 1.69 GB
19 173.243.138.200 1.51 GB
20 173.243.138.198 1.43 GB
21 tlu.dl.delivery.mp.microsoft.com 1.40 GB
22 208.91.113.75 1.39 GB
23 173.243.138.196 1.33 GB
24 support.fortinet.com 1.31 GB
25 205.185.216.10 1.19 GB
26 209.52.146.13 1.03 GB
27 r2---sn-uxa0n-t8gs.gvt1.com 1,012.49 MB
28 209.52.146.238 962.10 MB
29 www.googleapis.com 954.33 MB
30 r3---sn-uxa0n-t8gz.gvt1.com 907.15 MB
31 173.243.138.195 876.21 MB
32 71.19.176.204 847.18 MB
33 r3---sn-5aanugx5h-t0ae.gvt1.com 824.25 MB
34 r2---sn-5aanugx5h-t0ae.gvt1.com 818.53 MB
35 209.52.189.81 812.50 MB
36 209.52.146.51 805.44 MB
37 96.45.36.210 750.75 MB
38 173.243.138.201 632.09 MB
39 35.185.229.24 629.42 MB
40 209.52.144.77 624.89 MB
41 filestore.fortinet.com 618.84 MB
42 35.236.110.47 617.85 MB
43 partnerweb.vmware.com 598.33 MB
44 au.download.windowsupdate.com 597.80 MB
45 209.52.146.46 578.31 MB
46 205.185.216.42 566.04 MB
47 8.253.133.91 557.44 MB
48 r4---sn-uxa0n-t8gl.googlevideo.com 525.71 MB
49 probitools.gallerycdn.vsassets.io 503.52 MB
50 209.52.146.18 502.41 MB

Top 20 Most Blocked Users
# User (or IP) Requests
1 10.2.60.141 164
2 172.18.4.117 27
3 172.18.4.116 25
4 172.18.4.161 12
5 172.18.25.100 2
6 172.18.4.114 2
7 172.18.25.160 2
8 172.18.4.111 2
9 172.18.4.119 1

Top 20 Most Blocked Categories


# Category Requests
1 Marijuana 32
2 Alcohol 30
3 Gambling 28
4 Sports Hunting and War Games 27
5 Tobacco 26
6 Alternative Beliefs 22
7 Abortion 22
8 Lingerie and Swimsuit 20
9 Malicious Websites 16
10 Drug Abuse 6
11 Spam URLs 5
12 Extremist Groups 2
13 Explicit Violence 1

Top 50 Most Blocked Sites


# Website Category Requests
1 www.ganja.co.uk Marijuana 32
2 merchantduvin.com Alcohol 30
3 www.bodoglife.com Gambling 28
4 www.paintballgames.co.uk Sports Hunting and War Games 27
5 www.cigoutlet.net Tobacco 26
6 www.spellsandmagic.com Alternative Beliefs 22
7 www.abortionno.org Abortion 22
8 www.wonderbra.com Lingerie and Swimsuit 20
9 cdn.backupgrid.net Malicious Websites 12
10 www.magic-mushrooms.net Drug Abuse 6
11 winhundred.com Spam URLs 5
12 res.qhcdn.com Malicious Websites 2
13 www.alternativa-antagonista.com Extremist Groups 2
14 www.remote88.com Malicious Websites 2
15 ihwf.8k.com Explicit Violence 1

Emails
Top Senders by Number of Emails
# Sender Number of Emails
1 10.106.132.21 56,484
2 172.16.92.69 26,861
3 172.16.97.43 11,025
4 172.16.94.226 9,004
5 172.30.142.5 7,632
6 172.30.142.8 7,389
7 172.16.95.17 7,285
8 172.16.97.64 6,394
9 172.16.97.16 5,798
10 172.16.97.74 5,552

Top Recipients by Number of Emails


# Recipient Number of Emails
1 10.106.132.21 259,592
2 johnlu 10,917
3 172.30.142.8 10,422
4 172.30.142.5 9,813
5 172.17.245.67 7,447
6 172.17.245.12 6,197
7 sliang 5,800
8 Edward Hong 5,448
9 btao 3,962
10 Android 3,949

Top Senders by Combined Email Size


# Sender Combined Email Size
1 172.16.92.69 8.02 GB
2 172.16.92.51 359.97 MB
3 172.16.92.47 310.37 MB
4 172.17.63.12 181.68 MB
5 172.17.158.139 158.55 MB
6 172.16.95.17 103.50 MB
7 172.16.92.107 83.14 MB
8 172.16.92.129 50.59 MB
9 172.16.68.236 49.03 MB
10 172.16.97.43 25.35 MB

Top Recipients by Combined Email Size
# Recipient Combined Email Size
1 johnlu 5.39 GB
2 172.17.20.101 1.59 GB
3 172.17.20.201 1.50 GB
4 jamesgu 1.44 GB
5 172.16.93.119 996.48 MB
6 ebentley 947.02 MB
7 mis 897.80 MB
8 Local Admin 831.45 MB
9 PERRY_CHENG 737.19 MB
10 172.16.93.150 714.70 MB

Threats
Malware Detected
# Malware Name Malware Type Counts
1 Adware/TEST_FILE Adware 240
2 EICAR_TEST_FILE Virus 226
3 Andromeda Virus 139
4 ETDB_TEST_FILE Virus 123
5 Fareit Virus 122
6 Kelihos Virus 99
7 ISRstealer Virus 36
8 LimeRAT Virus 18
9 ImminentRAT Virus 18
10 dofoil Virus 12

Malware Victims
# Victim Name (or IP) Counts
1 10.2.60.141 589
2 172.17.52.18 163
3 172.17.52.30 157
4 172.17.58.123 78
5 172.17.52.31 40
6 172.16.92.252 14
7 172.17.48.150 6
8 FORTINET-US\dzhou 2

Malware Source
# Malware Source Hostname (or IP) Counts
1 10.2.60.141 172.18.4.110 589
2 172.17.52.18 82.146.37.129 55
3 172.17.52.30 82.146.37.129 53
4 172.17.52.30 62.76.187.171 36
5 172.17.52.18 62.76.187.171 33
6 172.17.52.30 85.143.166.119 26
7 172.17.52.18 85.143.166.119 26
8 172.17.52.31 77.122.174.33 20
9 172.17.58.123 193.161.193.99 18
10 172.17.58.123 3.122.54.170 18
11 172.17.58.123 104.211.162.1 18
12 172.17.58.123 13.82.16.195 18
13 172.17.52.18 62.76.47.5 14
14 172.17.52.31 194.85.183.2 12
15 172.17.52.30 62.76.46.249 9
16 172.17.52.18 62.76.46.249 9
17 172.17.58.123 180.76.140.130 6
18 172.17.48.150 43.255.37.10 6
19 172.17.52.18 176.37.119.19 6
20 172.17.52.18 212.66.58.173 4
21 172.17.52.30 176.37.119.19 4
22 172.17.52.30 89.41.251.197 3
23 172.16.92.252 72.174.188.138 3
24 172.17.52.18 77.122.174.33 3
25 172.17.52.18 78.139.185.21 3
26 172.17.52.18 89.28.105.205 3
27 172.17.52.18 89.32.243.102 3
28 172.17.52.18 94.45.107.96 3
29 172.17.52.30 212.66.58.173 3
30 172.17.52.30 77.122.174.33 3
31 172.17.52.30 78.139.185.21 3
32 172.17.52.30 78.154.7.95 3
33 172.17.52.30 82.211.189.25 3
34 172.17.52.30 89.28.105.205 3
35 172.17.52.30 89.32.243.102 3
36 172.17.52.30 94.45.107.96 3
37 172.17.52.31 213.111.246.38 3
38 172.17.52.31 46.185.25.11 3
39 172.17.250.110 43.255.29.67 2
40 172.17.52.31 176.121.227.65 2
41 172.16.92.252 212.66.58.105 1
42 172.16.92.252 95.111.208.123 1
43 172.16.92.252 198.50.27.162 1
44 172.16.92.252 88.135.244.53 1
45 172.17.52.30 37.57.34.66 1
46 172.17.52.18 93.170.39.42 1
47 172.16.92.252 95.87.81.28 1
48 172.16.92.252 188.239.8.160 1
49 172.17.52.30 77.123.246.19 1
50 172.16.92.252 88.135.230.16 1
51 172.16.92.252 95.57.133.152 1
52 172.16.92.252 95.213.139.105 1
53 172.16.92.252 213.111.68.4 1
54 172.16.92.252 212.80.60.156 1

Botnet Detected
# Botnet Name Counts
1 Necurs.Botnet 293
2 Asprox.Botnet 196
3 TorrentLocker.Botnet 7

Botnet Victims
# Victim Name (or IP) Counts
1 10.2.60.141 196
2 172.30.142.5 164
3 172.30.142.8 129
4 172.16.92.237 7

Botnet C&C
# C&C IP Hostname Counts
1 23.203.180.198 cl63amgstart.ru 32
2 184.27.30.29 cl63amgstart.ru 30
3 54.183.57.55 cl63amgstart.ru 18
4 13.56.55.78 cl63amgstart.ru 16
5 172.217.3.100 cl63amgstart.ru 14
6 23.213.102.78 cl63amgstart.ru 11
7 23.56.123.188 cl63amgstart.ru 10
8 172.217.10.228 cl63amgstart.ru 8
9 172.30.142.8 7
10 172.16.92.234 172.16.92.234 7

Botnet C&C Detected by DNS Filtering

No matching log data for this report

Intrusions Detected
# Attack Name Severity CVE-ID Counts
1 Primetek.Primefaces.5.Remote.Code.Execution Critical - 4,092
2 Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution Critical CVE-2017-5638 2,962
3 Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection Critical CVE-2017-3506,CVE-2017-10271 1,781
4 Apache.Struts.2.REST.Plugin.Remote.Code.Execution Critical CVE-2016-4438,CVE-2017-12611 1,700
5 Apache.Struts.2.OGNL.Script.Injection Critical CVE-2012-0391,CVE-2012-0393,CVE-2012-0394,CVE-2013-1966,CVE-2013-2115,CVE-2018-11776 1,209
6 OpenSSL.TLS.Heartbeat.Information.Disclosure.Custom-test Critical - 553
7 Cisco.IOS.HTTP.Remote.Command.Execution Critical CVE-2000-0984,CVE-2001-0537 491
8 ThinkPHP.Controller.Parameter.Remote.Code.Execution Critical CVE-2019-9082,CVE-2018-20062 322
9 SWEditServlet.DirectoryTraversal Critical CVE-2001-0555 310
10 Necurs.Botnet Critical - 293

Intrusion Victims
# Attack Victim Counts
1 172.16.92.234 4,639
2 172.16.92.242 2,016
3 172.16.92.207 1,926
4 172.16.92.174 1,668
5 172.16.92.179 1,641
6 172.16.92.67 1,528
7 172.16.92.157 1,432
8 172.16.92.185 1,407
9 172.16.92.163 1,249
10 172.16.92.70 1,238

Intrusion Sources
# Attack Source Counts
1 172.30.142.5 37,452
2 172.30.142.8 35,626
3 10.2.60.141 1,715
4 64.39.103.100 1,094
5 172.18.4.120 269
6 172.18.3.250 248
7 172.18.34.137 78
8 172.18.3.184 67
9 172.18.34.238 42
10 172.16.94.51 30
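
The same few hosts recur across the Threats and Web Usage tables above: 10.2.60.141 is the top Malware Victim, the top Botnet Victim, the third-largest Intrusion Source and the most blocked web user, while 172.30.142.5 and 172.30.142.8 are both Botnet Victims and the two largest Intrusion Sources by a wide margin. The report lists each table on its own and never joins them. The following Python script is an added example, not part of the FortiAnalyzer report: it parses the report's single-subject row layout (rank, host, count with thousands separators) and ranks hosts by the number of sections they appear in, then by total count. The embedded rows are transcribed from the tables above; the choice of sections and the ranking order are the example's own assumptions.

```python
"""Cross-section host triage for a FortiAnalyzer "Security Analysis" report.

Added example, not part of the report above. The rows in REPORT_SECTIONS are
transcribed from the report's own tables so the script runs offline; which
sections to include and how to rank are the example's own choices.
"""
import re
from collections import defaultdict

# Row layout shared by the single-subject tables in the report:
# rank, host or user, count with thousands separators (e.g. "3 10.2.60.141 1,715").
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d,]+)\s*$")

# Constructed input: rows copied from the Threats and Web Usage tables above.
REPORT_SECTIONS = {
    "Malware Victims": """
        1 10.2.60.141 589
        2 172.17.52.18 163
        3 172.17.52.30 157
        4 172.17.58.123 78
    """,
    "Botnet Victims": """
        1 10.2.60.141 196
        2 172.30.142.5 164
        3 172.30.142.8 129
        4 172.16.92.237 7
    """,
    "Intrusion Sources": """
        1 172.30.142.5 37,452
        2 172.30.142.8 35,626
        3 10.2.60.141 1,715
        4 64.39.103.100 1,094
    """,
    "Intrusion Victims": """
        1 172.16.92.234 4,639
        2 172.16.92.242 2,016
    """,
    "Top 20 Most Blocked Users": """
        1 10.2.60.141 164
        2 172.18.4.117 27
    """,
}


def parse_rows(text):
    """Yield (host, count) for every line that matches the report's row layout."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(2), int(m.group(3).replace(",", ""))


def rank_hosts(sections):
    """Rank hosts by number of sections they appear in, then by total count.

    Returns a list of (host, section_count, total_hits, sorted section names).
    A host that is simultaneously a malware victim, a botnet victim and an
    intrusion source is a better lead than one with a large count in one table.
    """
    hits = defaultdict(dict)
    for section, text in sections.items():
        for host, count in parse_rows(text):
            hits[host][section] = count
    ranked = [(host, len(h), sum(h.values()), sorted(h)) for host, h in hits.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    for host, n_sections, total, names in rank_hosts(REPORT_SECTIONS):
        print(f"{host:16} sections={n_sections} total={total:>6}  {', '.join(names)}")
```

Run stand-alone, the script puts 10.2.60.141 first (four sections), then 172.30.142.5 and 172.30.142.8 (two sections each, ordered by their Intrusion Source counts), and only then the hosts that appear in a single table, regardless of how large that single count is. The two-column Malware Source table (victim, source) is deliberately left out because its rows have a different layout.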

VPN Usage
VPN Traffic Usage Trend

[Chart: VPN traffic by type, SSL and IPsec series, 0 to 600 GB, at 12-hour intervals from 2019-03-31 to 2019-04-05]

VPN User Logins

[Chart: VPN user logins per interval, 0 to 3 users, at 12-hour intervals from 2019-03-31 to 2019-04-05]

Authenticated Logins
# User Type First Used Total Number of Connections Total Duration Connected (HH:MM:SS)
1 209.87.240.230 ipsec 2019-04-05 10:42:26 6 04:31:00
2 81.201.100.226 ipsec 2019-04-04 20:54:44 4 18:17:35
3 kolawale ssl-tunnel 2019-04-05 10:22:09 4 02:20:43
4 bktew ssl-tunnel 2019-04-05 13:13:36 2 01:00:22
5 fgutierrez ssl-tunnel 2019-04-05 14:44:22 2 00:30:10
6 vforoushani ssl-tunnel 2019-04-05 10:30:59 2 01:10:23
7 60.247.121.226 ipsec 2019-04-03 07:26:32 2 06:29:57
8 bharikumar ssl-tunnel 2019-04-05 14:50:43 2 00:20:05
9 Riley ipsec 2019-04-03 13:48:13 1 00:13:57
10 90.85.83.108 ipsec 2019-04-04 15:10:30 1 24:06:07

Failed Login Attempts


# User Type Total Number of Failed Attempts
1 jseanor ssl-web 6
2 chrislin ssl-web 2
3 kolawale ssl-web 2
4 pprodi ssl-web 2

Top Dial-up VPN Users
# User Type First Used Aggregated Dialed Time (hh:mm:ss) Aggregated Bytes
1 jseanor ssl-tunnel 2019-04-05 10:18:03 09:17:34 1.56 GB
2 yyli ssl-tunnel 2019-04-05 10:16:39 04:51:44 44.41 MB
3 jdua ssl-tunnel 2019-04-05 10:23:17 04:51:44 19.07 MB
4 ktao ssl-tunnel 2019-04-05 10:25:12 04:41:40 342.26 MB
5 pprodi ssl-tunnel 2019-04-05 10:23:42 03:51:22 20.30 MB
6 bktew ssl-tunnel 2019-04-05 10:25:00 03:48:32 40.68 MB
7 eyu ssl-tunnel 2019-04-05 10:20:58 03:17:19 48.32 MB
8 sbevan ipsec 2019-04-05 12:36:05 02:30:01 92.09 MB
9 kolawale ssl-tunnel 2019-04-05 10:22:09 02:20:43 22.67 MB
10 kterashita ssl-tunnel 2019-04-04 22:14:32 01:30:34 7.16 MB

Top Sources of SSL VPN Tunnels by Bandwidth


# Remote Host Bandwidth
1 37.156.75.174 1.56 GB
2 173.180.123.16 353.27 MB
3 73.162.180.207 342.26 MB
4 23.16.134.205 83.89 MB
5 172.103.151.147 79.51 MB
6 205.250.190.200 61.33 MB
7 208.91.115.11 44.41 MB
8 174.7.40.179 22.67 MB
9 2.26.135.132 20.30 MB
10 70.79.39.17 19.07 MB

Top SSL VPN Tunnel Users by Bandwidth


# User IP First Used Bandwidth
1 jseanor 37.156.75.174 2019-04-05 10:18:03 1.56 GB
2 ktao 73.162.180.207 2019-04-05 10:25:12 342.26 MB
3 nanxiao 173.180.123.16 2019-04-05 10:20:52 327.99 MB
4 vforoushani 172.103.151.147 2019-04-05 10:30:59 79.51 MB
5 eyu 205.250.190.200 2019-04-05 10:20:58 48.32 MB
6 yyli 208.91.115.11 2019-04-05 10:16:39 44.41 MB
7 bktew 23.16.134.205 2019-04-05 10:25:00 40.68 MB
8 kolawale 174.7.40.179 2019-04-05 10:22:09 22.67 MB
9 pprodi 2.26.135.132 2019-04-05 10:23:42 20.30 MB
10 jdua 70.79.39.17 2019-04-05 10:23:17 19.07 MB

Top SSL VPN Web Mode Users by Duration
# User IP First Used Aggregated Dialed Time(HH:MM:SS)
1 kolawale 174.7.40.179 2019-04-05 10:22:09 01:51:29
2 bktew 23.16.134.205 2019-04-05 13:13:10 00:00:26
3 dchaves 172.103.163.250 2019-04-05 11:45:36 00:00:00
4 eyu 205.250.190.200 2019-04-05 13:38:16 00:00:00
5 fgutierrez 98.148.65.34 2019-04-05 14:44:21 00:00:00
6 jhyang 70.71.170.40 2019-04-04 21:45:01 00:00:00
7 jseanor 37.156.75.174 2019-04-05 10:18:03 00:00:00
8 nanxiao 173.180.123.16 2019-04-05 11:39:36 00:00:00
9 FORTINET-US.com\sspoor 209.52.88.209 2019-04-05 12:35:26 00:00:00
10 vforoushani 172.103.151.147 2019-04-05 10:30:57 00:00:00

Top SSL VPN Users by Duration


# User Type Aggregated Dialed Time(HH:MM:SS) Aggregated Bytes
1 jseanor ssl-tunnel 09:17:34 1.56 GB
2 yyli ssl-tunnel 04:51:44 44.41 MB
3 jdua ssl-tunnel 04:51:44 19.07 MB
4 ktao ssl-tunnel 04:41:40 342.26 MB
5 pprodi ssl-tunnel 03:51:22 20.30 MB
6 bktew ssl-tunnel 03:48:32 40.68 MB
7 eyu ssl-tunnel 03:17:19 48.32 MB
8 kolawale ssl-tunnel 02:20:43 22.67 MB
9 kterashita ssl-tunnel 01:30:34 7.16 MB
10 rainxiao ssl-tunnel 01:30:26 3.90 MB

Top Users of IPsec VPN Dial-up Tunnel by Bandwidth


# User First Used Bandwidth
1 Riley 2019-04-03 13:48:13 251.06 MB
2 sbevan 2019-04-05 12:36:05 92.09 MB

Top Site-to-Site IPsec Tunnels by Bandwidth


# Site-to-Site IPsec Tunnel Bandwidth
1 gw_Van_IDC_FW2 473.41 GB
2 gw_Sunn_Off 46.37 GB
3 gw_Ottawa_TAC3 44.06 GB
4 gw_Van_Office 28.14 GB
5 gw-sun-office 14.45 GB
6 gw_Van_IDC_FW1 8.82 GB
7 gw_Van 4.76 GB
8 gw_KL_Office 4.40 GB
9 peer-4a 3.39 GB
10 peer-4 1.42 GB

Top Dial-up IPsec Tunnels by Bandwidth


# Dial-up IPsec Tunnel Bandwidth
1 dialup-5 243.88 MB
2 dial_sbevan 92.09 MB

Top Dial-up IPsec Users by Bandwidth
# User IP First Used Bandwidth
1 Riley 172.18.4.163 2019-04-03 13:48:13 251.06 MB
2 sbevan 47.72.235.3 2019-04-05 12:36:05 92.09 MB

Top Dial-up IPsec Users by Duration


# User First Used Aggregated Dialed Time(HH:MM:SS) Aggregated Bytes
1 sbevan 2019-04-05 12:36:05 02:30:01 92.09 MB
2 Riley 2019-04-03 13:48:13 00:13:57 251.06 MB

Admin Login and System Events
Login Summary
# User Name Login Interface Total Number of Logins Total Number of Configuration Changes Total Duration (hh:mm:ss)
1 admin ssh(172.16.209.12) 31,173 0 00:06:41
2 FortiAP:4_10 ssh(172.16.100.7) 10 0 00:00:00
3 FortiAP:4_21 ssh(172.16.100.7) 10 0 00:00:00
4 FortiAP:2_new_04 ssh(172.16.100.7) 10 0 00:00:00
5 FortiAP:2_14_by_dEdmonds_hongweiLi ssh(172.16.100.7) 10 0 00:00:00
6 FortiAP:2_07 ssh(172.16.100.7) 10 0 00:00:00
7 FortiAP:2_new_10 ssh(172.16.100.7) 10 0 00:00:00
8 FortiAP:3_01 ssh(172.16.100.7) 10 0 00:00:00
9 FortiAP:3_New_01 ssh(172.16.100.7) 10 0 00:00:00
10 FortiAP:4_15 ssh(172.16.100.7) 10 0 00:00:00
11 FortiAP:4_12 ssh(172.16.100.7) 10 0 00:00:00
12 FortiAP:4_16 ssh(172.16.100.7) 10 0 00:00:00
13 FortiAP:3_08 ssh(172.16.100.7) 10 0 00:00:00
14 FortiAP:MIS_office ssh(172.16.100.7) 10 0 00:00:00
15 FortiAP:4260_2A_AP271 ssh(172.16.100.7) 10 0 00:00:00
16 FortiAP:4260_2nd_A_270 ssh(172.16.100.7) 10 0 00:00:00
17 FortiAP:2_new_12 ssh(172.16.100.7) 10 0 00:00:00
18 FortiAP:2_new_08_dayong_office ssh(172.16.100.7) 10 0 00:00:00
19 FortiAP:3_New_03 ssh(172.16.100.7) 10 0 00:00:00
20 FortiAP:2_16 ssh(172.16.100.7) 10 0 00:00:00

Login Summary By Date

[Chart: number of logins and configuration changes per interval, 0 to 400, at 12-hour intervals from 2019-03-31 to 2019-04-05]


List of Failed Logins
# Login Source User Name Total Number of Failed Logins
1 ssh(172.16.100.43) admin 6,284
2 ssh(218.92.0.189) root 134
3 ssh(172.16.100.80) admin 39
4 https(127.0.0.1) scao 18
5 ssh(218.92.0.207) root 17
6 telnet(172.18.4.119) Richie 8
7 telnet(172.18.4.119) John 8
8 telnet(172.18.4.111) Rosie 7
9 telnet(172.18.4.111) Ivan 7
10 telnet(172.18.4.119) Steven 7
11 telnet(172.18.4.119) Sandy 7
12 telnet(172.18.4.111) Steven 7
13 telnet(172.18.4.111) Ellen 6
14 telnet(172.18.4.111) Ryan 6
15 telnet(172.18.4.119) Alan 6
16 telnet(172.18.4.111) Alan 5
17 telnet(172.18.4.119) Andrew 5
18 telnet(172.18.4.111) Rachel 5
19 telnet(172.18.4.111) Frank 5
20 telnet(172.18.4.119) Henry 4
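
Three different patterns sit in the table above. One account is hammered from one internal source (admin from ssh(172.16.100.43), 6,284 failures; the twenty rows sum to 6,585, which is most of the 6,649 "Admin login failed" critical events listed further down). Two external addresses, 218.92.0.189 and 218.92.0.207, try root over SSH, which means a management interface is answering from outside. And two internal telnet sources, 172.18.4.119 and 172.18.4.111, cycle through many different user names with four to eight attempts each, the shape of a password spray. The following Python script is an added example, not part of the FortiAnalyzer report: it parses the rows of this table and labels each source with the pattern it matches. The FAILED_LOGINS text is transcribed from the table; the thresholds SPRAY_MIN_USERS and BRUTE_FORCE_MIN_HITS and the use of ipaddress.is_global to decide "external" are the example's own assumptions.

```python
"""Pattern classification for the "List of Failed Logins" table of a
FortiAnalyzer report.

Added example, not part of the report above. FAILED_LOGINS is transcribed
from the table; the thresholds and the private-address test are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Row layout of the table: rank, interface(source IP), user name, failed count.
ROW = re.compile(r"^\s*\d+\s+(\w+)\(([\d.]+)\)\s+(\S+)\s+([\d,]+)\s*$")

# Constructed input: the twenty rows of the List of Failed Logins above.
FAILED_LOGINS = """
1 ssh(172.16.100.43) admin 6,284
2 ssh(218.92.0.189) root 134
3 ssh(172.16.100.80) admin 39
4 https(127.0.0.1) scao 18
5 ssh(218.92.0.207) root 17
6 telnet(172.18.4.119) Richie 8
7 telnet(172.18.4.119) John 8
8 telnet(172.18.4.111) Rosie 7
9 telnet(172.18.4.111) Ivan 7
10 telnet(172.18.4.119) Steven 7
11 telnet(172.18.4.119) Sandy 7
12 telnet(172.18.4.111) Steven 7
13 telnet(172.18.4.111) Ellen 6
14 telnet(172.18.4.111) Ryan 6
15 telnet(172.18.4.119) Alan 6
16 telnet(172.18.4.111) Alan 5
17 telnet(172.18.4.119) Andrew 5
18 telnet(172.18.4.111) Rachel 5
19 telnet(172.18.4.111) Frank 5
20 telnet(172.18.4.119) Henry 4
"""

SPRAY_MIN_USERS = 4         # assumed: this many distinct accounts from one source is a spray
BRUTE_FORCE_MIN_HITS = 100  # assumed: this many failures on one account from one source


def parse_failed_logins(text):
    """Yield (protocol, source_ip, user, failures) for each row of the table."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, src, user, n = m.groups()
            yield proto, src, user, int(n.replace(",", ""))


def classify_sources(text):
    """Group rows by source IP and label each source's pattern.

    Returns {source_ip: {"protocol", "external", "users", "failures", "pattern"}}.
    "external" is True when the address is not private, loopback or otherwise
    reserved (ipaddress.is_global), i.e. the login interface was reached from
    outside the organisation.
    """
    per_src = defaultdict(lambda: {"protocol": None, "users": defaultdict(int), "failures": 0})
    for proto, src, user, n in parse_failed_logins(text):
        e = per_src[src]
        e["protocol"] = proto
        e["users"][user] += n
        e["failures"] += n

    result = {}
    for src, e in per_src.items():
        if len(e["users"]) >= SPRAY_MIN_USERS:
            pattern = "password-spray"   # many accounts, few attempts each
        elif max(e["users"].values()) >= BRUTE_FORCE_MIN_HITS:
            pattern = "brute-force"      # one account, many attempts
        else:
            pattern = "low-volume"
        result[src] = {
            "protocol": e["protocol"],
            "external": ipaddress.ip_address(src).is_global,
            "users": sorted(e["users"]),
            "failures": e["failures"],
            "pattern": pattern,
        }
    return result


if __name__ == "__main__":
    by_volume = sorted(classify_sources(FAILED_LOGINS).items(), key=lambda kv: -kv[1]["failures"])
    for src, info in by_volume:
        flag = "EXTERNAL" if info["external"] else "internal"
        print(f"{info['protocol']:6} {src:15} {flag:8} {info['pattern']:14} "
              f"failures={info['failures']:>5} users={','.join(info['users'])}")
```

The thresholds are the part to tune: the spray rule keys on the number of distinct accounts rather than the count, so 172.18.4.119 (seven names, 45 failures in total) is labelled before the external root attempts (134 failures against one name), which fall under the brute-force rule. Anything external with a non-zero count deserves a look even when it lands in "low-volume", as 218.92.0.207 does here.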

Events by Severity

Info: 634,097 (80.12%)
Low: 111,151 (14.04%)
Medium: 39,106 (4.94%)
Critical: 7,088 (0.90%)
High: 1 (0.00%)

Events by Date

[Chart: Critical, High and Medium events per interval, 0 to 1,400, at 12-hour intervals from 2019-03-31 to 2019-04-05]


Critical Severity Events
# Event Name (Description) Level Counts
1 Admin login failed Critical 6,649
2 Admin login disabled Critical 152
3 FortiAnalyzer connection failed Critical 147
4 FortiSwitch system Critical 78
5 FortiGate update failed Critical 32
6 Configuration changed Critical 11
7 Scan disk is needed Critical 10
8 FortiSwitch link Critical 6
9 FortiSwitch PoE Critical 3

High Severity Events


# Event Name (Description) Level Counts
1 Switch-Controller Switch Sync Error High 1

Medium Severity Events


# Event Name (Description) Level Counts
1 Files dropped due to poor network connection Medium 35,071
2 Disk log file deleted Medium 2,853
3 Interface status changed Medium 489
4 FortiSwitch PoE Medium 180
5 FortiSwitch system Medium 144
6 Switch-Controller Tunnel Down Medium 117
7 SNMP query failed Medium 64
8 Files dropped by quarantine daemon Medium 58
9 SSL Message Authentication Code corrupted Medium 57
10 FortiSwitch spanning Tree Medium 38
11 FortiSwitch switch Medium 12
12 DHCP lease usage high Medium 12
13 DHCP lease usage full Medium 6
14 FortiSwitch link Medium 3
15 Disk full Medium 2

Appendix A
Devices

Corp_SMTP_Master
FCTEMS0000097517
FCTEMS0573290902[fcm_root]
FCTEMS0573290902[root]
FCTEMS3897481880[fcm_root]
FCTEMS3897481880[root]
FG101E4Q17003734
FI400B3913000032
FI800B3913000032
FL-1KD3A15000422
FSA1KD3A14000038
FSA1KD3A14000106[None]
FSA1KD3A14000106[one]
FSA1KD3A14000106[root]
FSA3KD3R15000021
FSA3KD3R16000215
FWB-Srv172_16_100_FV-1KD
New_Van_Office_Wifi
PM-Sandbox
Van_Office_FW2[fcm_root]
Van_Office_FW2[roo]
Van_Office_FW2[root]
Van_Office_Floor_1
Van_Office_Floor_2
Van_Office_QA
Weixiang_WiFi[lab]
Weixiang_WiFi[root]
Weixiang_WiFi[tp]
Weixiang_WiFi[vd1]
CorpFW
csf-v62
