Administration Guide

Events pane

Clicking a security event expands it to show more details and enables the buttons at the top of the window. The following information is provided for each security event:

Note

The Extended Detection policy provides detection features (meaning that events are logged and displayed in the Event Viewer). No protection (blocking) features are provided. The exceptions and forensics options are not available in the Event Viewer for security events triggered by the Extended Detection policy, because these events were not collected by a FortiEDR Collector.

View Indicator

Indicates the view context for the security event aggregation. One icon displays for a device and a different icon displays for a process.

Handled/Not Handled

Specifies whether any FortiEDR Central Manager user has handled this security event, as described in Marking a security event as handled/unhandled.

ID

Specifies an automatically assigned unique identifier for each security event generated by FortiEDR. This identifier is particularly useful for tracking security events when they are monitored by an external system, such as a SIEM.

Device

Specifies the name of the device on which the security event occurred.

Process

Specifies the process that is infected. This is not necessarily the process that made the connection establishment request (for example Firefox, which might be controlled by the infected application). If the security event was triggered by a script, the script name is specified.

Classification

Specifies how malicious the security event is, if at all. Classifications are initially determined by FortiEDR. They can be changed either automatically, as the result of additional post-processing and deep, thorough analysis and investigation by the FortiEDR Cloud Service (FCS), or manually. The FCS is a cloud-based, software-only service that determines the exact classification of security events and acts accordingly based on that classification, all with a high degree of accuracy. All Playbook policy actions are based on the final determination of the FCS. For more details, see Playbook policies. Classifications are:

  • Malicious
  • Suspicious
  • Inconclusive
  • Likely Safe
  • PUP (Potentially Unwanted Program)
  • Safe

Destinations

Specifies the IP address to which the malicious entity requested to establish a connection.

Received

Specifies the first time that this security event was triggered. For aggregations, the earliest received time is displayed.

Last Updated

Specifies the last time that the security event was triggered. For aggregations, the most recent time is displayed.

Action

Specifies the action that was enforced:

  • Block: The exfiltration attempt was blocked and this blocking event was generated.
  • Simulated Block: The policy that protected this device was set to Simulation mode. Therefore, the exfiltration attempt was NOT blocked, although this blocking event was generated. FortiEDR would have blocked this exfiltration security event if the policy had been set to Prevention mode.
  • Log: The security event was only logged and was not blocked.

For raw data items, the following information is available:

Device

Specifies the name of the device on which the security event occurred.

First Seen

The Event Viewer aggregates occurrences of the same security event into a single row when they represent the same attack on the same device. This timestamp specifies the first time this security event occurred. The row for this security event pops to the top of the list in the Event Viewer each time the event occurs again.

Note

If a change is made to the FortiEDR policy used by a specific FortiEDR Collector, the security events before and after that change are not aggregated together.

Last Seen

Specifies the most recent time this same security event occurred. See First Seen above.

Destinations

Specifies the external address for connection-attempt security events.

Process Owner

Specifies the user who ran the process that triggered the security event.

Process Type

Specifies whether the infected process is 32-bit or 64-bit.

User

Specifies the domain of the computer/user of the device.

Certificate

Specifies whether the process or application has a certificate (Signed or Unsigned). See http://en.wikipedia.org/wiki/Authorization_certificate for general information on the subject.

Process Path

Specifies the path of the infected process.

Count

Specifies the number of occurrences of the same raw event on the same device.
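As an added illustration (not code from the Fortinet guide or the FortiEDR product), the following Python models the aggregation rule behind First Seen, Last Seen and Count: identical raw events on one device fold into a single row whose Last Seen and Count advance and which moves to the top of the list, while a policy change on the Collector starts a new row. The record fields, the policy_version counter and the sample occurrences are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class RawEvent:
    """One raw occurrence (constructed shape, not FortiEDR's actual record format)."""
    device: str
    process_path: str
    destination: str
    policy_version: int  # assumption: incremented whenever the Collector's policy changes
    seen: datetime

@dataclass
class EventRow:
    """One Event Viewer row: identical raw events on one device folded together."""
    device: str
    process_path: str
    destination: str
    policy_version: int
    first_seen: datetime
    last_seen: datetime
    count: int = 1

def aggregate(events):
    """Fold raw occurrences into rows, most recently updated row first."""
    rows = {}  # key -> EventRow; dict keeps insertion order
    for ev in sorted(events, key=lambda e: e.seen):
        # policy version is part of the key, so events before and after a policy change stay separate
        key = (ev.device, ev.process_path, ev.destination, ev.policy_version)
        row = rows.pop(key, None)  # pop so re-inserting moves the row to the newest slot
        if row is None:
            row = EventRow(*key, first_seen=ev.seen, last_seen=ev.seen)
        else:
            row.last_seen = ev.seen  # Last Seen advances, First Seen is kept
            row.count += 1
        rows[key] = row
    return list(reversed(rows.values()))  # newest-updated row pops to the top

# Constructed sample: one attack on WS-01 repeats across a policy change (v1 -> v2), plus one on WS-02
UPD = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    RawEvent("WS-01", UPD, "203.0.113.10", 1, datetime(2024, 1, 15, 9, 0)),
    RawEvent("WS-01", UPD, "203.0.113.10", 1, datetime(2024, 1, 15, 9, 5)),
    RawEvent("WS-02", r"C:\Users\bob\Downloads\inv.exe", "198.51.100.7", 1, datetime(2024, 1, 15, 9, 7)),
    RawEvent("WS-01", UPD, "203.0.113.10", 1, datetime(2024, 1, 15, 9, 10)),
    RawEvent("WS-01", UPD, "203.0.113.10", 2, datetime(2024, 1, 15, 9, 30)),
    RawEvent("WS-01", UPD, "203.0.113.10", 2, datetime(2024, 1, 15, 9, 35)),
]

def build_rows():
    return aggregate(SAMPLE_EVENTS)
```

Running build_rows() yields three rows: the post-change WS-01 row (count 2) on top, the pre-change WS-01 row (count 3) below it, and the single WS-02 occurrence last.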
