Events pane
Clicking a security event expands it to show more details and enables the buttons at the top of the window. The following information is provided for each security event:
The Extended Detection policy provides detection features only (events are logged and displayed in the Event Viewer); it provides no protection (blocking) features. The exceptions and forensics options are not available in the Event Viewer for security events triggered by the Extended Detection policy, because these events were not collected by a FortiEDR Collector.

Information Field | Description
---|---
View Indicator | Indicates the view context for the security event aggregation: one icon is shown for a device and another for a process.
Handled/Not Handled | Specifies whether any FortiEDR Central Manager user has handled this security event, as described in Marking a security event as handled/unhandled.
ID | Specifies an automatically assigned unique identifier for each security event generated by FortiEDR. This identifier is particularly useful for tracking security events when they are monitored by an external system, such as a SIEM.
Device | Specifies the name of the device on which the security event occurred.
Process | Specifies the infected process. This is not necessarily the process that made the connection request (for example, Firefox, which may be under the control of the infected application). If the security event was triggered by a script, the script name is specified.
Classification | Specifies how malicious the security event is, if at all. Classifications are initially determined by FortiEDR. They can be changed either automatically, as the result of additional post-processing and deeper analysis and investigation by the FortiEDR Cloud Service (FCS), or manually. The FCS is a cloud-based, software-only service that determines the exact classification of security events and acts accordingly based on that classification, with a high degree of accuracy. All Playbook policy actions are based on the final determination of the FCS. For more details, see Playbook policies. Classifications are:
Destinations | Specifies the IP address to which the malicious entity requested to establish a connection.
Received | Specifies the first time that this security event was triggered. For aggregations, the earliest received time is displayed.
Last Updated | Specifies the last time that the security event was triggered. For aggregations, the most recent time is displayed.
Action | Specifies the action that was enforced:
For raw data items, the following information is available:
Information | Description
---|---
Device | Specifies the name of the device on which the security event occurred.
First Seen | The Event Viewer aggregates occurrences of the same security event into a single row when they represent the same attack on the same device. This timestamp specifies the first time the security event occurred. The row for this security event pops to the top of the list in the Event Viewer each time the event occurs again.
Last Seen | Specifies the most recent time this same security event occurred. See First Seen above.
Destinations | Specifies the external address for connection-attempt security events.
Process Owner | Specifies the user who ran the process that triggered the security event.
Process Type | Specifies whether the infected process is 32-bit or 64-bit.
User | Specifies the domain of the computer/user of the device.
Certificate | Specifies whether the process or application has a certificate (Signed or Unsigned). See http://en.wikipedia.org/wiki/Authorization_certificate for general background on the subject.
Process Path | Specifies the path of the infected process.
Count | Specifies the number of occurrences of the same raw event on the same device.
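The aggregation rule described for First Seen, Last Seen and Count (same attack on the same device collapsed into one row that moves to the top of the list when it recurs) can be illustrated with a small grouping routine. The code below is an added example, not FortiEDR's own code or data model: the record fields, the grouping key (device plus process path) and the sample events are assumptions constructed here to show how the row fields are derived from raw data items.

```python
"""Aggregate raw security-event records into Event Viewer style rows.

Added illustration (not FortiEDR code). Record layout, grouping key and
the sample events are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class RawEvent:
    """One raw data item (a constructed subset of the documented fields)."""
    device: str
    process_path: str
    destination: str
    seen: datetime


@dataclass
class AggregatedEvent:
    """One aggregated row: the same attack on the same device."""
    device: str
    process_path: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    destinations: list = field(default_factory=list)


def aggregate(events):
    """Group raw events by (device, process path) and derive the row fields.

    First Seen is the earliest timestamp in the group, Last Seen the latest,
    Count the number of raw items. Rows are returned most-recent-first, which
    is what makes a recurring event "pop to the top" of the list.
    """
    rows = {}
    for ev in sorted(events, key=lambda e: e.seen):
        key = (ev.device, ev.process_path)
        row = rows.get(key)
        if row is None:
            row = AggregatedEvent(ev.device, ev.process_path, ev.seen, ev.seen)
            rows[key] = row
        row.count += 1
        row.first_seen = min(row.first_seen, ev.seen)
        row.last_seen = max(row.last_seen, ev.seen)
        if ev.destination not in row.destinations:
            row.destinations.append(ev.destination)
    return sorted(rows.values(), key=lambda r: r.last_seen, reverse=True)


# Constructed sample input: two devices running the same suspicious binary.
# Addresses are from the 203.0.113.0/24 documentation range, not real hosts.
SAMPLE_EVENTS = [
    RawEvent("WS-01", r"C:\Tools\updater.exe", "203.0.113.10", datetime(2024, 1, 5, 9, 0)),
    RawEvent("WS-02", r"C:\Tools\updater.exe", "203.0.113.10", datetime(2024, 1, 5, 9, 5)),
    RawEvent("WS-01", r"C:\Tools\updater.exe", "203.0.113.11", datetime(2024, 1, 5, 9, 30)),
    RawEvent("WS-01", r"C:\Tools\updater.exe", "203.0.113.10", datetime(2024, 1, 5, 10, 0)),
]


def sample_rows():
    """Run the aggregation on the constructed sample and return the rows."""
    return aggregate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in sample_rows():
        print(f"{row.device:<6} first={row.first_seen:%H:%M} "
              f"last={row.last_seen:%H:%M} count={row.count} "
              f"destinations={row.destinations}")
```

Running the block lists WS-01 first (three raw items, first seen 09:00, last seen 10:00, two distinct destinations) and WS-02 second with a single item; the ordering by Last Seen is the point to notice, since a SIEM that keys on the ID field would otherwise see only the aggregated row change in place rather than a new event.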