Administration Guide

Manually changing the classification of a security event

You can manually change the classification of a security event, if needed.

  1. Select the rule’s checkbox and then click the Handle event button, or click the flag icon in the security event row. The EVENT HANDLING window displays.
  2. In the Classification dropdown list, change the classification for the security event, as needed.
  3. Click Save.
  4. (Optional) Click Save and Handled to mark the security event as handled after saving the event.
  5. (Optional) Once the event is handled, it is advised to archive the event. To do so, click the Archive button in the actions area. See Introducing communication control.

After changing the classification of a security event, the CLASSIFICATION DETAILS pane displays the history of any actions (Playbook policy-related actions and others) that were made automatically by FortiEDR, as shown below. For Playbook policy actions, the timestamp shows when the action was performed, as defined in the Playbook policy. For more details about Playbook policy actions, see Playbook policies.

When the Fortinet logo appears next to an entry in the CLASSIFICATION DETAILS pane, it indicates that the security event was automatically classified by FortiEDR. Security events that are manually classified do not display the Fortinet logo.

Note

Notifications for security events are not shown in the CLASSIFICATION DETAILS pane.
