Administration Guide

Facets

As expected, the continuous, realtime collection of Threat Hunting data produces numerous activity events. The sheer volume of activity data makes working directly with these activity events almost unmanageable. Therefore, FortiEDR uses facets to summarize the data displayed in the results tables. Facets are predefined in FortiEDR and represent the same data that is displayed in the results tables, but in an aggregated form. As such, facets represent the aggregation of the values in the results tables.

Each individual facet pane summarizes the top five items for that facet. For example, in the Type (action) facet below, the facet lists the top five actions, based on the filters applied in the query. The number in parentheses at the top of the pane indicates the total number of different values for this facet in the results table, in this case 24. Here, the top five actions are Socket Close, Socket Connect, Library Loaded, Key created and Socket ind.

A facet can show the bottom five values instead of the top five. To switch from the top five to the bottom five for a specific facet, click the arrow to the right of the number.

The filters applied in the Filters area affect the results displayed in the Facets and Results Tables areas.

The displayed facets vary according to the filters used in the Filters area.

You can click the More link to display additional facets.

You can click the button to minimize the Facets area.

Filtering Using Facets

Facets provide an easy-to-use mechanism to aggregate the results in the Activity Events tables. In addition, you can also further narrow the results in the Activity Events table directly from the facets by including or excluding specific values. For example, when you hover over an item in a facet pane, a green and red button appear in its row. Click the green plus button to include that item as a filter or click the red minus button to exclude that item as a filter.

Then, click the Apply button.

An item highlighted in green indicates that it has been marked as an inclusion filter, but has not yet been applied by clicking the Apply button. An item highlighted in red indicates that it has been marked as an exclusion filter, but has not yet been applied by clicking Apply.

Clicking the Apply button applies the additional filtering criteria to the threat hunting query. In addition, it creates a chip (indicated by the arrow in the following picture), which represents that additional filter and displays it at the top of the Facets area. In the example below, the query has been further filtered to only show the File Create type of action. Each chip is also part of the threat hunting query.

Each chip has either a green or red border on its left side to indicate whether it was defined to include (green) or exclude (red) that item in the filter.

Each Facet pane may have a green or red left border to indicate whether it has been applied in the query, meaning that the displayed results are filtered by it.

You can define an unlimited number of chip filters, with an AND relationship between multiple filters. Each facet can create up to two chips, one for the inclusion of values and one for the exclusion of values.

If two values have been added to the query from the same Facet pane, the relationship between the values in the chip is OR. The following example shows that the query includes activity events in which their Target Process Name is either chrome.exe or teams.exe, which is shown below in both the chip and in the facet.
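The facet summary (distinct-value count plus top or bottom five) and the chip semantics just described (values within one chip OR-ed, separate chips AND-ed, with include and exclude modes) can be illustrated with the following added example. It is not FortiEDR code and does not reflect the product's internal implementation or query syntax; the activity events, field names (`type`, `target_process`, `device`) and the chip tuple layout are constructed for the example.

```python
from collections import Counter

# Constructed sample of Threat Hunting activity events (not real FortiEDR data).
EVENTS = [
    {"type": "Socket Connect", "target_process": "chrome.exe", "device": "PC-01"},
    {"type": "Socket Close", "target_process": "chrome.exe", "device": "PC-01"},
    {"type": "Library Loaded", "target_process": "teams.exe", "device": "PC-02"},
    {"type": "File Create", "target_process": "winword.exe", "device": "PC-02"},
    {"type": "File Create", "target_process": "teams.exe", "device": "PC-03"},
    {"type": "Key created", "target_process": "regedit.exe", "device": "PC-03"},
    {"type": "Socket Connect", "target_process": "teams.exe", "device": "PC-01"},
    {"type": "Socket Close", "target_process": "teams.exe", "device": "PC-01"},
    {"type": "Socket Connect", "target_process": "powershell.exe", "device": "PC-04"},
    {"type": "Process Created", "target_process": "powershell.exe", "device": "PC-04"},
]


def facet(events, field, limit=5, bottom=False):
    """Summarize one field the way a facet pane does.

    Returns the number of distinct values (the figure shown in parentheses)
    and the top `limit` values by frequency, or the bottom `limit` when
    `bottom` is True. Ties are broken alphabetically so the output is stable.
    """
    counts = Counter(event[field] for event in events)
    if bottom:
        ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"distinct": len(counts), "items": ranked[:limit]}


def apply_chips(events, chips):
    """Filter events by a list of chips.

    Each chip is a (field, mode, values) tuple where mode is "include" or
    "exclude". Values inside one chip are OR-ed (any match counts); the
    chips themselves are AND-ed (an event must satisfy every chip).
    """
    def keep(event):
        for field, mode, values in chips:
            hit = event[field] in values
            if mode == "include" and not hit:
                return False
            if mode == "exclude" and hit:
                return False
        return True

    return [event for event in events if keep(event)]


if __name__ == "__main__":
    # Unfiltered Type facet: distinct count and top five actions.
    print(facet(EVENTS, "type"))
    # Include chip on Target Process Name (chrome.exe OR teams.exe),
    # AND an exclude chip on Type (drop Socket Close events).
    chips = [
        ("target_process", "include", {"chrome.exe", "teams.exe"}),
        ("type", "exclude", {"Socket Close"}),
    ]
    narrowed = apply_chips(EVENTS, chips)
    print(len(narrowed), facet(narrowed, "type"))
```

Because the facet is recomputed from the filtered events, the distinct count and the ranked list shrink as chips are applied, which is the behaviour the Facets area shows after clicking Apply.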

Hovering over a chip enables you to remove, disable or copy it, as follows:

Tool      Definition

Remove    The chip is removed and the Facets and Results tables are updated accordingly.

Disable   A disabled chip no longer affects the results. The Facets and Results tables are updated as if the chip was removed, and the chip appears as follows:

Copy      The chip content is copied to memory and can be pasted into the query for further editing.

In order to enable a disabled chip and update the results according to its criteria, click the Enable icon.