Administration Guide

Defining Exclusions

All exclusions must belong to an Exclusion List. Select an Exclusion List on the left to display the exclusions that are defined in it. An exclusion can be defined for a:

  • Source (process) – Identified by a source attribute, such as a Signer.
  • Type/Action – Activity event types, as described in Defining Exclusions.
  • Target – Identified by a target attribute, such as IP & Port.

An exclusion can include all three of these or any combination of them. However, an exclusion that contains only a Type is not valid, because that kind of exclusion should be defined in a Threat Hunting Profile instead.

For example, you can define an exclusion for activity events of a specific Type that have a specific source and a specific target, or an exclusion for activity events that have a specific source and any type or target.

Adding an Exclusion

  1. In the left pane, click the Exclusion List to which to add the exclusion.
  2. In the right pane, click the + Add Exclusion button. The following displays:

  3. To define that an exclusion includes a specific Activity Event Type, select the type of action(s) to exclude from the displayed dropdown list. Alternatively, select the Any option (the default), which means that you are not specifying a specific action type.

    All action types for collection are listed according to Category. You can select one or more actions from a single Category; actions cannot be selected from different categories. For example, you can select the Process Termination and the Process Start options from the Process Category in the same exclusion. However, you cannot select the Key Created option together with the Thread Created option in the same exclusion – to do this you must create two different exclusions.

  4. To define that an exclusion includes a Source attribute condition, select the Source attribute from the Select box. A Source Process can be identified by file name, path, hash or signer; event-log-related activity events are identified by Event Log Name, as shown below:

    If you select Hash, then specify the hash, as shown below:

    If you select Path, then specify the Path, as shown below. A path can include wild cards. If you wish to include sub-folders as well, check the Select sub folders checkbox.

    If you select File Name, then enter the file name.

    If you select Signer, then either upload the Signer’s Certificate, provide its thumbprint or provide the Signer’s name.

  5. To define that an exclusion includes a Target attribute condition, click the + button, select the target Attribute and then define the target criteria. Targets can be identified by various criteria, depending on the selected Activity Event Category:
    • A Process Category event is identified by hash, path, file name or Signer.
    • A Network Category event is identified by network-related properties, such as a remote IP and port.
    • A Registry Category event is identified by a registry key path, value name, value type or value size.
    • An Event Log Category event is identified by the Event Log ID.

    When an exclusion contains multiple conditions, an AND relationship exists between the conditions.

      Note: If an OR relationship is needed between the conditions that you define, simply create another exclusion.
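The matching rules described in steps 3 to 5 (a single Category per exclusion, a Type-only exclusion being invalid, AND between the conditions of one exclusion, OR across separate exclusions in a list, and a Path condition with wildcards and the sub-folders option) can be modelled in a few lines. The following Python is an added illustration of those rules, not FortiEDR's own code: the category table, the attribute names (`path`, `signer`, `remote_ip`, `remote_port`), the case-insensitive Windows path handling and the sample events are all constructed assumptions made for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed category -> action table for the demo (hypothetical, not the
# product's full list); the rule modelled is "one Category per exclusion".
CATEGORIES = {
    "Process": {"Process Start", "Process Termination", "Thread Created"},
    "Registry": {"Key Created", "Value Set"},
    "Network": {"Connection"},
}
ALL_ACTIONS = set().union(*CATEGORIES.values())


@dataclass
class Event:
    action: str
    source: dict  # e.g. {"path": ..., "signer": ..., "hash": ...}
    target: dict  # e.g. {"remote_ip": ..., "remote_port": ...}


@dataclass
class Exclusion:
    actions: Optional[set] = None      # None models the "Any" option
    source: dict = field(default_factory=dict)
    target: dict = field(default_factory=dict)
    include_subfolders: bool = False   # the "Select sub folders" checkbox
    enabled: bool = True               # Set State: enabled by default


def validate(exc: Exclusion) -> None:
    """Reject the two shapes the guide calls invalid."""
    if exc.actions is not None:
        if exc.actions - ALL_ACTIONS:
            raise ValueError(f"unknown actions: {exc.actions - ALL_ACTIONS}")
        cats = {c for c, acts in CATEGORIES.items() if exc.actions & acts}
        if len(cats) != 1:
            raise ValueError("actions in one exclusion must come from a single Category")
    if not exc.source and not exc.target:
        raise ValueError("a Type-only exclusion belongs in a Threat Hunting Profile")


def _norm(path: str) -> str:
    # Assumption: Windows-style paths compared case-insensitively
    return path.replace("\\", "/").lower()


def path_matches(pattern: str, path: str, include_subfolders: bool) -> bool:
    """Wildcard match where * and ? never cross a folder boundary; with
    include_subfolders the pattern may also name an ancestor folder."""
    regex = "".join("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
                    for ch in _norm(pattern))
    if include_subfolders:
        regex += "(/.*)?"
    return re.fullmatch(regex, _norm(path)) is not None


def _attrs_match(conditions: dict, attrs: dict, include_subfolders: bool) -> bool:
    """AND across every condition; an attribute the event lacks cannot match."""
    for key, wanted in conditions.items():
        if key not in attrs:
            return False
        if key == "path":
            if not path_matches(wanted, attrs[key], include_subfolders):
                return False
        elif str(wanted).lower() != str(attrs[key]).lower():
            return False
    return True


def exclusion_matches(exc: Exclusion, ev: Event) -> bool:
    if not exc.enabled:
        return False
    if exc.actions is not None and ev.action not in exc.actions:
        return False
    return (_attrs_match(exc.source, ev.source, exc.include_subfolders)
            and _attrs_match(exc.target, ev.target, exc.include_subfolders))


def is_excluded(exclusion_list, ev: Event) -> bool:
    """OR across exclusions: a second exclusion is how an OR is expressed."""
    return any(exclusion_matches(e, ev) for e in exclusion_list)


def demo() -> dict:
    # Constructed Exclusion List: vendor folder + signer + remote endpoint,
    # and a second exclusion for process start/stop of tools in one folder.
    exclusions = [
        Exclusion(actions={"Connection"},
                  source={"path": r"C:\Program Files\ExampleVendor",
                          "signer": "Example Vendor Ltd"},
                  target={"remote_ip": "10.0.0.5", "remote_port": 443},
                  include_subfolders=True),
        Exclusion(actions={"Process Start", "Process Termination"},
                  source={"path": r"C:\Tools\*.exe"}),
    ]
    for exc in exclusions:
        validate(exc)
    agent = {"path": r"C:\Program Files\ExampleVendor\bin\agent.exe",
             "signer": "Example Vendor Ltd"}
    return {
        "subfolder_and_all_conditions": is_excluded(exclusions, Event(
            "Connection", agent, {"remote_ip": "10.0.0.5", "remote_port": 443})),
        "port_differs_so_AND_fails": is_excluded(exclusions, Event(
            "Connection", agent, {"remote_ip": "10.0.0.5", "remote_port": 80})),
        "wildcard_in_folder": is_excluded(exclusions, Event(
            "Process Start", {"path": r"C:\Tools\helper.exe"}, {})),
        "wildcard_does_not_descend": is_excluded(exclusions, Event(
            "Process Start", {"path": r"C:\Tools\sub\helper.exe"}, {})),
        "action_not_selected": is_excluded(exclusions, Event(
            "Thread Created", {"path": r"C:\Tools\helper.exe"}, {})),
    }
```

Running `demo()` shows the first and third events excluded and the other three still reported: one attribute failing is enough to defeat an exclusion, `*` stays inside a single folder unless the sub-folders option is set, and an action outside the selected set is not covered. `validate()` raises for an exclusion that mixes Key Created with Thread Created, or that sets only an action type.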

Setting the State of an Exclusion

The Set State button enables you to enable or disable the selected exclusion(s). By default, an exclusion is enabled.

Deleting an Exclusion

The Delete button enables you to delete the selected exclusion(s).
