Administration Guide

Exclusion Manager

Exclusions reduce the amount of Threat Hunting data that is collected, which prolongs data retention. The less data that is collected, the longer it is stored in the databases.

Exclusions enable you to define certain types of activity events to be excluded from Threat Hunting data collection (even though they would otherwise be collected according to the Threat Hunting Profile assigned to a Collector group, as described in Threat Hunting Settings). For example, if you know that a certain process is legitimate but it creates many activity events that are not relevant to your Threat Hunting investigation, you can use the Exclusion Manager to specify that these activities are not collected.

The Exclusion Manager enables you to define and manage exclusion lists and the exclusions that they contain.

Note: Exclusions differ from security event exceptions, as follows:

  • Exclusions define which activity events should be collected. They are exclusions to the Threat Hunting Profile.
  • Security event exceptions are defined after a particular security event has occurred. They are an exception to the assigned Security Policy.

To access the Exclusion Manager, select SECURITY SETTINGS > Exclusion Manager.

The Exclusion Manager page contains the following areas:
