
Administration Guide

Stack View

The Stack View displays the following sections of information:

Events: Shows the same information as in the Event Viewer.

Stacks: A control toolbar that depicts the stacks collected at each step prior to the connection establishment request or file access. A red dot means that a rule violation was observed in that stack. Click a stack name to see the collected stack data.

Stack Content Details: The bottom of the window displays each stack in the flow of the selected step. The stack entries represent the executable files that resided in the stack when the stack data was collected. Click a stack node to filter the display to that stack; the selected stack appears with a red line below it.

Click the Process Hash link to check whether this hash has been seen elsewhere. The check is performed by an external website, VirusTotal; clicking the link runs the query there. Alternatively, go to www.virustotal.com, click the Search tab, paste the hash from FortiEDR and then click Search It. Note that a hash VirusTotal has never seen is not evidence that the file is benign; it only means nobody has submitted that file yet.
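The same lookup can be scripted so that hashes copied from FortiEDR are checked in bulk. The following is an added example, not FortiEDR or VirusTotal code: it assumes a VirusTotal API key in the VT_API_KEY environment variable (or passed in) and the v3 endpoint GET https://www.virustotal.com/api/v3/files/{hash}; SAMPLE_REPORT is a constructed response so the summarising logic can be exercised offline.

```python
"""Look up a FortiEDR process hash in VirusTotal (API v3).

Added example; not FortiEDR or VirusTotal code. Assumes an API key in the
VT_API_KEY environment variable (or passed in) and the v3 endpoint
GET https://www.virustotal.com/api/v3/files/{hash}. SAMPLE_REPORT is a
constructed response, so summarize_report() can be exercised offline.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digits; VirusTotal accepts all three.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def normalize_hash(value: str) -> str:
    """Trim and lowercase a pasted hash; reject anything that is not a hex digest."""
    value = value.strip()
    if not HASH_RE.match(value):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return value.lower()


def build_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """GET request for the file report; the key goes in the x-apikey header, never the URL."""
    return urllib.request.Request(
        VT_FILES_URL + normalize_hash(file_hash),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to the fields an analyst triages first."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    # Only engines that returned a verdict count towards the denominator;
    # "type-unsupported", "timeout" and "failure" are not opinions about the file.
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    return {
        "sha256": attrs.get("sha256"),
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": engines,
        "names": attrs.get("names", [])[:5],
        "first_submission": attrs.get("first_submission_date"),
    }


def lookup(file_hash: str, api_key: Optional[str] = None,
           opener: Callable = urllib.request.urlopen) -> Optional[dict]:
    """Query VirusTotal for the hash. Returns None when VirusTotal has never seen it."""
    api_key = api_key or os.environ.get("VT_API_KEY")
    if not api_key:
        raise RuntimeError("set VT_API_KEY or pass api_key")
    try:
        with opener(build_request(file_hash, api_key), timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            # Unknown to VirusTotal is not "clean": nobody has submitted the file yet.
            return None
        raise


# Constructed sample response (shape of a v3 /files/{hash} report, values invented).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "e3b0" * 16,
        "attributes": {
            "sha256": "e3b0" * 16,
            "names": ["svchost_update.exe", "dropper.bin"],
            "first_submission_date": 1700000000,
            "last_analysis_stats": {
                "harmless": 0, "malicious": 41, "suspicious": 2,
                "undetected": 27, "timeout": 1, "type-unsupported": 3,
            },
        },
    }
}


if __name__ == "__main__":
    # Usage: python vt_lookup.py <hash copied from FortiEDR>
    result = lookup(sys.argv[1])
    print("not seen by VirusTotal" if result is None else json.dumps(result, indent=2))
```

The 404 branch is deliberate: VirusTotal answers "not found" for a file nobody has uploaded, and treating that as a clean verdict is a common triage mistake. The `opener` parameter exists so the function can be driven with a fake response in tests without network access.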

For each executable, you can see the following information:

  • Executable File Name
  • Writeable: Specifies whether the memory holding the executable code can be modified.
  • Certificate: Specifies whether or not the executable is digitally signed.
  • Repetitions: Specifies how many times this executable was detected in the stack.
  • Base Address: The start address of this entry in memory.
  • End Address: The end address of this entry in memory.
  • Hash: Specifies the file hash.

The row of the executable that triggered the FortiEDR security event is highlighted with a red dot. This is the row that you will usually want to investigate first.
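The columns above are what an analyst uses to decide which stack entry to chase first: writeable executable memory and a missing signature are the usual signs of injected code, and the base/end range lets a raw address from the stack be mapped back to the module that owns it. The following is an added example, not FortiEDR code: the tab-separated export format and the SAMPLE_STACK data are constructed for illustration, and the names and functions are this example's own.

```python
"""Triage the executable entries of a collected stack.

Added example; not FortiEDR code. The columns (name, writeable, signed,
repetitions, base, end, hash) are the ones listed above. The tab-separated
export format and the SAMPLE_STACK data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StackEntry:
    name: str
    writeable: bool      # executable code in memory that can be modified
    signed: bool         # file carries a certificate (the Certificate column)
    repetitions: int     # how many times the executable was seen in the stack
    base: int
    end: int             # exclusive
    file_hash: str

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end


def parse_entries(text: str) -> List[StackEntry]:
    """One entry per line: name, writeable, signed, repetitions, base, end, hash."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, writeable, signed, reps, base, end, digest = line.rstrip("\n").split("\t")
        entries.append(StackEntry(name, writeable == "yes", signed == "yes",
                                  int(reps), int(base, 16), int(end, 16), digest.lower()))
    return entries


def resolve(entries: List[StackEntry], addr: int) -> Optional[StackEntry]:
    """Map an address taken from the stack back to the executable that contains it."""
    for entry in entries:
        if entry.contains(addr):
            return entry
    return None


def flag_suspicious(entries: List[StackEntry]) -> Dict[str, List[str]]:
    """Reasons to look at an entry before the others. Returns name -> reasons."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = []
        if entry.writeable:
            # Legitimate modules are mapped read/execute; writeable code is how
            # injected or self-modifying code usually shows up on the stack.
            reasons.append("writeable executable memory")
        if not entry.signed:
            reasons.append("unsigned")
        if reasons:
            findings[entry.name] = reasons
    # Two entries whose ranges overlap cannot both be clean module mappings.
    ordered = sorted(entries, key=lambda e: e.base)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.base < prev.end:
            findings.setdefault(cur.name, []).append(f"overlaps {prev.name}")
    return findings


# Constructed sample: four stack entries, the last a writeable region with no backing file.
SAMPLE_STACK = """\
# name\twriteable\tsigned\trepetitions\tbase\tend\tsha256
ntdll.dll\tno\tyes\t3\t0x7ffa1c000000\t0x7ffa1c1f0000\t{a}
kernel32.dll\tno\tyes\t1\t0x7ffa1b000000\t0x7ffa1b0c0000\t{b}
updater.exe\tno\tno\t2\t0x7ff600000000\t0x7ff600080000\t{c}
<unbacked>\tyes\tno\t1\t0x1e4f0a0000\t0x1e4f0b0000\t{d}
""".format(a="11" * 32, b="22" * 32, c="33" * 32, d="44" * 32)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_STACK)
    for name, reasons in flag_suspicious(entries).items():
        print(f"{name}: {', '.join(reasons)}")
    hit = resolve(entries, 0x1E4F0A1000)
    print("0x1e4f0a1000 ->", hit.name if hit else "no module")
```

The end address is treated as exclusive, so an address equal to an entry's End Address does not resolve to that entry; an overlap between two ranges is reported on the entry with the higher base address, since the lower one is normally the legitimate mapping that the other was written into.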

You can click an executable row to display an even deeper level of information describing that process, as shown below:
