Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.0.0 Administration Guide

Legacy Threat Hunting

5.0.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0
Copy Link
Copy Doc ID 82fbe02c-e479-11eb-97f7-00505692583a:866968
Download PDF

Legacy Threat Hunting

FortiEDR’s Legacy Threat Hunting is available in FortiEDR environments that have been upgraded to v5.0 and above from previous versions. This feature enables you to hunt for files and hashes that were collected before the upgrade to v5.0.

Use the Legacy Threat Hunting feature when there are Collectors in your system that have not been upgraded to FortiEDR V5.0 in order to search for files/hashes on those Collectors. After all Collectors have been upgraded to V5.0 or above, you can use FortiEDR’s Threat Hunting feature instead, which has more extensive collected data. For more details, seeThreat Hunting

.Access the Threat Hunting Legacy page under the Forensics tab.

Click the Threat Hunting option under the Forensics tab. This action opens the Threat Hunting page. In this case, the Hash/Process field is empty.

To search for malware using Threat Hunting (Legacy):
  1. Select the basis for the search by clicking the or button. When you select the button, the search results represent matching HASH values. When you select the button, the search results represent matching file names.

    When accessing the Threat Hunting page using Method 1, the relevant HASH value appears in the field adjacent to the button, as shown below.

    When accessing the Threat Hunting page using Method 2, the field adjacent to the and buttons is empty.

  2. If the field adjacent to the and buttons is empty, copy and paste the applicable file name or HASH value into the empty field.
  3. Specify the time range for the search using the timeline buttons at the top of the window.

  4. Click the Search button. The system searches for matching files in all devices in your environment. When the search completes, the search results display in the window. The example below shows a search by process.

    The row directly above the results table summarizes the results of the search. For example, in the window above, the system found 2 unique devices and one unique path created in the same one week. The example below shows the results of a search by HASH.

    The labels row directly above the summary row identifies common, shared data elements. For example, Sha-1, vendor and so on. The identified elements are shared by all files. Note that typically you see more common data elements when searching by HASH than by process.

Previous
Next

Legacy Threat Hunting

FortiEDR’s Legacy Threat Hunting is available in FortiEDR environments that have been upgraded to v5.0 and above from previous versions. This feature enables you to hunt for files and hashes that were collected before the upgrade to v5.0.

Use the Legacy Threat Hunting feature when there are Collectors in your system that have not been upgraded to FortiEDR V5.0 in order to search for files/hashes on those Collectors. After all Collectors have been upgraded to V5.0 or above, you can use FortiEDR’s Threat Hunting feature instead, which has more extensive collected data. For more details, seeThreat Hunting

.Access the Threat Hunting Legacy page under the Forensics tab.

Click the Threat Hunting option under the Forensics tab. This action opens the Threat Hunting page. In this case, the Hash/Process field is empty.

To search for malware using Threat Hunting (Legacy):
  1. Select the basis for the search by clicking the or button. When you select the button, the search results represent matching HASH values. When you select the button, the search results represent matching file names.

    When accessing the Threat Hunting page using Method 1, the relevant HASH value appears in the field adjacent to the button, as shown below.

    When accessing the Threat Hunting page using Method 2, the field adjacent to the and buttons is empty.

  2. If the field adjacent to the and buttons is empty, copy and paste the applicable file name or HASH value into the empty field.
  3. Specify the time range for the search using the timeline buttons at the top of the window.

  4. Click the Search button. The system searches for matching files in all devices in your environment. When the search completes, the search results display in the window. The example below shows a search by process.

    The row directly above the results table summarizes the results of the search. For example, in the window above, the system found 2 unique devices and one unique path created in the same one week. The example below shows the results of a search by HASH.

    The labels row directly above the summary row identifies common, shared data elements. For example, Sha-1, vendor and so on. The identified elements are shared by all files. Note that typically you see more common data elements when searching by HASH than by process.

Previous
Next