Introducing the Event Viewer
When a connection establishment attempt occurs, each FortiEDR Collector sends the relevant metadata to the FortiEDR Core, which forwards it to the FortiEDR Aggregator so that it can be displayed in the FortiEDR Central Manager Event Viewer. The Event Viewer enables you to view, investigate and acknowledge the handling of each such security event. A row is displayed for each event.
The Event Viewer enables you to display two different slices or views of the event data collected by FortiEDR:
- Device View: This view presents information by device, and shows all the security events detected on a given device.
- Process View: This view presents information by process, and shows all the security events detected for a given process.
Click the applicable view button at the top center of the window to display that view.
Note: Security events that were triggered by Saved Queries appear slightly different in the Event Viewer, as Event Viewer
Event Aggregation
For convenience and easier navigation, FortiEDR aggregates security events in both the Device view and the Process view in the Event Viewer, as follows:
- Each primary-level row represents a device/process.
Note: The All filter also displays expired security events.
- You can drill down on a device/process to display the security events for that device/process. Each security event row is marked with a flag indicator.
In the Process view, the Destinations column indicates the number of destinations to which the process attempted to connect. If only one destination was accessed, its IP address is shown. If more than one destination was accessed, the number of destination IPs is shown in the Destinations column.
In the Process view, the Device column indicates the number of devices the malware attempted to attack. If only one device was attacked, its device name is shown. If more than one device was attacked, the number of devices is shown in the Device column.
- You can drill down further in a security event row to view the raw data items for that event by clicking on the icon. Raw data items display the relevant information collected by FortiEDR from the device. For example, if a specific process was connecting to 500 destinations, then 500 raw data item rows display for that security event. In the figure below, the security event comprises 2 raw data items, coming from different devices and going to different destinations. You can click the icon to return to the aggregated security event view.
Examine the data in both the Device view and the Process view to identify the source of a problem. In this way, you can determine whether the issue is organization-wide or if only specific devices are infected.
A security event is triggered when one or more rules in a policy are violated. For example, let’s assume that people in your organization using the Adobe PDF application modified this application to meet their individual needs, and that FortiEDR detected this as malware that appeared on 1,000 devices in the organization. In this case, when the same security event occurs on multiple devices for the same process, you see the following in the Event Viewer:
- In the Device view, you see 1,000 security event aggregations (one per device), each with one security event under it.
- In the Process view, you see one security event aggregation named adobe.exe. Under it, there is one security event for the adobe.exe process. That security event shows the number 1000 in the Devices column and 1,000 raw data items.
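The following script is an added illustration of the aggregation described above (the Destinations and Device column rules, the raw data items under a security event, and the 1,000-device Adobe scenario); it is not FortiEDR code, and the record fields, grouping keys and sample values are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union


# Constructed raw data item: one record collected from a device. The field names
# are assumptions for this example, not the product's schema.
@dataclass(frozen=True)
class RawDataItem:
    device: str       # device on which the process ran
    process: str      # process that violated the policy rule
    rule: str         # policy rule that was violated
    destination: str  # IP address the process attempted to reach


def column_value(values: Iterable[str]) -> Union[str, int]:
    """Column rule from the Event Viewer: a single distinct value is shown as-is,
    several distinct values are shown only as their count."""
    distinct = set(values)
    return next(iter(distinct)) if len(distinct) == 1 else len(distinct)


def _security_event(rows: List[RawDataItem]) -> Dict[str, Union[str, int]]:
    """One security event row: its raw data item count plus the aggregated columns."""
    return {
        "raw_items": len(rows),
        "devices": column_value(r.device for r in rows),
        "destinations": column_value(r.destination for r in rows),
    }


def device_view(items: Iterable[RawDataItem]) -> Dict[str, Dict[tuple, dict]]:
    """Primary row per device; under it one security event per (process, rule)."""
    grouped = defaultdict(lambda: defaultdict(list))
    for it in items:
        grouped[it.device][(it.process, it.rule)].append(it)
    return {dev: {key: _security_event(rows) for key, rows in events.items()}
            for dev, events in grouped.items()}


def process_view(items: Iterable[RawDataItem]) -> Dict[str, Dict[str, dict]]:
    """Primary row per process; under it one security event per rule, with the
    Device and Destinations columns summarising every device the event came from."""
    grouped = defaultdict(lambda: defaultdict(list))
    for it in items:
        grouped[it.process][it.rule].append(it)
    return {proc: {rule: _security_event(rows) for rule, rows in events.items()}
            for proc, events in grouped.items()}


# Constructed sample 1: the modified-Adobe scenario, the same event on 1,000 devices.
ADOBE_ITEMS = [
    RawDataItem(f"ws-{n:04d}", "adobe.exe", "Malicious File Detected", "203.0.113.10")
    for n in range(1, 1001)
]

# Constructed sample 2: one security event whose two raw data items come from
# different devices and go to different destinations.
UPDATER_ITEMS = [
    RawDataItem("ws-0001", "updater.exe", "Suspicious Connection", "198.51.100.5"),
    RawDataItem("ws-0002", "updater.exe", "Suspicious Connection", "198.51.100.6"),
]


if __name__ == "__main__":
    dv = device_view(ADOBE_ITEMS)
    pv = process_view(ADOBE_ITEMS)
    print(f"Device view: {len(dv)} primary rows, "
          f"{len(next(iter(dv.values())))} security event under each")
    print("Process view, adobe.exe:", pv["adobe.exe"])
    print("Process view, updater.exe:", process_view(UPDATER_ITEMS)["updater.exe"])
```

Running it on the first sample gives 1,000 primary rows in the Device view with one event each, and one adobe.exe row in the Process view whose single event shows 1000 in the Devices column and 1,000 raw data items; comparing the two views this way is what tells you the problem is organization-wide rather than confined to a few devices.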
The Event Viewer is divided into the following areas of information:
The following actions can be performed in the Event Viewer:
- Marking a Security Event as Handled/Unhandled
- Manually Changing the Classification of a Security Event
- Marking a Security Event as Read/Unread
- Viewing Relevant Activity Events
- Viewing Expired Security Events
- Viewing Application Control Security Events
- Viewing Device Control Security Events
- Other Options in the Event Viewer
When a new security event is generated by FortiEDR, an indicator number displays or is incremented.
Hovering over this number indicates the number of new unread security events, shown below:
In some cases, Updated displays next to the number of new unread security events indicator. Updated means that FortiEDR originally classified one of the unread events, but that classification was later changed by the user. After more data for this security event was received, FortiEDR overrode the manual classification of the event by the user and changed the classification for the event again, based on the newly received data.
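As an added illustration of the unread indicator and the Updated condition just described, the model below records each classification change with who made it and reports when an automatic FortiEDR classification has replaced an earlier manual one on an unread event. This is example code, not FortiEDR's implementation; the class layout, the "fortiedr"/"user" labels and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class ClassificationChange:
    classification: str
    by: str  # assumed labels: "fortiedr" for automatic, "user" for manual


@dataclass
class SecurityEvent:
    event_id: int
    read: bool = False
    history: List[ClassificationChange] = field(default_factory=list)

    def classify(self, classification: str, by: str) -> None:
        """Append a classification change; the latest entry is the current one."""
        self.history.append(ClassificationChange(classification, by))

    @property
    def classification(self) -> str:
        return self.history[-1].classification

    @property
    def overrode_user(self) -> bool:
        """True when an automatic classification came after the user's last
        manual change, i.e. FortiEDR overrode the user's classification."""
        user_changes = [i for i, c in enumerate(self.history) if c.by == "user"]
        if not user_changes:
            return False
        return any(c.by == "fortiedr" for c in self.history[user_changes[-1] + 1:])


def unread_indicator(events: Iterable[SecurityEvent]) -> Tuple[int, bool]:
    """Return (number of unread events, whether Updated should be shown).
    Updated applies only when one of the *unread* events was overridden."""
    unread = [e for e in events if not e.read]
    return len(unread), any(e.overrode_user for e in unread)


def build_sample_events() -> List[SecurityEvent]:
    """Constructed sample: three events in different states."""
    e1 = SecurityEvent(1)
    e1.classify("Malicious", "fortiedr")          # new, never touched by a user
    e2 = SecurityEvent(2)
    e2.classify("Suspicious", "fortiedr")         # original automatic classification
    e2.classify("Safe", "user")                   # user changed it manually
    e2.classify("Malicious", "fortiedr")          # more data arrived; FortiEDR overrode
    e3 = SecurityEvent(3, read=True)
    e3.classify("Inconclusive", "fortiedr")       # already read, so not counted
    return [e1, e2, e3]


if __name__ == "__main__":
    events = build_sample_events()
    print(unread_indicator(events))   # two unread, one of them overridden
    events[1].read = True             # reading the overridden event clears Updated
    print(unread_indicator(events))
```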