Fortinet black logo

Administration Guide

Threat Hunting

Copy Link
Copy Doc ID 30b84173-e130-11ec-bb32-fa163e15d75b:177933
Download PDF

Threat Hunting

Threat Hunting significantly expands and enhances the capabilities of the Legacy Threat Hunting feature, which is described in Legacy Threat Hunting. In addition to searching for activities based on a security event’s process or HASH, you can also search for these activities based on a variety of activity types (such as Process Creation, File Deletion, Registry Value change, Socket Connect, and so on), as well as by Process/File/Registry/Network or Event Log criteria.

Threat Hunting is ideal in situations where you have identified malware on one endpoint and want to search throughout your organization to determine whether this same malware exists on another endpoint, even though it may not be currently running (stealth mode) or in situations where you would like to hunt for the existence of a specific IoC within your organization.

Threat Hunting utilizes activity events, which specify an action taken by an entity. Each type of entity may be involved in a variety of types of actions. An activity event consists of a source (usually a process), an action (the activity event type) and a target (Process, file, Registry key/value, network item(, where the source performs the designated action on the target.

For example, when a process runs, it can perform various actions on files, such as File Open, File Read, File Delete and so on. In this case, the process is the source, and it performs an action such as File Open on a target File.

Note

Activity events are not the same as the security events identified in Event Viewer. Unlike Event Viewer security events, which are only reported in Event Viewer as they occur and are detected, activity events are continuously collected based on a wealth of data, activity and actions occurring in your system and the chosen Threat Hunting Profile. You may refer to Threat Hunting for more information.

FortiEDR categorizes the various actions that can be performed into the following categories:

Action

Description

Registry Key Actions All targets are either registry keys or registry values and all actions are registry-related, such as Key Created, Key Deleted, Value Set and so on.
File Actions All targets identify the target file on which the action was performed and all actions are file-related, such as File Create, File Delete, File Rename and so on.
Process Actions The target is another process and all actions are process related, such as Process Termination, Process Creation, Executable Loaded and so on.
Network Actions The target is a network item (such as connection or URL) and all actions are Network related, such as Socket Connect, Socket Close and Socket Bind.
Event Log Actions The only action is Log Entry Created and relates to the logs of the operating system - Windows and Linux.

Access the Threat Hunting page under the Forensics tab by selecting the Threat Hunting option under the Forensics tab. The following page displays:

The Threat Hunting page contains the following areas:

Note

This Threat Hunting page automatically becomes the only option available after all Collectors are V5.0 or above.

Threat Hunting

Threat Hunting significantly expands and enhances the capabilities of the Legacy Threat Hunting feature, which is described in Legacy Threat Hunting. In addition to searching for activities based on a security event’s process or HASH, you can also search for these activities based on a variety of activity types (such as Process Creation, File Deletion, Registry Value change, Socket Connect, and so on), as well as by Process/File/Registry/Network or Event Log criteria.

Threat Hunting is ideal in situations where you have identified malware on one endpoint and want to search throughout your organization to determine whether this same malware exists on another endpoint, even though it may not be currently running (stealth mode) or in situations where you would like to hunt for the existence of a specific IoC within your organization.

Threat Hunting utilizes activity events, which specify an action taken by an entity. Each type of entity may be involved in a variety of types of actions. An activity event consists of a source (usually a process), an action (the activity event type) and a target (Process, file, Registry key/value, network item(, where the source performs the designated action on the target.

For example, when a process runs, it can perform various actions on files, such as File Open, File Read, File Delete and so on. In this case, the process is the source, and it performs an action such as File Open on a target File.

Note

Activity events are not the same as the security events identified in Event Viewer. Unlike Event Viewer security events, which are only reported in Event Viewer as they occur and are detected, activity events are continuously collected based on a wealth of data, activity and actions occurring in your system and the chosen Threat Hunting Profile. You may refer to Threat Hunting for more information.

FortiEDR categorizes the various actions that can be performed into the following categories:

Action

Description

Registry Key Actions All targets are either registry keys or registry values and all actions are registry-related, such as Key Created, Key Deleted, Value Set and so on.
File Actions All targets identify the target file on which the action was performed and all actions are file-related, such as File Create, File Delete, File Rename and so on.
Process Actions The target is another process and all actions are process related, such as Process Termination, Process Creation, Executable Loaded and so on.
Network Actions The target is a network item (such as connection or URL) and all actions are Network related, such as Socket Connect, Socket Close and Socket Bind.
Event Log Actions The only action is Log Entry Created and relates to the logs of the operating system - Windows and Linux.

Access the Threat Hunting page under the Forensics tab by selecting the Threat Hunting option under the Forensics tab. The following page displays:

The Threat Hunting page contains the following areas:

Note

This Threat Hunting page automatically becomes the only option available after all Collectors are V5.0 or above.