Administration Guide

Defining security event exceptions

The following describes how to create a new exception and how to edit an existing one.

Exceptions enable you to limit the enforcement of a rule, meaning to create a white list for a specific flow of security events that was used to establish a connection request or perform a specific operation.

FortiEDR exception management is highly flexible and provides various options that enable you to define pinpointed, granular exceptions.

How to edit an existing exception is described in Editing security event exceptions. You can access the Exception Manager by clicking the Exception Manager button at the top of the Events pane or by selecting SECURITY SETTINGS > Exception Manager. Additional options for managing exceptions are provided in the SECURITY SETTINGS tab, as described in Exception Manager.

An exception that applies to a security event can result in the creation of several exception pairs.

An exception pair specifies the rule that was violated and the process on which the violation occurred, either including or excluding the process's full location path. For more details, see Playbook policies.

Note

After an exception is defined for a security event, new identical events are not triggered.

Security events that occurred in the past appear with an icon indicating that an exception has since been defined for them, even though the exception did not exist at the time they were triggered. This icon on past security events tells you that there is no need to create an exception for such an event, because one was already created (after the event occurred).

In cases where an exception was defined for the security event but it does not fully cover all the existing occurrences or raw data items of this event, a slightly different icon is displayed, as described and shown below.

Note

When defining an exception for Listen on Port Attempt events, listening on 0.0.0.0 means listening on all interfaces. In such cases, you should use All Destinations.
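As an added illustrative model (not FortiEDR code; the field names and the matching rules are assumptions), the following shows how an exception pair that includes or excludes the process location path, together with the All Destinations setting for 0.0.0.0 listeners, determines whether an exception fully or only partially covers the raw data items of a security event:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RawDataItem:
    """One occurrence of a security event (constructed sample, not FortiEDR data)."""
    rule: str
    process_path: str   # full path of the violating process
    destination: str    # e.g. "0.0.0.0:8080" for a Listen on Port Attempt

@dataclass(frozen=True)
class ExceptionPair:
    """Violated rule + process, with or without the process's full location path (assumed model)."""
    rule: str
    process: str            # file name only, or the full path when include_path is True
    include_path: bool
    destination: str = "All Destinations"

    def matches(self, item: RawDataItem) -> bool:
        if self.rule != item.rule:
            return False
        proc = item.process_path if self.include_path else item.process_path.rsplit("\\", 1)[-1]
        if proc != self.process:
            return False
        if self.destination == "All Destinations":
            return True
        # Listening on 0.0.0.0 means all interfaces, so only All Destinations covers it.
        return item.destination == self.destination and not item.destination.startswith("0.0.0.0")

def coverage(items, pairs):
    """'full', 'partial' or 'none', depending on how many raw data items the pairs cover."""
    covered = sum(any(p.matches(i) for p in pairs) for i in items)
    if covered == len(items):
        return "full"
    return "partial" if covered else "none"

# Constructed sample: two occurrences of the same event from differently located copies of srv.exe.
ITEMS = [
    RawDataItem("Listen on Port Attempt", "C:\\Apps\\srv.exe", "0.0.0.0:8080"),
    RawDataItem("Listen on Port Attempt", "C:\\Temp\\srv.exe", "10.0.0.5:8080"),
]

def demo():
    by_path = ExceptionPair("Listen on Port Attempt", "C:\\Apps\\srv.exe", include_path=True)
    by_name = ExceptionPair("Listen on Port Attempt", "srv.exe", include_path=False)
    narrow = ExceptionPair("Listen on Port Attempt", "C:\\Apps\\srv.exe", True, "0.0.0.0:8080")
    # Path-bound pair covers one occurrence; name-only pair covers both;
    # a specific destination never covers a 0.0.0.0 listener.
    return coverage(ITEMS, [by_path]), coverage(ITEMS, [by_name]), coverage(ITEMS, [narrow])
```

The partial result corresponds to the "slightly different icon" case above, where the exception exists but does not cover every raw data item of the event.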
