Defining a security event as an exception
- Click the security event row to be defined as an exception.
- Click the Create Exception button. The following window displays:
- Specify whether this exception applies to all the Collector Groups or only to the Collectors in the same Collector Group as the one for which this security event was triggered.
The All groups and Collector groups options only apply to the current organization in which the security event occurred.
For a multi-organization FortiEDR system, an Administrator can also specify whether the exception applies to all organizations. The All organizations option applies the exception to all organizations, regardless of whether or not the security event already occurred.
The All organizations option does not display for Local Administrators or regular users. Only an Administrator can set the All organizations option.
If an Administrator wants to define an exception that applies to one or more, but not all organizations, then he/she must define the exception separately for each organization.
Exceptions defined by an Administrator (Hoster) that apply to all organizations display as Locked by the administrator to other users, and cannot be changed by a user other than the Administrator who created it, as shown below:
Exceptions can only be defined for Collector Groups. If you would like to define an exception for a specific Collector, then create a Collector Group that only contains that Collector.
- Specify whether this exception applies to all destinations or only to specific destinations. For events that are not of the network type, such as File Read/Execution Attempt or Modify OS Settings, select All destinations.
When you specify destinations, the IP addresses listed in the dropdown menu are the IP addresses that generated connections for this security event. Use the dropdown menu to select the specific IP addresses (internal or external) seen on this security event to which the exception applies.
To apply the exception to specific destinations, select from the following options:
- Select All: Applies the exception to all destinations that were seen as part of this security event. If an identical violation occurs (the same set of rules is violated on this process) but the connection attempt is to a different IP, the security event will still be triggered. To exclude this security event completely from being triggered in the future, select the All Destinations radio button.
- Internal Destinations: Applies the exception to all internal destinations. Internal destinations are the IP addresses that the TCP/IP standards define as internal networks. These IP addresses include the following:
  - Loopback addresses: 127.X.X.X, 0:0:0:0:0:0:0:1 and 0:0:0:0:0:FFFF:7f
  - 10.0.0.0–10.255.255.255
  - 192.168.0.0–192.168.255.255
  - 169.254.0.0–169.254.255.255
  - 172.16.0.0–172.31.255.255
  - IPv6: fc00:: – fd00::, ::, or fe80
  This option is useful when an application is allowed for use within the organization, but you do not want it to be used for external communications. Using this option enables the application to communicate internally without triggering alerts. However, the application might still trigger alerts when attempting to connect to an external IP.
- <IP Address>: Applies the exception to the selected IP address. You can select multiple IP addresses.
- <IP Set>: An IP set defines a set of IP addresses to be included in or excluded from a security event. When you select an IP set here, the exception is applied only to a device that has one of the IP addresses specified in the IP set. IP sets can only be defined by an Administrator, as described in IP sets.
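The address list above can be turned into a quick check that tells you, before you choose Internal Destinations, which of an event's destinations that option would cover and which would still trigger the event. The following Python is an added example and not FortiEDR's code: the function names are my own, the sample destinations are constructed, and the reading of the abbreviated entries (fe80 as the link-local prefix fe80::/10, the 0:0:0:0:0:FFFF:7f entry as the IPv4-mapped loopback block ::ffff:127.0.0.0/104, and fc00:: – fd00:: as the literal range written) is an assumption.

```python
"""Classify event destinations against the documented Internal Destinations list.

Added example, not FortiEDR code. The ranges follow the documentation's list;
where an entry is abbreviated, the interpretation is marked as an assumption.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Networks taken directly from the documented list.
_INTERNAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),          # loopback 127.X.X.X
    ipaddress.ip_network("::1/128"),              # 0:0:0:0:0:0:0:1
    ipaddress.ip_network("::ffff:127.0.0.0/104"), # "0:0:0:0:0:FFFF:7f" read as IPv4-mapped loopback (assumption)
    ipaddress.ip_network("10.0.0.0/8"),           # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("192.168.0.0/16"),       # 192.168.0.0 - 192.168.255.255
    ipaddress.ip_network("169.254.0.0/16"),       # 169.254.0.0 - 169.254.255.255
    ipaddress.ip_network("172.16.0.0/12"),        # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("::/128"),               # the bare "::" entry (unspecified address)
    ipaddress.ip_network("fe80::/10"),            # "fe80" read as the link-local prefix (assumption)
]

# The documentation writes the unique-local entry as "fc00:: - fd00::"; this follows
# that literal range rather than the full RFC 4193 fc00::/7 block.
_ULA_LOW = ipaddress.ip_address("fc00::")
_ULA_HIGH = ipaddress.ip_address("fd00::")


def is_internal_destination(address: str) -> bool:
    """Return True if `address` falls in one of the documented internal ranges."""
    ip = ipaddress.ip_address(address)
    # IPv4Address-in-IPv6Network (and vice versa) simply yields False.
    if any(ip in net for net in _INTERNAL_NETWORKS):
        return True
    if ip.version == 6 and _ULA_LOW <= ip <= _ULA_HIGH:
        return True
    return False


def split_destinations(addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition an event's destinations into (internal, external) lists.

    Everything in the first list is covered by the Internal Destinations option;
    connections to anything in the second list would still trigger the event.
    """
    internal, external = [], []
    for address in addresses:
        (internal if is_internal_destination(address) else external).append(address)
    return internal, external


# Constructed sample: destinations as they might appear in an event's dropdown.
SAMPLE_DESTINATIONS = ["10.1.2.3", "172.31.255.254", "fe80::1", "::ffff:127.0.0.1",
                       "203.0.113.10", "172.32.0.1", "2001:db8::5"]

if __name__ == "__main__":
    covered, still_triggering = split_destinations(SAMPLE_DESTINATIONS)
    print("covered by Internal Destinations:", covered)
    print("would still trigger the event:   ", still_triggering)
```

Run it against the addresses listed in the event's destination dropdown; if anything lands in the second list and should also be excepted, it needs to be selected explicitly as an IP address or covered by an IP set.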
- Specify whether this exception applies to all users or to a specific user.
- In the Triggered Rules area, specify the path on which to apply the exception. You can select either the Current Path or Any Path. By default, all options are set to Any Path. In this context, the path indicates the entire path of the [folder name] in which the process’s file is located. The Current Path is the path used in this security event, as displayed in the window. When you select Any Path, the process triggers the exception no matter from where it is running.
You can define an exception based on a complex set of conditions. For example, you can limit an exception so that it applies only when a specific process (B) is executed by another process (A), or so that it applies every time process B is executed.
You can also define an exception that applies only when one of the two process triggers is running, as shown below:
You can also define an exception that applies only when both processes are running.
You can click the Help button to view relevant help information, as shown below:
FortiEDR enables you to specify any of the processes in a security event's stack when defining an exception, including child and parent processes.
Let's look at an example in more detail. Suppose you want to define an exception that allows the SurSvc.exe executable to run, but only when it is created by the services.exe executable. To define this exception, select the SurSvc.exe process in the Apply exception field and select the services.exe process in the When created by field. Based on this security event's ancestry chain, wininit.exe, which is the grandparent of the SurSvc.exe executable, would not be selected in the When created by field. The immediate child of the SurSvc.exe executable is company.exe, which is listed at the top of the When created by dropdown list. The immediate parent of the SurSvc.exe executable is services.exe, which is listed after company.exe in the dropdown list. The SurSvc.exe executable's grandparent is wininit.exe, which is listed at the bottom of the list. The order in which the processes run in a security event chain is always maintained: the oldest ancestor is shown at the bottom of the list of processes in this window and the child is at the top.
You can edit the process path and file name. Wildcards can be used for this purpose.
To use wildcards as part of a process path or file name definition, all Collectors must be V3.0.0.0 or above. If you attempt to use wildcards with older Collectors, the following error message displays:
You can only edit the process path or file name when selecting the Current Path option. To do so, click the adjacent Edit button, and then edit the process/file name as needed. When doing so, the following conditions apply:
Path:
- Only asterisk (*) characters can be added.
- Do not change the displayed path; otherwise, it will no longer match. However, you can replace a piece of the string with an asterisk (*).
- Only a single asterisk character (*) is permitted between two consecutive path separators (/).
- The number of separators (/) in the displayed path must remain the same.
File Name:
- Only asterisk (*) characters can be added.
- Do not change the file name; otherwise, it will no longer match. However, you can replace a piece of the string with an asterisk (*).
- Only a single asterisk character (*) is permitted.
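The conditions above amount to a small rule set, and checking an edit against them before saving avoids an exception that silently never matches. The following Python is an added example, not FortiEDR's own validation: it encodes the documented Path and File Name conditions, the function names and the sample path are my own, and the separator character is taken as "/" because that is how the documentation writes it.

```python
"""Validate wildcard edits of a process path or file name against the documented rules.

Added example, not FortiEDR code. Rules encoded: only asterisks may be added; the
displayed string may not otherwise change, but a piece of it may be replaced by an
asterisk; the number of path separators must stay the same; at most one asterisk
between two consecutive separators; at most one asterisk in a file name.
"""
from typing import Tuple

SEPARATOR = "/"  # path separator as written in the documentation (assumption)


def _segment_matches(pattern: str, original: str) -> bool:
    """True if `pattern` (at most one '*') was produced from `original` only by
    inserting an asterisk or replacing a piece of it with an asterisk."""
    if "*" not in pattern:
        return pattern == original
    prefix, suffix = pattern.split("*", 1)
    return (
        original.startswith(prefix)
        and original.endswith(suffix)
        and len(prefix) + len(suffix) <= len(original)  # prefix and suffix must not overlap
    )


def validate_path_edit(displayed_path: str, edited_path: str) -> Tuple[bool, str]:
    """Check an edited process path against the documented Path conditions."""
    if displayed_path.count(SEPARATOR) != edited_path.count(SEPARATOR):
        return False, "number of path separators changed"
    for orig_seg, new_seg in zip(displayed_path.split(SEPARATOR), edited_path.split(SEPARATOR)):
        if new_seg.count("*") > 1:
            return False, f"more than one asterisk between separators: {new_seg!r}"
        if not _segment_matches(new_seg, orig_seg):
            return False, f"segment {new_seg!r} no longer matches {orig_seg!r}"
    return True, "ok"


def validate_file_name_edit(displayed_name: str, edited_name: str) -> Tuple[bool, str]:
    """Check an edited file name against the documented File Name conditions."""
    if edited_name.count("*") > 1:
        return False, "only a single asterisk is permitted in a file name"
    if not _segment_matches(edited_name, displayed_name):
        return False, f"{edited_name!r} no longer matches {displayed_name!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the path and file name as the window would display them.
    shown_path = "C:/Program Files/Vendor/App"
    shown_name = "SurSvc.exe"
    for candidate in ("C:/Program Files/*/App", "C:/*/App", "C:/Program Files/*Ven*/App"):
        print(candidate, "->", validate_path_edit(shown_path, candidate))
    for candidate in ("Sur*.exe", "*Svc*", "SurSvc.dll"):
        print(candidate, "->", validate_file_name_edit(shown_name, candidate))
```

The per-segment check is deliberate: because the separator count must be unchanged, an asterisk can never stand in for a separator, so each segment of the edited path is compared only with the segment in the same position of the displayed path.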
When a wildcard is used as part of the process path or file name definition, the entry displays in green, as shown below:
- (Optional) Enter any comments in the Comments box.
- Click the Create Exception button.
- (Optional) You can define another exception for this same security event by clicking the plus button at the top of the window. Then, define the exception in the same manner as described in the previous steps.
If this exception was created previously, the Remove Exception button appears, enabling you to delete the exception.