Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.2.0 Administration Guide

Exception Manager

5.2.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0
Copy Link
Copy Doc ID 30b84173-e130-11ec-bb32-fa163e15d75b:332165
Download PDF

Exception Manager

Exceptions enable you to limit the enforcement of a rule, meaning to create a white list for a specific flow of events that was used to establish a connection request or perform a specific operation.

An exception can be made for a Collector Group (several specific ones or for all) and a destination IP (a specific one, IP-set or all). The event is then no longer triggered for that specific Collector Group or destination IP. This exception can be added on part or the entire set of rules and the process that triggered this event.

When an exception is defined, it results in one or more exception pairs. An exception pair specifies the rule that was violated, and the process on which the violation occurred, including its entire location path. For example, the following shows several examples of exception pairs:

  • Rule – File encryptor with Process – c:\users\root\Desktop\ransom\RnsmTOX.exe
  • Rule – Process hollowing with Process – c:\users\root\AppData\Local\hipmiav.exe

An exception that applies to a security event can result in the creation of several exception pairs. Each exception is associated with a specific process path. You determine whether the exception pair can run from the event-specific path or whether to apply the exception for this process so that it can run from any path.

If the exception pair includes more than one process, you can include the other processes too, as well as determine whether they can run from the event-specific path or from any path.

Any exception that you define applies to all policies.

Exceptions are created in the Event Viewer, as described onDefining security event exceptions

Note

Fortinet Cloud Services (FCS) may push an automated exception in cases where extended analysis and investigation of a security event leads to its reclassification as Safe. This prevents the security event from triggering again. In such cases, the security event is moved under archived events and the exception that was set is added in the Exception Manager with FortiEDRCloudServices as the handling user.
To manage exceptions:
  1. Select SECURITY SETTINGS > Security Events > Exception Manager. Alternatively, in the EVENT VIEWER page, click the Exception Manager button. The following window displays, showing the list of previously created exceptions:

    Tip

    If the exception includes a free-text comment, you can hover over the Event ID in the Exception Manager to display it.

    Tip

    You can delete one or more exceptions simultaneously by selecting the checkbox at the beginning of its row and then clicking the Delete button.

  2. To filter the exception list, click the Advanced button. The window displays various filter boxes at the top of the window, which you can use to filter the list by specific criteria.

    Click the Basic search button to access the standard search options.

    Click the Edit Exception button in an exception row to edit that exception. For more details, see Editing Security Event Exceptions on Editing security event exceptions.

    Click the Delete button in an exception row to delete that exception.

    Changes can be made on multiple exceptions at the same time by checking the Exceptions that you would like to edit and then clicking on the Edit tool, as shown below:

    The following window displays in the which you can choose to add new Collector Groups in addition to existing ones or to replace all Collector Groups with the new Collector Group values that you select:

    This same procedure can be used to edit the IP sets of the destination addresses of the selected exceptions.

Previous
Next

Exception Manager

Exceptions enable you to limit the enforcement of a rule, meaning to create a white list for a specific flow of events that was used to establish a connection request or perform a specific operation.

An exception can be made for a Collector Group (several specific ones or for all) and a destination IP (a specific one, IP-set or all). The event is then no longer triggered for that specific Collector Group or destination IP. This exception can be added on part or the entire set of rules and the process that triggered this event.

When an exception is defined, it results in one or more exception pairs. An exception pair specifies the rule that was violated, and the process on which the violation occurred, including its entire location path. For example, the following shows several examples of exception pairs:

  • Rule – File encryptor with Process – c:\users\root\Desktop\ransom\RnsmTOX.exe
  • Rule – Process hollowing with Process – c:\users\root\AppData\Local\hipmiav.exe

An exception that applies to a security event can result in the creation of several exception pairs. Each exception is associated with a specific process path. You determine whether the exception pair can run from the event-specific path or whether to apply the exception for this process so that it can run from any path.

If the exception pair includes more than one process, you can include the other processes too, as well as determine whether they can run from the event-specific path or from any path.

Any exception that you define applies to all policies.

Exceptions are created in the Event Viewer, as described onDefining security event exceptions

Note

Fortinet Cloud Services (FCS) may push an automated exception in cases where extended analysis and investigation of a security event leads to its reclassification as Safe. This prevents the security event from triggering again. In such cases, the security event is moved under archived events and the exception that was set is added in the Exception Manager with FortiEDRCloudServices as the handling user.
To manage exceptions:
  1. Select SECURITY SETTINGS > Security Events > Exception Manager. Alternatively, in the EVENT VIEWER page, click the Exception Manager button. The following window displays, showing the list of previously created exceptions:

    Tip

    If the exception includes a free-text comment, you can hover over the Event ID in the Exception Manager to display it.

    Tip

    You can delete one or more exceptions simultaneously by selecting the checkbox at the beginning of its row and then clicking the Delete button.

  2. To filter the exception list, click the Advanced button. The window displays various filter boxes at the top of the window, which you can use to filter the list by specific criteria.

    Click the Basic search button to access the standard search options.

    Click the Edit Exception button in an exception row to edit that exception. For more details, see Editing Security Event Exceptions on Editing security event exceptions.

    Click the Delete button in an exception row to delete that exception.

    Changes can be made on multiple exceptions at the same time by checking the Exceptions that you would like to edit and then clicking on the Edit tool, as shown below:

    The following window displays in the which you can choose to add new Collector Groups in addition to existing ones or to replace all Collector Groups with the new Collector Group values that you select:

    This same procedure can be used to edit the IP sets of the destination addresses of the selected exceptions.

Previous
Next