Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.2.0 Administration Guide

Collection Exclusions

5.2.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0
Copy Link
Copy Doc ID 30b84173-e130-11ec-bb32-fa163e15d75b:59186
Download PDF

Collection Exclusions

Exclusions are needed for reducing the amount of Threat Hunting data that is collected and by doing so prolonging the data retention. The less data that is collected, the longer it will be stored in the databases.

Exclusions enable you to define certain types of activity events to be excluded from being collected by Threat Hunting data (even though should be collected according to the Threat Hunting Collection Profile assigned to a Collector group, which was described in Collection Profiles). For example, if you know that a certain process is legitimate, but it creates many activity events that are not relevant to your Threat Hunting investigation, you can use the Collection Exclusions to define that these activities are not collected.

The Collection Exclusions enables you to define and manage exclusion lists and the exclusions that they contain.

Note Exclusions are different than security event exceptions, as follows:
  • Exclusions define which activity events should be collected. They are exclusions to the Threat Hunting Profile.
  • Security event exceptions are defined after a particular security event has occurred. They are an exception to the assigned Security Policy.

To access the Collection Exclusions, select SECURITY SETTINGS > Threat Hunting > Collection Exclusions.

The Collection Exclusions page contains the following areas:

Previous
Next

Collection Exclusions

Exclusions are needed for reducing the amount of Threat Hunting data that is collected and by doing so prolonging the data retention. The less data that is collected, the longer it will be stored in the databases.

Exclusions enable you to define certain types of activity events to be excluded from being collected by Threat Hunting data (even though should be collected according to the Threat Hunting Collection Profile assigned to a Collector group, which was described in Collection Profiles). For example, if you know that a certain process is legitimate, but it creates many activity events that are not relevant to your Threat Hunting investigation, you can use the Collection Exclusions to define that these activities are not collected.

The Collection Exclusions enables you to define and manage exclusion lists and the exclusions that they contain.

Note Exclusions are different than security event exceptions, as follows:
  • Exclusions define which activity events should be collected. They are exclusions to the Threat Hunting Profile.
  • Security event exceptions are defined after a particular security event has occurred. They are an exception to the assigned Security Policy.

To access the Collection Exclusions, select SECURITY SETTINGS > Threat Hunting > Collection Exclusions.

The Collection Exclusions page contains the following areas:

Previous
Next