Administration Guide

Classification Details

After you click a security event in the Events pane, the CLASSIFICATION DETAILS pane displays detailed information about the classification, policy, and rules assigned to the FortiEDR Collector that triggered this security event.

Click the History down arrow to display the classification history of a security event. The classification history shows the chronology for classifying the security event, and the actions performed by FortiEDR for that event. This area also displays relevant details when the FortiEDR Cloud Service (FCS) reclassifies a security event after its initial classification by the Core.

All FortiEDR actions are based on the final classification of a security event by the FCS. The FCS is a cloud-based, software-only service that determines the exact classification of security events and acts accordingly based on that classification, all with a high degree of accuracy. All Playbook policy actions are based on the final determination of the FCS. For more details, see Playbook policies.

For example, the history shown below indicates that the security event was reclassified by the FCS and given a notification status of Suspicious at 15:44:51.

In the Triggered Rules pane, only rules that were violated are displayed. The configured action for each rule is displayed as defined in POLICIES. The action that was actually executed is displayed in the Action column of the EVENTS pane of this window. The action taken is determined by the rule with the highest priority.

Each entry in the CLASSIFICATION DETAILS pane displays the threat name, threat family, and threat type. If threat intelligence data is available for the threat, it displays as well.

When the Fortinet logo appears next to an entry in the CLASSIFICATION DETAILS pane, it indicates that the security event classification is the one that was automatically added by FortiEDR. Security events that were manually classified do not display the Fortinet logo.

Contact Fortinet Support for more details about the third-party tool used by Fortinet for the classification process.

Note that when the Playbook policy that relates to a security event is set to Simulation mode, the event action is documented in the Event Viewer but is not performed. Such security events display "(simulation)" in the History section of the CLASSIFICATION DETAILS pane, as shown below:

Note

Notification actions are not shown in the Event Viewer, but Investigation and Remediation actions are. For more details, see Playbook policy actions.
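The following is an added illustrative model, not FortiEDR code, of the behaviour this section describes: the Core's initial classification followed by an FCS reclassification that becomes the final one, the executed action taken from the highest-priority violated rule, Simulation mode recording the action in the history with "(simulation)" without performing it, and Notification actions being kept out of the Event Viewer while Investigation and Remediation actions appear there. Rule names, the initial "Inconclusive" classification, the actions "Notify" and "Block", and the convention that a larger priority number means a higher priority are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Playbook action categories named in the documentation
NOTIFICATION = "Notification"
INVESTIGATION = "Investigation"
REMEDIATION = "Remediation"


@dataclass
class TriggeredRule:
    """A rule that was violated, as listed in the Triggered Rules pane."""
    name: str
    configured_action: str   # the action defined for the rule in POLICIES
    category: str            # NOTIFICATION, INVESTIGATION or REMEDIATION
    priority: int            # assumption: a larger number means a higher priority


@dataclass
class HistoryEntry:
    """One line of the classification history in the CLASSIFICATION DETAILS pane."""
    time: str
    source: str              # "Core" for the initial classification, "FCS" afterwards
    classification: str
    action: Optional[str] = None
    simulation: bool = False

    def render(self) -> str:
        line = f"{self.time} {self.source}: {self.classification}"
        if self.action:
            line += f" -> {self.action}"
            if self.simulation:
                line += " (simulation)"      # documented, but not performed
        return line


@dataclass
class SecurityEvent:
    event_id: int
    history: List[HistoryEntry] = field(default_factory=list)
    event_viewer: List[str] = field(default_factory=list)   # what the Event Viewer lists
    performed: List[str] = field(default_factory=list)      # actions actually executed

    def classify(self, time: str, source: str, classification: str) -> None:
        self.history.append(HistoryEntry(time, source, classification))

    def final_classification(self) -> str:
        """Playbook actions follow the FCS determination when the FCS has ruled."""
        fcs = [h for h in self.history if h.source == "FCS"]
        return (fcs or self.history)[-1].classification


def select_rule(triggered: List[TriggeredRule]) -> Optional[TriggeredRule]:
    """The executed action comes from the highest-priority violated rule."""
    return max(triggered, key=lambda r: r.priority) if triggered else None


def run_playbook(event: SecurityEvent, triggered: List[TriggeredRule],
                 time: str, simulation_mode: bool) -> Optional[str]:
    """Record and (unless simulating) perform the action for the final classification."""
    rule = select_rule(triggered)
    if rule is None:
        return None
    event.history.append(HistoryEntry(time, "FCS", event.final_classification(),
                                      rule.configured_action, simulation_mode))
    if rule.category != NOTIFICATION:
        # Notification actions never reach the Event Viewer; the others do
        event.event_viewer.append(f"event {event.event_id}: {rule.configured_action}")
    if not simulation_mode:
        event.performed.append(rule.configured_action)
    return rule.configured_action


def demo(simulation_mode: bool = False) -> SecurityEvent:
    """Constructed scenario: Core classifies, then the FCS reclassifies to Suspicious at 15:44:51."""
    event = SecurityEvent(event_id=1001)
    event.classify("15:44:20", "Core", "Inconclusive")   # constructed initial classification
    event.classify("15:44:51", "FCS", "Suspicious")
    triggered = [
        TriggeredRule("constructed notification rule", "Notify", NOTIFICATION, priority=1),
        TriggeredRule("constructed remediation rule", "Block", REMEDIATION, priority=5),
    ]
    run_playbook(event, triggered, "15:44:52", simulation_mode)
    return event


if __name__ == "__main__":
    for entry in demo(simulation_mode=True).history:
        print(entry.render())
```

Running the block with Simulation mode on prints the history with the final line ending in "(simulation)" and leaves the `performed` list empty, while the Event Viewer still carries the Remediation action; with Simulation mode off the same "Block" action is both listed and performed.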

When expanding triggered rules, you can see the techniques that were used in this security event, based on the MITRE ATT&CK common techniques scheme. Clicking the technique opens the MITRE web page, providing additional details, as shown below.
