Legacy Threat Hunting
If your FortiEDR environment has recently upgraded and one or more Collectors in your system run a FortiEDR version earlier than 5.0, Legacy Threat Hunting allows you to hunt for files and hashes on those Collectors that were collected before you upgrade to 5.0 from earlier versions. Access the Threat Hunting Legacy page by clicking Forensics > Threat Hunting Legacy. If all Collectors run FortiEDR 5.0 or later, the Legacy Threat Hunting option is unavailable. Use the FortiEDR’s Threat Hunting feature instead in this case, which has more extensive collected data.
The following shows the Legacy Threat Hunting page. In this case, the Hash/Process field is empty.
To search for malware using Threat Hunting (legacy):
- Select the basis for the search by clicking the Hash () or File Name () button. When you select the Hash button, the search results represent matching HASH values. When you select the File Name button, the search results represent matching filenames.
When accessing the Threat Hunting page using Method 1, the relevant HASH value appears in the field adjacent to the Hash button, as shown below.
When accessing the Threat Hunting page using Method 2, the field adjacent to the Hash and File Name buttons is empty.
- If the field adjacent to the Hash and File Name buttons is empty, copy and paste the applicable filename or HASH value into the empty field.
- Specify the time range for the search using the timeline buttons at the top of the window.
- Click the Search button. The system searches for matching files in all devices in your environment. When the search completes, the search results display in the window. The example below shows a search by process.
The row directly above the results table summarizes the results of the search. For example, in the window above, the system found 2 unique devices and one unique path created in the same one week. The example below shows the results of a search by HASH.
The labels row directly above the summary row identifies common, shared data elements. For example, Sha-1, vendor, and so on. The identified elements are shared by all files. Note that typically you see more common data elements when searching by HASH than by process.