Administration Guide

Out-of-the-box policies

FortiEDR provides the following out-of-the-box policies. Each policy comes with multiple highly intelligent rules that enforce it.

Note

You will receive one or all policies, depending on your FortiEDR license.

  • Execution Prevention: This policy blocks the execution of files that are identified as malicious or suspected to be malicious. For this policy, each file is analyzed to find evidence of malicious activity. One of the following rules is triggered, based on the analysis result:
    • Most Likely a Malicious File: A Malicious File Execution rule is triggered with a critical severity. By default, the file is blocked.

    • Probably a Malicious File: A Suspicious File Execution rule is triggered with a high severity. By default, the file is blocked.

    • Show Evidence of Malicious File: An Unresolved file rule is triggered with a medium severity. By default, the file is logged, but is not blocked.

  • Exfiltration Prevention: This policy enables FortiEDR to distinguish malicious connection establishment requests from legitimate ones.
  • Ransomware Prevention: This policy enables FortiEDR to detect and block malware that prevents or limits users from accessing their own system.
  • Device Control: This policy enables FortiEDR to detect and block the usage of USB devices, such as USB mass storage devices. In this policy, detection is based on the device type.
    Note

    This feature is license-dependent and requires the Vulnerability Management add-on (meaning a License Type of either Discover and Protect or Discover, Protect and Response). Device Control security events are displayed under the dedicated Device Control filter on the Events page and are not listed as part of the All filter.

  • Application Control: This policy enables FortiEDR to block user-defined applications from running, so that they do not launch. Blocklist management is done on the Application Control Manager page.
    Note

    Application Control security events are displayed under the dedicated Application Control filter on the Events page and are not listed as part of the All filter.

  • eXtended Detection Policy: This policy provides visibility into data across multiple security systems and identifies abnormal or malicious activity by applying analytics and correlating data from various systems. Events are logged and displayed in the Event Viewer. No blocking options are provided. The exceptions and forensics options are not available in the Event Viewer for security events triggered by this policy.
    Note

    This policy requires that you configure an XDR source connector in the ADMINISTRATION > INTEGRATIONS section. This feature is a license-dependent add-on. You may contact Fortinet Support for more information.

All security policies can run simultaneously. However, these security policies detect rule violations at different places and points in time in the operating system. When multiple security policies are triggered, FortiEDR uses the following guidelines to avoid generating duplicate security events:

  • For connection establishment attempts, the Exfiltration Prevention rule violation is detected.
  • For attempts to lock files or access their data (for example, by encrypting the data), the Ransomware rule violation is detected.
  • When a malicious file is being executed by the user or by the operating system, the Execution Prevention rule violation is detected.
  • For attempts to use a USB device, such as a mass storage device, the Device Control rule violation is detected. It is supported on Windows devices only.
  • For execution attempts of an application that is included in the blocklist, the Application Control rule violation is detected.
  • When malicious activity is identified across network, endpoints, and cloud, an Extended Detection rule violation is detected.
