Activity events tables
The results presented in the tables in this area are activity events. The activity events table area contains six tabs, each representing one category of activity events, as follows:
Category |
Definition |
||
---|---|---|---|
All Activity |
This tab lists all activity events, based on the filters defined for the Threat Hunting query. The number in parentheses () specifies the total number of activity events, based on your query criteria. This total equals the sum of the activity events in the other five tabs. Each Category of activity events is represented by a different icon, as follows:
You can hover over the icon in the Process and Attributes column to temporarily display additional details about the source process, including whether it is signed, its signature, issuer and so on.
|
||
Process | This tab shows all matching activity events of category Process. | ||
File |
This tab shows all matching activity events of category File.
|
||
Network | This tab shows all matching activity events of type Network. | ||
Registry | This tab shows all matching activity events of type Registry. | ||
Event Log | This tab shows all matching activity events of type Event Log. |
Each table contains a row for each matching activity event and each table includes different columns according to the category.
You can select which columns should appear in any of the tables using the Choose Columns option at the far right of the page. You can type in the Search box to help narrow the list of columns that display.
Each activity event may also be a part of a behavior and/or a MITRE Technique. A behavior indicates that this activity event is part of a specific behavior as determined by FortiEDR. A MITRE type (Technique or Tactic) indicates that the activity event is part of specification of a technique and tactic as classified by MITRE.
The activity events that have such behaviors and/or MITRE indications have values in the related columns in the activity events tables, as shown below:
When an activity event has a related MITRE indication, it is indicated in the Details pane (see below). You can hover over the associated icon to display more details.
Filtering using activity events tables
The activity events tables area can be used to add filters to the query in a similar manner as facets.
When you hover over an item in the table, a green and red button appear to its right. Click the green plus button ()to include that item as a filter or click the red minus button () to exclude that item as a filter. For more details, see Filtering using facets.