Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiEDR/XDR 6.2.0 Administration Guide
    6.2.0
    6.2.0
    6.0.0
    5.2.1
    5.2.0
    5.1.0
    5.0.0
    4.2.0
    4.1.1
    4.1.0

    Defining security event exceptions

    Defining security event exceptions

    Exceptions enable you to limit the enforcement of a rule, meaning to create an allowlist for a specific flow of security events that was used to establish a connection request or perform a specific operation.

    FortiEDR exception management is highly flexible and provides various options that enable you to define pinpointed, granular exceptions. You can access the Exception Manager by clicking the Exception Manager button at the top of the Events pane or by selecting SECURITY SETTINGS > Exception Manager. Additional options for managing exceptions are provided in the SECURITY SETTINGS tab, as described in Exception Manager.

    An exception that applies to a security event can result in the creation of several exception pairs. An exception pair specifies the rule that was violated and the process on which the violation occurred, including or excluding its entire location path. For more details, see Playbook policies

    After an exception is defined for a security event, new identical events will no longer be triggered and different indication icons are added to existing events, depending on the exception's coverage of the raw data items in the events:

    • Security events fully covered by the exception have the icon to indicate that an exception has already been defined (although the exception was created after the event occurred) and there is no need to create another exception for them. The indication icon does not refresh afterward when new raw data items uncovered by the exception come in.

    • If the exception does not fully cover all the existing occurrences or raw data items of an event, the icon is displayed.

    The following sections describe how to create a new exception and how to edit an existing one:

    Previous
    Next

    Defining security event exceptions

    Defining security event exceptions

    Exceptions enable you to limit the enforcement of a rule, meaning to create an allowlist for a specific flow of security events that was used to establish a connection request or perform a specific operation.

    FortiEDR exception management is highly flexible and provides various options that enable you to define pinpointed, granular exceptions. You can access the Exception Manager by clicking the Exception Manager button at the top of the Events pane or by selecting SECURITY SETTINGS > Exception Manager. Additional options for managing exceptions are provided in the SECURITY SETTINGS tab, as described in Exception Manager.

    An exception that applies to a security event can result in the creation of several exception pairs. An exception pair specifies the rule that was violated and the process on which the violation occurred, including or excluding its entire location path. For more details, see Playbook policies

    After an exception is defined for a security event, new identical events will no longer be triggered and different indication icons are added to existing events, depending on the exception's coverage of the raw data items in the events:

    • Security events fully covered by the exception have the icon to indicate that an exception has already been defined (although the exception was created after the event occurred) and there is no need to create another exception for them. The indication icon does not refresh afterward when new raw data items uncovered by the exception come in.

    • If the exception does not fully cover all the existing occurrences or raw data items of an event, the icon is displayed.

    The following sections describe how to create a new exception and how to edit an existing one:

    Previous
    Next