RiverChen
Staff
December 4, 2025

Technical Tip: FortiEDR threat hunting overview and best practices

Description: This article provides an overview of the Threat Hunting feature in FortiEDR.
Scope: FortiEDR Manager v7.2+.

Solution

  1. Data Retention.

Threat Hunting (TH) data retention depends on:

  • The amount of data collected.

  • The size of the cloud repository database.

  • The assigned collection profile.

  • Configured collection exclusions.

The repository size can be expanded through additional repository add-ons.
After collection settings are modified, it may take several hours for the retention period to be recalculated.

  2. Collection Profiles.

Collection profiles define which types of activity data are collected for Threat Hunting.
They are assigned at the collector-group level.

Available profile types:

  • Comprehensive: Collects all supported event types.

  • Standard / Inventory: Collect only a very limited set of event types.

  • Custom: Duplicate an existing profile and adjust it as needed.

When assigning Threat Hunting profiles, use the Standard profile at a minimum. Where possible, use a more extensive profile so that as much activity data as possible is collected for forensic purposes.

  3. Collection Exclusions.

Collection exclusions reduce the amount of data ingested into the TH repository.
They can be applied to:

  • Specific source or target attributes.

  • Certain event types.

  • Windows, Linux, and macOS collectors.

Practical example:

Tools such as TeamViewer and other remote-control utilities typically produce very high event volumes.
Excluding their paths or processes can significantly reduce the data load and extend retention.

  4. Search Queries.

Threat Hunting queries support:

  • Free-text search (1).

  • Field-specific conditions (2) (FortiEDR automatically suggests field names as you type).

  • Wildcards (1).

  • Logical operators: AND / OR / NOT.

For file paths, use double backslashes (3) (e.g., Users\\example\\file.exe).
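As an added example (not code from the article or from Fortinet), a small Python helper that composes Threat Hunting query strings following the rules above: field conditions, wildcards, AND / OR / NOT, and doubled backslashes in paths. The field names and the `Field: "value"` condition shape are assumptions, and the `AND NOT` clause mirrors the noisy-process exclusion mentioned earlier.

```python
"""Compose FortiEDR Threat Hunting query strings by hand, following the rules
this article lists: field conditions, wildcards, AND / OR / NOT, and double
backslashes in paths. Assumed, not from the article: the field names below and
the `Field: "value"` condition shape; use the field-name suggestions the search
box offers instead of these placeholders."""
import re

# Placeholder field names (assumed; not FortiEDR's documented names).
FIELD_PATH = "Target.Path"
FIELD_HASH = "Target.Hash"
FIELD_PROCESS = "Source.Process.Name"


def escape_path(path: str) -> str:
    """Double every backslash so the query treats it as a literal character.
    Already-doubled backslashes are collapsed first, so the call is idempotent."""
    return path.replace("\\\\", "\\").replace("\\", "\\\\")


def condition(field: str, value: str) -> str:
    """One field-specific condition; paths are escaped, wildcards (*) pass through."""
    if "\\" in value:
        value = escape_path(value)
    return f'{field}: "{value}"'


def ioc_query(hashes: list, paths: list, exclude_process: str = "") -> str:
    """OR a short IOC list into one query, optionally excluding a noisy process."""
    parts = [condition(FIELD_HASH, h) for h in hashes]
    parts += [condition(FIELD_PATH, p) for p in paths]
    query = "(" + " OR ".join(parts) + ")"  # parenthesised so AND NOT binds correctly
    if exclude_process:
        query += " AND NOT " + condition(FIELD_PROCESS, exclude_process)
    return query


def has_unescaped_backslash(query: str) -> bool:
    """Pre-save check: an odd-length run of backslashes means a path was not doubled."""
    return any(len(run) % 2 for run in re.findall(r"\\+", query))


if __name__ == "__main__":
    # Constructed sample IOCs, not real indicators.
    q = ioc_query(["a" * 64], [r"Users\example\file.exe", r"Users\*\Temp\*.exe"],
                  exclude_process="TeamViewer.exe")
    print(q)
    print("unescaped backslash:", has_unescaped_backslash(q))
```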


  5. Filters and Facets.

Filters and facets help refine Threat Hunting results:

  • Filters (1) narrow down results by categories, devices, or time.

  • Facets (2) act as 'quick' filters that further narrow the search.

Facet values are filled automatically based on the content of the TH repository.

Applied facets can be converted into query syntax.

  6. Scheduled Queries.

Any Threat Hunting query can be saved and scheduled.

Playbook actions can be configured as the response to detections from a scheduled query.
If a scheduled query detects new TH events, FortiEDR raises a new incident with the configured classification.

  7. Threat Intelligence Feed Integration.

FortiEDR supports importing external threat intelligence feeds through TAXII v1 and v2.

Once the configuration is complete, FortiEDR fetches the IOCs from the configured source and imports them.

  • Imported IOCs are automatically converted into Threat Hunting queries and saved in the 'saved queries' list with the 'Threat Intelligence Feed' tag (1).

  • Each 'Threat Intelligence Feed' query can be configured to run as a scheduled query (2).