FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Nishtha_Baria
Article Id 276362
Description: This article describes how to configure a security event exception in FortiEDR to whitelist a specific process and behavior for improved threat detection and management.
Scope: FortiEDR.
Solution

Configuring security event exceptions allows administrators to whitelist specific processes and behaviors, reducing false positives and enhancing threat detection accuracy.

Follow these steps to configure a security event exception in FortiEDR:


  1. Review Security Event: In the FortiEDR GUI, review the security event for which an exception is to be created. In this example, 'Event ID 924458', which corresponds to the 'winhttp.dll' process, is used.
  2. Navigate to Exception Manager: Select the specific event, in this case 'Event ID 924458', and select 'Exception Manager' to open the exception configuration.
  3. Configure Exception Parameters: In the Exception Manager, configure the following parameters:
  •  Collector Group: Select the collector group to which this exception should apply.
  •  Destination: Specify the destination for this exception.
  •  User: This option may be greyed out in some cases, for example when the process is triggered by the system itself rather than by a logged-in user. FortiEDR learns parameters, including users, from collected events.
  •  Apply exception to: Define the specific process and path for the exception. In this example, specify 'winhttp.dll' and set the path to '\Windows\System32' when created by 'explorer.exe'.
  4. Save the Exception: After configuring the exception parameters, select 'Save' or 'Apply' to save the exception configuration.
  5. Additional Considerations: It is important to also select the parent process, 'explorer.exe', because known malware may disguise itself as 'winhttp.dll', especially when it is not located in the C:\Windows\System32 folder. Scoping the exception to the process, its path and its parent keeps it from also covering such look-alikes.
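Why scoping the exception by path and parent process matters, shown with a small Python model added here (an illustration only, not FortiEDR's own matching logic): the exception from steps 3 and 5 is run over two constructed events, the legitimate one from the article and a look-alike 'winhttp.dll' reported from a non-system folder. A rule keyed on file name alone silences both; the tightly scoped rule silences only the legitimate event. The class and function names, the second event, its path and its parent are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    process: str   # flagged file name, e.g. 'winhttp.dll'
    path: str      # directory the file was loaded from
    parent: str    # process that created it

def norm_dir(p: str) -> str:
    """Lower-case and drop the drive/root so '\\Windows\\System32' as typed in
    the Exception Manager equals 'C:\\Windows\\System32' as reported by a collector."""
    pw = PureWindowsPath(p)
    parts = pw.parts[1:] if pw.anchor else pw.parts
    return "\\".join(s.lower() for s in parts)

@dataclass(frozen=True)
class EventException:
    process: str
    path: Optional[str] = None     # None = any location (loosely scoped)
    parent: Optional[str] = None   # None = any parent (loosely scoped)

    def matches(self, ev: SecurityEvent) -> bool:
        # Windows file and process names are case-insensitive; compare normalised.
        if ev.process.lower() != self.process.lower():
            return False
        if self.path is not None and norm_dir(ev.path) != norm_dir(self.path):
            return False
        if self.parent is not None and ev.parent.lower() != self.parent.lower():
            return False
        return True

def suppressed_ids(exc: EventException, events) -> list:
    """Event IDs the exception would silence; every other event still raises."""
    return [ev.event_id for ev in events if exc.matches(ev)]

# Constructed sample events (hypothetical values, not taken from a real tenant).
EVENTS = [
    SecurityEvent(924458, "winhttp.dll", r"C:\Windows\System32", "explorer.exe"),
    SecurityEvent(924459, "winhttp.dll", r"C:\ProgramData\tmp", "other.exe"),
]

LOOSE = EventException("winhttp.dll")                       # file name only
TIGHT = EventException("winhttp.dll", path=r"\Windows\System32", parent="explorer.exe")

if __name__ == "__main__":
    print("loose:", suppressed_ids(LOOSE, EVENTS))   # [924458, 924459]
    print("tight:", suppressed_ids(TIGHT, EVENTS))   # [924458]
```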


Configuring security event exceptions in FortiEDR allows administrators to whitelist specific processes and behaviors, improving threat detection accuracy and reducing false positives.

By following these steps, FortiEDR administrators can create exceptions for events triggered by legitimate processes while maintaining robust endpoint security.