FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
YehonatanA
Staff
Article Id 372749
Description

This article describes how to delete a file using FortiEDR Threat Hunting Remediation and Playbook action configuration.

Scope

FortiEDR.

Solution

Deleting files from registered devices using Threat Hunting Queries:

In most cases, there is no dedicated tool designed specifically to delete files from registered devices. However, organizations can leverage Threat Hunting Queries to track and monitor specific files based on their attributes and activity.

How Threat Hunting Queries can help:

Threat Hunting Queries make it possible to detect files by analyzing file-related attributes, such as:

  • File names.
  • Hash values (e.g., MD5, SHA256).
  • File locations.

If a file is detected engaging in suspicious or malicious activities, the query will trigger a security event that is automatically logged in the Event Viewer.

Steps to track suspicious files:

  1. Create a Threat Hunting Query targeting the specific file(s) or their related attributes.
  2. Monitor the activity logs for any matches in the Event Viewer.
  3. Investigate the triggered security events to confirm whether the file requires further action (Forensics action: Remediate), or configure an automatic action using a Playbook.

Event Viewer integration:

When a file triggers an event through Threat Hunting, it appears as a security event in the Event Viewer. By selecting the event ID and opening the selected event under 'Investigation View', the user can choose a specific file from the process tree and delete it by selecting 'Remediation'.

(Screenshot: Choose an event for Investigation View)

(Screenshot: Investigation View - Remediate)

Another effective approach to deleting files from registered devices is through Playbook configuration. While there is no dedicated tool designed specifically to delete files directly from endpoints, combining Playbooks with Threat Hunting Queries offers a practical way to manage and address unwanted or suspicious files.

Playbook configuration for file deletion:

Delete file action:

This action ensures that the file does not attempt to exfiltrate data again, as the file is permanently removed from the device. This action can also be performed manually using the Forensics add-on, as described in Remediating a device upon malware detection.

A checkmark in a classification column means that the affected file is automatically removed from the device when a security event with that classification is triggered.

In the management console, go to Security Settings -> Playbooks. Locate and edit the desired playbook. Ensure that the configured playbook is properly associated with the corresponding collector group to guarantee effective execution.

(Screenshot: Remediate - Delete file)
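As an added illustration (not FortiEDR's own code or query syntax), the following Python models the flow described above: a hunting query matching a file by name, hash or location, and a playbook's Delete file checkmark per classification deciding whether a matched file is removed automatically. The class names, sample paths and hash values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Illustrative model only; FortiEDR's real query syntax and playbook schema are not reproduced.
@dataclass(frozen=True)
class HuntQuery:
    """Attributes a Threat Hunting Query can match on."""
    names: FrozenSet[str] = frozenset()      # file names, case-insensitive
    hashes: FrozenSet[str] = frozenset()     # MD5 or SHA256 hex, lowercase
    locations: FrozenSet[str] = frozenset()  # directory prefixes, case-insensitive

@dataclass(frozen=True)
class FileEvent:
    path: str            # full path of the file on the registered device
    sha256: str
    classification: str  # classification shown in the Event Viewer

def hunt_matches(query: HuntQuery, ev: FileEvent) -> bool:
    """True if any configured attribute of the query matches the event's file."""
    norm = ev.path.replace("\\", "/").lower()
    folder, _, name = norm.rpartition("/")
    return (name in {n.lower() for n in query.names}
            or ev.sha256.lower() in query.hashes
            or any((folder + "/").startswith(loc.replace("\\", "/").lower().rstrip("/") + "/")
                   for loc in query.locations))

# Playbook rows: classification -> the actions that carry a checkmark.
Playbook = Dict[str, FrozenSet[str]]

def auto_delete_targets(query: HuntQuery, events: List[FileEvent],
                        playbook: Playbook) -> List[str]:
    """Files the playbook would remove automatically (and irreversibly).
    Only the plan is returned; nothing is deleted here."""
    return [ev.path for ev in events
            if hunt_matches(query, ev)
            and "Delete file" in playbook.get(ev.classification, frozenset())]

# Constructed sample data (hashes are placeholders, not real indicators).
QUERY = HuntQuery(names=frozenset({"updater.exe"}),
                  hashes=frozenset({"0" * 64}),
                  locations=frozenset({r"C:\Users\Public\Downloads"}))
PLAYBOOK: Playbook = {"Malicious": frozenset({"Delete file", "Isolate device"}),
                      "Suspicious": frozenset({"Notify"})}
EVENTS = [
    FileEvent(r"C:\Users\Public\Downloads\dropper.tmp", "a" * 64, "Malicious"),
    FileEvent(r"C:\Program Files\Vendor\updater.exe", "b" * 64, "Suspicious"),
    FileEvent(r"C:\Windows\Temp\x.bin", "0" * 64, "Malicious"),
    FileEvent(r"C:\Windows\System32\svchost.exe", "c" * 64, "Malicious"),
]
```

Running `auto_delete_targets(QUERY, EVENTS, PLAYBOOK)` lists only the two Malicious matches; the Suspicious updater.exe matches the hunt by name but is not deleted because its playbook row has no Delete file checkmark.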

Important notice:

When a file is deleted using the Remediate option, it is permanently removed from the disk. This action is irreversible, and no recovery of the deleted file will be possible. Make sure to thoroughly verify the file's status and necessity before proceeding with this option to avoid unintentional data loss.

Related documents:

  • Playbook policy actions.
  • Filters.
  • Investigation View.