FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Luke_FTNT
Staff
Article Id 420624
Description: This article describes how to use Incident view, formerly known as Event Viewer, in FortiEDR Manager.
Scope: FortiEDR Manager version 7.2+.
Solution

This article covers several elements of the Incident view, including:

  1. Incident Statuses.
  2. Incident Type.
  3. Understanding Incident Aggregations.
  4. Incident Classifications.
  5. Security Rules.
  6. Incident Analysis.
  7. Exceptions.
  8. Incident Handling.
  9. Useful links for further information.

 

Incident Status Meanings:

  • Unhandled: New incident, no actions have been taken so far.
  • Handled: The incident has been handled.
  • In progress: The incident has been assigned to a member of the security team and is under review.

 

Incident Statuses.png

 

Incident Types:

  • All types: Displays all types of incidents.
  • Device Control: Will only display USB-based Device Control events.
  • Application Control: Application control events only.
  • Threat Hunting Detection: Incidents that were generated via a Scheduled Query in Threat Hunting.

 

incident-types.png

 

Understanding Incident Aggregation:

Incidents are now aggregated into a hierarchical structure based on the process name. It is important to note that the top-level incident no longer stands in for its sub-incidents; it is instead represented as its own incident entity. Incidents are no longer 'aggregated' based on classification or rules, as they were in FortiEDR version 6.2 and earlier.

 

The drop-down button (1) will expand the incident, offering more insights into the incident itself.

 

The classification (2) represents the individual incident. When expanding the incident to display its child incidents, it is expected that the severity level may differ among them. This is normal behavior because each incident may be triggered by different rules, resulting in different classifications:

 

incidents-aggregations.png

 

Incident Classification:

 

Classifications can come from two sources: an administrator or Fortinet (FortiEDR Core and/or Fortinet Cloud Services (FCS)).

 

Classifications are a guide for incident analysis and prioritization. An event classified as likely safe is not as urgent as an event that has received a 'Malicious' classification from Fortinet Cloud Services, for example.

 

'Fortinet' (aka Core) will likely be the first classification source. Later on, Fortinet Cloud Services will provide a classification verdict. This can be changed by a security administrator.

 

Each incident may be reclassified at a later time by selecting the 'Handle Incident' button.

 

incidents-classifications.png

 

The following classification levels can be applied:

 

  • Malicious: events that are verified to have malicious capability and are intended to harm the infected device.
  • Suspicious: an event that behaves in ways that strongly indicate malware, but is not verified as malware.
  • Inconclusive: further investigation is required to determine if the event is malicious.
  • PUP: an event triggered by applications that are bundled with legitimate software that can be used for malicious purposes.
  • Likely safe: events that probably carry no risk, and are most likely safe.
  • Safe: events triggered by legitimate software that was intentionally used.

 

incident-classifications-2.png

incident-classification-search.png

 

Security Rules:

Security rules are divided into two groups: pre-execution (included in the Execution Prevention policy) and post-execution (included in the Exfiltration Prevention and Ransomware Prevention policies).

  • Pre-execution protection prevents the execution of the threat.
  • Post-execution protection stops the detected activity after it has already begun executing.
  • A list of triggered security rules is provided.

 

incident-security-rules-overview.png

 

Incidents-security-rules-audit.png

 

Incident Analysis:

The Incident analysis pane contains the following data: event graph, automated analysis information, and general information.

  • The general information pane contains data about the source device, the source process, time and date details, and the incident response log.
  • The Investigation View graph visualizes the execution chain.
  • Automated analysis contains file/memory/network reputation data, acquired from Fortinet Cloud Services for XDR events, as well as data fetched from the data lake.

 

incident-analysis.png

 

The event analysis view provides extended event details, based on the Threat Hunting data:

  • Event analysis view provides manual response capabilities: device isolation, process termination, file removal, etc.
  • The Event analysis view graph can be enriched with events stored in the Threat Hunting Repository.

 

Incident-Analysis-pt2.png

 

Exceptions:

Exceptions are used to whitelist false positive incidents:

  • Exceptions are applied to the specific rule/rules triggered in the event.
  • It is recommended to make each exception as specific as possible.
  • Exceptions set up in the system are stored under the exceptions manager.
  • In some cases, Fortinet Cloud Services may automatically create an exception for the event and move it into the archive.
  • Exceptions created by Fortinet Cloud Services are marked 'by: FortinetCloudServices'.

 

exception-manager.png

 

Exceptions Setup:

It is recommended to define the path for the selected exception processes:

  • The 'When created by' (1) field represents the parent process that triggered the detected one.
  • If the event was triggered with a script, set the script as an additional exception condition.
  • If legitimate scripts are generated with random names, it is possible to use * (2) to whitelist various scripts.

 

exceptions-setup.png

 

Exception Setup:

If the event was triggered by a command execution, the command line should be selected as a condition.

Conditions support two options: 'exact match' and 'contains'.

  • With 'exact match', the system automatically populates the whole command as a condition.
  • With 'contains', part of the command can be specified as a condition.

 

exceptions-setup-pt2.png

 

It is recommended to set up each exception to be as specific as possible: define the exception application scope with collector, groups, destinations, and users:

  • For non-network events, select 'all destinations'.
  • For network events, instead of single IP addresses, IP sets can be used (under Administration -> IP sets).

 

exceptions-setup-pt3.png

 

If the exception does not cover all events, a specific icon for the exception will be shown (1).

  • This icon means that one or several events included in the incident are not covered by the exception, and those events will be triggered again in the future.
  • Adjust the exception or add another exception to cover all events.
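As an added illustration (not FortiEDR's own code or matching logic), the following Python model captures the exception conditions described above: the 'When created by' parent process, the * wildcard for randomly named scripts, the 'exact match' and 'contains' command-line options, and a coverage check that reports which events an exception would still leave uncovered. The rule name, paths and events are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass, field

# Hypothetical model of FortiEDR-style exception matching (constructed, not product code).
@dataclass
class Event:
    rule: str              # triggered security rule
    process: str           # path of the detected process
    parent: str            # 'When created by' parent process
    command_line: str
    script: str = ""       # script that launched the process, if any
    destination: str = ""  # remote address for network events, empty otherwise

@dataclass
class RuleException:
    rules: set
    process: str
    parent: str
    cmd_match: str = "exact"        # 'exact' or 'contains'
    cmd_value: str = ""             # empty means no command-line condition
    script_pattern: str = None      # glob such as C:\Scripts\*.ps1, None = no condition
    destinations: set = field(default_factory=lambda: {"all"})

    def covers(self, ev):
        if ev.rule not in self.rules:
            return False
        if ev.process.lower() != self.process.lower() or ev.parent.lower() != self.parent.lower():
            return False
        if self.script_pattern is not None and not fnmatch.fnmatch(ev.script.lower(), self.script_pattern.lower()):
            return False
        if self.cmd_value:
            if self.cmd_match == "exact" and ev.command_line != self.cmd_value:
                return False
            if self.cmd_match == "contains" and self.cmd_value not in ev.command_line:
                return False
        return "all" in self.destinations or ev.destination in self.destinations

def uncovered_events(exc, events):
    """Events the exception would not suppress: the 'partially covered' icon case."""
    return [e for e in events if not exc.covers(e)]

# Constructed sample: a scheduled task launching randomly named PowerShell scripts.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASK = r"C:\Windows\System32\svchost.exe"
RULE = "Suspicious Script Execution"  # constructed rule name
EVENTS = [
    Event(RULE, PS, TASK, "-File C:\\Scripts\\a8f3.ps1", r"C:\Scripts\a8f3.ps1"),
    Event(RULE, PS, TASK, "-File C:\\Scripts\\c91e.ps1", r"C:\Scripts\c91e.ps1"),
    Event(RULE, PS, TASK, "-EncodedCommand SQBFAFgA", ""),  # no script file: stays uncovered
]
EXC = RuleException({RULE}, PS, TASK, cmd_match="contains",
                    cmd_value="-File C:\\Scripts\\", script_pattern=r"C:\Scripts\*.ps1")
```

Running `uncovered_events(EXC, EVENTS)` returns only the encoded-command event, which is the situation where the exception must be adjusted or a second exception added.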

 

exceptions-setup-pt4.png

 

Event Handling:

Reclassifying events is optional, but considered good practice.

  • 'Safe' classification must be coupled with an exception (1).

 

Exceptions are required to prevent recurrence of the same events:

  • Once event processing is finished, set the event status to 'Handled'.
  • Event reclassification is not propagated to Fortinet Cloud Services.
  • If a recurring false positive is encountered, contact Fortinet technical support for assistance.

 

event-handling.png

 

Related documents: