FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
david_pereira
Staff & Editor
Article Id 424523
Description This article describes the differences between alerts and events in FortiEDR and how they correlate to each other.
Scope FortiEDR.
Solution

When reviewing security events, it is essential to have enough information to determine an appropriate course of action without being overwhelmed by excessive detail. FortiEDR addresses this challenge by aggregating security event data, allowing analysts to begin with high-level alerts and drill down into detailed information only when necessary.

For example, imagine a piece of malware is triggered on three separate devices. Each time the malicious process runs on a new device, a separate event is generated. When events are aggregated by process, all related activity is consolidated into a single alert: three individual events rolled up into one.

Similarly, if that malware attempts to communicate over the network, it may try to connect to multiple destinations. Each connection attempt to a new destination generates a separate raw event. These raw events are then aggregated into a single event, and at the highest level, those events are further consolidated into alerts.
This layered aggregation model helps security teams quickly identify significant threats, reduce alert fatigue, and efficiently investigate incidents with the appropriate level of detail.
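To make the layered model concrete, here is an added Python illustration (not FortiEDR code; the field names, process names, host names and addresses are all constructed) that rolls raw events up into events per process and device, then into one alert per process, and lets an analyst drill back down from an alert to its events:

```python
from collections import defaultdict

# Constructed raw events: one per process execution (no destination) or per
# connection attempt (one destination each). Field names are assumptions for
# this illustration, not FortiEDR's actual event schema.
RAW_EVENTS = [
    {"device": "host-01", "process": "updater.exe", "destination": None},
    {"device": "host-01", "process": "updater.exe", "destination": "203.0.113.10"},
    {"device": "host-01", "process": "updater.exe", "destination": "203.0.113.11"},
    {"device": "host-02", "process": "updater.exe", "destination": None},
    {"device": "host-02", "process": "updater.exe", "destination": "203.0.113.10"},
    {"device": "host-03", "process": "updater.exe", "destination": None},
    {"device": "host-01", "process": "notepad.exe", "destination": None},
]


def aggregate_events(raw_events):
    """Level 1: collapse raw events into one event per (process, device)."""
    events = {}
    for raw in raw_events:
        key = (raw["process"], raw["device"])
        ev = events.setdefault(key, {"process": raw["process"], "device": raw["device"],
                                     "raw_count": 0, "destinations": set()})
        ev["raw_count"] += 1
        if raw["destination"]:
            ev["destinations"].add(raw["destination"])
    return list(events.values())


def aggregate_alerts(events):
    """Level 2: collapse events into one alert per process across all devices."""
    alerts = {}
    for ev in events:
        al = alerts.setdefault(ev["process"], {"process": ev["process"], "devices": set(),
                                               "event_count": 0, "destinations": set()})
        al["event_count"] += 1
        al["devices"].add(ev["device"])
        al["destinations"] |= ev["destinations"]
    return list(alerts.values())


def drill_down(alert, events):
    """Return the detailed events behind one alert, in the order they were built."""
    return [ev for ev in events if ev["process"] == alert["process"]]


def triage(raw_events):
    """Return (alerts, events): start at alerts, drill into events only when needed."""
    events = aggregate_events(raw_events)
    return aggregate_alerts(events), events
```

With the constructed input, seven raw events become four events and two alerts; the updater.exe alert spans three devices and two destinations.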

The picture below shows the Alerts/Events correlation at a high level.

[Image: Alerts and Events.jpg]