Time to time, threat hunters are alerted to a new threat and will run a query within FortiEDR to see if it is present on any of their devices. They can simply add a title, a description, add applicable tags, and select the organization to apply this search. Further on they can select which category and devices to search, and input the search in Lucene syntax. They can also choose to share this search with the community before they create a schedule for that query. Along the way, they will select the classification they would like it to fall under along with when they would like to have it repeat the search (e.g. Daily, every hour, etc.).
Fig 1. Creating a custom and scheduled query
Now that this custom search is created it will alert the team by placing the alert in the event viewer when it sees a hit. It will inform the threat hunting team that the alert was generated from a “Scheduled Threat Hunting Query” in the “Triggered Rules” box on the right of the screen. These same threat hunters can see the related activity events by drilling down via the threat hunting tab, which appears on the right side of the green bar when one places the mouse over an alert. It is in that next screen that one can remediate any related issues quickly. With these tools at their fingertips, your threat hunting team can be proactive in response to a new issue that management is asking about.
Fig 2. A schedule and customized query generates a hit and filters it to the events view in FortiEDR
If you have been doing this long enough, you know that threats come and go. So instead of wading through old queries or ones that were not created correctly (e.g. incorrect Lucene syntax), an administrator can easily go and review and clean up their repository of custom and scheduled queries.