Threat Hunting Profiles: data vs. retention length? Which one do you want?
Only collect what you want to collect. Legitimate processes can take up a large share of the storage because of the number of events they generate while being of no interest for analysis. You can create exclusions for these.
There are 3 default profiles: Inventory, Standard and Comprehensive.
Inventory Profile – Data retention is approximately 30 days.
Standard Profile – Retention is approximately 50% less than the Inventory profile (10-15 days). Intended for more sensitive machines (servers).
Comprehensive Profile – Retention is approximately 50% less than the Standard profile (<7 days). Should not be used except for extremely critical computers, a High Security Collector Group, or when you notice strange events on collectors (IoCs, Indicators of Compromise).
Recommended: define your own profile with only the activity event types that are needed.
Collection Exclusions (this applies only to Threat Hunting collection, not to system/security events). Exclusions let you configure rules for events that are of no interest, such as known noisy processes: legitimate applications that you know generate many events that are not useful for security analysis and that deplete the storage.
If you export the Threat Hunting events to CSV, or are looking at the Threat Hunting Events view, look for repetitive events. It's normal to see the same process a few times in a second; if you see the same process many times in a second (for example 50 times a second), this is excessive, and you can create an exclusion for it.
Please go to Security Settings > Threat Hunting > Collection Exclusions
Please review the admin guide on how to Define Collection Exclusions: https://docs.fortinet.com/document/fortiedr/5.2.0/administration-guide/633468/defining-collection-ex...
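The following is an added example, not part of the original post or of FortiEDR itself, showing how to find exclusion candidates in a CSV export instead of scrolling through it by eye. It buckets events per process and event type into one-second windows and reports any pair that reached the "50 times a second" rate mentioned above, plus each process's share of the total rows so you can see which exclusion would actually free storage. The column names (Time, Process, Event Type) and the timestamp format are assumptions; the sample export is constructed inline and should be replaced with your own file.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed column names and timestamp format; set them to the header row and
# time layout of your own Threat Hunting CSV export.
TIME_COL = "Time"
PROCESS_COL = "Process"
EVENT_COL = "Event Type"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def build_sample_csv():
    """Constructed sample export (not real FortiEDR data): one chatty backup
    agent firing 60 file events inside a single second, a browser at a
    normal 3 events/second, and a few one-off process creations."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    rows = []
    # Noisy but legitimate process: 60 events in the same second
    for i in range(60):
        rows.append((t0 + timedelta(milliseconds=i * 10),
                     r"C:\Program Files\Backup\agent.exe", "File Create"))
    # Normal chatter: 3 events per second across 5 seconds
    for s in range(5):
        for i in range(3):
            rows.append((t0 + timedelta(seconds=s, milliseconds=i * 200),
                         r"C:\Program Files\Browser\browser.exe", "Socket Connect"))
    # Sparse one-offs that must never be flagged
    for s in (2, 7, 9):
        rows.append((t0 + timedelta(seconds=s),
                     r"C:\Windows\System32\cmd.exe", "Process Creation"))
    rows.sort()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([TIME_COL, PROCESS_COL, EVENT_COL])
    for ts, proc, event in rows:
        writer.writerow([ts.strftime(TIME_FMT), proc, event])
    return buf.getvalue()


def events_per_second(csv_text):
    """Count rows per (process, event type) inside each one-second bucket."""
    buckets = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        second = datetime.strptime(row[TIME_COL], TIME_FMT).replace(microsecond=0)
        buckets[(row[PROCESS_COL], row[EVENT_COL], second)] += 1
    return buckets


def find_noisy_processes(csv_text, threshold=50):
    """Return {(process, event_type): peak_events_per_second} for every pair
    whose rate in some one-second window reached the threshold. The default
    of 50/sec is the figure given in the text; a few events per second is
    normal and is not reported."""
    peaks = defaultdict(int)
    for (proc, event, _second), n in events_per_second(csv_text).items():
        peaks[(proc, event)] = max(peaks[(proc, event)], n)
    return {key: peak for key, peak in peaks.items() if peak >= threshold}


def total_share(csv_text):
    """Fraction of all exported rows contributed by each process, highest
    first, to judge which exclusion would free the most storage."""
    counts = Counter(row[PROCESS_COL] for row in csv.DictReader(io.StringIO(csv_text)))
    total = sum(counts.values())
    return {proc: round(n / total, 3) for proc, n in counts.most_common()}


if __name__ == "__main__":
    sample = build_sample_csv()  # replace with open("export.csv").read()
    for (proc, event), peak in find_noisy_processes(sample).items():
        print(f"exclusion candidate: {proc} / {event} peaked at {peak} events/sec")
    for proc, share in total_share(sample).items():
        print(f"{share:6.1%}  {proc}")
```

Review the candidates before excluding them: a process that is legitimately noisy on one host may be the thing you want to see on another, so match the exclusion to the process path and event type rather than to a bare process name where the product allows it.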