Threat Hunting Overview
Threat Hunting in FortiEDR is an extremely powerful feature that is easy to overlook, because users spend most of their time in the Event Viewer or Communication Control sections of the console. Threat Hunting provides insight into host activity that never produces an event in the Event Viewer, and that visibility is useful for a variety of use cases. Activity events that can be collected include, but are not limited to: File Detected, Process Creations, Driver Loaded, File Creates, File Deletes, Socket Connects, Keys Deleted (Registry), etc. For the full list of selectable activity events, navigate to Security Settings > Threat Hunting Settings and open the Comprehensive profile.
Modifying Threat Hunting Settings
There are three profiles (Inventory, Standard Collection, and Comprehensive) present by default in the Threat Hunting Settings section of the console. These built-in profiles cannot be edited, so if you wish to collect a custom set of activity events you will need to clone an existing profile. The Inventory profile is the default profile for all collector groups and has only three activity events selected for collection (screenshot below).
To clone a profile, select the profile you wish to clone and click the "stacked page" symbol in the top right of the profile. A new profile appears at the bottom of the list, named after the profile you cloned with "(clone)" appended. Rename it to match the task you are trying to solve. Next, click the "+" button, add the collector groups that should belong to the new profile, and click "Assign" (screenshot below). Because a collector group belongs to exactly one profile at a time, you will receive a confirmation prompt asking whether you are sure you want to move the selected collector groups from their current profile to the new one. Now that the new profile exists, check or uncheck whichever activity events you want to collect. Keep in mind that every additional activity event type increases the volume of data the collectors send and the console stores, so start from the profile closest to what you need. Once you save the profile (button in the bottom right-hand corner of the console), the collectors need a couple of minutes before the new activity events begin populating in the console.
Navigating Threat Hunting
Threat Hunting activity can be found by navigating to Forensics > Threat Hunting. When you first access Threat Hunting, the search results are unfiltered and show all activity event categories across all devices. You can filter results in a few different ways:
- Enter an expression in the search field (e.g. Type:"Process Creation" or Source.Process.Name:"svchost.exe"). You can also chain expressions together using AND/OR logic between them.
- Select individual entries (known as Facets) and click the green "+" button next to the entry (screenshot below). Once all desired facets have been selected, click the "Apply" button that appears on the right-hand side of the screen.
- Hover over entries in the table on the bottom half of the screen (known as the Activity Events Table) and click the green "+" button (screenshot below). With this method there is no need to apply the changes; they take effect automatically.
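To get a feel for how field:"value" terms combine under AND/OR before typing them into the console, here is an added example (not FortiEDR's own code or search engine) that parses expressions in that shape and runs them over a handful of constructed activity-event records. The grammar it assumes, AND binding tighter than OR, parentheses for grouping, and exact case-insensitive value matching, is an illustration only; confirm precedence and wildcard behaviour against the console itself.

```python
"""Evaluate FortiEDR-style Threat Hunting search expressions offline.

Added example, not part of the FortiEDR product. The grammar (AND binds
tighter than OR, exact case-insensitive value match) is an assumption.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Pred = Callable[[Event], bool]
Token = Tuple[str, ...]

# One token per match: a parenthesis, AND, OR, or a field:"value" term.
_TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|([A-Za-z][\w.]*):"([^"]*)")')


def tokenize(expr: str) -> List[Token]:
    """Split an expression into TERM, AND, OR and parenthesis tokens."""
    tokens: List[Token] = []
    pos = 0
    while expr[pos:].strip():
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse at: {expr[pos:]!r}")
        pos = m.end()
        if m.group(2):
            tokens.append(("TERM", m.group(2).lower(), m.group(3).lower()))
        else:
            tokens.append((m.group(1),))
    return tokens


class _Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*;
    and_expr := atom (AND atom)*; atom := TERM | '(' or_expr ')'."""

    def __init__(self, tokens: List[Token]) -> None:
        self.toks, self.i = tokens, 0

    def _peek(self) -> Optional[Token]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self) -> Optional[Token]:
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Pred:
        pred = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _or(self) -> Pred:
        left = self._and()
        while self._peek() == ("OR",):
            self._take()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self._and())
        return left

    def _and(self) -> Pred:
        left = self._atom()
        while self._peek() == ("AND",):
            self._take()
            left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self._atom())
        return left

    def _atom(self) -> Pred:
        tok = self._take()
        if tok == ("(",):
            inner = self._or()
            if self._take() != (")",):
                raise ValueError("missing closing parenthesis")
            return inner
        if tok and tok[0] == "TERM":
            _, field, value = tok
            return lambda ev: ev.get(field, "").lower() == value
        raise ValueError(f"expected a term, got {tok!r}")


def compile_query(expr: str) -> Pred:
    """Turn a search expression into a predicate over one activity event."""
    return _Parser(tokenize(expr)).parse()


def run_query(expr: str, events: List[Event]) -> List[Event]:
    """Return the events that match; field names are compared case-insensitively."""
    pred = compile_query(expr)
    return [ev for ev in events if pred({k.lower(): v for k, v in ev.items()})]


# Constructed sample activity events (not data from any real FortiEDR tenant).
SAMPLE_EVENTS: List[Event] = [
    {"Type": "Process Creation", "Source.Process.Name": "svchost.exe",
     "Target.Process.Name": "cmd.exe", "Device": "WS-01"},
    {"Type": "Process Creation", "Source.Process.Name": "explorer.exe",
     "Target.Process.Name": "powershell.exe", "Device": "WS-02"},
    {"Type": "Socket Connect", "Source.Process.Name": "svchost.exe",
     "Device": "WS-01"},
    {"Type": "File Create", "Source.Process.Name": "winword.exe",
     "Device": "WS-03"},
]

if __name__ == "__main__":
    query = 'Type:"Process Creation" AND Source.Process.Name:"svchost.exe"'
    for ev in run_query(query, SAMPLE_EVENTS):
        print(ev["Device"], ev["Type"], ev["Source.Process.Name"],
              "->", ev.get("Target.Process.Name"))
```

The precedence matters in practice: Type:"Process Creation" OR Type:"Socket Connect" AND Source.Process.Name:"winword.exe" is read here as "all process creations, plus socket connects from winword.exe", not "process creations or socket connects, only from winword.exe"; add parentheses whenever the intent is the second reading.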
If there is a particular query that you would like to run again in the future without re-creating the filter from scratch, you can save it by clicking the vertical ellipsis on the right-hand side of the screen next to the time filter and selecting "Save Query." Saving a query also lets you schedule it to run at set times and, if it finds a match, flag the result as an event in the Event Viewer (screenshot below). Saved queries are viewed from the same vertical ellipsis menu, which lets you run, edit, or remove them.
You can drill down into an individual activity event by clicking its row in the Activity Events Table. This expands a section on the right-hand side of the screen with more detail about the activity (screenshot below). The summary gives a quick view of the source process and target process; you can drill further into each by clicking through the choices at the top of the pop-out.