Some announcements about the FortiEDR 5.0 console have already gone out, and we wanted to provide more detail on writing more secure exceptions. In 5.0, FortiEDR introduced the ability to scope an exception to a User in addition to the Collector Group and Destination. This is especially useful when you are writing an exception for PowerShell and only certain users run PowerShell scripts. Below we also give a brief overview of why dependencies matter for triggered events.

These additional features are only usable once all collectors for a given OS have been upgraded to 5.0. For example, every Windows collector in the organization must be at 5.0, regardless of which group it belongs to; Mac OS and Linux collectors do not need to be at 5.0 for you to write exceptions for Windows collectors.

Everyone who has written an exception so far is familiar with the triggered rule section. It lets you choose the executable or DLL, the path, and possibly the script for which the exception is defined. In the 5.0 console you can now place dependencies on these, meaning you can say “I want to allow cscript.exe to run from the \Windows\System32 path, using test123.vbs as the script, and only when it was created by svchost.exe.” Previously you could only say “I want to allow cscript.exe to run on a given path, or test123.vbs as the script.” Writing exceptions with dependencies ultimately makes them more secure, so please use them whenever possible.
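To make the difference concrete, here is a small added model (not FortiEDR's own matching code; the field names and the sample events are assumptions constructed for this illustration) that evaluates the cscript.exe example above against a pre-5.0 style exception and a 5.0 style exception with a dependency, user and collector group. The same activity is allowed by both, but only the older, broader exception also allows cscript.exe runs the admin never meant to permit.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of exception scope; not FortiEDR's own matching logic.
@dataclass(frozen=True)
class Event:
    process: str            # executable that triggered the rule
    path: str               # directory it ran from
    script: Optional[str]   # script passed to it, if any
    parent: str             # process that created it (the dependency)
    user: str               # account that ran it
    collector_group: str    # collector group the endpoint belongs to

@dataclass(frozen=True)
class Allow:
    """An exception: every field that is set must match the event (case-insensitive)."""
    process: str
    path: Optional[str] = None
    script: Optional[str] = None
    parent: Optional[str] = None
    user: Optional[str] = None
    collector_group: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        for field in ("process", "path", "script", "parent", "user", "collector_group"):
            want = getattr(self, field)
            if want is not None and (getattr(ev, field) or "").lower() != want.lower():
                return False
        return True

def allowed(rules: List[Allow], ev: Event) -> bool:
    """True if any exception in the list covers the event."""
    return any(r.matches(ev) for r in rules)

# Pre-5.0 style: cscript.exe on a path, or cscript.exe with a script, no dependency.
OLD_RULES = [Allow("cscript.exe", path=r"\Windows\System32"),
             Allow("cscript.exe", script="test123.vbs")]
# 5.0 style: same activity, but only when created by svchost.exe, run by one
# account (assumed name), on one collector group (assumed name).
NEW_RULES = [Allow("cscript.exe", path=r"\Windows\System32", script="test123.vbs",
                   parent="svchost.exe", user="svc_backup", collector_group="Servers")]

# Constructed sample events, not real telemetry.
EXPECTED = Event("cscript.exe", r"\Windows\System32", "test123.vbs", "svchost.exe", "svc_backup", "Servers")
OTHER_SCRIPT = Event("cscript.exe", r"\Windows\System32", "other.vbs", "winword.exe", "jdoe", "Workstations")
OTHER_PATH = Event("cscript.exe", r"\Users\Public", "test123.vbs", "explorer.exe", "jdoe", "Workstations")

if __name__ == "__main__":
    for name, ev in [("expected", EXPECTED), ("other_script", OTHER_SCRIPT), ("other_path", OTHER_PATH)]:
        print(f"{name:13} old={allowed(OLD_RULES, ev)!s:5} new={allowed(NEW_RULES, ev)}")
```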

Below is a screenshot showing an example of one of these next to the flow graph where you can see regsvr32.exe was created by helper.exe.

If you have questions about writing exceptions or need assistance with anything else related to FortiEDR, open a support case at https://myaccount.eatel.com and we’ll be happy to help.

Your VENYU Team