FortiEDR’s Investigation Capabilities

By Sarbjeet posted Mar 17, 2022 11:36 AM


FortiEDR offers a single unified endpoint agent with machine learning Next Generation Anti-Virus (NGAV), application communication control, automated EDR, and XDR capabilities. All these features are configured and managed through a single, easy-to-use unified management console. FortiEDR is the only solution in the market to offer real-time post-execution prevention, which lets security analysts perform forensic investigations at their own pace without racing against time. The solution offers comprehensive protection against advanced persistent threats and massively reduces mean time to detection (MTTD) and mean time to remediate (MTTR).

The FortiEDR management console has multiple tabs controlling different features, but the event viewer tab is the most relevant one for security analysts: each investigation begins there, and its default view lists all unhandled events. Users can filter events by criteria such as unread, application control, or device control events, or view the archived events. The event viewer tab also lets security analysts group incidents by device or by process. The view in Figure 1 aggregates all incidents related to a single process observed across the entire organization, whereas Figure 2 shows an alert with incidents aggregated per device.

Figure 1: Process view groups all incidents related to a particular process across an organization into a single alert


Figure 2: Device view aggregates all incidents observed per device into a single alert


The event viewer tab also offers an advanced data pane that contains an event graph with a flow analyzer view and automated event analysis per alert. This aids forensic investigations by giving security analysts quick insight into the events. All this information is available within the same window, reducing investigation effort and time (Figures 3 and 4).

Figure 3: Automated Event Analysis

Figure 4: Event Graphs

The FortiEDR event viewer tab also guides security analysts on the next steps to follow to remediate the incident. Under the triggered rules pane, FortiEDR lists all the rules violated by an event and provides remediation steps per rule. FortiEDR also maps events to MITRE tactics and techniques to make investigations easier. In addition, the event viewer tab provides navigation options to run forensics and threat hunting for the selected event (Figure 5).

Figure 5: Guided Remediation, Threat Hunting, Forensics within Event Viewer Tab

Furthermore, security analysts can run forensics on an alert with multiple aggregated events at the same time. The forensics tab provides a detailed process-level view of each incident and accurately pinpoints the root cause (Figure 6).

Figure 6: Root Cause Analysis


To learn more about FortiEDR’s investigation capabilities, please watch this video on ransomware remediation, which is a great use case for the investigation capabilities mentioned above.