This article describes how to locate blocked processes in the FortiEDR Event Viewer using the event's Raw ID shown in the FortiEDR Collector Tray App.
Scope
FortiEDR.
Solution
The FortiEDR Collector can notify users with a pop-up message whenever any prevention activity is detected.
This message contains details about the blocked process, including its PID and the relevant messages.
The PID is local to the endpoint on which the process was detected and is not sent to the Central Manager. For this reason, searching the Event Viewer by PID will not find the blocked event.
To locate the detected events in the Event Viewer, use the Raw ID instead to search for the matching events.
Steps to locate events in the Event Viewer based on the Raw ID in the FortiEDR Tray App:
Step 1: Note the process name and PID from the pop-up message.
Step 2: Double-click the FortiEDR icon in the system tray to open the FortiEDR Tray App.
Step 3: Identify the detected event by its PID and note the Raw ID.
Step 4: Go to the Event Viewer, search for the Raw ID, and locate the corresponding events.
Step 5: If the event is not found in the All view, switch to the Archived view (the All view does not include Archived events).
Note: The option 'Show a Pop-up Message for Any Prevention Activity' must be enabled for the pop-up message to be displayed.