Fortinet black logo

Administration Guide

eXtended Detection Source Integration

Copy Link
Copy Doc ID 82fbe02c-e479-11eb-97f7-00505692583a:176732
Download PDF

eXtended Detection Source Integration

To connect to external systems in order to collect activity data, you must add a new connector for extended detection, which will automatically collect activity logs and activity data from external systems. Currently, this feature connects to a FortiAnalyzer device type, which collects the logs from other systems, such as firewalls, Active Directory and other security products. The aggregated data is then being sent to Fortinet Cloud Services (FCS) where it is correlated and analyzed to detect malicious indications that will result in security events of eXtended Detection policy rule violations.

Before you start configuring FortiAnalyzer configuration, verify that:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to FortiAnalyzer. Details about how to install a FortiEDR Core and configure it as a JumpBox are provided in Installing the FortiEDR Core. You may refer to Cores for more information about configuring a JumpBox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS).
  • You have a FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.
To set up an extended detection connector with FortiEDR:
  1. Click the button and select eXtended Detection Source in the Connectors dropdown list.

    The following displays:

  2. Fill in the following fields: eXtended Detection Source Enabled: Check this checkbox to enable blocking of malicious IP addresses by FortiAnalyzer.

    Field

    Definition

    JumpBoxSelect the FortiEDR JumpBox that will communicate with the sandbox.
    NameSpecify a name of your choice which will be used to identify this sandbox.
    TypeSelect the type of sandbox to be used in the dropdown list.
    HostSpecify the IP or DNS address of your sandbox.
    PortSpecify the port that is used for API communication with your sandbox.
    API Key/CredentialsSpecify authentication details of your sandbox. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the sandbox API username and password.
  3. Click Save.

In order to complete eXtended Detection Source integration, the eXtended Detection rules must be enabled with the FortiEDR Central Manager, as follows.

Enabling eXtended Detection Rules
To enable the eXtended Detection rules:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the eXtended Detection policy that is applied on devices on which you want the eXtended detection policy to apply and click the Disabled button next to each of the underlying rules to enable it, as shown below:

FortiEDR is now configured to issue eXtended Detection alerts.

eXtended Detection Source Integration

To connect to external systems in order to collect activity data, you must add a new connector for extended detection, which will automatically collect activity logs and activity data from external systems. Currently, this feature connects to a FortiAnalyzer device type, which collects the logs from other systems, such as firewalls, Active Directory and other security products. The aggregated data is then being sent to Fortinet Cloud Services (FCS) where it is correlated and analyzed to detect malicious indications that will result in security events of eXtended Detection policy rule violations.

Before you start configuring FortiAnalyzer configuration, verify that:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to FortiAnalyzer. Details about how to install a FortiEDR Core and configure it as a JumpBox are provided in Installing the FortiEDR Core. You may refer to Cores for more information about configuring a JumpBox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS).
  • You have a FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.
To set up an extended detection connector with FortiEDR:
  1. Click the button and select eXtended Detection Source in the Connectors dropdown list.

    The following displays:

  2. Fill in the following fields: eXtended Detection Source Enabled: Check this checkbox to enable blocking of malicious IP addresses by FortiAnalyzer.

    Field

    Definition

    JumpBoxSelect the FortiEDR JumpBox that will communicate with the sandbox.
    NameSpecify a name of your choice which will be used to identify this sandbox.
    TypeSelect the type of sandbox to be used in the dropdown list.
    HostSpecify the IP or DNS address of your sandbox.
    PortSpecify the port that is used for API communication with your sandbox.
    API Key/CredentialsSpecify authentication details of your sandbox. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the sandbox API username and password.
  3. Click Save.

In order to complete eXtended Detection Source integration, the eXtended Detection rules must be enabled with the FortiEDR Central Manager, as follows.

Enabling eXtended Detection Rules
To enable the eXtended Detection rules:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the eXtended Detection policy that is applied on devices on which you want the eXtended detection policy to apply and click the Disabled button next to each of the underlying rules to enable it, as shown below:

FortiEDR is now configured to issue eXtended Detection alerts.