Administration Guide

Using FortiEDR - Workflow

The following is a general guideline to the workflow for using FortiEDR and indicates which steps are optional.

Setup Workflow Overview

The following describes the workflow for getting FortiEDR up and running in your organization:

  1. Installing: Install all FortiEDR components, as described in Deploying FortiEDR Collectors and Appendix C – ON PREMISE DEPLOYMENTS.
  2. Reviewing the Inventory: Review the health status and details of all the FortiEDR components in the Dashboard and Inventory. FortiEDR Collectors are automatically assigned FortiEDR’s default policies.
  3. [Optional] Modifying the FortiEDR Policies: By default, the FortiEDR policies are ready to log out-of-the-box. If needed, use the Security Settings to modify the default policies for blocking and/or to create additional policies.
  4. [Optional] Defining Collector Groups: By default, the FortiEDR default policies are assigned to a default Collector Group that contains all FortiEDR Collectors. Policies in FortiEDR are assigned per Collector Group. You can define additional Collector Groups in Inventory and then assign the required policy to each Collector Group (see Assigning a Security Policy to a Collector Group).
  5. [Optional] Administration: The FortiEDR system installs with a single administrator user. This user can:
    • Create additional users of the FortiEDR Central Manager.
    • Define the recipients to receive email notifications of FortiEDR events.
    • Configure a SIEM to receive notifications of FortiEDR events via Syslog.

Ongoing Workflow Overview

The following is the workflow for monitoring and handling FortiEDR security events on an ongoing basis:

  • Monitoring: Monitor and analyze the events triggered by FortiEDR in the:
  • [Optional] Creating Event Exceptions: FortiEDR precisely pinpoints interesting system events. However, if needed, you can create exceptions in order to stop certain events from being triggered for certain IP addresses, applications, protocols and so on. See Playbook Policies.
  • [Optional] Handling Events: Mark security events that you have handled and optionally describe how they were handled. See Marking a Security Event as Handled/Unhandled.
  • [Optional] Forensics (page 153): This licensed add-on enables deep investigation into a security event, including the actual internals of the communicating devices’ operating system.
