
Administration Guide

eXtended detection source integration


To collect activity data from external systems, you add a new connector for extended detection, which then automatically collects activity logs and activity data from those systems. Currently, this feature connects to a FortiAnalyzer device type, which itself collects logs from other systems, such as firewalls, Active Directory and other security products. The aggregated data is then sent to Fortinet Cloud Services (FCS), where it is correlated and analyzed to detect indications of malicious activity; these result in security events for eXtended Detection policy rule violations.

Prerequisites

Before you start configuring an eXtended detection source connector, verify you have the following:

  • A valid license for eXtended Detection Response—While you can create an eXtended detection source connector without a valid license for eXtended Detection Response, the license is required for a successful XDR definition.

  • A JumpBox with connectivity to the external detection source, such as FortiAnalyzer. Details about how to install a FortiEDR Core and configure it as a JumpBox are provided in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a JumpBox.
  • Connectivity from the FortiEDR Central Manager to the Fortinet Cloud Services (FCS).
  • A FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.
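The three prerequisites above that most often fail silently are the JumpBox's network path to FortiAnalyzer, the HTTPS endpoint itself, and whether the administrator account actually has JSON API access. The following pre-flight script is an added example, not Fortinet code and not part of the FortiEDR product. It assumes the FortiAnalyzer JSON-RPC API is served at https://<host>:<port>/jsonrpc and that a login is an "exec" call on the URL /sys/login/user; both are my reading of the FortiAnalyzer JSON API and should be confirmed against the FortiAnalyzer Administration Guide referenced above. The environment variable names (FAZ_HOST, FAZ_PORT, FAZ_USER, FAZ_PASS) are placeholders, and the two sample responses are constructed so the parser can be exercised offline.

```python
"""Pre-flight checks for the eXtended detection source prerequisites.

Added example, not Fortinet code. Assumes (to be verified against the
FortiAnalyzer Administration Guide) that the JSON-RPC API lives at
https://<host>:<port>/jsonrpc and that login is exec /sys/login/user.
Run it on the JumpBox, since that is the host that must reach FortiAnalyzer.
"""
import json
import os
import socket
import ssl
import urllib.request


def check_tcp_reachable(host, port, timeout=3.0):
    """True if this host can open a TCP connection to host:port; the first
    thing to rule out when the connector cannot talk to FortiAnalyzer."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


def build_login_request(username, password, request_id=1):
    """JSON-RPC login body for the account that needs JSON API access.
    Use a dedicated administrator account for the connector, not a
    shared or personal one, so its activity is attributable."""
    return {
        "id": request_id,
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": {"user": username, "passwd": password}}],
    }


def parse_login_response(body):
    """Classify a login response. Returns (ok, session, message)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, None, f"response is not JSON: {exc}"
    results = doc.get("result") or []
    status = results[0].get("status", {}) if results else {}
    code = status.get("code")
    if code != 0:
        # A non-zero status typically means bad credentials or an account
        # without JSON API access; the message text comes from the server.
        return False, None, f"login rejected: code={code} message={status.get('message')}"
    session = doc.get("session")
    if not session:
        return False, None, "login accepted but no session token returned"
    return True, session, "ok"


def probe_json_api(host, port, username, password, timeout=5.0):
    """Attempt a JSON API login over HTTPS with certificate verification on."""
    ctx = ssl.create_default_context()  # keep verification on for a log source
    payload = json.dumps(build_login_request(username, password)).encode()
    req = urllib.request.Request(
        f"https://{host}:{port}/jsonrpc", data=payload,
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_login_response(resp.read().decode("utf-8", "replace"))
    except OSError as exc:  # covers socket, TLS and HTTP errors
        return False, None, f"HTTPS request failed: {exc}"


# Constructed sample responses (not captured from a real device), used to
# exercise the parser offline.
SAMPLE_OK = json.dumps({
    "id": 1,
    "result": [{"status": {"code": 0, "message": "OK"}, "url": "/sys/login/user"}],
    "session": "CONSTRUCTED-SESSION-TOKEN",
})
SAMPLE_DENIED = json.dumps({
    "id": 1,
    "result": [{"status": {"code": -22, "message": "Login fail"}, "url": "/sys/login/user"}],
})


if __name__ == "__main__":
    # Placeholder variable names; set them in the environment before running.
    host = os.environ.get("FAZ_HOST", "faz.example.invalid")
    port = os.environ.get("FAZ_PORT", "443")
    print("tcp reachable:", check_tcp_reachable(host, port))
    user, passwd = os.environ.get("FAZ_USER"), os.environ.get("FAZ_PASS")
    if user and passwd:
        print("json api login:", probe_json_api(host, port, user, passwd))
    print("parser self-check:",
          parse_login_response(SAMPLE_OK)[0], parse_login_response(SAMPLE_DENIED)[0])
```

A TCP failure points at routing or firewall policy between the JumpBox and FortiAnalyzer; a TLS failure points at the FortiAnalyzer certificate not being trusted by the JumpBox; a rejected login with reachable transport is the case to check against the "JSON API access" setting on the administrator account.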

Setting up an extended detection connector with FortiEDR
  1. Click the Add Connector button and select eXtended Detection Source in the Connectors dropdown list.

    The following displays:

  2. Fill in the following fields:

     Field                              Definition
     eXtended Detection Source Enabled  Check this checkbox to enable blocking of malicious IP addresses by FortiAnalyzer.
     JumpBox                            Select the FortiEDR JumpBox that will communicate with the sandbox.
     Name                               Specify a name of your choice which will be used to identify this sandbox.
     Type                               Select the type of sandbox to be used in the dropdown list.
     Host                               Specify the IP or DNS address of your sandbox.
     Port                               Specify the port that is used for API communication with your sandbox.
     API Key/Credentials                Specify authentication details of your sandbox. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the sandbox API username and password.
  3. Click Save.

Setting up FortiEDR Central Manager

To complete the eXtended detection source integration, the eXtended detection rules and FortiEDR Threat Hunting event collection must be enabled in the FortiEDR Central Manager, as follows.

To enable eXtended detection rules:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the eXtended detection policy that is applied to the devices on which you want eXtended detection to apply, and click the Disabled button next to each of the underlying rules to enable it, as shown below:

To enable FortiEDR Threat Hunting events collection:
  1. Navigate to the SECURITY SETTINGS > Threat Hunting > Collection Profiles page.
  2. Open the Threat Hunting collection profile that is applied to the devices on which you want the eXtended detection policy to apply.
  3. Select the following event types on that profile:
    • Socket Connect
    • Process Creation
    • File Create
    • File Detected

FortiEDR is now configured to issue eXtended detection alerts.