Administration Guide

How does FortiEDR work?

  1. The FortiEDR Collector collects OS metadata: A FortiEDR Collector runs on each communicating device in the organization and transparently collects OS metadata on the computing device.
  2. Communicating device makes a connection establishment request: When any connection establishment request is made on a device, the FortiEDR Collector sends a snapshot of the OS connection establishment, enriched with the collected OS metadata, to the FortiEDR Core. While the Core evaluates the request, FortiEDR holds it and does not allow the connection to be established.
  3. The FortiEDR Core identifies malicious requests: Using FortiEDR’s patented technology, the FortiEDR Core analyzes the collected OS metadata and enforces the policies.
  4. Pass or block: Only legitimate connections are allowed outbound communication. Malicious outbound connection attempts are blocked.
  5. Event generation: Each FortiEDR policy violation generates a real-time security event (alert) that is packaged with extensive device metadata describing the internals of the operating system leading up to the malicious connection establishment request. This security event is triggered by the FortiEDR Core and is viewable in the FortiEDR Central Manager console. FortiEDR can also send email alerts and/or be integrated with any standard Security Information and Event Management (SIEM) solution via Syslog.
  6. Forensic analysis: The Forensic Analysis add-on enables the security team to use the various options provided by the FortiEDR Central Manager console to delve deeply into the actual security event and the internal stack data that led up to it.
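The six steps above describe a hold-and-verdict pipeline: the collector snapshots the connecting process and its OS context, the core evaluates that snapshot against policy before the connection is released, and a violation becomes an enriched event that can be forwarded to a SIEM over Syslog. The following is an added simulation of that flow written for this page; it is not FortiEDR code, and the snapshot fields, the three policy rules, the process names and the RFC 5424 message layout are all assumptions chosen to illustrate the pattern. The sample snapshots are constructed, not captured data.

```python
"""Simulation of a collector -> core -> event -> syslog pipeline (illustrative, not FortiEDR's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConnectionSnapshot:
    """Metadata the (simulated) collector attaches to one outbound connect attempt."""
    host: str
    process_path: str
    process_signed: bool
    parent_chain: List[str]      # ancestor process names, nearest parent first
    loaded_modules: List[str]    # modules mapped into the connecting process
    dest_ip: str
    dest_port: int


@dataclass
class Verdict:
    allowed: bool
    rule: Optional[str] = None   # name of the rule that blocked the connection, if any


def evaluate_policy(snap: ConnectionSnapshot) -> Verdict:
    """Three illustrative rules (assumptions for this example, not FortiEDR policies)."""
    if not snap.process_signed:
        return Verdict(False, "unsigned-process-outbound")
    if snap.process_path.lower().endswith("powershell.exe") and any(
        p.lower() == "winword.exe" for p in snap.parent_chain
    ):
        return Verdict(False, "office-spawned-shell-outbound")
    if any(m.lower().endswith(".tmp") for m in snap.loaded_modules):
        return Verdict(False, "module-loaded-from-temp-file")
    return Verdict(True)


def build_event(snap: ConnectionSnapshot, verdict: Verdict, when: datetime) -> dict:
    """Package the verdict with the OS context that led up to the request."""
    return {
        "timestamp": when.isoformat().replace("+00:00", "Z"),
        "host": snap.host,
        "rule": verdict.rule,
        "destination": f"{snap.dest_ip}:{snap.dest_port}",
        "process": snap.process_path,
        "parent_chain": list(snap.parent_chain),
        "loaded_modules": list(snap.loaded_modules),
    }


def _sd_escape(value: str) -> str:
    """RFC 5424 requires escaping backslash, double quote and ']' inside PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event: dict) -> str:
    """RFC 5424 line; facility local0 (16), severity alert (1): PRI = 16*8 + 1 = 129."""
    sd = (
        f'[edrsim rule="{_sd_escape(event["rule"])}" dest="{event["destination"]}" '
        f'process="{_sd_escape(event["process"])}" '
        f'parents="{_sd_escape(">".join(event["parent_chain"]))}"]'
    )
    return (
        f'<129>1 {event["timestamp"]} {event["host"]} edr-sim - POLICY_VIOLATION '
        f"{sd} Blocked outbound connection"
    )


class CoreSim:
    """Holds each connection until a verdict exists; records events only for violations."""

    def __init__(self) -> None:
        self.events: List[dict] = []
        self.syslog_lines: List[str] = []

    def handle_connection(self, snap: ConnectionSnapshot, when: Optional[datetime] = None) -> Verdict:
        when = when or datetime.now(timezone.utc)
        verdict = evaluate_policy(snap)          # connection stays held until this returns
        if not verdict.allowed:
            event = build_event(snap, verdict, when)
            self.events.append(event)
            self.syslog_lines.append(to_syslog(event))
        return verdict


# Constructed sample snapshots (documentation IP ranges, not real traffic).
BENIGN = ConnectionSnapshot("ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                            True, ["explorer.exe"], ["kernel32.dll"], "198.51.100.7", 443)
SUSPECT = ConnectionSnapshot("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             True, ["WINWORD.EXE", "explorer.exe"], [], "203.0.113.10", 443)


def run_demo() -> CoreSim:
    """Feed both samples through the core with a fixed timestamp for reproducible output."""
    core = CoreSim()
    fixed = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    core.handle_connection(BENIGN, when=fixed)
    core.handle_connection(SUSPECT, when=fixed)
    return core


if __name__ == "__main__":
    for line in run_demo().syslog_lines:
        print(line)
```

The point of the simulation is the ordering: the verdict is computed before the connection is released, and the event carries the parent chain and loaded modules captured at request time rather than whatever can be reconstructed later. The escaping in `_sd_escape` matters in practice, since Windows process paths contain backslashes that would otherwise corrupt the structured-data block a SIEM parses.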
