
Administration Guide

FortiAnalyzer

You can integrate FortiEDR with FortiAnalyzer to correlate data between FortiEDR and the Fortinet Security Fabric and issue eXtended detection alerts. To complete the integration, you must configure an eXtended detection source connector for FortiAnalyzer and enable the eXtended detection rules and FortiEDR Threat Hunting events collection.

Prerequisites

Before you start integrating FortiEDR with FortiAnalyzer, verify you have the following:

  • A valid license for eXtended Detection Response. You can create an eXtended detection source connector without this license, but the XDR definition will not succeed until the license is in place.

  • A Jumpbox with connectivity to FortiAnalyzer.
  • Connectivity from the FortiEDR Central Manager to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
  • A FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.

Setting up a connector for FortiAnalyzer

  1. Click the Add Connector button and select eXtended Detection Source in the Connectors dropdown list. The connector definition form opens.

  2. Fill in the following fields:

    Field: Definition

    Enabled: Check this checkbox to enable blocking of malicious IP addresses by the FortiAnalyzer.
    Jumpbox: Select the FortiEDR Jumpbox that will communicate with the FortiAnalyzer.
    Name: Specify a name of your choice to identify the connector.
    Type: Select FortiAnalyzer.
    Host: Specify the IP address or DNS name of the FortiAnalyzer.
    Port: Specify the port used for API communication with the FortiAnalyzer.
    API Key/Credentials: Specify the authentication details of the FortiAnalyzer:
      • To use an API token, select API Key and paste the token value into the text box.
      • To use API credentials, select Credentials and fill in the FortiAnalyzer username/password or Access key ID/Secret access key.

  3. Click Save.
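Before saving the connector, it is worth confirming from the Jumpbox that the Host, Port and Credentials you are about to enter actually satisfy the prerequisite above (an administrator account with JSON API access). The following is an added example, not code from the FortiEDR guide or from Fortinet. It assumes the FortiAnalyzer JSON-RPC convention as I know it: the API is served at https://<host>:<port>/jsonrpc, login is method "exec" on url "/sys/login/user", a read-only "get" on "/sys/status" proves the returned session works, and "/sys/logout" closes it; confirm these against your FortiAnalyzer version's API reference. Only username/password credentials are covered; API-token authentication is not. The sample responses are constructed for the offline checks, not captured from a device.

```python
"""Probe the FortiAnalyzer JSON-RPC API prerequisite from the Jumpbox.

Added example (not part of the FortiEDR guide). Assumed API shape:
  POST https://<host>:<port>/jsonrpc  with JSON-RPC bodies as built below.
Keep TLS verification on: point ca_file at the CA that signed the
FortiAnalyzer certificate instead of disabling verification.
"""
import json
import ssl
import urllib.request

JSONRPC_PATH = "/jsonrpc"  # assumed FortiAnalyzer JSON-RPC endpoint


def build_login_request(user: str, passwd: str, req_id: int = 1) -> dict:
    """JSON-RPC body that authenticates an admin user and yields a session."""
    return {
        "id": req_id,
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": {"user": user, "passwd": passwd}}],
    }


def build_status_request(session: str, req_id: int = 2) -> dict:
    """Read-only call that proves the session (and RPC permission) works."""
    return {
        "id": req_id,
        "method": "get",
        "params": [{"url": "/sys/status"}],
        "session": session,
    }


def build_logout_request(session: str, req_id: int = 3) -> dict:
    return {"id": req_id, "method": "exec",
            "params": [{"url": "/sys/logout"}], "session": session}


def first_status(body: dict) -> tuple:
    """Return (code, message) from result[0].status; code 0 means success."""
    try:
        st = body["result"][0]["status"]
        return int(st["code"]), str(st.get("message", ""))
    except (KeyError, IndexError, TypeError, ValueError):
        return -1, "malformed JSON-RPC response"


def parse_login(body: dict) -> str:
    """Return the session token or raise with FortiAnalyzer's status message.

    A missing session with code 0 is treated as failure too: an account
    without RPC permission must not be reported as usable.
    """
    code, msg = first_status(body)
    session = body.get("session")
    if code != 0 or not session:
        raise PermissionError(f"FortiAnalyzer login failed: code={code} {msg}")
    return session


def parse_status(body: dict) -> dict:
    """Return the data block of a successful /sys/status reply."""
    code, msg = first_status(body)
    if code != 0:
        raise RuntimeError(f"/sys/status failed: code={code} {msg}")
    return body["result"][0].get("data", {})


def probe(host: str, port: int, user: str, passwd: str,
          ca_file: str = None, timeout: int = 10) -> dict:
    """Live check: login, read /sys/status, logout. Returns the status data."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    url = f"https://{host}:{port}{JSONRPC_PATH}"

    def call(payload: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.load(resp)

    session = parse_login(call(build_login_request(user, passwd)))
    try:
        return parse_status(call(build_status_request(session)))
    finally:
        call(build_logout_request(session))


# Constructed sample replies (not captured from a device) for offline checks.
SAMPLE_LOGIN_OK = {"id": 1, "session": "constructed-session-token",
                   "result": [{"status": {"code": 0, "message": "OK"},
                               "url": "/sys/login/user"}]}
SAMPLE_LOGIN_DENIED = {"id": 1,
                       "result": [{"status": {"code": -22, "message": "Login fail"},
                                   "url": "/sys/login/user"}]}
SAMPLE_STATUS_OK = {"id": 2,
                    "result": [{"data": {"Hostname": "faz-example"},
                                "status": {"code": 0, "message": "OK"},
                                "url": "/sys/status"}]}

if __name__ == "__main__":
    # Live use: probe("faz.example.internal", 443, "fortiedr-api", "secret",
    #                 ca_file="/etc/ssl/certs/internal-ca.pem")
    print(parse_status(SAMPLE_STATUS_OK))
```

If the login step raises, the credentials are wrong or the account lacks JSON API (RPC) permission; if the status step raises after a successful login, the account authenticates but is not permitted to read, which the connector would also hit. Fix the account on FortiAnalyzer before entering it into the connector.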

Setting up FortiEDR Central Manager

To complete the integration with FortiAnalyzer, the eXtended detection rules and FortiEDR Threat Hunting events collection must both be enabled in the FortiEDR Central Manager, as follows.

To enable eXtended detection rules:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the eXtended detection policy that is applied to the devices on which you want the eXtended detection rules to apply, and click the Disabled button next to each of the underlying rules to switch it to Enabled.

To enable FortiEDR Threat Hunting events collection:
  1. Navigate to the SECURITY SETTINGS > Threat Hunting > Collection Profiles page.
  2. Open the Threat Hunting collection profile that is applied on devices on which you want the eXtended detection policy to apply.
  3. Select the following event types on that profile:
    • Socket Connect

    • Process Creation

    • File Create

    • File Detected

FortiEDR is now configured to issue eXtended detection alerts based on data collected from FortiAnalyzer.
