Sandbox integration
When a sandbox such as FortiSandbox is configured and the Sandbox Analysis Policy rule is enabled, files that meet several conditions and that have not been previously analyzed trigger a sandbox analysis event on FortiEDR and are sent to the sandbox. The conditions are a combination of several items, such as the file was downloaded from the Internet and was not signed by a known vendor. If the file is found to be clean, the event is automatically classified as safe and is archived. If the file is determined by the sandbox to be suspicious or malicious, then the event is classified as non-safe and any future execution attempt of the file in the environment is blocked by one of the Pre-execution (NGAV) Policy rules. Note that in all cases the first file execution is not delayed or blocked.
For more details about integrating FortiEDR with FortiSandbox, refer to the FortiSandbox Integration Guide.
Before you start sandbox configuration, make sure that:
- Your FortiEDR deployment includes a Jumpbox that has connectivity to the sandbox.
Refer to Setting up the FortiEDR Core for details about how to install a FortiEDR Core and configure it as a Jumpbox.
Refer to Cores for more information about configuring a Jumpbox.
- The FortiEDR Central Manager has connectivity to Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
- (FortiSandbox) A FortiSandbox administrator account with JSON API access enabled. Refer to the FortiSandbox Integration Guide for detailed instructions.
-
(FortiSandbox Cloud) A valid FortiCloud API user under a permission profile with read/write access to the FortiSandbox Cloud portal. See the FortiCloud IAM documentation for detailed instructions about creating a permission profile and an API user.
To set up a sandbox connector with FortiEDR:
- Click the Add Connector button and select Sandbox in the Connectors dropdown list. The following displays:
- Fill in the following fields:
Field
Definition
Jumpbox Select the FortiEDR Jumpbox that will communicate with this sandbox. Name Specify a name of your choice which will be used to identify this sandbox. Type Select the type of sandbox to be used in the dropdown list, for example: FortiSandbox. Host Specify the IP or DNS address of you sandbox. Port Specify the port that is used for API communication with your sandbox. API Key / Credentials Specify authentication details of the FortiSandbox or FortiSandbox Cloud.
(FortiSandbox) To use an API token, select API Key and copy the token value into the text box. To use credentials, select Credentials and fill in the FortiSandbox username and password.
(FortiSandbox Cloud) Specify the username and password of the FortiCloud API user with read/write access to the FortiSandbox Cloud portal.
- Click Save.
In order to complete sandbox integration, the Sandbox Scan rule must be enabled with the FortiEDR Central Manager.
To enable the Sandbox scan rule:
- Navigate to the SECURITY SETTINGS > Security Policies page.
- Open the Execution Prevention policy that is applied on devices for which you want the sandbox scan to apply and click the Disabled button next to the Sandbox Analysis rule to enable it, as shown below:
FortiEDR is now configured to send unknown files to the sandbox.
You can check file analysis on your sandbox console.
In addition, you can see sandbox analysis events in the Events page. Events of files that were found to be clean appear under the Archived Events filter and events of files that were found to be risky are displayed under the All filter, such as shown below. A sandbox analysis digest is added to the security event’s handling comment.