Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiEDR/XDR 6.2.0 Administration Guide
    6.2.0
    6.2.0
    6.0.0
    5.2.1
    5.2.0
    5.1.0
    5.0.0
    4.2.0
    4.1.1
    4.1.0

    FortiAnalyzer or FortiAnalyzer Cloud

    FortiAnalyzer or FortiAnalyzer Cloud

    You can integrate FortiEDR with FortiAnalyzer or FortiAnalyzer Cloud to correlate data between FortiEDR and the Fortinet Security Fabric and issue eXtended detection alerts. To complete the integration, you must configure an eXtended detection source connector for FortiAnalyzer or FortiAnalyzer Cloud and enable the eXtended detection rules and FortiEDR Threat Hunting events collection.

    Prerequisites

    Before you start integrating FortiEDR with FortiAnalyzer or FortiAnalyzer Cloud, verify you have the following:

    • A valid license for eXtended Detection Response—While you can create an eXtended detection source connector without a valid license for eXtended Detection Response, the license is required for a successful XDR definition.

    • A Jumpbox with connectivity to FortiAnalyzer.
      • Refer to Setting up the FortiEDR Core for details about how to install a FortiEDR Core and configure it as a Jumpbox.
      • Refer to Cores for more information about configuring a Jumpbox.
    • Connectivity from the FortiEDR Central Manager to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.

    • (FortiAnalyzer) A FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.

    • (FortiAnalyzer Cloud) A valid FortiCloud API user under a permission profile with read/write access to the FortiAnalyzer Cloud portal. See the FortiCloud IAM documentation for detailed instructions about creating a permission profile and an API user.

    Setting up a connector for FortiAnalyzer or FortiAnalyzer Cloud

    1. Click the Add Connector button and select eXtended Detection Source in the Connectors dropdown list. The following displays:

    2. Fill in the following fields:

      Field

      Definition

      EnabledCheck this checkbox to enable blocking of malicious IP addresses by the FortiAnalyzer or FortiAnalyzer Cloud.
      JumpboxSelect the FortiEDR Jumpbox that will communicate with the FortiAnalyzer or FortiAnalyzer Cloud.
      NameSpecify a name of your choice to identify the connector.
      TypeSelect FortiAnalyzer.
      HostSpecify the IP or DNS address of the FortiAnalyzer or FortiAnalyzer Cloud.
      PortSpecify the port that is used for API communication with the FortiAnalyzer or FortiAnalyzer Cloud.
      API Key/Credentials/Authentication

      Specify authentication details of the FortiAnalyzer or FortiAnalyzer Cloud.

      • (FortiAnalyzer) To use an API token, select API Key and copy the token value into the text box. To use credentials, select Credentials and fill in the FortiAnalyzer username and password.

      • (FortiAnalyzer Cloud) Specify the username and password of the FortiCloud API user with read/write access to the FortiAnalyzer Cloud portal.

      Actions

      Configure the FortiGate and VDOM logs to be correlated with FortiEDR data by specifying the FortiGate or VDOM name in the following fields. If both fields are empty, FortiEDR uses the default value, which is All.

    3. Click Save.

    Setting up FortiEDR Central Manager

    In order to complete the integration with FortiAnalyzer or FortiAnalyzer Cloud, the eXtended detection rules and FortiEDR Threat Hunting events collection must be enabled with the FortiEDR Central Manager, as follows.

    To enable eXtended detection rules:
    1. Navigate to the SECURITY SETTINGS > Security Policies page.
    2. Open the eXtended detection policy that is applied on devices on which you want the eXtended detection policy to apply and click the Disabled button next to each of the underlying rules to enable it, as shown below:

    To enable FortiEDR Threat Hunting events collection:
    1. Navigate to the SECURITY SETTINGS > Threat Hunting > Collection Profiles page.
    2. Open the Threat Hunting collection profile that is applied on devices on which you want the eXtended detection policy to apply.
    3. Select the following event types on that profile:

      • Socket Connect

      • Process Creation

      • File Create

      • File Detected

    FortiEDR is now configured to issue eXtended detection alerts from FortiAnalyzer or FortiAnalyzer Cloud.

    Previous
    Next

    FortiAnalyzer or FortiAnalyzer Cloud

    FortiAnalyzer or FortiAnalyzer Cloud

    You can integrate FortiEDR with FortiAnalyzer or FortiAnalyzer Cloud to correlate data between FortiEDR and the Fortinet Security Fabric and issue eXtended detection alerts. To complete the integration, you must configure an eXtended detection source connector for FortiAnalyzer or FortiAnalyzer Cloud and enable the eXtended detection rules and FortiEDR Threat Hunting events collection.

    Prerequisites

    Before you start integrating FortiEDR with FortiAnalyzer or FortiAnalyzer Cloud, verify you have the following:

    • A valid license for eXtended Detection Response—While you can create an eXtended detection source connector without a valid license for eXtended Detection Response, the license is required for a successful XDR definition.

    • A Jumpbox with connectivity to FortiAnalyzer.
      • Refer to Setting up the FortiEDR Core for details about how to install a FortiEDR Core and configure it as a Jumpbox.
      • Refer to Cores for more information about configuring a Jumpbox.
    • Connectivity from the FortiEDR Central Manager to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.

    • (FortiAnalyzer) A FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.

    • (FortiAnalyzer Cloud) A valid FortiCloud API user under a permission profile with read/write access to the FortiAnalyzer Cloud portal. See the FortiCloud IAM documentation for detailed instructions about creating a permission profile and an API user.

    Setting up a connector for FortiAnalyzer or FortiAnalyzer Cloud

    1. Click the Add Connector button and select eXtended Detection Source in the Connectors dropdown list. The following displays:

    2. Fill in the following fields:

      Field

      Definition

      EnabledCheck this checkbox to enable blocking of malicious IP addresses by the FortiAnalyzer or FortiAnalyzer Cloud.
      JumpboxSelect the FortiEDR Jumpbox that will communicate with the FortiAnalyzer or FortiAnalyzer Cloud.
      NameSpecify a name of your choice to identify the connector.
      TypeSelect FortiAnalyzer.
      HostSpecify the IP or DNS address of the FortiAnalyzer or FortiAnalyzer Cloud.
      PortSpecify the port that is used for API communication with the FortiAnalyzer or FortiAnalyzer Cloud.
      API Key/Credentials/Authentication

      Specify authentication details of the FortiAnalyzer or FortiAnalyzer Cloud.

      • (FortiAnalyzer) To use an API token, select API Key and copy the token value into the text box. To use credentials, select Credentials and fill in the FortiAnalyzer username and password.

      • (FortiAnalyzer Cloud) Specify the username and password of the FortiCloud API user with read/write access to the FortiAnalyzer Cloud portal.

      Actions

      Configure the FortiGate and VDOM logs to be correlated with FortiEDR data by specifying the FortiGate or VDOM name in the following fields. If both fields are empty, FortiEDR uses the default value, which is All.

    3. Click Save.

    Setting up FortiEDR Central Manager

    In order to complete the integration with FortiAnalyzer or FortiAnalyzer Cloud, the eXtended detection rules and FortiEDR Threat Hunting events collection must be enabled with the FortiEDR Central Manager, as follows.

    To enable eXtended detection rules:
    1. Navigate to the SECURITY SETTINGS > Security Policies page.
    2. Open the eXtended detection policy that is applied on devices on which you want the eXtended detection policy to apply and click the Disabled button next to each of the underlying rules to enable it, as shown below:

    To enable FortiEDR Threat Hunting events collection:
    1. Navigate to the SECURITY SETTINGS > Threat Hunting > Collection Profiles page.
    2. Open the Threat Hunting collection profile that is applied on devices on which you want the eXtended detection policy to apply.
    3. Select the following event types on that profile:

      • Socket Connect

      • Process Creation

      • File Create

      • File Detected

    FortiEDR is now configured to issue eXtended detection alerts from FortiAnalyzer or FortiAnalyzer Cloud.

    Previous
    Next