
What's new

The FortiEDR 6.2.0 GA build includes the following features, enhancements, and changes:

eXtended detection with FortiAnalyzer Cloud and FortiSIEM

FortiEDR 6.2.0 adds support for the following external systems as eXtended detection source:

  • FortiAnalyzer Cloud

  • FortiSIEM

Forensics functionality relocated under Investigation View

To have one pane of glass for events analysis and handling, FortiEDR 6.2.0 consolidates forensics functionality and stacks view capability in the investigation view, accessible from the Advanced Data tab under Event Viewer. See next section for details.

As a result, the following forensics tabs and pages are removed:

  • Forensics tab—With the removal of the Forensics tab, the Threat Hunting sub-page is promoted to be its own tab. The compare view in the Forensics tab is removed completely with no equivalent function in the investigation view.

  • Forensics > Events menu page

  • Forensics toolbar option in the Event Viewer page

Investigation View enhancements

FortiEDR 6.2.0 includes the following enhancements to the investigation view (accessible from the Advanced Data tab under Event Viewer):

  • Access an enhanced version of stacks view by selecting an edge that is part of a security event. Compared with the stacks view in the Forensics tab in previous versions, the new stacks view supports additional analysis and response actions, such as retrieving memory and remediating files. The interface is also more flexible and interactive.

  • Export the event as a JSON file.

  • Connect to a device, isolate a device, or move a device to a high security group.

  • Filter the results in the Activity Events table to include or exclude a specific value using the green plus and red minus icons that appear when you hover over the value. Multiple filters are supported.

    This feature is also added to the investigation view launched from the Details Pane under Threat Hunting.

  • Navigate between raw data items using the new navigation bar at the bottom-left of the investigation view graph.

Pre-defined application control groups

To better organize and group applications in the application control manager, FortiEDR 6.2.0 introduces predefined groups of applications, such as Network Scanning Tool, Remote Access Tool, and Disk Encryption Tool. The predefined application groups are always at the top of the application list and are indicated by the Fortinet logo by the group name. Predefined application groups are read-only and can be modified by Fortinet from time to time.

All applications added by the user are now grouped under the User defined group.

New Application Name field in application control

Starting from FortiEDR 6.2.0, each application has a name that is unique per group. You must specify the application name when manually adding an application to be blocked. The application name is also included when you export the list of applications.

Exporting and importing exclusion lists

FortiEDR 6.2.0 allows you to export or import exclusion lists for Process Exclusions and Execution Prevention Exclusions in the exclusion manager. This is handy in a multi-tenant environment, where you can duplicate the exclusion lists for some or all organizations without re-defining the exclusions for each organization separately.

FortiEDR Connect (Remote Shell) commands auditing

In FortiEDR 6.2.0, the FortiEDR Audit Trail feature records every action that was performed in a FortiEDR Connect session, rather than just the connection of a FortiEDR Connect session.

Filter by FortiGate or VDOM for FortiAnalyzer and FortiAnalyzer Cloud eXtended detection

In FortiEDR 6.2.0, when you create an eXtended detection source connector for FortiAnalyzer or FortiAnalyzer Cloud, you can configure the FortiGate and VDOM logs to be correlated with FortiEDR data by specifying the FortiGate or VDOM name in the corresponding field. If both fields are empty, FortiEDR uses the default value, which is All.

Support for CEF and LEEF format Syslog

FortiEDR 6.2.0 introduces two new formats for Syslog messages: Common Event Format (CEF) and Log Event Extended Format (LEEF), allowing more effective management and correlation of FortiEDR events in your SIEM device.

For the field mapping between FortiEDR security event format and CEF/LEEF format, refer to the FortiEDR 6.2 Syslog Message Reference guide.
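As an added example (not Fortinet's code; the sample messages are constructed and do not reflect the field mapping in the Syslog Message Reference), a small normaliser that reads both formats into one record, handling the header escapes and the CEF cs1/cs1Label convention a SIEM consumer has to resolve:

```python
import re

# Constructed sample messages in the two formats the release notes mention; the
# keys/values are illustrative only, not FortiEDR's real field mapping.
SAMPLE_CEF = ("CEF:0|Fortinet|FortiEDR|6.2.0|100|Malicious File Detected|8|"
              "src=10.0.0.5 dhost=WS01 cs1=Self-signed cs1Label=Signature act=Block")
SAMPLE_LEEF = ("LEEF:2.0|Fortinet|FortiEDR|6.2.0|100|^|"
               "src=10.0.0.5^dhost=WS01^signature=Unsigned^action=Log")

def _split_header(text, count):
    # Pull `count` pipe-delimited header fields, honouring the \| and \\ escapes.
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < count:
        raise ValueError("truncated header")
    return fields, text[i:]

def _cef_extension(ext):
    # CEF extension values may contain spaces, so split on the next "key=".
    pairs = re.findall(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|$)", ext, re.S)
    fields = {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in pairs}
    # cs1Label=Signature tells the consumer that cs1 carries the Signature value
    for key in [k for k in fields if k.endswith("Label")]:
        fields[fields[key]] = fields.get(key[:-5], "")
    return fields

def parse_syslog(line):
    kind, _, body = line.partition(":")
    if kind == "CEF":
        head, ext = _split_header(body, 7)
        return {"format": "CEF", "vendor": head[1], "product": head[2],
                "version": head[3], "event_id": head[4], "name": head[5],
                "severity": head[6], "fields": _cef_extension(ext)}
    if kind == "LEEF":
        # LEEF 2.0 names its attribute delimiter in the header; LEEF 1.0 uses tab
        n = 6 if body.startswith("2") else 5
        head, attrs = _split_header(body, n)
        delim = head[5] if n == 6 else "\t"
        if re.fullmatch(r"(0x|x)[0-9a-fA-F]+", delim):  # hex form, e.g. x09
            delim = chr(int(delim.split("x", 1)[1], 16))
        fields = dict(a.split("=", 1) for a in attrs.split(delim) if "=" in a)
        return {"format": "LEEF", "vendor": head[1], "product": head[2],
                "version": head[3], "event_id": head[4], "fields": fields}
    raise ValueError("not a CEF or LEEF message")
```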

Control access to new license functionality in multi-tenant environments

When applying a new license functionality in a multi-tenant environment, the MSSP manager can now configure which tenants will receive the new functionality for more granular access control, as opposed to the old behavior of having to open new license functionality to all tenants. Refer to the FortiEDR 6.2.0 Administration Guide for detailed instructions.

Certificate renamed Signature

The Certificate field is renamed Signature throughout the FortiEDR console, including the Event Viewer, Investigation View and Threat Hunting pages. Possible values:

  • Signed

  • Unsigned

  • Self-signed

  • Invalid timestamp

  • Signed (no timestamp)

Refer to Resolved issues for a list of resolved issues and Known issues for a list of known issues.