2024.10.0

Configuring the FortiNDR Cloud App

Use the Configuration tab to configure the global parameters. These global parameters should only have to be set once after installation, during the initial configuration. There are three tabs on the configuration page: Proxy, Logging, and Add-on Settings.

Updating the Proxy Configuration

Use the Proxy tab to enable and configure a web proxy through which API requests are sent. The configuration settings include:

Enable: Enable/Disable proxy usage for the add-on.
Proxy Type: Set the proxy type: http, socks4, socks5.
Host: IP or hostname of the proxy.
Port: Port number of the proxy.
Username: Username for proxy authentication (if required).
Password: Password for proxy authentication (if required).
Remote DNS resolution: Perform DNS resolution through the proxy.

Updating the Logging Configuration

Use the Logging tab to set the log level for logs generated by the add-on. By default, the add-on sends all its logs at the INFO logging level.

Updating the Add-on Settings (FortiNDR Cloud API Token)

Use the Add-on settings tab to configure the add-on global parameters. There is one (1) global parameter that must be configured for any of the input types to work:

  • API Token: This is a required global parameter and must be provided for the integration to work. All FortiNDR Cloud API calls require this token for authentication. Tokens never expire and remain valid until revoked. For instructions on setting up a token, see the API Getting Started Guide.
  • Domain: This is an optional parameter. If no value is entered, FortiNDR Cloud connects to the default US region (icebrg.io). If you are connecting to a FortiNDR Cloud instance in a different region, the domain can be found in the API Getting Started Guide.

To configure the API Token and the API Domain:
  1. In the Apps list, select the FortiNDR Cloud app.
  2. Click the Configuration tab and then click Add-on Settings.
  3. Enter the API token you generated in the FortiNDR Cloud portal.
  4. Enter the appropriate API domain as per the API Getting Started Guide.
  5. Click Save. This token will be used for all API calls from the app.

Setting up FortiNDR Cloud Inputs

Use the Inputs tab to set up the available data inputs. The following sections describe each input type in detail, along with the steps to create and configure each. There are three (3) distinct input types associated with the app that can be configured to pull data into Splunk from the FortiNDR Cloud backend:

FortiNDR Cloud Detections: Polls the FortiNDR Cloud Detections API at the specified interval for new detections since the last poll and creates Splunk events with the results.
FortiNDR Cloud Events: Polls Observation and/or Suricata events from AWS S3 buckets at the specified interval for new events since the last poll and creates Splunk events with the results.
FortiNDR Cloud Entities: Polls the FortiNDR Cloud Entity API for particular entities' information. New Splunk events are created with the results. This input is executed once and can be deleted after the information is imported into Splunk.

FortiNDR Cloud Detections

The FortiNDR Cloud Detections input type polls the FortiNDR Cloud Detections API at the specified interval for new detections and creates events with the results. Detections are searched in the window between the last poll and the current time minus the configured delay. This delay is required to allow time for the detections to be processed by the FortiNDR Cloud service backend. The default and recommended values are interval = 300 seconds (5 minutes) and delay = 10 minutes.

To create and configure the Detections input type:
  1. In the Splunk Apps list, select the FortiNDR Cloud app.
  2. Click Create New Input and select FortiNDR Cloud Detections from the drop-down list.
  3. Configure the data input Parameters.

    Name*: Unique name for the input. Example: My_Detections

    Interval*: Interval (in seconds) at which to poll the API for new detections. It is recommended to set the interval to no less than 300 seconds (5 minutes). Example: 300

    Index*: Splunk index in which collected events are stored. Example: default

    Start Date (Optional): Defines whether historical data is retrieved. The value can be relative ('1 day') or explicit ('2024-08-01T00:00:00.000000Z'). By default, no historical data is retrieved. Example: 2 days

    Polling Delay: Polling delay (in minutes). This is required to allow time for the detections to be processed by the FortiNDR Cloud service before they are polled. Default: 10 minutes. Example: 10

    Account UUID (Optional): Filter results to only the detections of the specified account UUID. If none is entered, detections are returned for all accounts you have access to. Your Account UUID can be found on your user profile page in the portal. Example: 0a7dae9g-6f74-4c75-78ef-856483763e1d4

    Status (Optional): Pull detections that are active, resolved, or all (detections of any status). Example: Active

    Severity (Optional): Pull detections for rules of a particular severity level. The default is to pull detections for all severities (high, moderate, and low). Example: High, Moderate, Low

    Confidence (Optional): Pull detections for rules of a particular confidence level. The default is to pull detections for all confidences (high, moderate, and low). Example: High, Moderate, Low

    Muted Rules (Optional): Pull detections for rules that are muted, unmuted, or all (both muted and unmuted rules). The default is to pull only detections for unmuted rules. Example: Unmuted

    Muted Devices (Optional): Pull detections for devices that are muted for the account, unmuted devices, or all (both muted and unmuted devices for the account). The default is to pull only detections for unmuted devices. Example: Unmuted

    Muted Detections (Optional): Pull detections that are muted, unmuted, or all (both muted and unmuted detections). The default is to pull only unmuted detections. Example: Unmuted

    Include Description (Optional): Enable this option to include the detection description with the results. Default: unchecked.

    Include Signature (Optional): Enable this option to include the detection signature with the results. Default: unchecked.

    Include Events: Enable this option to import the events associated with each detection. NOTE: This may pull a large number of events into Splunk (up to 1000).

    Filter Training Detections: Filter out detections from the training environment. This is enabled by default and recommended. Example: enabled

    *Required

  4. Click Add.
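
The polling window described above (from the previous poll's end to the current time minus the Polling Delay, with the optional Start Date used on the first run), as an added Python illustration that is not the add-on's own code. The grammar for relative Start Date values ('N minutes/hours/days/weeks') and the checkpoint handling are assumptions.

```python
"""Added illustration of the Detections poll window (not the add-on's own code).

Each poll queries detections in the window [start, end):
  end   = now - Polling Delay   (gives the backend time to finish processing)
  start = the previous poll's end, or on the first run the Start Date
          parameter (relative such as '2 days', or explicit such as
          '2024-08-01T00:00:00.000000Z'); with no Start Date, nothing
          historical is fetched and the first poll only sets the checkpoint.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed grammar for relative Start Date values ("1 day", "12 hours", "2 weeks").
_RELATIVE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week)s?\s*$", re.IGNORECASE)


def parse_start_date(value, now):
    """Turn the Start Date parameter into an aware UTC datetime, or None if empty."""
    if not value or not value.strip():
        return None
    m = _RELATIVE.match(value)
    if m:
        amount, unit = int(m.group(1)), m.group(2).lower() + "s"
        return now - timedelta(**{unit: amount})
    text = value.strip()
    if text.endswith("Z"):                      # fromisoformat() on 3.7-3.10 rejects 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:                       # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def poll_window(now, last_poll=None, start_date="", delay_minutes=10):
    """Return (start, end) for the next poll. An empty window (start >= end)
    means nothing can be fetched yet, e.g. right after the delay was raised."""
    end = now - timedelta(minutes=delay_minutes)
    if last_poll is not None:
        start = last_poll
    else:
        start = parse_start_date(start_date, now) or end
    return start, end


def simulate_polls(first_run, count, interval_seconds=300, delay_minutes=10,
                   start_date=""):
    """Run `count` polls at the configured interval and return the non-empty
    windows in order; consecutive windows are contiguous and never overlap."""
    windows, checkpoint, now = [], None, first_run
    for _ in range(count):
        start, end = poll_window(now, checkpoint, start_date, delay_minutes)
        if start < end:
            windows.append((start, end))
        # Never move the checkpoint backwards, even if the delay was raised.
        checkpoint = max(end, checkpoint) if checkpoint else end
        now += timedelta(seconds=interval_seconds)
    return windows
```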

FortiNDR Cloud Events

The FortiNDR Cloud Events input type polls Observation and/or Suricata events from AWS S3 buckets at the specified interval for new events since the last poll and creates Splunk events with the results. The FortiNDR Cloud Entity API is used for entity enrichment information. The default and recommended collection interval is 900 seconds (15 minutes).

Before configuring a FortiNDR Cloud Events input, create MetaStream credentials and retrieve the AWS S3 credentials from the FNC Portal. For more information, see Create MetaStream credentials and Retrieve S3 credentials.

To configure the Events input type:
  1. In the Splunk Apps list, select the FortiNDR Cloud App.
  2. Click Create New Input and select FortiNDR Cloud Events from the drop-down menu.
  3. Configure the data input Parameters.

    Name*: Unique name for the input. Example: My_Detections

    Interval*: Interval (in seconds) at which this input polls for new data. It is recommended to set the interval to no less than 900 seconds (15 minutes). Example: 900

    Index*: Splunk index in which collected events are stored. Example: default

    AWS Access Key*: AWS Access Key required to connect to the AWS S3 buckets.

    AWS Secret Key*: AWS Secret Key required to connect to the AWS S3 buckets.

    AWS Bucket Name: Name of the AWS S3 bucket where the events are stored. Defaults to fortindr-cloud-metastream. Example: fortindr-cloud-metastream

    Account Code*: Customer account code. This is required to determine which buckets to search for events.

    Event Types: Event types to be retrieved: Observation, Suricata, or both.

    Days to Collect (Optional): The number of days (maximum 7) of historical data to be retrieved. By default, no historical data is retrieved. Example: 5

    *Required

  4. Click Add.

Note

The Account Code, Bucket Name, AWS Secret Key and AWS Access Key are required and can be retrieved from the FortiNDR Cloud Portal. For more information, see Retrieve S3 credentials.

FortiNDR Cloud Entities

The FortiNDR Cloud Entities input type polls the Entity API for entity enrichment information. This input is executed only once and can be deleted after the information is retrieved.

Note

The interval argument is required by Splunk but is ignored by this input. An instance of this input retrieves the information the first time it is triggered; on any subsequent trigger by Splunk, no information is retrieved. The instance can be deleted once the information has been imported.

Note

Editing this input's instance has no effect. Once the input instance has retrieved the information, it can be deleted. A new instance can be created if additional entities need to be retrieved.

To create the Entities input type:
  1. In the Splunk Apps list, select the FortiNDR Cloud App.
  2. Click Create New Input and select FortiNDR Cloud Entities from the drop-down menu.
  3. Configure the data input Parameters.

    Name*: Unique name for the input. Example: My_Reports

    Interval*: Interval (in seconds); required by Splunk but ignored by this input. It is recommended to set the interval to no less than 900 seconds (15 minutes). Example: 900

    Index*: Splunk index in which collected events are stored. Example: default

    Entity(s)*: One or more entities (IP address or domain), separated by commas, to search for entity enrichment information. Example: 192.168.1.100, 1.1.1.1, domain.com

    Fetch Passive DNS (Optional): Include passive DNS enrichment data in the response. Default: unchecked. Example: Disabled

    Fetch DHCP (Optional): Include DHCP enrichment data in the response. Default: unchecked. Example: Disabled

    Fetch Virus Total (Optional): Include Virus Total enrichment data in the response. Default: unchecked. Example: Disabled

    Filter Training Data: Filter out data from the training environment. This is checked by default and recommended. Example: Enabled

    *Required

  4. Click Add.

Deleting or Disabling an Input

To delete or disable a previously defined input, locate it on the Inputs tab.

To disable an input:

Look for the input value in the Status column and turn it off to disable the input. Turn it back on to re-enable it.

To delete an input:

In the Actions column, look for the allowed actions for the input and click on the delete icon.
