2024.10.0

Configuring Fortinet FortiNDR Cloud Solution

Retrieve the FortiNDR Cloud API credentials

Before you begin, you will need to retrieve the Metastream and API credentials from the FortiNDR Cloud portal. You will need this information later.

Category     Event Type                  Credentials
Metastream   Suricata and Observations   AWS Access Key, AWS Secret Access Key, Account Code
API          Detections                  API Token, Account UUID
To retrieve the account UUID, access keys, and account code from the portal:
  1. In the FortiNDR Cloud portal, click the gear icon in the top-right corner of the page and select Account Management. If you have multiple accounts, select an account.
  2. Click Modules. In the banner, record the account code next to Code and the account UUID next to UUID.

  3. In the Metastream module, click Retrieve.
  4. Record the Access Key Id and Secret Access Key.

To retrieve the API Token:
Note

For an installation used by multiple users, an API-only user service key is recommended. See To create an API-only user.

  1. In the FortiNDR Cloud portal, click the gear icon in the top-right corner of the page and select Profile Settings.

  2. Scroll down to the Token section and click Create new token.

  3. Enter a description of the token and click Create.
  4. Copy the token and save it in a secure location.

To create an API-only user:
  1. Go to Account Management.

  2. Click Create User.

  3. Configure the new user and click Create.
    Email: Enter the user's email address.
    First name: Enter the user's first name.
    Last name: Enter the user's last name.
    Assign role: Select User from the dropdown.
    API Only: Select this option.

  4. After the user is created, click the user to edit it. You can filter the list by clicking the filter icon and selecting User Type > API Only.

  5. In the user details page, click Create Token to create an API token.

  6. Enter a description for the token and click Create.

  7. After the token is created, be sure to save it for use in the integration.

Configure Data Connector in Sentinel

Note

The Data Connector is implemented as an Azure Function App. Keep the following consideration in mind.

Azure Function App Service Plan:

Suricata data files are typically large and may exceed the memory and storage limits of the default Consumption plan. To avoid memory and storage errors, we recommend selecting a Premium service plan if you intend to pull Suricata data. For more information, see Azure Functions service plans.

To configure Data Connectors in Sentinel:
  1. In Microsoft Azure, search for Sentinel or select Microsoft Azure.

  2. Select the workspace where FortiNDR Cloud integration is installed.

  3. On the Microsoft Sentinel page select Data Connectors.

  4. Select Fortinet FortiNDR Cloud (using Azure Functions) and click Open connector page.

  5. Use one of the options to install the Data Connector. The following sub-steps cover Option 1.
    • Option 1 - Azure Resource Manager ARM Template: Use this method for automated deployment of the FortiNDR Cloud connector.
    • Option 2 - Manual Deployment of Azure Functions: Use this option for step-by-step instructions for manual deployment via Visual Studio Code.
    1. If you are deploying using Option 1, click Deploy to Azure to open the Custom deployment page.

    2. In the Custom deployment page, configure the Subscription, Resource group, and Instance details settings. If you have not done so already, please retrieve the Access Key, Secret Access Key, and other credentials from the portal. See Retrieve the FortiNDR Cloud API credentials.

      Name                             Default Value             Description
      WorkSpace Key                    (none)                    (Required) The Azure workspace key.
      WorkSpace Id                     (none)                    (Required) The Azure workspace ID.
      Fnc Terminate App                false                     (Optional) If true, terminates the orchestrator function (true, false). Tasks already scheduled will still run to completion.
      Fnc Days To Collect Events       7                         (Optional) The number of past days to collect data (0-7).
      Fnc Interval Minutes             5                         (Optional) The number of minutes between fetching data (1-60).
      Fnc Account Code                 (none)                    (Required) The customer ID.
      Fnc Events                       "observation,detection"   (Optional) Comma-separated list of events to fetch and post (Suricata, observation, detection).
      Aws Access Key Id                (none)                    (Required) The AWS access key ID.
      Aws Secret Access Key            (none)                    (Required) The AWS secret access key.
      Fnc Bucket Name                  (none)                    (Optional) The AWS S3 bucket name.

      Settings for Detections
      Fnc Api Token                    (none)                    (Required) The API token used to connect to the FortiNDR Cloud API.
      Fnc Account Uuid                 (none)                    (Required) The account UUID of the customer account.
      Fnc Api Domain                   (none)                    (Optional) The API domain used when connecting to the FortiNDR Cloud API.
      Include Events                   false                     (Optional) Include events when fetching detections.
      Include Description              true                      (Optional) Include the rule description when fetching detections.
      Include Signature                true                      (Optional) Include the rule signature when fetching detections.
      Pull Muted                       all                       (Optional) Fetch and post muted detections, unmuted detections, or both (true, false, all).
      Detection Status                 all                       (Optional) Fetch and post active detections, resolved detections, or both (active, resolved, all).
      Fnc Days To Collect Detections   7                         (Optional) The number of past days to collect detections.
      Polling Delay                    10                        (Optional) Polling delay when fetching and posting detections.
      Log Level                        INFO                      (Optional) Logging level of the Data Connector.
      Posting Limit                    3000                      (Optional) Do not change this setting unless instructed by the support team.

      Note

      Event and detection history is fetched and posted in pieces, periodically, at the interval set by Fnc Interval Minutes. If there is a large amount of historical data, or more days of history are requested, it may take longer for the history to appear in Sentinel.

      Note

      If more than one Data Connector is to be created, use a different Function Name for each.

    3. Click Review + create. The summary page opens. Review the configurations and click Create.

      Note

      Once everything is configured and the Data Connector is started, do not change the Environment Variables, as this may cause a data gap or data duplication. If any variables are wrong or need updating, set up a new Sentinel environment and install a new Data Connector with the updated configuration.

  6. If the data connector is installed manually using Option 2, search for the Function App in Microsoft Azure, and select the Function App to install the Data Connector.

  7. On the Function app page, select Environment Variables, and then set or update the Application Settings.

  8. After the application settings are saved, go to the Overview page and click Start if the function app is not running.
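The settings table above gives defaults and allowed ranges, and the notes warn that a wrong value cannot be corrected in place without causing a data gap or duplication. The following pre-deployment check is an added example, not Fortinet's or Microsoft's code: it fills in the documented defaults, validates every setting against the documented constraints, warns about the Suricata/Premium-plan and Posting Limit caveats, and masks the secret values before they are printed. It assumes the display names in the table are used as the application-setting keys (the real keys may be spelled differently); all credential values in it are constructed placeholders.

```python
"""Pre-deployment checks for FortiNDR Cloud Data Connector settings.

Added example; not Fortinet's or Microsoft's code. Setting names are the
display names from the configuration table and are assumed to map
one-to-one onto the function app's application settings.
"""

# Documented defaults. None marks a setting the table lists as (Required).
DEFAULTS = {
    "WorkSpace Key": None,
    "WorkSpace Id": None,
    "Fnc Terminate App": "false",
    "Fnc Days To Collect Events": "7",
    "Fnc Interval Minutes": "5",
    "Fnc Account Code": None,
    "Fnc Events": "observation,detection",
    "Aws Access Key Id": None,
    "Aws Secret Access Key": None,
    "Fnc Bucket Name": "",
    "Fnc Api Token": None,
    "Fnc Account Uuid": None,
    "Fnc Api Domain": "",
    "Include Events": "false",
    "Include Description": "true",
    "Include Signature": "true",
    "Pull Muted": "all",
    "Detection Status": "all",
    "Fnc Days To Collect Detections": "7",
    "Polling Delay": "10",
    "Log Level": "INFO",
    "Posting Limit": "3000",
}

# Values that must never be echoed into logs or deployment output.
SECRET_KEYS = {"WorkSpace Key", "Aws Secret Access Key", "Fnc Api Token"}
BOOL_KEYS = {"Fnc Terminate App", "Include Events", "Include Description", "Include Signature"}
VALID_EVENTS = {"suricata", "observation", "detection"}


def apply_defaults(settings):
    """Return a copy of settings with the documented defaults filled in."""
    merged = {k: v for k, v in DEFAULTS.items() if v is not None}
    merged.update(settings)
    return merged


def _check_int(merged, key, lo, hi, errors):
    """Require merged[key] to be a non-negative integer in [lo, hi] (hi=None: unbounded)."""
    raw = str(merged.get(key, "")).strip()
    ok = raw.isdigit() and lo <= int(raw) and (hi is None or int(raw) <= hi)
    if not ok:
        bound = f"{lo}-{hi}" if hi is not None else f">= {lo}"
        errors.append(f"{key}: expected an integer {bound}, got {raw!r}")


def validate(settings):
    """Check settings against the documented constraints.

    Returns (errors, warnings): errors should block deployment, warnings are advisory.
    """
    merged = apply_defaults(settings)
    errors, warnings = [], []

    for key, default in DEFAULTS.items():
        if default is None and not str(merged.get(key, "")).strip():
            errors.append(f"{key}: required setting is missing")

    _check_int(merged, "Fnc Days To Collect Events", 0, 7, errors)
    _check_int(merged, "Fnc Interval Minutes", 1, 60, errors)
    _check_int(merged, "Fnc Days To Collect Detections", 0, None, errors)
    _check_int(merged, "Polling Delay", 1, None, errors)
    _check_int(merged, "Posting Limit", 1, None, errors)

    for key in sorted(BOOL_KEYS):
        if str(merged[key]).lower() not in {"true", "false"}:
            errors.append(f"{key}: expected true or false, got {merged[key]!r}")
    if str(merged["Pull Muted"]).lower() not in {"true", "false", "all"}:
        errors.append(f"Pull Muted: expected true, false or all, got {merged['Pull Muted']!r}")
    if str(merged["Detection Status"]).lower() not in {"active", "resolved", "all"}:
        errors.append(f"Detection Status: expected active, resolved or all, got {merged['Detection Status']!r}")

    events = {e.strip().lower() for e in str(merged["Fnc Events"]).split(",") if e.strip()}
    if not events or not events <= VALID_EVENTS:
        errors.append(f"Fnc Events: expected a subset of {sorted(VALID_EVENTS)}, got {merged['Fnc Events']!r}")
    if "suricata" in events:
        warnings.append("Fnc Events includes suricata: use a Premium App Service plan; "
                        "the Consumption plan may hit memory/storage limits")
    if str(merged["Posting Limit"]).strip() != DEFAULTS["Posting Limit"]:
        warnings.append("Posting Limit differs from 3000: change it only when instructed by support")
    return errors, warnings


def redacted(settings):
    """Return a copy that is safe to print: secret values are masked."""
    return {k: ("***" if k in SECRET_KEYS and v else v) for k, v in settings.items()}


# Constructed sample input with placeholder credentials (not real values).
SAMPLE = {
    "WorkSpace Id": "00000000-0000-0000-0000-000000000000",
    "WorkSpace Key": "EXAMPLE-WORKSPACE-KEY",
    "Fnc Account Code": "acme",
    "Aws Access Key Id": "AKIAEXAMPLEKEY",
    "Aws Secret Access Key": "EXAMPLE-SECRET",
    "Fnc Api Token": "EXAMPLE-TOKEN",
    "Fnc Account Uuid": "11111111-1111-1111-1111-111111111111",
    "Fnc Events": "suricata,detection",
    "Fnc Days To Collect Events": "9",   # outside the documented 0-7 range
}

if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    print("settings:", redacted(apply_defaults(SAMPLE)))
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
```

Run the check against the exact key/value set you are about to paste into the Custom deployment page or the Function App's Application Settings; because the connector must be redeployed rather than edited once it has started, catching an out-of-range value here is much cheaper than discovering it after the first collection run.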

Configure Workbooks in Sentinel

In Sentinel, you can create your own workbook or use workbook templates as a base to build workbooks.

To build your own workbooks:
  1. Go to the Microsoft Sentinel page and select Workbooks, then click Add workbook. The New workbook page opens.

  2. Click Edit to start building your workbook.

  3. Click Edit in each section to add, remove or update your content.

  4. Click Done Editing and then click Save.

To build a workbook using a template:
  1. Go to the Microsoft Sentinel page.
  2. Click Workbooks, then select Templates. Select the workbook template from FortiNDR Cloud Integration.

  3. To preview the template, click View Template in the right-side panel.
  4. To build a workbook using the template you are viewing, go back to the Workbook page, select the template and click Save. The workbook is saved to the My workbooks tab.

  5. On the right-side panel, click View Saved workbook to open your workbook and make your customizations.
