2024.10.0

Configuring an asset for the FortiNDR Cloud App

This topic only covers configurations specific to the FortiNDR Cloud app. For more information about configuring assets, see the Splunk SOAR documentation.

The FortiNDR Cloud integration allows Splunk SOAR to poll detections regularly from the FortiNDR Cloud backend and to perform several actions on them, such as resolving detections and searching for associated events. Two arguments are required in order to communicate with the backend services:

  • API Token: This is a required global parameter and must be provided for the integration to work. All FortiNDR Cloud API calls require this token for authentication. Tokens never expire and will remain valid until revoked. For instructions on setting up a token, see the API Getting Started Guide.
  • Domain: This is an optional parameter. If no value is entered, FortiNDR Cloud will connect to the default US region (icebrg.io). If you are connecting to FortiNDR Cloud in a different region, the domain for that region may be found in the API Getting Started Guide.

These arguments, and the rest of the arguments needed for the continuous polling of detections, can be specified in the asset configuration.

Configuring a new asset

To configure a new asset:
  1. Find the app in the Unconfigured Apps list, or the Configured Apps list if the asset has been configured already.

  2. Click Configure New Asset. The configuration page opens.
  3. Click the Asset Settings tab to configure the settings specific to the FortiNDR Cloud app.

  4. The first two arguments, API Token and API Domain, are required for all the supported actions, since they are used to connect to the FortiNDR Cloud services. Instructions on how to obtain these values can be found in the API Getting Started Guide. The rest of the arguments are only used when Ingest is enabled.

    The following list describes the arguments used by the FortiNDR Cloud App, given as variable (required or optional, type): description.

      • api_key (required, password): API Token used to connect to the FortiNDR Cloud RESTful APIs.
      • first_poll (required, string): Defines whether historical data is retrieved. It can be relative ('1 day') or explicit ('2024-08-01T00:00:00.000000Z'). By default, no historical data is retrieved.
      • polling_delay (optional, numeric): Polling delay in minutes. This allows time for detections to be processed by the FortiNDR Cloud service before they are polled. Default is 10 minutes.
      • account_uuid (optional, string): Account UUID used to filter retrieved detections. If none is entered, detections are returned for all accounts you have access to. Your Account UUID can be found on the user profile page of the portal.
      • muted (optional, boolean): Set to true to include muted detections. Defaults to false.
      • muted_rule (optional, boolean): Set to true to include muted rules. Defaults to false.
      • muted_device (optional, boolean): Set to true to include muted devices. Defaults to false.
      • domain (optional, string): Domain to which FortiNDR Cloud requests are directed. By default, requests go to the US region, icebrg.io.
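The following Python example is added here to show how the asset settings above combine into a detection polling window; it is not Fortinet's or Splunk's code and does not reproduce the FortiNDR Cloud API itself. It assumes (the page does not say) that each poll asks for detections created between a start time (the last checkpoint, or first_poll on the first run) and an end time of now minus polling_delay, which is why the delay gives the service time to finish processing detections before they are fetched. The function and parameter names are this example's own.

```python
"""Added example, not part of the FortiNDR Cloud app: validate the asset
settings and compute the next detection polling window.

Assumed model (not stated on the page): detections are polled for the
half-open window [start, end) where end = now - polling_delay and start is
the last checkpoint, or the time encoded by first_poll on the first run.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

DEFAULT_DOMAIN = "icebrg.io"          # default US region, from the page
DEFAULT_POLLING_DELAY_MIN = 10        # default polling delay, from the page

# Relative first_poll values such as '1 day', '12 hours' or '30 minutes'.
_RELATIVE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week)s?\s*$", re.I)
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def _as_bool(value):
    """SOAR may hand booleans over as strings; treat 'false' as False."""
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true", "yes")
    return bool(value)


def parse_first_poll(value, now):
    """Return the UTC start time encoded by first_poll, or None if empty.

    Accepts a relative span ('1 day') or an explicit ISO 8601 timestamp
    ('2024-08-01T00:00:00.000000Z'); raises ValueError on anything else.
    """
    if value is None or not value.strip():
        return None
    match = _RELATIVE.match(value)
    if match:
        seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]
        return now - timedelta(seconds=seconds)
    text = value.strip()
    if text.endswith("Z"):                 # fromisoformat predates 'Z' support on older Pythons
        text = text[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError as exc:
        raise ValueError(f"first_poll is neither relative nor ISO 8601: {value!r}") from exc
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def validate_asset_config(config):
    """Normalise the asset settings into the effective values the poller uses.

    Raises ValueError when a required value is missing or a value is malformed,
    so a bad asset fails at configuration time rather than silently polling
    the wrong account or region.
    """
    if not config.get("api_key"):
        raise ValueError("api_key is required for every FortiNDR Cloud action")
    domain = (config.get("domain") or DEFAULT_DOMAIN).strip().lower()
    if "://" in domain or "/" in domain:
        raise ValueError("domain must be a bare hostname such as icebrg.io, not a URL")
    delay = config.get("polling_delay")
    delay = DEFAULT_POLLING_DELAY_MIN if delay in (None, "") else float(delay)
    if delay < 0:
        raise ValueError("polling_delay must be a non-negative number of minutes")
    account = config.get("account_uuid") or None
    if account is not None:
        uuid.UUID(account)                 # raises ValueError if it is not a UUID
    return {
        "domain": domain,
        "polling_delay_min": delay,
        "account_uuid": account,
        "muted": _as_bool(config.get("muted", False)),
        "muted_rule": _as_bool(config.get("muted_rule", False)),
        "muted_device": _as_bool(config.get("muted_device", False)),
    }


def polling_window(config, last_checkpoint, now):
    """Return the (start, end) window for the next poll, or None if nothing is due.

    end is now minus polling_delay so detections the service is still
    processing are not skipped; start is the last checkpoint, or first_poll
    on the first run. With no checkpoint and an empty first_poll there is no
    history to fetch, so the caller should simply record end as its checkpoint.
    """
    settings = validate_asset_config(config)
    end = now - timedelta(minutes=settings["polling_delay_min"])
    start = last_checkpoint or parse_first_poll(config.get("first_poll"), now)
    if start is None or start >= end:
        return None
    return start, end


if __name__ == "__main__":
    # Constructed sample asset settings, not taken from a real deployment.
    sample = {"api_key": "REDACTED-TOKEN", "first_poll": "1 day", "polling_delay": "15"}
    print(polling_window(sample, None, datetime.now(timezone.utc)))
```

Because every `polling_delay` minute shifts the window end backwards, a larger delay trades freshness for completeness; the checkpoint should always be advanced to the window end that was actually queried, never to "now", or the detections that land in the delay gap are lost.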
