Enforcement
Enforcement provides an extra layer of logic to act on the detections discovered by FortiNDR and delivers follow-up actions to Security Fabric devices. FortiNDR periodically evaluates the latest batch of detections against the enforcement settings. If any detection satisfies the criteria for the next course of action, the system then looks at which automation profile the detection falls under and performs the response action accordingly.
The system uses the webhook registered to the automation profiles or predefined APIs to carry out different enforcement strategies. FortiNDR supports the following action types:
- FortiGate Quarantine (Previously known as Ban IP action)
- FortiNAC Quarantine (requires FortiNAC version 9.2.0 or later)
- FortiSwitch Quarantine via FortiLink
- Generic Webhook
FortiNDR combines the information from the Automation Framework and the Enforcement Settings to generate enforcement actions.
Enforcement Settings
Enforcement Settings are policies for FortiNDR to filter out malicious detections and NDR anomaly detections when executing enforcement. These policies include Event Category, NDR Detection Severity Level, Malware Risk Level, Malware Confidence Level, and Allow List.
Register the automation stitch webhook you created in FortiGate so that FortiNDR can execute the enforcement.
To create an enforcement profile:
- Go to Security Fabric > Enforcement Settings.
- In the toolbar, click Create New. The General Settings page opens.
- Configure the profile settings.
Profile Name: Enter a name for the profile.
Event Category: Select one of the following options:
- Malware Detection
- NDR: Botnet Detection
- NDR: Encryption Attack Detection
- NDR: Network Attack Detection
- NDR: Indication of Compromise Detection
- NDR: Weak Cipher and Vulnerable Protocol Detection
NDR Detection Severity Level: Select Critical, High, Medium or Low severity from the dropdown.
Malware Risk Level: Select Critical, High, Medium or Low from the dropdown.
Malware Confidence Level: Enter a numeric value for the confidence level and click either Medium or High.
White List: Enter the IP address you want to exclude as a trigger. If the source IP matches the entry, the profile will not be triggered even if the event and severity level match.
- Click OK.
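The following is an added illustration of the evaluation logic this page describes, not FortiNDR's own code: each detection in a batch is checked against a profile's event category, severity, risk, confidence and allow list, and only the matches would be handed to an automation profile. The exact-match semantics for severity and risk, the treatment of the confidence value as a minimum threshold, and the sample detections are all assumptions constructed for the example.

```python
# Added example (not FortiNDR code): models the enforcement-profile filter
# described on this page. Severity/risk exact match and confidence-as-minimum
# are assumptions; the detection batch below is constructed, not real output.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EnforcementProfile:
    name: str
    event_category: str                       # e.g. "NDR: Botnet Detection"
    severity: Optional[str] = None            # NDR Detection Severity Level
    malware_risk: Optional[str] = None        # Malware Risk Level
    min_confidence: Optional[int] = None      # Malware Confidence Level (assumed threshold)
    allow_list: List[str] = field(default_factory=list)  # IPs/CIDRs excluded as triggers

    def _on_allow_list(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in self.allow_list)

    def matches(self, det: dict) -> bool:
        if det["category"] != self.event_category:
            return False
        if self.severity and det.get("severity") != self.severity:
            return False
        if self.malware_risk and det.get("risk") != self.malware_risk:
            return False
        if self.min_confidence is not None and det.get("confidence", 0) < self.min_confidence:
            return False
        # A matching allow-list entry suppresses the trigger even when all else matches.
        return not self._on_allow_list(det["src_ip"])


def evaluate_batch(profiles, detections):
    """Return (profile name, detection) pairs that would trigger an enforcement action."""
    return [(p.name, d) for d in detections for p in profiles if p.matches(d)]


# Constructed sample batch for the example (not real FortiNDR output).
DETECTIONS = [
    {"category": "NDR: Botnet Detection", "severity": "Critical", "src_ip": "10.1.2.3"},
    {"category": "NDR: Botnet Detection", "severity": "Critical", "src_ip": "10.9.0.7"},  # allow-listed
    {"category": "Malware Detection", "risk": "High", "confidence": 92, "src_ip": "10.1.2.9"},
    {"category": "Malware Detection", "risk": "High", "confidence": 40, "src_ip": "10.1.2.10"},
]
PROFILES = [
    EnforcementProfile("botnet-quarantine", "NDR: Botnet Detection", severity="Critical",
                       allow_list=["10.9.0.0/24"]),
    EnforcementProfile("malware-ban", "Malware Detection", malware_risk="High", min_confidence=80),
]

if __name__ == "__main__":
    for name, det in evaluate_batch(PROFILES, DETECTIONS):
        print(f"{name}: enforcement action for {det['src_ip']} ({det['category']})")
```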