Fortinet Document Library

External Systems Configuration Guide

Fortinet FortiEDR

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
Logs collected: System and security events (e.g., file blocked)
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "FortiEDR" to see the event types associated with this device.

Rules

No FortiEDR-specific rules are written, but the generic endpoint rules apply.

Reports

No FortiEDR-specific reports are written, but the generic endpoint reports apply.

Configuration

Configure the FortiEDR system to send syslog to FortiSIEM in the supported format (see the sample event below). FortiSIEM identifies the sending device from the syslog header's host field (the reporting IP) and the Device Name field in the message body, so the event must arrive with both intact.

Settings for Access Credentials

None required

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;
Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;
Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;
Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;
First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;
Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;
MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A
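The parser and triage check below are an added example, not code from the Fortinet guide or from FortiSIEM's own FortiEDR parser. It reassembles the sample event above onto one line, splits the RFC 5424 header (PRI, version, timestamp, host, app name) from the semicolon-separated "Key: Value" body, and then applies a few checks an analyst would want on such an event. The field names come from the sample; the SYSTEM_BINARIES set, the severity threshold and the triage rules themselves are assumptions for illustration, and the second and third test inputs are constructed variants of the sample.

```python
"""Parse a FortiEDR syslog event and run simple checks over the parsed fields.

Added example; not code from the Fortinet guide or FortiSIEM's own parser.
Field names are the ones in the sample event on this page; SYSTEM_BINARIES
and the triage thresholds are assumptions for illustration.
"""
import re
from datetime import datetime, timezone

# The sample event from this page, reassembled onto one line.
SAMPLE_EVENT = (
    "<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - "
    "Organization: Demo;Organization ID: 156646;Event ID: 458478;"
    "Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;"
    "Process Name: svchost.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe;"
    "Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;"
    "First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;"
    "Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\\U;"
    "MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# In the sample PROCID, MSGID and STRUCTURED-DATA are all the nil value "-".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)


def parse_event(line: str) -> dict:
    """Split the syslog header from the 'Key: Value;Key: Value' body."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])
    fields = {}
    for pair in m["msg"].split(";"):
        # Split on the FIRST colon only: values such as
        # 'First Seen: 18-Sep-2019, 02:42:18' contain further colons.
        key, sep, value = pair.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "facility": pri // 8,         # 133 -> 16 (local0)
        "syslog_severity": pri % 8,   # 133 -> 5 (notice)
        "reporting_ip": m["host"],    # what FortiSIEM records as the reporting IP
        "app_name": m["app"],         # "enSilo" in the sample
        # The header timestamp is UTC; the body's First/Last Seen carry no zone
        # and differ from it by four hours in the sample, so correlate on the header.
        "received_utc": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "fields": fields,
    }


def parse_seen(value: str) -> datetime:
    """Parse the body's 'DD-Mon-YYYY, HH:MM:SS' stamps (naive, no zone)."""
    return datetime.strptime(value, "%d-%b-%Y, %H:%M:%S")


# Assumed set of Windows binaries that should only run from \Windows\System32\.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def triage(event: dict) -> list:
    """Return the reasons this event needs analyst attention (empty = routine)."""
    f = event["fields"]
    reasons = []
    if f.get("Severity") in {"Critical", "High"} and f.get("Classification") in {"Malicious", "Suspicious"}:
        reasons.append("high-severity %s event" % f["Classification"].lower())
    if f.get("Action") != "Blocked":
        # Prevention did not fire: the activity may have completed on the host.
        reasons.append("activity was not blocked: %s" % f.get("Action"))
    name = f.get("Process Name", "").lower()
    path = f.get("Process Path", "").lower()   # NT device path, not a drive letter
    if name in SYSTEM_BINARIES and "\\windows\\system32\\" not in path:
        reasons.append("system binary name %s running from unexpected path" % name)
    return reasons


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["received_utc"], ev["reporting_ip"], ev["fields"]["Device Name"], ev["fields"]["Rules List"])
    for reason in triage(ev):
        print("ALERT:", reason)
```

Two practical notes. The body is split on ";" and on the first ":" of each pair; a value that itself contains ";" would be cut short, so check your own FortiEDR release's output before relying on the split. And the app name in the header is "enSilo" (FortiEDR's pre-acquisition product name) in the sample; if a newer release emits a different app name or a different First Seen date format, HEADER_RE and parse_seen are the two places to adjust.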