Fortinet black logo

External Systems Configuration Guide

Fortinet FortiEDR

Fortinet FortiEDR

Integration Points

Method Information discovered Metrics collected LOGs collected Used for
Syslog Host name, Reporting IP None System and Security Events (e.g., file blocked) Security monitoring

Event Types

In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.

Rules

No specific rules are written for FortiEDR but generic end point rules apply

Reports

No specific reports are written for FortiEDR but generic end point rules apply

Configuration

Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)

Syslog Configuration

To configure syslog for FortiEDR, take the following steps:

Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).

  1. Login to the FortiEDR Central Maanger.

  2. Navigate to Administration > Export Settings > Syslog.

  3. Click Define New Syslog and fill in the following fields.
    Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.

    Field

    Input

    Name Input "FortiSIEM".
    Host Enter the IP address or FQDN of the FortiSIEM Collector.
    Port Input "514".
    Protocol Select UDP.
    Use SSL Make sure the checkbox is unchecked.
  4. Click the save icon to complete the configuration.

Settings for Access Credentials

None required

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;

Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;

Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;

Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;

First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;

Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;

MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A

Fortinet FortiEDR

Integration Points

Method Information discovered Metrics collected LOGs collected Used for
Syslog Host name, Reporting IP None System and Security Events (e.g., file blocked) Security monitoring

Event Types

In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.

Rules

No specific rules are written for FortiEDR but generic end point rules apply

Reports

No specific reports are written for FortiEDR but generic end point rules apply

Configuration

Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)

Syslog Configuration

To configure syslog for FortiEDR, take the following steps:

Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).

  1. Login to the FortiEDR Central Maanger.

  2. Navigate to Administration > Export Settings > Syslog.

  3. Click Define New Syslog and fill in the following fields.
    Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.

    Field

    Input

    Name Input "FortiSIEM".
    Host Enter the IP address or FQDN of the FortiSIEM Collector.
    Port Input "514".
    Protocol Select UDP.
    Use SSL Make sure the checkbox is unchecked.
  4. Click the save icon to complete the configuration.

Settings for Access Credentials

None required

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;

Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;

Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;

Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;

First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;

Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;

MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A