Fortinet FortiEDR
- Integration Points
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
- Sample Events
Integration Points
Method | Information discovered | Metrics collected | LOGs collected | Used for |
Syslog | Host name, Reporting IP | None | System and Security Events (e.g., file blocked) | Security monitoring |
Event Types
In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.
Rules
No specific rules are written for FortiEDR but generic end point rules apply
Reports
No specific reports are written for FortiEDR but generic end point rules apply
Configuration
Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)
Syslog Configuration
To configure syslog for FortiEDR, take the following steps:
Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).
-
Login to the FortiEDR Central Maanger.
-
Navigate to Administration > Export Settings > Syslog.
-
Click Define New Syslog and fill in the following fields.
Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.Field
Input
Name Input "FortiSIEM". Host Enter the IP address or FQDN of the FortiSIEM Collector. Port Input "514". Protocol Select UDP. Use SSL Make sure the checkbox is unchecked. -
Click the save icon to complete the configuration.
Settings for Access Credentials
None required
Sample Events
<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;
Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;
Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;
Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;
First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;
Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;
MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A