- Integration Points
- Event Types
- Settings for Access Credentials
- Sample Events
|Method||Information discovered||Metrics collected||LOGs collected||Used for|
|Syslog||Host name, Reporting IP||None||System and Security Events (e.g., file blocked)||Security monitoring|
In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.
No specific rules are written for FortiEDR but generic end point rules apply
No specific reports are written for FortiEDR but generic end point rules apply
Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)
To configure syslog for FortiEDR, take the following steps:
Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).
Login to the FortiEDR Central Maanger.
Navigate to Administration > Export Settings > Syslog.
Click Define New Syslog and fill in the following fields.
Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.
Name Input "FortiSIEM". Host Enter the IP address or FQDN of the FortiSIEM Collector. Port Input "514". Protocol Select UDP. Use SSL Make sure the checkbox is unchecked.
Click the save icon to complete the configuration.
Settings for Access Credentials
<133>1 2019-09-18T06:42:18.000Z 220.127.116.11 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;
Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;
Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;
Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;
First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;
Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;
MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A