
External Systems Configuration Guide

Crowdstrike

CrowdStrike Endpoint Security

Support Added: FortiSIEM 5.2.1

Last Modification: FortiSIEM 6.2.0

Vendor Version Tested: Not Provided

Vendor: CrowdStrike

Product: Endpoint Security

Product Information: https://www.crowdstrike.com/endpoint-security-products/

Configuration

CrowdStrike Server Configuration

To configure the CrowdStrike server, take the following steps:

Caution: For CrowdStrike GovCloud customers only. If the CrowdStrike tenant is in one of the GovCloud regions, you must open a support ticket so CrowdStrike Support can enable the streaming API. See the CrowdStrike reference article for more information.
  1. Sign in to the Falcon console.

  2. Navigate to Support > API Clients and Keys > OAuth2 API Clients.

  3. Click Add new API client.

  4. In the Client name field, enter a descriptive client name.

  5. For API SCOPES, select Event streams.

  6. Click Add.

    Keep a record of your API client secret. For security purposes, it is only shown when you create or reset the API client. If you lose your secret, you must reset it, which cuts off access for any integrations that still use the previous secret.


FortiSIEM Configuration
  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a CrowdStrike Falcon Credential:
    1. Follow the instructions in “Setting Credentials” in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting           Description
      Name              Enter a name for the credential.
      Device Type       CrowdStrike Falcon
      Access Protocol   Falcon Streaming API
      UUID              Enter the Client ID from the CrowdStrike Server Configuration for the UUID.
      API Secret Key    Enter the Secret from the CrowdStrike Server Configuration for the API Secret Key.
      Organization      Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description       Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter the host name of the API base URL from the CrowdStrike Server Configuration in the IP/Host Name field, for example https://api.crowdstrike.com.
    2. Select the name of the credential created in step 2 from the Credentials drop-down list.
    3. Click Save.
  4. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up shows the Test Connectivity results. Proceed to step 5 when connectivity succeeds.
  5. An entry is created in ADMIN > Setup > Pull Events corresponding to the event pull job. FortiSIEM will start to pull events from the CrowdStrike Cloud service using the Falcon Streaming API.
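The Test Connectivity step above exercises the API client from inside FortiSIEM. The script below, an added example that is not part of this guide or of FortiSIEM, performs the same OAuth2 client-credentials exchange on its own, so a rejected Client ID, Secret, or region base URL can be told apart from a FortiSIEM-side problem. It assumes the public Falcon token endpoint /oauth2/token and its JSON response layout, neither of which appears on this page; the request and response helpers are pure functions so they can be checked offline.

```python
"""Added example: check a CrowdStrike API client before entering it in FortiSIEM.
Assumes the public Falcon OAuth2 token endpoint (/oauth2/token) and response layout."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(base_url, client_id, client_secret):
    """Build the client-credentials POST. base_url is the region's API base URL,
    the same value entered as IP/Host Name in FortiSIEM (GovCloud differs)."""
    url = base_url.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_token_response(status, body):
    """Classify the token response without echoing the token or the secret."""
    if status not in (200, 201):
        return {"ok": False, "expires_in": None,
                "reason": "HTTP %d: wrong Client ID/Secret, wrong region base "
                          "URL, or API client not enabled (see GovCloud note)" % status}
    try:
        data = json.loads(body)
    except ValueError:
        return {"ok": False, "expires_in": None, "reason": "non-JSON response body"}
    if not data.get("access_token"):
        return {"ok": False, "expires_in": None, "reason": "no access_token in response"}
    return {"ok": True, "expires_in": data.get("expires_in"), "reason": "token issued"}


def check_credential(base_url, client_id, client_secret):
    """Perform the exchange over the network; only the classification is returned."""
    req = build_token_request(base_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    # The secret is read from the environment, never from argv or source.
    result = check_credential(os.environ.get("CS_BASE_URL", "https://api.crowdstrike.com"),
                              os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"])
    print("OK" if result["ok"] else "FAILED", "-", result["reason"])
    sys.exit(0 if result["ok"] else 1)
```

A token being issued confirms the Client ID, Secret and base URL; it does not prove the Event streams scope was granted, so the FortiSIEM Test Connectivity step is still required.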

To test for events received via CrowdStrike:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the CrowdStrike entry and click Report.

The system will take you to the ANALYTICS tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.

Protocol: Falcon Streaming API
  Information Discovered: Detection Summary, Authentication Log, Detection Status Update, Indicators of Compromise, Containment Audit Events, IP White-listing events, Sensor Grouping Events
  Used For: Security and Compliance

Protocol: Falcon Data Replicator
  Information Discovered: Detection Summary, User Activity, Authentication Activity
  Used For: Security and Compliance
