Fortinet FortiNDR Cloud
Support Added: FortiSIEM 7.1.0
Vendor Version Tested: Not Provided
Vendor: Fortinet
Product Information: https://www.fortinet.com/products/network-detection-and-response
FortiNDR Cloud is a cloud-native network detection and response solution built for the rapid detection of threat activity, investigation of suspicious behavior, proactive hunting for potential risks, and directing a fast and effective response to active threats.
What is Collected
Object Collected |
Description |
---|---|
Detections – via FortiNDR Cloud API Key integration | FortiNDR Cloud Detections is an alert mechanism that notifies you when events matching a specific criteria appear in your account. Detections allow you to quickly identify and respond to suspicious or known malicious activity in your network. |
Signals – via FortiNDR Cloud Metastream S3 bucket integration | Underlying sensor traffic logs that comprise one or more detections. |
Devices – via FortiNDR Cloud Metastream S3 bucket integration | This is simply a host IP of a device seen on your network, detected by FortiNDR sensor. |
Sensor Data – via FortiNDR Cloud Metastream S3 bucket integration | This is verbose sensor data collected in the customer environment. It is generally not recommended to pull this data unless required. |
S3 bucket data is optional, and it is generally recommended that only signals data be ingested.
For more information on what a detection is in FortiNDR, see here.
Configuration
Setup in FortiNDR
-
Create API Key
-
Enable MetaStream for FortiNDR Cloud (S3 bucket data ingestion – optional )
Create API Key
An API key is required so that FortiSIEM can use to query FortiNDR Cloud. To create an API key, take the following steps:
-
Login to FortiNDR Cloud portal.
-
Click the username icon on top right hand corner of FortiNDR Cloud Portal.
-
On the My Profile page, in the Token section, click Create new token.
-
Store the created token in a password management utility as this will be later used in FortiSIEM. It is strongly recommended to copy it directly into FortiSIEM integration in FortiSIEM Credential Definition, and to not store the key anywhere else.
-
Follow the steps in Setup in FortiSIEM to continue, or follow the optional steps Enable MetaStream for FortiNDR Cloud.
Enable MetaStream for FortiNDR Cloud (S3 bucket data ingestion – optional )
Take the following steps to enable MetaStream for FortiNDR Cloud.
-
Login to FortiNDR Cloud as an administrator.
-
Go to Account Management.
-
Select an account.
-
Click the Modules tab.
-
Find the MetadataStream block.
If the feature is inactivated, click Contact Support to get information on how to contact Fortinet Support to license the Meta Stream feature.
If the feature is enabled, you will see a Retrieve button. Refer to Retrieving S3 Credentials for instructions.
Retrieving S3 Credentials
Note: You must be an "Admin" user to perform these steps.
-
Go to Account Management.
-
Select an account.
-
Click the Modules tab.
-
Find the Metadata Stream block.
-
Click Retrieve to retrieve the credentials.
-
View Credentials in the dialog that appears.
Note the following:
-
Access Key Id
-
Secret Access Key
-
Bucket
-
Prefix
-
Setup in FortiSIEM
Note: The S3 Bucket configuration is optional, and not required to populate the dashboards. This data is ideally for long term retention of underlying event data that resulted in a detection in FortiNDR Cloud.
Take the following steps:
-
Login to FortiSIEM tenant as an administrator.
-
Navigate to Admin > Setup > Credentials.
-
Under Step 1: Enter Credentials, click New.
-
In the Access Method Definition window, input the following:
-
In the Name field, enter "FortiNDR".
-
From the Device Type drop-down list, select Fortinet FortiNDR Cloud.
-
In the API Key field, enter/paste the API Key you created earlier.
-
In the S3 Bucket Name field, enter "fortindr-cloud-metastream".
-
In the S3 Bucket Prefix field, enter "/v1/customer/cust-xxxx/".
-
In the S3 Access Key field, enter/paste your S3 Access Key.
-
In the S3 Access Key Secret and Confirm S3 Access Key field, enter/paste the S3 Access Key Secret.
-
From the S3 Data Set Options drop-down list, select the types of data to ingest.
-
Signals (default)
-
Devices
-
Sensor Data (heavy cost, not recommended unless required)
-
-
When done, click Save.
-
Under Step 2: Enter IP Range to Credential Associations, take the following steps.
-
If the organization has more than 1 collector, select the collector from the drop-down list that will do the API polling.
Note: If the organization has 1 or no collectors, there is no drop-down list, so you can proceed to step 2.
-
Click New.
-
From the Device Credential Mapping Definition window, take the following steps.
-
In the IP/Host Name field, enter "detections.icebrg.io".
-
From the Credentials drop-down list, select the credential you just created in the above steps.
-
Click Save.
-
Note: As of this writing, the current API endpoint for FortiNDR Cloud is “detections.icebrg.io”, but this can change in the future. Reference FortiNDR Cloud API documentation for more information.
Verifying Mapping
To verify your configuration, take the following steps.
-
Under Step 2: Enter IP Range to Credential Associations, select the "IP to Credential Mapping" you just created.
-
Click the Test drop-down, and select Test Connectivity without Ping.
After a successful test, it will be approximately 5 minutes before the first pull job starts. You can view this by clicking the Pull Events tab at the top of the screen.
-
A yellow star next to a pull job means it has not started yet.
-
A green checkmark means the pull job has completed successfully for the latest interval.
-
Other status implies an error.
-
Rules and Reports
The following rules and reports are available.
Rules
FortiNDR Cloud: High Severity Detection triggered for a Host
FortiNDR Cloud: Moderate Severity Detection triggered for a Host
FortiNDR Cloud: Low Severity Detection triggered for a Host
Reports
FortiNDR Cloud: Detection Details
FortiNDR Cloud: Top Detection Categories by Count
FortiNDR Cloud: Top Detection Hosts by Count
FortiNDR Cloud: Top Detections and Hosts by Count
FortiNDR Cloud: Top Detections by Count
FortiNDR Cloud: Top Detection Severities by Count
Search FortiNDR Cloud Events via Event Type Prefix
You can locate FortiNDRCloud raw logs by running a search. FortiNDR Cloud event types contain "FortiNDRCloud". Perform a search by taking the following steps:
-
Navigate to Analytics.
-
Click inside the Edit Filters and Time Range... field.
-
Ensure Event Attribute is selected in Filter By. If not, select it.
-
In the first row, input the following:
-
In the Attribute field, enter/select "Event Type".
-
From the Operator drop-down list, select "=".
-
In the Value field, enter "FortiNDRCloud".
-
Configure any additional parameters, and click Apply & Run.
-