Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Fortinet FortiEDR

Fortinet FortiEDR

Integration Points

Method Information discovered Metrics collected LOGs collected Used for
Syslog Host name, Reporting IP None System and Security Events (e.g., file blocked) Security monitoring

Event Types

In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.

Rules

No specific rules are written for FortiEDR but generic end point rules apply

Reports

No specific reports are written for FortiEDR but generic end point rules apply

Configuration

Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)

Syslog Configuration

To configure syslog for FortiEDR, take the following steps:

Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).

  1. Login to the FortiEDR Central Maanger.

  2. Navigate to Administration > Export Settings > Syslog.

  3. Click Define New Syslog and fill in the following fields.
    Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.

    Field

    Input

    Name Input "FortiSIEM".
    Host Enter the IP address or FQDN of the FortiSIEM Collector.
    Port Input "514".
    Protocol Select UDP.
    Use SSL Make sure the checkbox is unchecked.
  4. Click the save icon to complete the configuration.

Configuration via API

Setup in FortiEDR

Take the following steps in FortiEDR.

  1. Login to your FortiEDR device and to go ADMINISTRATION > LICENSING > <Name>.

  2. Give REST API permission to a new or existing user in ADMINISTRATION > USERS, and ensure the user has Local Admin permissions.

  3. Remember the user name and password for your setup in FortiSIEM.

Setup in FortiSIEM

FortiSIEM processes events from this via the Fortinet FortiEDR API. Configure and obtain the user name and password from the API before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeFortinet FortiEDR
      Access ProtocolFortiEDR_API
      Pull Interval5 minutes

      Tenant ID

      The FortiEDR tenant ID.

      User NameThe user name for your FortiEDR account.
      PasswordThe password for your FortiEDR account.

      Confirm Password

      Input the same password as above for verification.

      DescriptionDescription about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiEDR.
  5. To see the jobs associated with FortiEDR, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "FortiEDR" in the search box.

For a video example of FortiSIEM investigation of a FortiEDR Alert, see here.

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;

Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;

Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;

Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;

First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;

Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;

MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A

Fortinet FortiEDR

Fortinet FortiEDR

Integration Points

Method Information discovered Metrics collected LOGs collected Used for
Syslog Host name, Reporting IP None System and Security Events (e.g., file blocked) Security monitoring

Event Types

In ADMIN > Device Support > Event Types, and search for "FortiEDR" to see the event types associated with this device.

Rules

No specific rules are written for FortiEDR but generic end point rules apply

Reports

No specific reports are written for FortiEDR but generic end point rules apply

Configuration

Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below)

Syslog Configuration

To configure syslog for FortiEDR, take the following steps:

Note: It is recommended you refer to the latest FortiEDR Administration Guide for the most current information. Steps provided here are based off the 5.0 FortiEDR Administration Guide (Refer to page 206).

  1. Login to the FortiEDR Central Maanger.

  2. Navigate to Administration > Export Settings > Syslog.

  3. Click Define New Syslog and fill in the following fields.
    Note: If logs must pass across an unprotected medium, see the FortiEDR guide for Configuring Syslog over TLS on FortiSIEM collectors, and set port to 6514, protocol TCP, with Use SSL checked.

    Field

    Input

    Name Input "FortiSIEM".
    Host Enter the IP address or FQDN of the FortiSIEM Collector.
    Port Input "514".
    Protocol Select UDP.
    Use SSL Make sure the checkbox is unchecked.
  4. Click the save icon to complete the configuration.

Configuration via API

Setup in FortiEDR

Take the following steps in FortiEDR.

  1. Login to your FortiEDR device and to go ADMINISTRATION > LICENSING > <Name>.

  2. Give REST API permission to a new or existing user in ADMINISTRATION > USERS, and ensure the user has Local Admin permissions.

  3. Remember the user name and password for your setup in FortiSIEM.

Setup in FortiSIEM

FortiSIEM processes events from this via the Fortinet FortiEDR API. Configure and obtain the user name and password from the API before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeFortinet FortiEDR
      Access ProtocolFortiEDR_API
      Pull Interval5 minutes

      Tenant ID

      The FortiEDR tenant ID.

      User NameThe user name for your FortiEDR account.
      PasswordThe password for your FortiEDR account.

      Confirm Password

      Input the same password as above for verification.

      DescriptionDescription about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiEDR.
  5. To see the jobs associated with FortiEDR, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "FortiEDR" in the search box.

For a video example of FortiSIEM investigation of a FortiEDR Alert, see here.

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;

Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;

Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;

Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;

First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;

Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;

MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A