FortiEDR protects endpoints pre and post-infection, and stops data breaches in real-time and automatically orchestrates incident investigation and response.
This document provides information about the Fortinet FortiEDR Connector, which facilitates automated interactions, with your Fortinet FortiEDR server using FortiSOAR™ playbooks. Add the Fortinet FortiEDR Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieves events from Fortinet FortiEDR, searching for a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system, and isolating a collector from the Fortinet FortiEDR network
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 6.0.0-790
Authored By: Fortinet
Certified: Yes
Following enhancements have been made in the Fortinet FortiEDR connector in version 1.1.0:
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-fortinet-fortiedr
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiEDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiEDR server to which you will connect and perform the automated operations. |
Username | Username that contains a Rest API role and using which you will access the Fortinet FortiEDR server to which you will connect and perform the automated operations. |
Password | Password used to access the FortiEDR server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Event by ID | Retrieves a specific event from Fortinet FortiEDR based on the event ID you have specified. | get_event_list Investigation |
Get Events | Retrieves all the events from Fortinet FortiEDR that match the condition(s) you have specified. Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned. |
get_event Investigation |
Get Raw Data Items | Retrieves the raw data items from Fortinet FortiEDR based on the event ID and other input parameters you have specified. | get_raw_data_items Investigation |
Get Event Count | Retrieves the event count from Fortinet FortiEDR based on the filter parameters you have specified. | get_event_count Investigation |
Search Filehash | Searches a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system. | search_filehash Investigation |
Get File | Retrieves a specific file from the specified device from Fortinet FortiEDR, based on the device type, device name/ID, and file paths you have specified, and adds it as an attachment in the "Attachments" module | get_file Investigation |
Retrieve File or Memory | Retrieves a file or memory related to a specific event from Fortinet FortiEDR based on the raw event ID and other input parameters you have specified and adds it as an attachment in the "Attachments" module. | get_event_file Investigation |
Remediate Device | Takes remedi actions on Fortinet FortiEDR such as killing a process, deleting a file and/or cleaning persistent data on which malware was detected based on the device type, device name/ID, and other input parameters you have specified. | remediate_device Remediation |
Get Collector List | Retrieves the list of the collectors from Fortinet FortiEDR based on the device names or IDs, and other input parameters you have specified. | get_collector_list Investigation |
Isolate Collector | Isolates a collector from the Fortinet FortiEDR network based on the list of device IDs or names, and other input parameters you have specified. | isolate_collector Investigation |
Unisolate Collector | Unisolates a collector from the Fortinet FortiEDR network based on the device ID and other input parameters you have specified. | isolate_collector Investigation |
Parameter | Description |
---|---|
Event ID | ID of the event that you want to retrieve from Fortinet FortiEDR. Note: You can get event IDs using the "Get Events" action. |
The output contains the following populated JSON schema:
{
"eventId": "",
"certified": "",
"archived": "",
"lastSeen": "",
"collectors": [
{
"operatingSystem": "",
"lastSeen": "",
"collectorGroup": "",
"ip": "",
"device": "",
"macAddresses": [],
"id": ""
}
],
"destinations": [],
"handled": "",
"processType": "",
"muted": "",
"muteEndTime": "",
"seen": "",
"comment": "",
"firstSeen": "",
"classification": "",
"loggedUsers": [],
"organization": "",
"rules": [],
"process": "",
"severity": "",
"processPath": "",
"action": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Event IDs | List of event IDs based on which you want to retrieve events from Fortinet FortiEDR. |
Device Name | Name of the device on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | List of collector groups whose collector had reported the events that you want to retrieve from Fortinet FortiEDR. |
Operating System | Name of the operating system of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | List of IP addresses of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | MAC addresses where the events that you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | Hash signature of the main process of the event that you want to retrieve from Fortinet FortiEDR. |
Process | Name of the main process of the event that you want to retrieve from Fortinet FortiEDR. |
Process Path | Path of the processes related to the event that you want to retrieve from Fortinet FortiEDR. |
First Seen From | "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Classification | Classification of the events that you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe. |
Actions | Actions that were enforced on the events that you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log. |
Destinations | Connection destination(s) of the events that you want to retrieve from Fortinet FortiEDR. |
Rule | Short rule name of the rule that triggered the events that you want to retrieve from Fortinet FortiEDR. |
Logged in User | Logged-in user associated with the events that you want to retrieve from Fortinet FortiEDR. |
Seen | True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API. |
Handled | True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were handled/unhandled. |
Signed | True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is signed/unsigned. |
Muted | True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is muted/unmuted. |
Organization | Name of the organization whose associated events you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
If you choose All organizations, then this operation will retrieve data that is shared by all organizations. |
Archived | True/False parameter indicating whether to include only archived events while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Page Number | Page number from which you want to retrieve records. |
Items Per Page | Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"eventId": "",
"certified": "",
"archived": "",
"lastSeen": "",
"collectors": [
{
"operatingSystem": "",
"lastSeen": "",
"collectorGroup": "",
"ip": "",
"device": "",
"macAddresses": [],
"id": ""
}
],
"destinations": [],
"handled": "",
"processType": "",
"muted": "",
"muteEndTime": "",
"seen": "",
"comment": "",
"firstSeen": "",
"classification": "",
"loggedUsers": [],
"organization": "",
"rules": [],
"process": "",
"severity": "",
"processPath": "",
"action": ""
}
Parameter | Description |
---|---|
Event ID | ID of the event that holds the raw data items that you want to retrieve from Fortinet FortiEDR. |
Device Name | (Optional) Name of the device on which the raw event that you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | (Optional) List of collector groups whose collector had reported the raw events that you want to retrieve from Fortinet FortiEDR. |
Operating System | (Optional) Name of the operating system of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | (Optional) List of IP addresses of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | (Optional) MAC addresses where the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | (Optional) Hash signature of the main process of the raw event that you want to retrieve from Fortinet FortiEDR. |
Process | (Optional) Name of the main process of the raw event that you want to retrieve from Fortinet FortiEDR. |
Process Path | (Optional) Path of the processes related to the raw event that you want to retrieve from Fortinet FortiEDR. |
First Seen From | (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Full Data Requested | True/False parameter indicating whether to include the event internal information for the raw events that you want to retrieve from Fortinet FortiEDR. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | (Optional) Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"count": "",
"eventId": "",
"lastSeen": "",
"loggedUsers": [],
"rawEventId": "",
"destination": "",
"firstSeen": "",
"device": "",
"deviceIp": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Event IDs | List of comma-separated event IDs based on which you want to retrieve event counts from Fortinet FortiEDR. |
Device Name | (Optional) Name of the device on which the event whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | (Optional) List of collector groups whose collector had reported the events whose counts you want to retrieve from Fortinet FortiEDR. |
Operating System | (Optional) Name of the operating system of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | (Optional) List of IP addresses of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | (Optional) MAC addresses where the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | (Optional) Hash signature of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Process | (Optional) Name of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Process Path | (Optional) Path of the processes related to the events whose counts you want to retrieve from Fortinet FortiEDR. |
First Seen From | (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Classification | Classification of the events whose counts you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe. |
Actions | Actions that were enforced on the events whose counts you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log. |
Destinations | Connection destination(s) of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Rule | Short rule name of the rule that triggered the events whose counts you want to retrieve from Fortinet FortiEDR. |
Seen | True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API. |
Handled | True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were handled/unhandled. |
Signed | True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is signed/unsigned. |
Muted | True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is muted/unmuted. |
Logged in User | Logged-in user associated with the events whose counts you want to retrieve from Fortinet FortiEDR. |
Organization | Name of the organization whose associated event counts you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
|
Archived | True/False parameter indicating whether to include only archived events while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"event_cout": ""
}
Parameter | Description |
---|---|
Filehash | One or more comma-separated file hashes that you want to search for in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"threatsHunting": [
{
"fileName": "",
"deviceName": "",
"path": ""
}
],
"applications": [],
"filehash": "",
"eventIds": []
}
Parameter | Description |
---|---|
Type | Type of the device input parameter from which you want to get the file from Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
File Paths | List of file paths from which you want to retrieve the file. For example, c:\temp\example.exe |
Organization | (Optional) Name of a specific organization whose associated files you want to retrieve from Fortinet FortiEDR. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"@type": "",
"file": {
"@type": "",
"file": {
"@type": ""
},
"mimeType": "",
"@context": "",
"size": "",
"metadata": "",
"filename": "",
"owners": "",
"uploadDate": "",
"@id": ""
},
"createDate": "",
"description": "",
"modifyUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
},
"@id": "",
"name": "",
"modifyDate": "",
"@context": "",
"id": "",
"type": "",
"createUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
}
}
Parameter | Description |
---|---|
Raw Event ID | ID of the raw event on which you want to perform the memory retrieval from Fortinet FortiEDR. |
Retrieve From | Method to be used to perform the memory retrieval from Fortinet FortiEDR. You can choose between Memory or Disk. If you choose Memory, then you must specify the following parameters:
If you choose Disk, then you must specify the following parameters:
|
Process ID | (Optional) ID of the process from which you want to take a memory image. |
Memory Region Start Address | (Optional) Memory start range, in Hexadecimal format from which you want to take a memory image. |
Memory Region End Address | (Optional) Memory end range, in Hexadecimal format from which you want to take a memory image. |
File Paths | (Optional) List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR. |
Retrieve From | (Optional) Choose whether to retrieve the memory from Memory and/or Disk. |
Organization | (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"@type": "",
"file": {
"@type": "",
"file": {
"@type": ""
},
"mimeType": "",
"@context": "",
"size": "",
"metadata": "",
"filename": "",
"owners": "",
"uploadDate": "",
"@id": ""
},
"createDate": "",
"description": "",
"modifyUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
},
"@id": "",
nbsp; "name": "",
"modifyDate": "",
"@context": "",
"id": "",
"type": "",
"createUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
}
}
Parameter | Description |
---|---|
Type | Type of the device input parameter on which you want to perform the remediation action in Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization that contains the device on which you want to perform the remediation action. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
Remediation Action | Action that you want to perform on the specified device. You can choose from the following options: Kill Process, Delete File, Handle Persistent Data, or Remediate Thread. If you choose 'Kill Process', then you must specify the following parameters:
If you choose 'Delete File', then you must specify the following parameter:
If you choose 'Remediate Thread', then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collector list you want to retrieve from Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
Collector Groups | (Optional) List of collector group names whose associated collectors you want to retrieve from Fortinet FortiEDR. |
IPs | (Optional) List of IP addresses whose associated collectors you want to retrieve from Fortinet FortiEDR. |
Operating Systems | (Optional) List of operating systems whose associated collectors you want to retrieve from Fortinet FortiEDR. For example, Windows 7 Pro. |
OS Families | (Optional) List of OS Families whose associated collectors you want to retrieve from Fortinet FortiEDR. e.g Windows, Windows Server, OS X. |
States | (Optional) List of collector states based on which you want to retrieve from Fortinet FortiEDR. You can choose one or more of the following options: Running, Disconnected, Disabled, Degraded, Pending Reboot, Isolated, or Expired. |
Last Seen Start | (Optional) Retrieves collectors from Fortinet FortiEDR that were last seen after the value assigned to this date. |
Last Seen End | (Optional) Retrieve collectors from Fortinet FortiEDR that were last seen before the value assigned to this date. |
Versions | (Optional) List of collector versions that you want to retrieve from Fortinet FortiEDR. |
Strict Mode | (Optional) True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Show Expired | True/False parameter indicating whether to show an expired collector in the results retrieved from Fortinet FortiEDR. |
Logged in User | (Optional) Logged-in user associated with the collectors you want to retrieve from Fortinet FortiEDR. |
Organization | (Optional) Name of the organization whose associated collectors you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
If you choose All organizations, then this operation will retrieve data that is shared by all organizations. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"operatingSystem": "",
"accountName": "",
"version": "",
"osFamily": "",
"ipAddress": "",
"stateAdditionalInfo": "",
"state": "",
"id": "",
"collectorGroupName": "",
"name": "",
"loggedUsers": [],
"organization": "",
"lastSeenTime": "",
"macAddresses": []
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collectors you want to isolate from the Fortinet FortiEDR network. You can choose between ID or Name. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization whose associated collector you want to isolate from the Fortinet FortiEDR network. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collectors you want to unisolate from the Fortinet FortiEDR network. You can choose between ID or Name. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization whose associated collector you want to unisolate from the Fortinet FortiEDR network. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"result": ""
}
The Sample - Fortinet FortiEDR - 1.1.0
playbook collection comes bundled with the Fortinet FortiEDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiEDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
FortiEDR protects endpoints pre and post-infection, and stops data breaches in real-time and automatically orchestrates incident investigation and response.
This document provides information about the Fortinet FortiEDR Connector, which facilitates automated interactions, with your Fortinet FortiEDR server using FortiSOAR™ playbooks. Add the Fortinet FortiEDR Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieves events from Fortinet FortiEDR, searching for a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system, and isolating a collector from the Fortinet FortiEDR network
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 6.0.0-790
Authored By: Fortinet
Certified: Yes
Following enhancements have been made in the Fortinet FortiEDR connector in version 1.1.0:
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-fortinet-fortiedr
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiEDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiEDR server to which you will connect and perform the automated operations. |
Username | Username that contains a Rest API role and using which you will access the Fortinet FortiEDR server to which you will connect and perform the automated operations. |
Password | Password used to access the FortiEDR server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Event by ID | Retrieves a specific event from Fortinet FortiEDR based on the event ID you have specified. | get_event_list Investigation |
Get Events | Retrieves all the events from Fortinet FortiEDR that match the condition(s) you have specified. Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned. |
get_event Investigation |
Get Raw Data Items | Retrieves the raw data items from Fortinet FortiEDR based on the event ID and other input parameters you have specified. | get_raw_data_items Investigation |
Get Event Count | Retrieves the event count from Fortinet FortiEDR based on the filter parameters you have specified. | get_event_count Investigation |
Search Filehash | Searches a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system. | search_filehash Investigation |
Get File | Retrieves a specific file from the specified device from Fortinet FortiEDR, based on the device type, device name/ID, and file paths you have specified, and adds it as an attachment in the "Attachments" module | get_file Investigation |
Retrieve File or Memory | Retrieves a file or memory related to a specific event from Fortinet FortiEDR based on the raw event ID and other input parameters you have specified and adds it as an attachment in the "Attachments" module. | get_event_file Investigation |
Remediate Device | Takes remedi actions on Fortinet FortiEDR such as killing a process, deleting a file and/or cleaning persistent data on which malware was detected based on the device type, device name/ID, and other input parameters you have specified. | remediate_device Remediation |
Get Collector List | Retrieves the list of the collectors from Fortinet FortiEDR based on the device names or IDs, and other input parameters you have specified. | get_collector_list Investigation |
Isolate Collector | Isolates a collector from the Fortinet FortiEDR network based on the list of device IDs or names, and other input parameters you have specified. | isolate_collector Investigation |
Unisolate Collector | Unisolates a collector from the Fortinet FortiEDR network based on the device ID and other input parameters you have specified. | isolate_collector Investigation |
Parameter | Description |
---|---|
Event ID | ID of the event that you want to retrieve from Fortinet FortiEDR. Note: You can get event IDs using the "Get Events" action. |
The output contains the following populated JSON schema:
{
"eventId": "",
"certified": "",
"archived": "",
"lastSeen": "",
"collectors": [
{
"operatingSystem": "",
"lastSeen": "",
"collectorGroup": "",
"ip": "",
"device": "",
"macAddresses": [],
"id": ""
}
],
"destinations": [],
"handled": "",
"processType": "",
"muted": "",
"muteEndTime": "",
"seen": "",
"comment": "",
"firstSeen": "",
"classification": "",
"loggedUsers": [],
"organization": "",
"rules": [],
"process": "",
"severity": "",
"processPath": "",
"action": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Event IDs | List of event IDs based on which you want to retrieve events from Fortinet FortiEDR. |
Device Name | Name of the device on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | List of collector groups whose collector had reported the events that you want to retrieve from Fortinet FortiEDR. |
Operating System | Name of the operating system of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | List of IP addresses of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | MAC addresses where the events that you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | Hash signature of the main process of the event that you want to retrieve from Fortinet FortiEDR. |
Process | Name of the main process of the event that you want to retrieve from Fortinet FortiEDR. |
Process Path | Path of the processes related to the event that you want to retrieve from Fortinet FortiEDR. |
First Seen From | "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Classification | Classification of the events that you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe. |
Actions | Actions that were enforced on the events that you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log. |
Destinations | Connection destination(s) of the events that you want to retrieve from Fortinet FortiEDR. |
Rule | Short rule name of the rule that triggered the events that you want to retrieve from Fortinet FortiEDR. |
Logged in User | Logged-in user associated with the events that you want to retrieve from Fortinet FortiEDR. |
Seen | True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API. |
Handled | True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were handled/unhandled. |
Signed | True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is signed/unsigned. |
Muted | True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is muted/unmuted. |
Organization | Name of the organization whose associated events you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
If you choose All organizations, then this operation will retrieve data that is shared by all organizations. |
Archived | True/False parameter indicating whether to include only archived events while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Page Number | Page number from which you want to retrieve records. |
Items Per Page | Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"eventId": "",
"certified": "",
"archived": "",
"lastSeen": "",
"collectors": [
{
"operatingSystem": "",
"lastSeen": "",
"collectorGroup": "",
"ip": "",
"device": "",
"macAddresses": [],
"id": ""
}
],
"destinations": [],
"handled": "",
"processType": "",
"muted": "",
"muteEndTime": "",
"seen": "",
"comment": "",
"firstSeen": "",
"classification": "",
"loggedUsers": [],
"organization": "",
"rules": [],
"process": "",
"severity": "",
"processPath": "",
"action": ""
}
Parameter | Description |
---|---|
Event ID | ID of the event that holds the raw data items that you want to retrieve from Fortinet FortiEDR. |
Device Name | (Optional) Name of the device on which the raw event that you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | (Optional) List of collector groups whose collector had reported the raw events that you want to retrieve from Fortinet FortiEDR. |
Operating System | (Optional) Name of the operating system of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | (Optional) List of IP addresses of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | (Optional) MAC addresses where the raw events that you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | (Optional) Hash signature of the main process of the raw event that you want to retrieve from Fortinet FortiEDR. |
Process | (Optional) Name of the main process of the raw event that you want to retrieve from Fortinet FortiEDR. |
Process Path | (Optional) Path of the processes related to the raw event that you want to retrieve from Fortinet FortiEDR. |
First Seen From | (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false. |
Full Data Requested | True/False parameter indicating whether to include the event internal information for the raw events that you want to retrieve from Fortinet FortiEDR. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | (Optional) Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"count": "",
"eventId": "",
"lastSeen": "",
"loggedUsers": [],
"rawEventId": "",
"destination": "",
"firstSeen": "",
"device": "",
"deviceIp": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Event IDs | List of comma-separated event IDs based on which you want to retrieve event counts from Fortinet FortiEDR. |
Device Name | (Optional) Name of the device on which the event whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Collector Groups | (Optional) List of collector groups whose collector had reported the events whose counts you want to retrieve from Fortinet FortiEDR. |
Operating System | (Optional) Name of the operating system of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Device IPs | (Optional) List of IP addresses of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
MAC Addresses | (Optional) MAC addresses where the events whose counts you want to retrieve from Fortinet FortiEDR occurred. |
Filehash | (Optional) Hash signature of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Process | (Optional) Name of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Process Path | (Optional) Path of the processes related to the events whose counts you want to retrieve from Fortinet FortiEDR. |
First Seen From | (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range. |
First Seen To | (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range. |
Last Seen From | (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range. |
Last Seen To | (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range. |
Classification | Classification of the events whose counts you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe. |
Actions | Actions that were enforced on the events whose counts you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log. |
Destinations | Connection destination(s) of the events whose counts you want to retrieve from Fortinet FortiEDR. |
Rule | Short rule name of the rule that triggered the events whose counts you want to retrieve from Fortinet FortiEDR. |
Seen | True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API. |
Handled | True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were handled/unhandled. |
Signed | True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is signed/unsigned. |
Muted | True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is muted/unmuted. |
Logged in User | Logged-in user associated with the events whose counts you want to retrieve from Fortinet FortiEDR. |
Organization | Name of the organization whose associated event counts you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
|
Archived | True/False parameter indicating whether to include only archived events while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Strict Mode | True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"event_cout": ""
}
Parameter | Description |
---|---|
Filehash | One or more comma-separated file hashes that you want to search for in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"threatsHunting": [
{
"fileName": "",
"deviceName": "",
"path": ""
}
],
"applications": [],
"filehash": "",
"eventIds": []
}
Parameter | Description |
---|---|
Type | Type of the device input parameter from which you want to get the file from Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
File Paths | List of file paths from which you want to retrieve the file. For example, c:\temp\example.exe |
Organization | (Optional) Name of a specific organization whose associated files you want to retrieve from Fortinet FortiEDR. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"@type": "",
"file": {
"@type": "",
"file": {
"@type": ""
},
"mimeType": "",
"@context": "",
"size": "",
"metadata": "",
"filename": "",
"owners": "",
"uploadDate": "",
"@id": ""
},
"createDate": "",
"description": "",
"modifyUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
},
"@id": "",
"name": "",
"modifyDate": "",
"@context": "",
"id": "",
"type": "",
"createUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
}
}
Parameter | Description |
---|---|
Raw Event ID | ID of the raw event on which you want to perform the memory retrieval from Fortinet FortiEDR. |
Retrieve From | Method to be used to perform the memory retrieval from Fortinet FortiEDR. You can choose between Memory or Disk. If you choose Memory, then you must specify the following parameters:
If you choose Disk, then you must specify the following parameters:
|
Process ID | (Optional) ID of the process from which you want to take a memory image. |
Memory Region Start Address | (Optional) Memory start range, in Hexadecimal format from which you want to take a memory image. |
Memory Region End Address | (Optional) Memory end range, in Hexadecimal format from which you want to take a memory image. |
File Paths | (Optional) List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR. |
Retrieve From | (Optional) Choose whether to retrieve the memory from Memory and/or Disk. |
Organization | (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"@type": "",
"file": {
"@type": "",
"file": {
"@type": ""
},
"mimeType": "",
"@context": "",
"size": "",
"metadata": "",
"filename": "",
"owners": "",
"uploadDate": "",
"@id": ""
},
"createDate": "",
"description": "",
"modifyUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
},
"@id": "",
nbsp; "name": "",
"modifyDate": "",
"@context": "",
"id": "",
"type": "",
"createUser": {
"@type": "",
"modifyDate": "",
"createDate": "",
"@settings": "",
"modifyUser": "",
"id": "",
"userType": "",
"name": "",
"@id": "",
"userId": "",
"avatar": "",
"createUser": ""
}
}
Parameter | Description |
---|---|
Type | Type of the device input parameter on which you want to perform the remediation action in Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization that contains the device on which you want to perform the remediation action. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
Remediation Action | Action that you want to perform on the specified device. You can choose from the following options: Kill Process, Delete File, Handle Persistent Data, or Remediate Thread. If you choose 'Kill Process', then you must specify the following parameters:
If you choose 'Delete File', then you must specify the following parameter:
If you choose 'Remediate Thread', then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collector list you want to retrieve from Fortinet FortiEDR. You can choose between ID or NAME. If you choose 'ID', then you must specify the following parameter:
|
Collector Groups | (Optional) List of collector group names whose associated collectors you want to retrieve from Fortinet FortiEDR. |
IPs | (Optional) List of IP addresses whose associated collectors you want to retrieve from Fortinet FortiEDR. |
Operating Systems | (Optional) List of operating systems whose associated collectors you want to retrieve from Fortinet FortiEDR. For example, Windows 7 Pro. |
OS Families | (Optional) List of OS Families whose associated collectors you want to retrieve from Fortinet FortiEDR. e.g Windows, Windows Server, OS X. |
States | (Optional) List of collector states based on which you want to retrieve from Fortinet FortiEDR. You can choose one or more of the following options: Running, Disconnected, Disabled, Degraded, Pending Reboot, Isolated, or Expired. |
Last Seen Start | (Optional) Retrieves collectors from Fortinet FortiEDR that were last seen after the value assigned to this date. |
Last Seen End | (Optional) Retrieve collectors from Fortinet FortiEDR that were last seen before the value assigned to this date. |
Versions | (Optional) List of collector versions that you want to retrieve from Fortinet FortiEDR. |
Strict Mode | (Optional) True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false. |
Show Expired | True/False parameter indicating whether to show an expired collector in the results retrieved from Fortinet FortiEDR. |
Logged in User | (Optional) Logged-in user associated with the collectors you want to retrieve from Fortinet FortiEDR. |
Organization | (Optional) Name of the organization whose associated collectors you want to retrieve from Fortinet FortiEDR. The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies. If you choose Exact organization name, then you must specify the following parameter:
If you choose All organizations, then this operation will retrieve data that is shared by all organizations. |
Page Number | (Optional) Page number from which you want to retrieve records. |
Items Per Page | (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000". |
Sorting | Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false} . True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on. |
The output contains the following populated JSON schema:
{
"operatingSystem": "",
"accountName": "",
"version": "",
"osFamily": "",
"ipAddress": "",
"stateAdditionalInfo": "",
"state": "",
"id": "",
"collectorGroupName": "",
"name": "",
"loggedUsers": [],
"organization": "",
"lastSeenTime": "",
"macAddresses": []
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collectors you want to isolate from the Fortinet FortiEDR network. You can choose between ID or Name. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization whose associated collector you want to isolate from the Fortinet FortiEDR network. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Type | Type of the device whose associate collectors you want to unisolate from the Fortinet FortiEDR network. You can choose between ID or Name. If you choose 'ID', then you must specify the following parameter:
|
Organization | (Optional) Name of a specific organization whose associated collector you want to unisolate from the Fortinet FortiEDR network. Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR. |
The output contains the following populated JSON schema:
{
"result": ""
}
The Sample - Fortinet FortiEDR - 1.1.0
playbook collection comes bundled with the Fortinet FortiEDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiEDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.