Fortinet Document Library

Version:


Table of Contents

Fortinet FortiEDR

1.1.0
Copy Link

About the connector

FortiEDR protects endpoints pre and post-infection, and stops data breaches in real-time and automatically orchestrates incident investigation and response.

This document provides information about the Fortinet FortiEDR Connector, which facilitates automated interactions, with your Fortinet FortiEDR server using FortiSOAR™ playbooks. Add the Fortinet FortiEDR Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieves events from Fortinet FortiEDR, searching for a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system, and isolating a collector from the Fortinet FortiEDR network

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made in the Fortinet FortiEDR connector in version 1.1.0:

  • Certified the Fortinet FortiEDR connector.

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortiedr

Prerequisites to configuring the connector

  • You must have the URL of Fortinet FortiEDR server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
  • Users who have to use the Fortinet FortiEDR must be assigned a role with "REST API Access".
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiEDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Fortinet FortiEDR server to which you will connect and perform the automated operations.
Username Username that contains a Rest API role and using which you will access the Fortinet FortiEDR server to which you will connect and perform the automated operations.
Password Password used to access the FortiEDR server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Event by ID Retrieves a specific event from Fortinet FortiEDR based on the event ID you have specified. get_event_list
Investigation
Get Events Retrieves all the events from Fortinet FortiEDR that match the condition(s) you have specified.
Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned.
get_event
Investigation
Get Raw Data Items Retrieves the raw data items from Fortinet FortiEDR based on the event ID and other input parameters you have specified. get_raw_data_items
Investigation
Get Event Count Retrieves the event count from Fortinet FortiEDR based on the filter parameters you have specified. get_event_count
Investigation
Search Filehash Searches a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system. search_filehash
Investigation
Get File Retrieves a specific file from the specified device from Fortinet FortiEDR, based on the device type, device name/ID, and file paths you have specified, and adds it as an attachment in the "Attachments" module get_file
Investigation
Retrieve File or Memory Retrieves a file or memory related to a specific event from Fortinet FortiEDR based on the raw event ID and other input parameters you have specified and adds it as an attachment in the "Attachments" module. get_event_file
Investigation
Remediate Device Takes remedi actions on Fortinet FortiEDR such as killing a process, deleting a file and/or cleaning persistent data on which malware was detected based on the device type, device name/ID, and other input parameters you have specified. remediate_device
Remediation
Get Collector List Retrieves the list of the collectors from Fortinet FortiEDR based on the device names or IDs, and other input parameters you have specified. get_collector_list
Investigation
Isolate Collector Isolates a collector from the Fortinet FortiEDR network based on the list of device IDs or names, and other input parameters you have specified. isolate_collector
Investigation
Unisolate Collector Unisolates a collector from the Fortinet FortiEDR network based on the device ID and other input parameters you have specified. isolate_collector
Investigation

operation: Get Event by ID

Input parameters

Parameter Description
Event ID ID of the event that you want to retrieve from Fortinet FortiEDR.
Note: You can get event IDs using the "Get Events" action.

Output

The output contains the following populated JSON schema:
{
     "eventId": "",
     "certified": "",
     "archived": "",
     "lastSeen": "",
     "collectors": [
         {
             "operatingSystem": "",
             "lastSeen": "",
             "collectorGroup": "",
             "ip": "",
             "device": "",
             "macAddresses": [],
             "id": ""
         }
     ],
     "destinations": [],
     "handled": "",
     "processType": "",
     "muted": "",
     "muteEndTime": "",
     "seen": "",
     "comment": "",
     "firstSeen": "",
     "classification": "",
     "loggedUsers": [],
     "organization": "",
     "rules": [],
     "process": "",
     "severity": "",
     "processPath": "",
     "action": ""
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Event IDs List of event IDs based on which you want to retrieve events from Fortinet FortiEDR.
Device Name Name of the device on which the events that you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups List of collector groups whose collector had reported the events that you want to retrieve from Fortinet FortiEDR.
Operating System Name of the operating system of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred.
Device IPs List of IP addresses of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses MAC addresses where the events that you want to retrieve from Fortinet FortiEDR occurred.
Filehash Hash signature of the main process of the event that you want to retrieve from Fortinet FortiEDR.
Process Name of the main process of the event that you want to retrieve from Fortinet FortiEDR.
Process Path Path of the processes related to the event that you want to retrieve from Fortinet FortiEDR.
First Seen From "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Classification Classification of the events that you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe.
Actions Actions that were enforced on the events that you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log.
Destinations Connection destination(s) of the events that you want to retrieve from Fortinet FortiEDR.
Rule Short rule name of the rule that triggered the events that you want to retrieve from Fortinet FortiEDR.
Logged in User Logged-in user associated with the events that you want to retrieve from Fortinet FortiEDR.
Seen True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API.
Handled True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were handled/unhandled.
Signed True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is signed/unsigned.
Muted True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is muted/unmuted.
Organization Name of the organization whose associated events you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated events you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose All organizations, then this operation will retrieve data that is shared by all organizations.

Archived True/False parameter indicating whether to include only archived events while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Page Number Page number from which you want to retrieve records.
Items Per Page Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "eventId": "",
     "certified": "",
     "archived": "",
     "lastSeen": "",
     "collectors": [
         {
             "operatingSystem": "",
             "lastSeen": "",
             "collectorGroup": "",
             "ip": "",
             "device": "",
             "macAddresses": [],
             "id": ""
         }
     ],
     "destinations": [],
     "handled": "",
     "processType": "",
     "muted": "",
     "muteEndTime": "",
     "seen": "",
     "comment": "",
     "firstSeen": "",
     "classification": "",
     "loggedUsers": [],
     "organization": "",
     "rules": [],
     "process": "",
     "severity": "",
     "processPath": "",
     "action": ""
}

operation: Get Raw Data Items

Input parameters

Parameter Description
Event ID ID of the event that holds the raw data items that you want to retrieve from Fortinet FortiEDR.
Device Name (Optional) Name of the device on which the raw event that you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups (Optional) List of collector groups whose collector had reported the raw events that you want to retrieve from Fortinet FortiEDR.
Operating System (Optional) Name of the operating system of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred.
Device IPs (Optional) List of IP addresses of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses (Optional) MAC addresses where the raw events that you want to retrieve from Fortinet FortiEDR occurred.
Filehash (Optional) Hash signature of the main process of the raw event that you want to retrieve from Fortinet FortiEDR.
Process (Optional) Name of the main process of the raw event that you want to retrieve from Fortinet FortiEDR.
Process Path (Optional) Path of the processes related to the raw event that you want to retrieve from Fortinet FortiEDR.
First Seen From (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Full Data Requested True/False parameter indicating whether to include the event internal information for the raw events that you want to retrieve from Fortinet FortiEDR.
Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting (Optional) Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "count": "",
     "eventId": "",
     "lastSeen": "",
     "loggedUsers": [],
     "rawEventId": "",
     "destination": "",
     "firstSeen": "",
     "device": "",
     "deviceIp": ""
}

operation: Get Event Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Event IDs List of comma-separated event IDs based on which you want to retrieve event counts from Fortinet FortiEDR.
Device Name (Optional) Name of the device on which the event whose counts you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups (Optional) List of collector groups whose collector had reported the events whose counts you want to retrieve from Fortinet FortiEDR.
Operating System (Optional) Name of the operating system of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
Device IPs (Optional) List of IP addresses of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses (Optional) MAC addresses where the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
Filehash (Optional) Hash signature of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR.
Process (Optional) Name of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR.
Process Path (Optional) Path of the processes related to the events whose counts you want to retrieve from Fortinet FortiEDR.
First Seen From (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Classification Classification of the events whose counts you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe.
Actions Actions that were enforced on the events whose counts you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log.
Destinations Connection destination(s) of the events whose counts you want to retrieve from Fortinet FortiEDR.
Rule Short rule name of the rule that triggered the events whose counts you want to retrieve from Fortinet FortiEDR.
Seen True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API.
Handled True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were handled/unhandled.
Signed True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is signed/unsigned.
Muted True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is muted/unmuted.
Logged in User Logged-in user associated with the events whose counts you want to retrieve from Fortinet FortiEDR.
Organization Name of the organization whose associated event counts you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated event counts you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
If you choose All organizations, then this operation will retrieve data that is shared by all organizations.
Archived True/False parameter indicating whether to include only archived events while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "event_cout": ""
}

operation: Search Filehash

Input parameters

Parameter Description
Filehash One or more comma-separated file hashes that you want to search for in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "threatsHunting": [
         {
             "fileName": "",
             "deviceName": "",
             "path": ""
         }
     ],
     "applications": [],
     "filehash": "",
     "eventIds": []
}

operation: Get File

Input parameters

Parameter Description
Type Type of the device input parameter from which you want to get the file from Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device ID: ID of the device from which you want to retrieve the file.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: Name of the device from which you want to retrieve the file.
File Paths List of file paths from which you want to retrieve the file. For example, c:\temp\example.exe
Organization (Optional) Name of a specific organization whose associated files you want to retrieve from Fortinet FortiEDR.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "@type": "",
     "file": {
         "@type": "",
         "file": {
             "@type": ""
         },
         "mimeType": "",
         "@context": "",
         "size": "",
         "metadata": "",
         "filename": "",
         "owners": "",
         "uploadDate": "",
         "@id": ""
     },
     "createDate": "",
     "description": "",
     "modifyUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     },
     "@id": "",
     "name": "",
     "modifyDate": "",
     "@context": "",
     "id": "",
     "type": "",
     "createUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     }
}

operation: Retrieve File or Memory

Input parameters

Parameter Description
Raw Event ID ID of the raw event on which you want to perform the memory retrieval from Fortinet FortiEDR.
Retrieve From  Method to be used to perform the memory retrieval from Fortinet FortiEDR. You can choose between Memory or Disk.
If you choose Memory, then you must specify the following parameters:
  • Process ID: ID of the process from which you want to take a memory image.
  • Memory Region Start Address: Memory start range, in Hexadecimal format from which you want to take a memory image.
  • Memory Region End Address: Memory end range, in Hexadecimal format from which you want to take a memory image.
  • Organization: (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose Disk, then you must specify the following parameters:

  • File Paths: List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR.
  • Organization: (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
Process ID (Optional) ID of the process from which you want to take a memory image.
Memory Region Start Address (Optional) Memory start range, in Hexadecimal format from which you want to take a memory image.
Memory Region End Address (Optional) Memory end range, in Hexadecimal format from which you want to take a memory image.
File Paths (Optional) List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR.
Retrieve From (Optional) Choose whether to retrieve the memory from Memory and/or Disk.
Organization (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "@type": "",
     "file": {
         "@type": "",
         "file": {
             "@type": ""
         },
         "mimeType": "",
         "@context": "",
         "size": "",
         "metadata": "",
         "filename": "",
         "owners": "",
         "uploadDate": "",
         "@id": ""
     },
     "createDate": "",
     "description": "",
     "modifyUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     },
     "@id": "",
 nbsp;    "name": "",
     "modifyDate": "",
     "@context": "",
     "id": "",
     "type": "",
     "createUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     }
}

operation: Remediate Device

Input parameters

Parameter Description
Type Type of the device input parameter on which you want to perform the remediation action in Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device ID: ID of the device on which you want to take the remediation action.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: Name of the device on which you want to take the remediation action.
Organization (Optional) Name of a specific organization that contains the device on which you want to perform the remediation action.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
Remediation Action Action that you want to perform on the specified device. You can choose from the following options: Kill Process, Delete File, Handle Persistent Data, or Remediate Thread.
If you choose 'Kill Process', then you must specify the following parameters:
  • Process ID: ID of the process you want to terminate on the specified device.
  • Process Name: (Optional) Name of the process you want to terminate on the specified device.

If you choose 'Delete File', then you must specify the following parameter:

  • Delete File at Path: List containing the full path of executable files (*.exe) that you want to delete from the specified device.
If you choose 'Handle Persistent Data', then you must specify the following parameter:
  • Persistence Data (Registry) Action: Action that should be taken for persistent data on the specified device. You can choose from the following options: Delete Key, Delete Value, or Update.
    • If you choose 'Delete Key', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data whose key you want to delete on the specified device.
      • Persistence Data (Registry) Value Name: Name of the key value of the persistent data you want to delete on the specified device.
    • If you choose 'Delete Value', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data whose value you want to delete on the specified device.
      • Persistence Data (Registry) Value Name: Name of the value of the persistent data that you want to delete on the specified device.
    • If you choose 'Update', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data that you want to update on the specified device.
      • Persistence Data (Registry) Value Name: Name of the value of the persistent data you want to update on the specified device.
      • Persistence Data (Registry) Value New Type: New data value type that should be applied to the persistent data on the specified device. You can choose from the following options: REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_REQUIREMENTS_LIST, or REG_QWORD.threadId: (This specifies the thread ID)
      • Persistence Data (Registry) New Content: New data content that should be applied to the persistent data on the specified device. The content format provided depends on the type used in persistenceDataValueNewType. The format should be provided as follows: 
        • String value for the following types: REG_SZ(1), REG_EXPAND_SZ(2), REG_DWORD(4), and REG_QWORD(11). 
        • Base64 for the following types: REG_BINARY(3), REG_DWORD_BIG_ENDIAN(5), REG_LINK(6), REG_MULTI_SZ(7), REG_RESOURCE_LIST(8), REG_FULL_RESOURCE_DESCRIPTOR(9), and REG_RESOURCE_REQUIREMENTS_LIST(10)

If you choose 'Remediate Thread', then you must specify the following parameter:

  • Thread ID: ID of the thread on which you want to take the remediation action.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Collector List

Input parameters

Parameter Description
Type Type of the device whose associate collector list you want to retrieve from Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collector list you want to retrieve from Fortinet FortiEDR.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: List of device names whose associate collector list you want to retrieve from Fortinet FortiEDR.
Collector Groups (Optional) List of collector group names whose associated collectors you want to retrieve from Fortinet FortiEDR.
IPs (Optional) List of IP addresses whose associated collectors you want to retrieve from Fortinet FortiEDR.
Operating Systems (Optional) List of operating systems whose associated collectors you want to retrieve from Fortinet FortiEDR. For example, Windows 7 Pro.
OS Families (Optional) List of OS Families whose associated collectors you want to retrieve from Fortinet FortiEDR. e.g Windows, Windows Server, OS X.
States (Optional) List of collector states based on which you want to retrieve from Fortinet FortiEDR. You can choose one or more of the following options: Running, Disconnected, Disabled, Degraded, Pending Reboot, Isolated, or Expired.
Last Seen Start (Optional) Retrieves collectors from Fortinet FortiEDR that were last seen after the value assigned to this date.
Last Seen End (Optional) Retrieve collectors from Fortinet FortiEDR that were last seen before the value assigned to this date.
Versions (Optional) List of collector versions that you want to retrieve from Fortinet FortiEDR.
Strict Mode (Optional) True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Show Expired True/False parameter indicating whether to show an expired collector in the results retrieved from Fortinet FortiEDR.
Logged in User (Optional) Logged-in user associated with the collectors you want to retrieve from Fortinet FortiEDR.
Organization (Optional) Name of the organization whose associated collectors you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated collectors you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose All organizations, then this operation will retrieve data that is shared by all organizations.

Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "operatingSystem": "",
     "accountName": "",
     "version": "",
     "osFamily": "",
     "ipAddress": "",
     "stateAdditionalInfo": "",
     "state": "",
     "id": "",
     "collectorGroupName": "",
     "name": "",
     "loggedUsers": [],
     "organization": "",
     "lastSeenTime": "",
     "macAddresses": []
}

operation: Isolate Collector

Input parameters

Parameter Description
Type Type of the device whose associate collectors you want to isolate from the Fortinet FortiEDR network. You can choose between ID or Name.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collectors you want to isolate from the Fortinet FortiEDR network.
If you choose 'Name', then you must specify the following parameter:
  • Device Names: List of device names whose associate collectors you want to isolate from the Fortinet FortiEDR network.
Organization (Optional) Name of a specific organization whose associated collector you want to isolate from the Fortinet FortiEDR network.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Unisolate Collector

Input parameters

Parameter Description
Type Type of the device whose associate collectors you want to unisolate from the Fortinet FortiEDR network. You can choose between ID or Name.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collectors you want to unisolate from the Fortinet FortiEDR network.
If you choose 'Name', then you must specify the following parameter:
  • Device Names: List of device names whose associate collectors you want to unisolate from the Fortinet FortiEDR network.
Organization (Optional) Name of a specific organization whose associated collector you want to unisolate from the Fortinet FortiEDR network.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

Included playbooks

The Sample - Fortinet FortiEDR - 1.1.0 playbook collection comes bundled with the Fortinet FortiEDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiEDR connector.

  • Get Collector List
  • Get Event by ID
  • Get Event Count
  • Get Events
  • Get File
  • Get Raw Data Items
  • Isolate Collector
  • Remediate Device
  • Retrieve File or Memory
  • Search Filehash
  • Unisolate Collector

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

FortiEDR protects endpoints pre and post-infection, and stops data breaches in real-time and automatically orchestrates incident investigation and response.

This document provides information about the Fortinet FortiEDR Connector, which facilitates automated interactions, with your Fortinet FortiEDR server using FortiSOAR™ playbooks. Add the Fortinet FortiEDR Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieves events from Fortinet FortiEDR, searching for a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system, and isolating a collector from the Fortinet FortiEDR network

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made in the Fortinet FortiEDR connector in version 1.1.0:

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortiedr

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiEDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Fortinet FortiEDR server to which you will connect and perform the automated operations.
Username Username that contains a Rest API role and using which you will access the Fortinet FortiEDR server to which you will connect and perform the automated operations.
Password Password used to access the FortiEDR server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Event by ID Retrieves a specific event from Fortinet FortiEDR based on the event ID you have specified. get_event_list
Investigation
Get Events Retrieves all the events from Fortinet FortiEDR that match the condition(s) you have specified.
Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned.
get_event
Investigation
Get Raw Data Items Retrieves the raw data items from Fortinet FortiEDR based on the event ID and other input parameters you have specified. get_raw_data_items
Investigation
Get Event Count Retrieves the event count from Fortinet FortiEDR based on the filter parameters you have specified. get_event_count
Investigation
Search Filehash Searches a file hash among the current events, threat hunting repository, and communicating applications that exist in the Fortinet FortiEDR system. search_filehash
Investigation
Get File Retrieves a specific file from the specified device from Fortinet FortiEDR, based on the device type, device name/ID, and file paths you have specified, and adds it as an attachment in the "Attachments" module get_file
Investigation
Retrieve File or Memory Retrieves a file or memory related to a specific event from Fortinet FortiEDR based on the raw event ID and other input parameters you have specified and adds it as an attachment in the "Attachments" module. get_event_file
Investigation
Remediate Device Takes remedi actions on Fortinet FortiEDR such as killing a process, deleting a file and/or cleaning persistent data on which malware was detected based on the device type, device name/ID, and other input parameters you have specified. remediate_device
Remediation
Get Collector List Retrieves the list of the collectors from Fortinet FortiEDR based on the device names or IDs, and other input parameters you have specified. get_collector_list
Investigation
Isolate Collector Isolates a collector from the Fortinet FortiEDR network based on the list of device IDs or names, and other input parameters you have specified. isolate_collector
Investigation
Unisolate Collector Unisolates a collector from the Fortinet FortiEDR network based on the device ID and other input parameters you have specified. isolate_collector
Investigation

operation: Get Event by ID

Input parameters

Parameter Description
Event ID ID of the event that you want to retrieve from Fortinet FortiEDR.
Note: You can get event IDs using the "Get Events" action.

Output

The output contains the following populated JSON schema:
{
     "eventId": "",
     "certified": "",
     "archived": "",
     "lastSeen": "",
     "collectors": [
         {
             "operatingSystem": "",
             "lastSeen": "",
             "collectorGroup": "",
             "ip": "",
             "device": "",
             "macAddresses": [],
             "id": ""
         }
     ],
     "destinations": [],
     "handled": "",
     "processType": "",
     "muted": "",
     "muteEndTime": "",
     "seen": "",
     "comment": "",
     "firstSeen": "",
     "classification": "",
     "loggedUsers": [],
     "organization": "",
     "rules": [],
     "process": "",
     "severity": "",
     "processPath": "",
     "action": ""
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Event IDs List of event IDs based on which you want to retrieve events from Fortinet FortiEDR.
Device Name Name of the device on which the events that you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups List of collector groups whose collector had reported the events that you want to retrieve from Fortinet FortiEDR.
Operating System Name of the operating system of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred.
Device IPs List of IP addresses of the devices on which the events that you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses MAC addresses where the events that you want to retrieve from Fortinet FortiEDR occurred.
Filehash Hash signature of the main process of the event that you want to retrieve from Fortinet FortiEDR.
Process Name of the main process of the event that you want to retrieve from Fortinet FortiEDR.
Process Path Path of the processes related to the event that you want to retrieve from Fortinet FortiEDR.
First Seen From "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From "From" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To "To" date when the event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Classification Classification of the events that you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe.
Actions Actions that were enforced on the events that you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log.
Destinations Connection destination(s) of the events that you want to retrieve from Fortinet FortiEDR.
Rule Short rule name of the rule that triggered the events that you want to retrieve from Fortinet FortiEDR.
Logged in User Logged-in user associated with the events that you want to retrieve from Fortinet FortiEDR.
Seen True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API.
Handled True/False parameter indicating whether events that you want to retrieve from Fortinet FortiEDR were handled/unhandled.
Signed True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is signed/unsigned.
Muted True/False parameter indicating whether the event that you want to retrieve from Fortinet FortiEDR is muted/unmuted.
Organization Name of the organization whose associated events you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated events you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose All organizations, then this operation will retrieve data that is shared by all organizations.

Archived True/False parameter indicating whether to include only archived events while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Page Number Page number from which you want to retrieve records.
Items Per Page Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "eventId": "",
     "certified": "",
     "archived": "",
     "lastSeen": "",
     "collectors": [
         {
             "operatingSystem": "",
             "lastSeen": "",
             "collectorGroup": "",
             "ip": "",
             "device": "",
             "macAddresses": [],
             "id": ""
         }
     ],
     "destinations": [],
     "handled": "",
     "processType": "",
     "muted": "",
     "muteEndTime": "",
     "seen": "",
     "comment": "",
     "firstSeen": "",
     "classification": "",
     "loggedUsers": [],
     "organization": "",
     "rules": [],
     "process": "",
     "severity": "",
     "processPath": "",
     "action": ""
}

operation: Get Raw Data Items

Input parameters

Parameter Description
Event ID ID of the event that holds the raw data items that you want to retrieve from Fortinet FortiEDR.
Device Name (Optional) Name of the device on which the raw event that you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups (Optional) List of collector groups whose collector had reported the raw events that you want to retrieve from Fortinet FortiEDR.
Operating System (Optional) Name of the operating system of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred.
Device IPs (Optional) List of IP addresses of the devices on which the raw events that you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses (Optional) MAC addresses where the raw events that you want to retrieve from Fortinet FortiEDR occurred.
Filehash (Optional) Hash signature of the main process of the raw event that you want to retrieve from Fortinet FortiEDR.
Process (Optional) Name of the main process of the raw event that you want to retrieve from Fortinet FortiEDR.
Process Path (Optional) Path of the processes related to the raw event that you want to retrieve from Fortinet FortiEDR.
First Seen From (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From (Optional) "From" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To (Optional) "To" date when the raw event that you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving events from Fortinet FortiEDR. By default, this is set as false.
Full Data Requested True/False parameter indicating whether to include the event internal information for the raw events that you want to retrieve from Fortinet FortiEDR.
Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting (Optional) Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "count": "",
     "eventId": "",
     "lastSeen": "",
     "loggedUsers": [],
     "rawEventId": "",
     "destination": "",
     "firstSeen": "",
     "device": "",
     "deviceIp": ""
}

operation: Get Event Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Event IDs List of comma-separated event IDs based on which you want to retrieve event counts from Fortinet FortiEDR.
Device Name (Optional) Name of the device on which the event whose counts you want to retrieve from Fortinet FortiEDR occurred.
Collector Groups (Optional) List of collector groups whose collector had reported the events whose counts you want to retrieve from Fortinet FortiEDR.
Operating System (Optional) Name of the operating system of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
Device IPs (Optional) List of IP addresses of the devices on which the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
MAC Addresses (Optional) MAC addresses where the events whose counts you want to retrieve from Fortinet FortiEDR occurred.
Filehash (Optional) Hash signature of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR.
Process (Optional) Name of the main process of the events whose counts you want to retrieve from Fortinet FortiEDR.
Process Path (Optional) Path of the processes related to the events whose counts you want to retrieve from Fortinet FortiEDR.
First Seen From (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen To" parameter to specify a date range.
First Seen To (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the first time. Use this parameter together with the "First Seen From" parameter to specify a date range.
Last Seen From (Optional) "From" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen To" parameter to specify a date range.
Last Seen To (Optional) "To" date when the events whose counts you want to retrieve from Fortinet FortiEDR, was seen for the last time. Use this parameter together with the "Last Seen From" parameter to specify a date range.
Classification Classification of the events whose counts you want to retrieve from Fortinet FortiEDR. Classification is a list of strings that contain one or more of the following values: Malicious, Suspicious, Inconclusive, Likely Safe, PUP, or Safe.
Actions Actions that were enforced on the events whose counts you want to retrieve from Fortinet FortiEDR. You can choose from the following options: Block, Simulation Block, or Log.
Destinations Connection destination(s) of the events whose counts you want to retrieve from Fortinet FortiEDR.
Rule Short rule name of the rule that triggered the events whose counts you want to retrieve from Fortinet FortiEDR.
Seen True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were read/unread by the user operating the API.
Handled True/False parameter indicating whether events whose counts you want to retrieve from Fortinet FortiEDR were handled/unhandled.
Signed True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is signed/unsigned.
Muted True/False parameter indicating whether the events whose counts you want to retrieve from Fortinet FortiEDR is muted/unmuted.
Logged in User Logged-in user associated with the events whose counts you want to retrieve from Fortinet FortiEDR.
Organization Name of the organization whose associated event counts you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated event counts you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
If you choose All organizations, then this operation will retrieve data that is shared by all organizations.
Archived True/False parameter indicating whether to include only archived events while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Strict Mode True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "event_cout": ""
}

operation: Search Filehash

Input parameters

Parameter Description
Filehash One or more comma-separated file hashes that you want to search for in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "threatsHunting": [
         {
             "fileName": "",
             "deviceName": "",
             "path": ""
         }
     ],
     "applications": [],
     "filehash": "",
     "eventIds": []
}

operation: Get File

Input parameters

Parameter Description
Type Type of the device input parameter from which you want to get the file from Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device ID: ID of the device from which you want to retrieve the file.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: Name of the device from which you want to retrieve the file.
File Paths List of file paths from which you want to retrieve the file. For example, c:\temp\example.exe
Organization (Optional) Name of a specific organization whose associated files you want to retrieve from Fortinet FortiEDR.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "@type": "",
     "file": {
         "@type": "",
         "file": {
             "@type": ""
         },
         "mimeType": "",
         "@context": "",
         "size": "",
         "metadata": "",
         "filename": "",
         "owners": "",
         "uploadDate": "",
         "@id": ""
     },
     "createDate": "",
     "description": "",
     "modifyUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     },
     "@id": "",
     "name": "",
     "modifyDate": "",
     "@context": "",
     "id": "",
     "type": "",
     "createUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     }
}

operation: Retrieve File or Memory

Input parameters

Parameter Description
Raw Event ID ID of the raw event on which you want to perform the memory retrieval from Fortinet FortiEDR.
Retrieve From  Method to be used to perform the memory retrieval from Fortinet FortiEDR. You can choose between Memory or Disk.
If you choose Memory, then you must specify the following parameters:
  • Process ID: ID of the process from which you want to take a memory image.
  • Memory Region Start Address: Memory start range, in Hexadecimal format from which you want to take a memory image.
  • Memory Region End Address: Memory end range, in Hexadecimal format from which you want to take a memory image.
  • Organization: (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose Disk, then you must specify the following parameters:

  • File Paths: List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR.
  • Organization: (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
Process ID (Optional) ID of the process from which you want to take a memory image.
Memory Region Start Address (Optional) Memory start range, in Hexadecimal format from which you want to take a memory image.
Memory Region End Address (Optional) Memory end range, in Hexadecimal format from which you want to take a memory image.
File Paths (Optional) List of file paths from which you want to perform the memory retrieval in Fortinet FortiEDR.
Retrieve From (Optional) Choose whether to retrieve the memory from Memory and/or Disk.
Organization (Optional) Name of a specific organization on which you want to perform the memory retrieval in Fortinet FortiEDR.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "@type": "",
     "file": {
         "@type": "",
         "file": {
             "@type": ""
         },
         "mimeType": "",
         "@context": "",
         "size": "",
         "metadata": "",
         "filename": "",
         "owners": "",
         "uploadDate": "",
         "@id": ""
     },
     "createDate": "",
     "description": "",
     "modifyUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     },
     "@id": "",
 nbsp;    "name": "",
     "modifyDate": "",
     "@context": "",
     "id": "",
     "type": "",
     "createUser": {
         "@type": "",
         "modifyDate": "",
         "createDate": "",
         "@settings": "",
         "modifyUser": "",
         "id": "",
         "userType": "",
         "name": "",
         "@id": "",
         "userId": "",
         "avatar": "",
         "createUser": ""
     }
}

operation: Remediate Device

Input parameters

Parameter Description
Type Type of the device input parameter on which you want to perform the remediation action in Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device ID: ID of the device on which you want to take the remediation action.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: Name of the device on which you want to take the remediation action.
Organization (Optional) Name of a specific organization that contains the device on which you want to perform the remediation action.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.
Remediation Action Action that you want to perform on the specified device. You can choose from the following options: Kill Process, Delete File, Handle Persistent Data, or Remediate Thread.
If you choose 'Kill Process', then you must specify the following parameters:
  • Process ID: ID of the process you want to terminate on the specified device.
  • Process Name: (Optional) Name of the process you want to terminate on the specified device.

If you choose 'Delete File', then you must specify the following parameter:

  • Delete File at Path: List containing the full path of executable files (*.exe) that you want to delete from the specified device.
If you choose 'Handle Persistent Data', then you must specify the following parameter:
  • Persistence Data (Registry) Action: Action that should be taken for persistent data on the specified device. You can choose from the following options: Delete Key, Delete Value, or Update.
    • If you choose 'Delete Key', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data whose key you want to delete on the specified device.
      • Persistence Data (Registry) Value Name: Name of the key value of the persistent data you want to delete on the specified device.
    • If you choose 'Delete Value', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data whose value you want to delete on the specified device.
      • Persistence Data (Registry) Value Name: Name of the value of the persistent data that you want to delete on the specified device.
    • If you choose 'Update', then you must specify the following parameters:
      • Persistence Data (Registry) Path: Path of the persistent data that you want to update on the specified device.
      • Persistence Data (Registry) Value Name: Name of the value of the persistent data you want to update on the specified device.
      • Persistence Data (Registry) Value New Type: New data value type that should be applied to the persistent data on the specified device. You can choose from the following options: REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_REQUIREMENTS_LIST, or REG_QWORD.threadId: (This specifies the thread ID)
      • Persistence Data (Registry) New Content: New data content that should be applied to the persistent data on the specified device. The content format provided depends on the type used in persistenceDataValueNewType. The format should be provided as follows: 
        • String value for the following types: REG_SZ(1), REG_EXPAND_SZ(2), REG_DWORD(4), and REG_QWORD(11). 
        • Base64 for the following types: REG_BINARY(3), REG_DWORD_BIG_ENDIAN(5), REG_LINK(6), REG_MULTI_SZ(7), REG_RESOURCE_LIST(8), REG_FULL_RESOURCE_DESCRIPTOR(9), and REG_RESOURCE_REQUIREMENTS_LIST(10)

If you choose 'Remediate Thread', then you must specify the following parameter:

  • Thread ID: ID of the thread on which you want to take the remediation action.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Collector List

Input parameters

Parameter Description
Type Type of the device whose associate collector list you want to retrieve from Fortinet FortiEDR. You can choose between ID or NAME.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collector list you want to retrieve from Fortinet FortiEDR.
If you choose 'NAME', then you must specify the following parameter:
  • Device Name: List of device names whose associate collector list you want to retrieve from Fortinet FortiEDR.
Collector Groups (Optional) List of collector group names whose associated collectors you want to retrieve from Fortinet FortiEDR.
IPs (Optional) List of IP addresses whose associated collectors you want to retrieve from Fortinet FortiEDR.
Operating Systems (Optional) List of operating systems whose associated collectors you want to retrieve from Fortinet FortiEDR. For example, Windows 7 Pro.
OS Families (Optional) List of OS Families whose associated collectors you want to retrieve from Fortinet FortiEDR. e.g Windows, Windows Server, OS X.
States (Optional) List of collector states based on which you want to retrieve from Fortinet FortiEDR. You can choose one or more of the following options: Running, Disconnected, Disabled, Degraded, Pending Reboot, Isolated, or Expired.
Last Seen Start (Optional) Retrieves collectors from Fortinet FortiEDR that were last seen after the value assigned to this date.
Last Seen End (Optional) Retrieve collectors from Fortinet FortiEDR that were last seen before the value assigned to this date.
Versions (Optional) List of collector versions that you want to retrieve from Fortinet FortiEDR.
Strict Mode (Optional) True/False parameter indicating whether or not to perform strict matching on the search parameters while retrieving event counts from Fortinet FortiEDR. By default, this is set as false.
Show Expired True/False parameter indicating whether to show an expired collector in the results retrieved from Fortinet FortiEDR.
Logged in User (Optional) Logged-in user associated with the collectors you want to retrieve from Fortinet FortiEDR.
Organization (Optional) Name of the organization whose associated collectors you want to retrieve from Fortinet FortiEDR.
The value that you specify for this parameter indicates how the operation applies to an organization(s). Some parts of the FortiEDR system have separate, non-shared data that is organization-specific. Other parts of the system have data that is shared by all organizations. The value that you specify for the organization parameter, determines the organization(s) to which this operation applies.
If you choose Exact organization name, then you must specify the following parameter:
  • Organization Name: Name of a specific organization whose associated collectors you want to retrieve from Fortinet FortiEDR.
    Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

If you choose All organizations, then this operation will retrieve data that is shared by all organizations.

Page Number (Optional) Page number from which you want to retrieve records.
Items Per Page (Optional) Maximum number of events that this operation should return for the current page. Values supported are: Default "100" and Maximum "2000".
Sorting Name of the fields by which you want to sort the results retrieved by this operation. You can enter the fields in the following format: {"column1":true, "column2":false}. True indicates to sort in descending order. Results are sorted by the first field, then by the second field and so on.

Output

The output contains the following populated JSON schema:
{
     "operatingSystem": "",
     "accountName": "",
     "version": "",
     "osFamily": "",
     "ipAddress": "",
     "stateAdditionalInfo": "",
     "state": "",
     "id": "",
     "collectorGroupName": "",
     "name": "",
     "loggedUsers": [],
     "organization": "",
     "lastSeenTime": "",
     "macAddresses": []
}

operation: Isolate Collector

Input parameters

Parameter Description
Type Type of the device whose associate collectors you want to isolate from the Fortinet FortiEDR network. You can choose between ID or Name.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collectors you want to isolate from the Fortinet FortiEDR network.
If you choose 'Name', then you must specify the following parameter:
  • Device Names: List of device names whose associate collectors you want to isolate from the Fortinet FortiEDR network.
Organization (Optional) Name of a specific organization whose associated collector you want to isolate from the Fortinet FortiEDR network.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Unisolate Collector

Input parameters

Parameter Description
Type Type of the device whose associate collectors you want to unisolate from the Fortinet FortiEDR network. You can choose between ID or Name.
If you choose 'ID', then you must specify the following parameter:
  • Device IDs: List of device IDs whose associate collectors you want to unisolate from the Fortinet FortiEDR network.
If you choose 'Name', then you must specify the following parameter:
  • Device Names: List of device names whose associate collectors you want to unisolate from the Fortinet FortiEDR network.
Organization (Optional) Name of a specific organization whose associated collector you want to unisolate from the Fortinet FortiEDR network.
Note: The value that you specify in this parameter must match exactly with the organization name specified in Fortinet FortiEDR.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

Included playbooks

The Sample - Fortinet FortiEDR - 1.1.0 playbook collection comes bundled with the Fortinet FortiEDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiEDR connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.