Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Fortinet FortiNDR

    Home FortiSOAR Connectors Fortinet FortiNDR
    1.2.0
    1.3.0
    1.2.0

    Fortinet FortiNDR v1.2.0

    About the connector

    FortiNDR is a leading-edge product that utilizes machine learning technology for malware detection, intrusion detection, and network anomalies.

    This document provides information about the Fortinet FortiNDR connector, which facilitates automated interactions with your FortiNDR server using FortiSOAR™ playbooks. Add the Fortinet FortiNDR connector, as a step in FortiSOAR™ playbooks and perform automated operations such as submitting file samples for Express Malware Analysis and potentially fetching scan verdicts.

    Version information

    Connector Version: 1.2.0

    FortiSOAR™ Version Tested on: 6.4.4-3164

    FortiNDR Version tested on: v7.0.0 build0006 (Beta)

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 1.2.0

    Following enhancements have been made in the Fortinet FortiNDR connector in version 1.2.0:

    • Renamed connector from 'Fortinet FortAI' to 'Fortinet FortiNDR'.

    Installing the connector

    Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:

    yum install cyops-connector-fortinet-fortiai

    Prerequisites to configuring the connector

    • You must have the URL of the Fortinet FortiNDR server to which you will connect and perform automated operations and the API key configured for your account for using that server.
    • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiNDR server.

    Permissions Required

    To perform actions using the Fortinet FortiNDR connector and perform the automated operations, users' admin profile should be assigned read-write access to FortiNDR.

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiNDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL URL of the FortiNDR server to which you will connect and perform automated operations.
    API Key API key that is configured for your account for using the FortiNDR server.
    Note: The API key validation is not done at the configuration level, i.e., the API key validation check is not done doing Health Check. It is done at the "Actions" level since no separate API is available to validate the API key.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Submit File

    Submits a file for analysis to Fortinet FortiNDR from FortiSOAR™ "Attachment'' module; i.e. based on the attachment IRI or file IRI that you have specified in the corresponding playbook step.

    		 submit_file
    Investigation
    Get File Verdict Result Retrieves the results of the file verdict result from the FortiNDR server based on the MD5, SID, File ID, or SHA512 values you have specified for that file. get_file_verdict_results
    Investigation

    operation: Submit File

    Input parameters

    Parameter Description
    File IRI/Attachment ID

    Select the method using which you want to submit the file present in FortiSOAR™ for analysis to FortiNDR. You can choose between Attachment ID and File IRI.

    • If you choose the 'Attachment ID' option, then in the Attachment ID field, you must specify the Attachment ID of the FortiSOAR™ file that you want to submit for analysis to FortiNDR.
    • If you choose the 'File IRI' option, then in the File IRI field, you must specify the IRI of the FortiSOAR™ file that you want to submit for analysis to FortiNDR.

    Note: The supported file types are 32bit and 64bit executable files, which apply to all the Portable Executables (PE) files, any text-based files, such as HTML, VBA, VBS, JS, PDF, BAT, SH, PHP, XML, etc., power shell scripts, archive formats like .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .rar, office documents, or PDF files. The maximum file size supported is 200 MB.
    Password (Optional) Specify the password for the .zip file.

    Note: If the "Submit File" action is run on an agent machine, then a dummy filename is sent during submission instead of the exact file name due to some product issue.

    The output contains the following populated JSON schema:
    {
    "result": {
    "submit_id": ""
    },
    "status": ""
    }

    operation: Get File Verdict Result

    Input parameters

    Parameter Description
    Get Result By

    Specify the value based on which you want to retrieve the results of the file verdict from FortiNDR. You can choose between the following options SID(Submission ID), File ID, MD5, or SHA512.

    • If you choose the 'SID(Submission ID)' option, then in the Submission ID field specify the SID of the file whose verdict result you want to retrieve from FortiNDR. You get the submission id after uploading a file to FortiNDR.
    • If you choose the 'File ID' option, then in the File ID field specify the ID of the file whose verdict result you want to retrieve from FortiNDR.
    • If you choose the 'MD5' option, then in the MD5 field specify the MD5 checksum value of the file based on which you want to retrieve the latest verdict result from FortiNDR.
    • If you choose the 'SHA512' option, then in the SHA512 field specify the SHA512 checksum value of the file based on which you want to retrieve the latest verdict result from FortiNDR.

    Output

    The output contains the following populated JSON schema if 'Get Result By' is retrieved using the 'SID(Submission ID)' option:
    {
    "results": {
    "fileids": [],
    "total_fileids": ""
    }
    }

    The output contains the following populated JSON schema if 'Get Result By' is retrieved using the 'File ID', 'MD5', or 'SHA512' option:
    {
    "results": {
    "file_id": "",
    "virus_name": "",
    "md5": "",
    "sha512": "",
    "file_size": "",
    "source": "",
    "severity": "",
    "category": "",
    "create_date": "",
    "confidence": "",
    "file_type": "",
    "victim_ip": "",
    "attacker_ip": "",
    "victim_port": "",
    "attacker_port": "",
    "engine_version": "",
    "kdb_version": "",
    "tmfc": "",
    "pbit": ""
    }
    }

    Included playbooks

    The Sample - Fortinet FortiNDR - 1.2.0 playbook collection comes bundled with the Fortinet FortiNDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiNDR connector.

    • Get File Verdict Result
    • Submit File

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

    Previous
    Next

    Fortinet FortiNDR v1.2.0

    About the connector

    FortiNDR is a leading-edge product that utilizes machine learning technology for malware detection, intrusion detection, and network anomalies.

    This document provides information about the Fortinet FortiNDR connector, which facilitates automated interactions with your FortiNDR server using FortiSOAR™ playbooks. Add the Fortinet FortiNDR connector, as a step in FortiSOAR™ playbooks and perform automated operations such as submitting file samples for Express Malware Analysis and potentially fetching scan verdicts.

    Version information

    Connector Version: 1.2.0

    FortiSOAR™ Version Tested on: 6.4.4-3164

    FortiNDR Version tested on: v7.0.0 build0006 (Beta)

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 1.2.0

    Following enhancements have been made in the Fortinet FortiNDR connector in version 1.2.0:

    Installing the connector

    Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:

    yum install cyops-connector-fortinet-fortiai

    Prerequisites to configuring the connector

    Permissions Required

    To perform actions using the Fortinet FortiNDR connector and perform the automated operations, users' admin profile should be assigned read-write access to FortiNDR.

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiNDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL URL of the FortiNDR server to which you will connect and perform automated operations.
    API Key API key that is configured for your account for using the FortiNDR server.
    Note: The API key validation is not done at the configuration level, i.e., the API key validation check is not done doing Health Check. It is done at the "Actions" level since no separate API is available to validate the API key.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Submit File

    Submits a file for analysis to Fortinet FortiNDR from FortiSOAR™ "Attachment'' module; i.e. based on the attachment IRI or file IRI that you have specified in the corresponding playbook step.

    		 submit_file
    Investigation
    Get File Verdict Result Retrieves the results of the file verdict result from the FortiNDR server based on the MD5, SID, File ID, or SHA512 values you have specified for that file. get_file_verdict_results
    Investigation

    operation: Submit File

    Input parameters

    Parameter Description
    File IRI/Attachment ID

    Select the method using which you want to submit the file present in FortiSOAR™ for analysis to FortiNDR. You can choose between Attachment ID and File IRI.

    • If you choose the 'Attachment ID' option, then in the Attachment ID field, you must specify the Attachment ID of the FortiSOAR™ file that you want to submit for analysis to FortiNDR.
    • If you choose the 'File IRI' option, then in the File IRI field, you must specify the IRI of the FortiSOAR™ file that you want to submit for analysis to FortiNDR.

    Note: The supported file types are 32bit and 64bit executable files, which apply to all the Portable Executables (PE) files, any text-based files, such as HTML, VBA, VBS, JS, PDF, BAT, SH, PHP, XML, etc., power shell scripts, archive formats like .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .rar, office documents, or PDF files. The maximum file size supported is 200 MB.
    Password (Optional) Specify the password for the .zip file.

    Note: If the "Submit File" action is run on an agent machine, then a dummy filename is sent during submission instead of the exact file name due to some product issue.

    The output contains the following populated JSON schema:
    {
    "result": {
    "submit_id": ""
    },
    "status": ""
    }

    operation: Get File Verdict Result

    Input parameters

    Parameter Description
    Get Result By

    Specify the value based on which you want to retrieve the results of the file verdict from FortiNDR. You can choose between the following options SID(Submission ID), File ID, MD5, or SHA512.

    • If you choose the 'SID(Submission ID)' option, then in the Submission ID field specify the SID of the file whose verdict result you want to retrieve from FortiNDR. You get the submission id after uploading a file to FortiNDR.
    • If you choose the 'File ID' option, then in the File ID field specify the ID of the file whose verdict result you want to retrieve from FortiNDR.
    • If you choose the 'MD5' option, then in the MD5 field specify the MD5 checksum value of the file based on which you want to retrieve the latest verdict result from FortiNDR.
    • If you choose the 'SHA512' option, then in the SHA512 field specify the SHA512 checksum value of the file based on which you want to retrieve the latest verdict result from FortiNDR.

    Output

    The output contains the following populated JSON schema if 'Get Result By' is retrieved using the 'SID(Submission ID)' option:
    {
    "results": {
    "fileids": [],
    "total_fileids": ""
    }
    }

    The output contains the following populated JSON schema if 'Get Result By' is retrieved using the 'File ID', 'MD5', or 'SHA512' option:
    {
    "results": {
    "file_id": "",
    "virus_name": "",
    "md5": "",
    "sha512": "",
    "file_size": "",
    "source": "",
    "severity": "",
    "category": "",
    "create_date": "",
    "confidence": "",
    "file_type": "",
    "victim_ip": "",
    "attacker_ip": "",
    "victim_port": "",
    "attacker_port": "",
    "engine_version": "",
    "kdb_version": "",
    "tmfc": "",
    "pbit": ""
    }
    }

    Included playbooks

    The Sample - Fortinet FortiNDR - 1.2.0 playbook collection comes bundled with the Fortinet FortiNDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiNDR connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

    Previous
    Next