Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Fortinet FortiNDR

    Home FortiSOAR Connectors Fortinet FortiNDR
    1.3.0
    1.3.0
    1.2.0

    Fortinet FortiNDR v1.3.0

    About the connector

    The FortiNDR is a leading-edge product which utilizes machine learning technology for malware detection, intrusion detection and network anomalies.. This connector provides action to submits file samples for analysis and potentially fetches scan verdicts

    This document provides information about the Fortinet FortiNDR Connector, which facilitates automated interactions, with a Fortinet FortiNDR server using FortiSOAR™ playbooks. Add the Fortinet FortiNDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiNDR.

    Version information

    Connector Version: 1.3.0

    FortiSOAR™ Version Tested on: 7.5.0-4015

    Fortinet FortiNDR Version Tested on: 7.4.1

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 1.3.0

    Following enhancements have been made to the Fortinet FortiNDR Connector in version 1.3.0:

    • Added a new action Get Events
    • Following changes have been to the parameter Get Result By in the action Get File Verdict Result:
      • Removed the option SHA512
      • Added options SHA1 and SHA256
    • Updated the output schema for the action Get File Verdict Result

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-fortinet-fortiai

    Prerequisites to configuring the connector

    • You must have the URL of the Fortinet FortiNDR server to which you will connect and perform automated operations and the API key configured for your account for using that server.
    • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiNDR server.

    Minimum Permissions Required

    • To perform actions and the automated operations using the Fortinet FortiNDR connector, users' admin profile should be assigned read-write access to FortiNDR.

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiNDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL URL of the FortiNDR server to which you will connect and perform automated operations.
    API Key API key that is configured for your account for using the FortiNDR server.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified.
    By default, this option is set to True.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Submit File Submits a file for analysis to Fortinet FortiNDR from FortiSOAR™'s Attachments module; i.e. based on the attachment IRI or file IRI that you have specified in the corresponding playbook step. submit_file
    Investigation
    Get File Verdict Result Retrieves the results of the file verdict result from the FortiNDR server based on the MD5, SID, File ID, SHA1, or SHA256 values you have specified for that file get_file_verdict_results
    Investigation
    Get Events Retrieves detailed list of events based on the IP hostname, event type, and other input parameters that you have specified. get_events
    Investigation

    operation: Submit File

    Input parameters

    Parameter Description
    File IRI/Attachment ID Select the method using which to submit the file present in FortiSOAR™ for analysis to FortiNDR. You can choose from following options:
    • Attachment ID: Specify the attachment ID of the FortiSOAR™ file, which you want to submit for analysis to FortiNDR, in the Attachment ID field.
    • File IRI: Specify the file IRI of the FortiSOAR™ file, which you want to submit for analysis to FortiNDR, in the File IRI field.

    The supported file types are 32-bit and 64-bit executable files, which apply to all the Portable Executables (PE) files, any text-based files, such as HTML, VBA, VBS, JS, BAT, SH, PHP, XML, etc., power shell scripts, archive formats like .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .rar, office documents, or PDF files. The maximum file size supported is 200 MB.
    Password (Optional) Specify the password for .zip file.

    Output

    The output contains the following populated JSON schema:

    {
    "result": {
        "submit_id": ""
    },
    "status": ""
}

    operation: Get File Verdict Result

    Input parameters

    Parameter Description
    Get Result By Specify the value based on which you want to retrieve the results of the file verdict from FortiNDR. You can choose from the following options:
    • SID(Submission ID): Specify the submission ID received when uploading the file, to retrieve file verdicts, in the Submission ID field.
    • File ID: Specify the file ID, to retrieve file verdicts, in the File ID field.
    • MD5: Specify the MD5 checksum of the file, to retrieve file verdicts, in the MD5 field.
    • SHA1: Specify the SHA1 checksum of the file, to retrieve file verdicts, in the SHA1 field.
    • SHA256: Specify the SHA256 checksum of the file, to retrieve file verdicts, in the SHA256 field.

    Output

    The output contains the following populated JSON schema:

    Output schema when you choose "Get Result By" as "SID(Submission ID)":

    {
    "results": {
        "fileids": [],
        "total_fileids": ""
    }
}

    This is the default output schema:

    {
    "results": {
        "file_id": "",
        "virus_name": "",
        "md5": "",
        "sha1": "",
        "sha256": "",
        "file_size": "",
        "source": "",
        "severity": "",
        "category": "",
        "create_date": "",
        "confidence": "",
        "file_type": "",
        "victim_ip": "",
        "attacker_ip": "",
        "victim_port": "",
        "attacker_port": "",
        "engine_version": "",
        "kdb_version": "",
        "tmfc": "",
        "pbit": "",
        "detected_by_ai_only": "",
        "family": "",
        "file_name": "",
        "parent_fname": "",
        "tfc": ""
    }
}

    operation: Get Events

    Input parameters

    Parameter Description
    IP or Hostname or MAC Select an option to get anomaly events. You can choose from following options:
    • IP Address: Specify the device IPv4 or IPv6 address to get the anomaly events, IP Address.
    • Hostname: Specify the device hostname to get the anomaly events, Hostname.
    • MAC Address: Specify the device MAC Address to get the anomaly events, MAC Address.
    Event Type Specify the anomaly event type. You can choose from the following options:
    • Botnet
    • Encrypted Attack
    • Network Attack
    • FortiGuard IOC
    • Weak Communication
    • ML Discovery
    • Malware
    Start Time Specify the start time of events to filter the results.
    End Time Specify the end time of events to filter the results.
    Offset Specify the number of records to skip from the results returned by this operation. This parameter is useful if you want to get a subset of records. For example, to skip the first 10 records, specify 10 in this field. By default, this is set to 0.
    Size Specify the maximum number of results that this operation should return per page. By default, this is set to 500.

    Output

    The output contains the following populated JSON schema:

    {
    "results": [
        {
            "event_time": "",
            "source_ip": "",
            "source_port": "",
            "destination_ip": "",
            "destination_port": "",
            "severity": "",
            "attack_name": ""
        }
    ]
}

    Included playbooks

    The Sample - Fortinet FortiNDR - 1.3.0 playbook collection comes bundled with the Fortinet FortiNDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiNDR connector.

    • Get Events
    • Get File Verdict Result
    • Submit File

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next

    Fortinet FortiNDR v1.3.0

    About the connector

    The FortiNDR is a leading-edge product which utilizes machine learning technology for malware detection, intrusion detection and network anomalies.. This connector provides action to submits file samples for analysis and potentially fetches scan verdicts

    This document provides information about the Fortinet FortiNDR Connector, which facilitates automated interactions, with a Fortinet FortiNDR server using FortiSOAR™ playbooks. Add the Fortinet FortiNDR Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiNDR.

    Version information

    Connector Version: 1.3.0

    FortiSOAR™ Version Tested on: 7.5.0-4015

    Fortinet FortiNDR Version Tested on: 7.4.1

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 1.3.0

    Following enhancements have been made to the Fortinet FortiNDR Connector in version 1.3.0:

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-fortinet-fortiai

    Prerequisites to configuring the connector

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiNDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL URL of the FortiNDR server to which you will connect and perform automated operations.
    API Key API key that is configured for your account for using the FortiNDR server.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified.
    By default, this option is set to True.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Submit File Submits a file for analysis to Fortinet FortiNDR from FortiSOAR™'s Attachments module; i.e. based on the attachment IRI or file IRI that you have specified in the corresponding playbook step. submit_file
    Investigation
    Get File Verdict Result Retrieves the results of the file verdict result from the FortiNDR server based on the MD5, SID, File ID, SHA1, or SHA256 values you have specified for that file get_file_verdict_results
    Investigation
    Get Events Retrieves detailed list of events based on the IP hostname, event type, and other input parameters that you have specified. get_events
    Investigation

    operation: Submit File

    Input parameters

    Parameter Description
    File IRI/Attachment ID Select the method using which to submit the file present in FortiSOAR™ for analysis to FortiNDR. You can choose from following options:
    • Attachment ID: Specify the attachment ID of the FortiSOAR™ file, which you want to submit for analysis to FortiNDR, in the Attachment ID field.
    • File IRI: Specify the file IRI of the FortiSOAR™ file, which you want to submit for analysis to FortiNDR, in the File IRI field.

    The supported file types are 32-bit and 64-bit executable files, which apply to all the Portable Executables (PE) files, any text-based files, such as HTML, VBA, VBS, JS, BAT, SH, PHP, XML, etc., power shell scripts, archive formats like .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .rar, office documents, or PDF files. The maximum file size supported is 200 MB.
    Password (Optional) Specify the password for .zip file.

    Output

    The output contains the following populated JSON schema:

    {
    "result": {
        "submit_id": ""
    },
    "status": ""
}

    operation: Get File Verdict Result

    Input parameters

    Parameter Description
    Get Result By Specify the value based on which you want to retrieve the results of the file verdict from FortiNDR. You can choose from the following options:
    • SID(Submission ID): Specify the submission ID received when uploading the file, to retrieve file verdicts, in the Submission ID field.
    • File ID: Specify the file ID, to retrieve file verdicts, in the File ID field.
    • MD5: Specify the MD5 checksum of the file, to retrieve file verdicts, in the MD5 field.
    • SHA1: Specify the SHA1 checksum of the file, to retrieve file verdicts, in the SHA1 field.
    • SHA256: Specify the SHA256 checksum of the file, to retrieve file verdicts, in the SHA256 field.

    Output

    The output contains the following populated JSON schema:

    Output schema when you choose "Get Result By" as "SID(Submission ID)":

    {
    "results": {
        "fileids": [],
        "total_fileids": ""
    }
}

    This is the default output schema:

    {
    "results": {
        "file_id": "",
        "virus_name": "",
        "md5": "",
        "sha1": "",
        "sha256": "",
        "file_size": "",
        "source": "",
        "severity": "",
        "category": "",
        "create_date": "",
        "confidence": "",
        "file_type": "",
        "victim_ip": "",
        "attacker_ip": "",
        "victim_port": "",
        "attacker_port": "",
        "engine_version": "",
        "kdb_version": "",
        "tmfc": "",
        "pbit": "",
        "detected_by_ai_only": "",
        "family": "",
        "file_name": "",
        "parent_fname": "",
        "tfc": ""
    }
}

    operation: Get Events

    Input parameters

    Parameter Description
    IP or Hostname or MAC Select an option to get anomaly events. You can choose from following options:
    • IP Address: Specify the device IPv4 or IPv6 address to get the anomaly events, IP Address.
    • Hostname: Specify the device hostname to get the anomaly events, Hostname.
    • MAC Address: Specify the device MAC Address to get the anomaly events, MAC Address.
    Event Type Specify the anomaly event type. You can choose from the following options:
    • Botnet
    • Encrypted Attack
    • Network Attack
    • FortiGuard IOC
    • Weak Communication
    • ML Discovery
    • Malware
    Start Time Specify the start time of events to filter the results.
    End Time Specify the end time of events to filter the results.
    Offset Specify the number of records to skip from the results returned by this operation. This parameter is useful if you want to get a subset of records. For example, to skip the first 10 records, specify 10 in this field. By default, this is set to 0.
    Size Specify the maximum number of results that this operation should return per page. By default, this is set to 500.

    Output

    The output contains the following populated JSON schema:

    {
    "results": [
        {
            "event_time": "",
            "source_ip": "",
            "source_port": "",
            "destination_ip": "",
            "destination_port": "",
            "severity": "",
            "attack_name": ""
        }
    ]
}

    Included playbooks

    The Sample - Fortinet FortiNDR - 1.3.0 playbook collection comes bundled with the Fortinet FortiNDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiNDR connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next