Administration Guide

eXtended detection source integration

You can connect to external systems to collect activity logs by adding a new connector for extended detection. The aggregated data is then sent to Fortinet Cloud Services (FCS), where it is correlated and analyzed to detect malicious indications; these detections result in security events for eXtended Detection policy rule violations.

FortiEDR supports extended detection with the following external systems:

  • FortiAnalyzer device type, which collects the logs from other systems, such as firewalls, Active Directory and other security products
  • Google Cloud Security Command Center (SCC) and its built-in Event Threat Detection service
  • AWS GuardDuty

Prerequisites

Before you start configuring an eXtended detection source connector, verify you have the following:

  • A valid license for eXtended Detection Response. While you can create an eXtended detection source connector without a valid license for eXtended Detection Response, the license is required for a successful XDR definition.

  • A Jumpbox with connectivity to the external detection source, such as FortiAnalyzer. Details about how to install a FortiEDR Core and configure it as a Jumpbox are provided in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a Jumpbox.
  • Connectivity from the FortiEDR Central Manager to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
  • Valid permissions to perform API calls on the external detection source:
    • (FortiAnalyzer) You have a FortiAnalyzer administrator account with JSON API access enabled. Refer to the FortiAnalyzer Administration Guide for more information.

    • (Google Cloud SCC) The following roles are required per account:

      • Organization Admin (resourcemanager.organizationAdmin)

      • Security Center Admin (securityCenter.admin)

      See Google Documentation for more details about permissions.

    • (AWS GuardDuty) An IAM user with the Programmatic access type and full permissions to access the GuardDuty service.

Configuring Google SCC

To enable threat logging on Google:
  1. To use Google Cloud SCC as an eXtended detection source, a Security Command Center Premium tier license, which includes the Event Threat Detection feature, is required.
  2. Enable Event Threat Detection per monitored project in the organization. The following Event Threat Detection rules are required:
    • Malware: bad IP
    • Malware: bad domain

    Make sure to enable all log source types that are needed for these rule detectors to work, such as Cloud DNS logs and the Admin Activity log. For more details about Event Threat Detection rules and the required log sources, see Google Documentation.

  3. Verify that raw log items now show on Google’s Logs Explorer and Event Threat Detection findings show on Security Command Center as described in Google Documentation.
To enable API access to Google for fetching threat logs:
  1. Set up a service account on Google, as described in Google Documentation.
  2. Download the JSON key file for this service account. This file is uploaded via the FortiEDR console as part of setting up the extended detection source connector (see the section below).
  3. Grant the Security Command Center admin permission (securityCenter.admin) to the service account to allow API access.

Configuring AWS GuardDuty
  1. Enable Amazon GuardDuty in your account as described in AWS Documentation.

    The following GuardDuty finding types are correlated with the FortiEDR events:

    • Backdoor:EC2/C&CActivity.B!DNS
    • Discovery:Kubernetes/MaliciousIPCaller
    You are encouraged to test that GuardDuty generates these findings, as described in the AWS documentation.
  2. Create an IAM user in the AWS console, as described here:
    1. Set Programmatic Access for this user to allow API calls.
    2. Grant full permissions to access the GuardDuty service.
    3. Show and copy the access key ID and secret access key of this user; they are used in the FortiEDR console when you set up the extended detection source connector in the following section.

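A pre-flight check for step 1 (confirm GuardDuty actually emits the two correlated finding types) and step 2 (the IAM user's keys work for GuardDuty API calls), as an added Python example that is not part of this guide or of FortiEDR's own code. It assumes boto3 is installed and that the IAM user's access key ID and secret access key are available to boto3 in the standard way (environment variables or the AWS credentials file); `region` is the region you will later enter in the connector's Actions Parameters.

```python
"""Pre-flight check for the GuardDuty side of a FortiEDR eXtended detection source.

Added example (not Fortinet's code). Assumes boto3 and IAM-user credentials
for the programmatic-access user created in step 2.
"""
import time

# The two GuardDuty finding types this guide says FortiEDR correlates.
FORTIEDR_FINDING_TYPES = (
    "Backdoor:EC2/C&CActivity.B!DNS",
    "Discovery:Kubernetes/MaliciousIPCaller",
)


def finding_criteria(finding_types, since_epoch_ms):
    """Build the FindingCriteria dict that GuardDuty ListFindings expects:
    only the given types, not archived, updated at or after since_epoch_ms."""
    return {
        "Criterion": {
            "type": {"Eq": list(finding_types)},
            "service.archived": {"Eq": ["false"]},
            "updatedAt": {"Gte": int(since_epoch_ms)},
        }
    }


def missing_types(expected, observed):
    """Return the expected finding types not present in `observed`, in order."""
    seen = set(observed)
    return [t for t in expected if t not in seen]


def check_guardduty(region, generate_samples=False, lookback_minutes=60):
    """Verify a detector exists in `region` and report which expected finding
    types have not appeared in the lookback window. With generate_samples=True,
    first ask GuardDuty for sample findings of those types (the step 1 test)."""
    import boto3  # imported here so the pure helpers above work without it

    gd = boto3.client("guardduty", region_name=region)
    detector_ids = gd.list_detectors()["DetectorIds"]
    if not detector_ids:
        raise RuntimeError(f"GuardDuty is not enabled in {region}")
    detector_id = detector_ids[0]
    if generate_samples:
        gd.create_sample_findings(DetectorId=detector_id,
                                  FindingTypes=list(FORTIEDR_FINDING_TYPES))
    since_ms = int((time.time() - lookback_minutes * 60) * 1000)
    criteria = finding_criteria(FORTIEDR_FINDING_TYPES, since_ms)
    ids = gd.list_findings(DetectorId=detector_id, FindingCriteria=criteria)["FindingIds"]
    # GetFindings accepts at most 50 IDs per call; enough for a smoke test.
    findings = gd.get_findings(DetectorId=detector_id, FindingIds=ids[:50])["Findings"] if ids else []
    return detector_id, missing_types(FORTIEDR_FINDING_TYPES, {f["Type"] for f in findings})
```

An empty "missing" list means both finding types were visible to the same credentials the connector will use; a non-empty list points at the finding types that still need to be validated on the AWS side before saving the connector.
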
Setting up an extended detection connector with FortiEDR

  1. Click the Add Connector button and select eXtended Detection Source in the Connectors dropdown list. The following displays:

  2. Fill in the following fields:

    Field | Definition
    eXtended Detection Source Enabled | Check this checkbox to enable blocking of malicious IP addresses by FortiAnalyzer.
    Jumpbox | Select the FortiEDR Jumpbox that will communicate with the external system.
    Name | Specify a name of your choice that will be used to identify the external system.
    Type | Select the type of external system from the dropdown list.
    Host | Specify the IP address or DNS name of the external system.
    Port | Specify the port used for API communication with the external system.
    API Key/Credentials | Specify the authentication details of your external system. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external system's API username/password or access key ID/secret access key. To use a service account key file, upload the JSON file that was created for your Google service account.
    Actions Parameters | (Google SCC) Specify the unique organization resource identifier in Google Cloud, or the ID of the Google Cloud project, to use for fetching alerts. (AWS GuardDuty) Specify the AWS region for API calls.

  3. Click Save.

Setting up FortiEDR Central Manager

To complete the eXtended detection source integration, the eXtended detection rules and FortiEDR Threat Hunting event collection must be enabled in the FortiEDR Central Manager, as follows.

To enable eXtended detection rules:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the eXtended detection policy that is applied to the devices on which you want eXtended detection to apply, and click the Disabled button next to each of the underlying rules to enable it, as shown below:

To enable FortiEDR Threat Hunting event collection:
  1. Navigate to the SECURITY SETTINGS > Threat Hunting > Collection Profiles page.
  2. Open the Threat Hunting collection profile that is applied to the devices on which you want the eXtended detection policy to apply.
  3. Select the following event types on that profile:
    • Socket Connect
    • Process Creation
    • File Create
    • File Detected

FortiEDR is now configured to issue eXtended detection alerts.
