Administration Guide

Threat Intelligence Feed integration

When a Threat Intelligence Feed connector is configured, FortiEDR creates a Threat Hunting query based on the data fetched from the STIX/TAXII feed. The related query is updated upon each scheduled retrieval of collection data, which covers the following indicators: hashes, file names, file size, paths, IPs, usernames, registry keys, URLs, and domain names. You can find the relevant queries under Threat Hunting > Saved Queries.

Note: As one Threat Hunting query can include only 150 to 1000 conditions, depending on the indicator type, FortiEDR may create multiple query entries for the same collection.
To set up a Threat Intelligence Feed connector with FortiEDR:
  1. Click the Add Connector button and select Threat Intelligence Feed in the Connectors dropdown list. The following displays:

  2. In the Details section, fill in the following fields:

    Field: Definition

    Name: Specify a name of your choice, which will be used to identify this Threat Intelligence Feed collection.
    Type: Select the syntax type of the original query, for example TAXII (JSON) or TAXII 1 (XML).
    URL: Specify the IP or DNS address of the Threat Intelligence server.
    Collection ID: Specify the collection name of the XML query or the collection ID of the JSON query.
    Authentication: Select this option to specify the authentication details of your Threat Intelligence Feed. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external system's API username and password.
    Enabled: Use this option to enable or disable FortiEDR integration with this Threat Intelligence Feed.
  3. In the Actions section, specify the schedule for FortiEDR to retrieve the provided collection data, which covers the following indicators: hashes, file names, file size, paths, IPs, usernames, registry keys, URLs, and domain names.
  4. Specify the age of collection data for the initial retrieval. For example, One day old means that only indicators that were added to the Collection during the last day will be retrieved for the initial retrieval.
  5. Click the Test button to execute the action.
  6. Click Save.

    The Threat Intelligence Feed connector is set up and relevant queries will be created in Saved Queries under Threat Hunting.
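The following Python is an added illustration, not Fortinet code, of what the scheduled retrieval described above has to do with a TAXII 2.x JSON collection response: keep only indicator objects newer than the configured initial age, pull the indicator value out of each simple STIX pattern, and split the result into batches so that no single saved query exceeds a conditions cap. The sample envelope, the STIX-path-to-category mapping, and the batch size are assumptions made for the example; the guide only states that the cap is 150 to 1000 conditions depending on indicator type.

```python
import re
from datetime import datetime, timedelta

# One simple STIX comparison expression: [object:property = 'value']
_PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]")

# STIX object path -> indicator category named in the guide (illustrative mapping;
# the connector's real mapping is not documented on this page).
_CATEGORY = {
    "file:hashes.'SHA-256'": "hash", "file:hashes.'MD5'": "hash",
    "file:name": "file_name", "ipv4-addr:value": "ip",
    "domain-name:value": "domain", "url:value": "url",
}

def _ts(iso: str) -> datetime:
    """Parse a STIX timestamp; fromisoformat needs +00:00 rather than Z on older Pythons."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_envelope(envelope: dict, added_after: datetime) -> dict:
    """Return {category: [values]} for indicators created at or after added_after."""
    out: dict = {}
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or _ts(obj["created"]) < added_after:
            continue
        m = _PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue  # compound (AND/OR) patterns are out of scope for this example
        category = _CATEGORY.get(m.group(1))
        if category:
            out.setdefault(category, []).append(m.group(2))
    return out

def initial_retrieval(envelope: dict, now_iso: str, age_days: int) -> dict:
    """Mirror the 'age of collection data' setting: only objects from the last N days."""
    return parse_envelope(envelope, _ts(now_iso) - timedelta(days=age_days))

def chunk_conditions(values: list, max_conditions: int) -> list:
    """Split one indicator list into per-query batches of at most max_conditions."""
    return [values[i:i + max_conditions] for i in range(0, len(values), max_conditions)]

# Constructed sample envelope (not real feed data); 203.0.113.0/24 is a documentation range.
SAMPLE_ENVELOPE = {"objects": [
    {"type": "indicator", "created": "2024-05-02T10:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "created": "2024-05-02T08:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "created": "2024-04-20T08:00:00Z",  # too old for a 1-day window
     "pattern": "[domain-name:value = 'old.example.net']"},
    {"type": "indicator", "created": "2024-05-02T09:00:00Z",
     "pattern": "[url:value = 'http://a.example'] OR [url:value = 'http://b.example']"},
    {"type": "malware", "created": "2024-05-02T09:00:00Z", "name": "not an indicator"},
]}

if __name__ == "__main__":
    found = initial_retrieval(SAMPLE_ENVELOPE, "2024-05-03T00:00:00Z", 1)
    print(found, chunk_conditions(found["ip"] * 5, 3))
```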
