
FortiEDR Fabric

Integration Guide

Technical Integration Guide for Automated


Incident Response and Event Analysis with
FortiEDR
Rev. 2
May 2020
FortiEDR Fabric Integration Guide

Table of Contents
Chapter 1 – Overview: page 3
Chapter 2 – Using FortiEDR Syslog for Threat Visibility and Event Analysis: page 4
    FortiEDR Syslog Configuration: page 4
Chapter 3 – Using FortiEDR Connectors for Automated Incident Response and Enhanced Detection: page 6
    Prerequisites: page 6
    FortiGate Integration – Automatically Block Malicious Destinations: page 6
    FortiSandbox Integration – Enhanced Detection: page 11
Appendix A – Creating a FortiEDR User with API Permissions: page 14

www.fortinet.com 2

Chapter 1 – Overview
FortiEDR provides real-time endpoint security on top of next-generation AV (NGAV) and automated incident response. When
working together with other elements of the Fortinet Security Fabric, it enhances network visibility and threat detection
and provides the means for synchronizing a coordinated response.
With its various export capabilities and rich REST APIs, FortiEDR enables easy integration with other Fortinet components.
This guide describes both the Syslog and the Connector integration methods and explains the configuration steps required,
focusing on two different use cases.
The following table summarizes FortiEDR integration options with various elements of the Fortinet Security Fabric.
FortiEDR Integration: FortiGate, FortiManager, FortiSandbox, FortiNAC, FortiAnalyzer, FortiSIEM, FortiSOAR
Syslog: V V V V
Connector: V V V


Chapter 2 – Using FortiEDR Syslog for Threat Visibility and Event Analysis
To provide complete visibility into the device and correlate security incidents across Fortinet Security Fabric components, the
FortiEDR Central Manager can be configured to automatically export security events to one or more components via Syslog
messages. For example, security events that are sent to FortiNAC as Syslog messages can be configured to trigger isolation
of the affected devices.
Follow the steps described below to automatically export security events via Syslog messages to other elements of the
Fortinet Security Fabric.

FortiEDR Syslog Configuration


Before you begin Syslog configuration, validate connectivity between the FortiEDR Central Manager and the customer Fortinet
product that is to receive the messages.
To define a new Syslog export with FortiEDR Central Manager:
1. Log in to the FortiEDR management console using your Admin credentials.
2. Navigate to the ADMINISTRATION page.
3. Click EXPORT SETTINGS in the left pane.
4. In the Syslog area, click the Define New System button and then complete the standard Syslog
parameters for your Fortinet receiving component (for example, FortiNAC).
5. Save the configuration.

6. Select the Syslog row and then use the sliders in the NOTIFICATIONS pane on the right to enable sending security
events.


7. Click the Settings button next to Security Events and then check the Syslog message fields of your choice.

8. Click Save. FortiEDR security events will now be sent as Syslog messages to the configured destination
server. For more details, refer to the FortiEDR Installation and Administration Guide.


Chapter 3 – Using FortiEDR Connectors for Automated Incident Response and Enhanced Detection
Security orchestration, automation and response (SOAR) are key elements of today’s security. With its built-in connectors,
FortiEDR leverages the Fabric to orchestrate customer responses to active attacks. FortiEDR connectors utilize Fortinet
products’ APIs to automatically perform the required actions.

Prerequisites
The following prerequisites are required to set up FortiEDR connectors:
• The FortiEDR deployment must include an on-premise Core that has connectivity to the FortiGate server.
• The FortiEDR Central Manager must have connectivity to Fortinet Cloud Services (FCS).
• A valid FortiEDR user with API permissions to FortiEDR is required. To define this user, refer to Appendix A, Creating a
FortiEDR User with API Permissions on page 14.
• A valid API user with access to FortiGate or FortiSandbox is required. Make sure that the IP of the on-premise FortiEDR
Core is specified as Trusted Hosts for this API user as shown below:

FortiGate Integration – Automatically Block Malicious Destinations


Follow the steps below to automatically deny access on FortiGate to malicious destination addresses detected by FortiEDR.
The example below describes how to define an address group on FortiGate and associate it with a FortiGate policy rule, such
that it blocks connections to the addresses in the group. The address group is then used when configuring the FortiEDR
connector so that it is automatically populated with malicious destinations upon detection by FortiEDR (see footnote 1).
The same address group can be used for multiple firewall policies in order to cover any VLAN to WAN interface in
the network.

Footnote 1: Once the FortiGate address group reaches its maximum number of members, old group members are overwritten by new ones.


FortiGate Configuration
1. Go to Policy & Objects > Addresses.
2. Create a new address group to be populated by FortiEDR. The new address group now appears in the FortiGate
Addresses table.

3. Go to Policy & Objects > IPv4 Policy.


4. Create a new policy to deny traffic to any address in the address group that was created as part of step 2. The new policy
now appears in the FortiGate Policies table.


FortiEDR Connector Configuration


Configuration of FortiEDR connectors is performed with REST API requests to the FortiEDR Central Manager. To do so, run the
following API request from a device that has connectivity to the FortiEDR Central Manager. You can use any API tool, such
as Postman, to do so:
URL: https://FORTIEDRHOST/maintenance/update-application-properties
Request Type: POST
Request Header: Content-Type: Application/JSON
Request Body:
{
  "properties": [
    {
      "key": "coc.soarConfigParams",
      "value": "{\"OrganizationName\":{\"Enabled\":true,\"PbFabricActionBlock\":{\"Enabled\":true,\"AirActionExecutingCoreName\":\"FortiEDRonPremCoreName\",\"FABRIC_ENV_CONFIG\":{\"FortigateUser\":\"FortiGateUsername\",\"FortigatePolicyGroupName\":\"FortiEDR_Malicious_Destinations\",\"FortigateIpAddress\":\"10.51.122.63\",\"FortigatePassword\":\"FortiGateP@ssword\",\"DeviceType\":\"Fortigate\"}}}}"
    }
  ]
}
Note that the "value" field is itself a JSON document encoded as a string, so the inner quotes must remain escaped.
All parameters are mandatory. The placeholder values in the request (FORTIEDRHOST, OrganizationName, FortiEDRonPremCoreName,
FortiGateUsername, FortiEDR_Malicious_Destinations, 10.51.122.63 and FortiGateP@ssword) should be replaced with the
environment's specific parameters, as follows:
• FORTIEDRHOST: The domain name or IP address of the FortiEDR Central Manager.
• OrganizationName: The name of the organization for which integration with FortiGate is required. You can locate the
organization's name in both single-tenant and multi-tenant environments in the ADMINISTRATION > ORGANIZATIONS page
in the FortiEDR Console, as shown below:

• Enabled: true/false for enabling or disabling this connector’s incident response action.
• AirActionExecutingCoreName: The FortiEDR on-premise Core name entered during its installation. See the
Prerequisites section on page 6 for more details. You can locate the Core's name in the INVENTORY > SYSTEM
COMPONENTS page in the FortiEDR Console, as shown below:


• FortigateUser: The FortiGate API user (see footnote 2). See the Prerequisites section on page 6 for more details.
• FortigatePassword: The FortiGate API password. See the Prerequisites section on page 6 for more details.
• FortigateIpAddress: The IP address of the FortiGate server.
• FortigatePolicyGroupName: The name of the FortiGate address group that was previously defined. See the FortiGate
Configuration section on page 7 for more details.
For example, the following figures show the Authorization, Headers and Body of an API request that was sent using Postman
to the FortiEDR Central Manager with IP address 130.211.75.199, which connects to a FortiGate with IP address
10.51.122.63:

Footnote 2: Alternatively, an API token can be used instead of the FortiGate user and password.


Check FortiEDR Automatic Incident Response


FortiEDR is now configured to add malicious IP addresses to the blocking policy on FortiGate upon triggering of a security
event.
You can check that malicious IP addresses are added to the address group that was configured on FortiGate following
FortiEDR security events.
In addition, automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the
FortiEDR Console, as shown below:


FortiSandbox Integration – Enhanced Detection


Similarly, a FortiEDR connector can be configured to enable file analysis by FortiSandbox.
When FortiSandbox is configured and the Sandbox Analysis Policy rule is enabled, files that meet several conditions and that
have not been previously analyzed trigger a sandbox analysis event on FortiEDR and are sent to FortiSandbox. The
conditions are a combination of several items, such as the file was downloaded from the Internet and was not signed by a
known vendor. If the file is found to be clean, the event is automatically classified as safe and is archived. If the file is
determined by the sandbox to be suspicious or malicious, then the event is classified as non-safe and any future execution
attempt of the file in the environment is blocked by one of the Pre-execution (NGAV) Policy rules. Note that in all cases the
first file execution is not delayed or blocked.

FortiEDR Connector Configuration


To configure the FortiSandbox connector on FortiEDR, make sure that all items of the Prerequisites section on page 6 are in
place and then run the following API request from a device that has connectivity to the FortiEDR Central Manager. Again,
you can use any API tool, such as Postman, to do so:
URL: https://FORTIEDRHOST/maintenance/update-application-properties
Request Type: POST
Request Header: Content-Type: Application/JSON
Request Body:
{
  "properties": [
    {
      "key": "coc.soarConfigParams",
      "value": "{\"OrganizationName\":{\"Enabled\":true,\"KeysToEncrypt\":[\"FortiSBPassword\"],\"PbFabricActionSandboxSubmitFile\":{\"Enabled\":true,\"AirActionExecutingCoreName\":\"FortiEDRonPremCoreName\",\"FABRIC_ENV_CONFIG\":{\"FortiSBUser\":\"FortiSandboxUsername\",\"FortiSBIpAddress\":\"35.235.40.131\",\"FortiSBPassword\":\"FortiSandboxP@ssword\",\"DeviceType\":\"FortiSandbox\"}},\"PbFabricActionSandboxGetResult\":{\"Enabled\":true,\"AirActionExecutingCoreName\":\"FortiEDRonPremCoreName\",\"FABRIC_ENV_CONFIG\":{\"FortiSBUser\":\"FortiSandboxUsername\",\"FortiSBIpAddress\":\"35.235.40.131\",\"FortiSBPassword\":\"FortiSandboxP@ssword\",\"DeviceType\":\"FortiSandbox\"}}}}"
    }
  ]
}
As before, the "value" field is a JSON document encoded as a string; note that this configuration defines two actions (submit
file and get result) and lists FortiSBPassword under KeysToEncrypt.
All parameters are mandatory. The placeholder values in the request (FORTIEDRHOST, OrganizationName, FortiEDRonPremCoreName,
FortiSandboxUsername, 35.235.40.131 and FortiSandboxP@ssword) should be replaced with the environment's specific parameters,
as follows:
• FORTIEDRHOST: The domain name or IP address of the FortiEDR Central Manager.
• OrganizationName: The name of the organization for which the integration is required. You can locate the
organization's name in both single-tenant and multi-tenant environments in the ADMINISTRATION > ORGANIZATIONS
page in the FortiEDR Console, as shown in the previous section.
• Enabled: true/false for enabling or disabling this connector's incident response action.
• AirActionExecutingCoreName: The FortiEDR on-premise Core name entered during its installation. See the
Prerequisites section on page 6 for more details. You can locate the Core's name in the INVENTORY > SYSTEM
COMPONENTS page in the FortiEDR Console, as shown in the previous section.


• FortiSBUser: The FortiSandbox API user. See the Prerequisites section on page 6 for more details.
• FortiSBPassword: The FortiSandbox API password. See the Prerequisites section on page 6 for more details.
• FortiSBIpAddress: The IP address of the FortiSandbox server.
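Both connector requests above carry the same shape: a "value" string that is itself JSON, with one or more PbFabricAction entries under the organization name. Hand-escaping that nested string is where most configuration attempts go wrong (a missing backslash silently produces an invalid property). The following Python script is an added example, not Fortinet code or part of this guide: it builds the exact payloads shown in the FortiGate and FortiSandbox sections with json.dumps, decodes them back for a round-trip check, and posts them with the basic authentication used by the Appendix A REST API user. The property key, action names and FABRIC_ENV_CONFIG fields come from the guide; all hosts, user names and passwords are constructed placeholders.

```python
"""Build and submit FortiEDR connector (coc.soarConfigParams) payloads.

Added example for this guide, not Fortinet code. The property key, action
names and FABRIC_ENV_CONFIG fields are taken from the guide; every host,
user and password value is a constructed placeholder.
"""
import base64
import json
import urllib.request


def fortigate_block_action(core_name, fg_ip, fg_user, fg_password, group_name):
    """PbFabricActionBlock: FortiEDR adds malicious destinations to a FortiGate address group."""
    return {
        "PbFabricActionBlock": {
            "Enabled": True,
            "AirActionExecutingCoreName": core_name,
            "FABRIC_ENV_CONFIG": {
                "FortigateUser": fg_user,
                "FortigatePolicyGroupName": group_name,
                "FortigateIpAddress": fg_ip,
                "FortigatePassword": fg_password,
                "DeviceType": "Fortigate",
            },
        }
    }


def fortisandbox_actions(core_name, sb_ip, sb_user, sb_password):
    """Both FortiSandbox actions (submit file, get result) carry the same FABRIC_ENV_CONFIG."""
    env = {
        "FortiSBUser": sb_user,
        "FortiSBIpAddress": sb_ip,
        "FortiSBPassword": sb_password,
        "DeviceType": "FortiSandbox",
    }
    actions = {}
    for name in ("PbFabricActionSandboxSubmitFile", "PbFabricActionSandboxGetResult"):
        actions[name] = {
            "Enabled": True,
            "AirActionExecutingCoreName": core_name,
            "FABRIC_ENV_CONFIG": dict(env),
        }
    return actions


def build_soar_config(org_name, actions, keys_to_encrypt=()):
    """Return the request body for /maintenance/update-application-properties.

    The "value" is JSON encoded as a string, exactly as in the guide; building
    it with json.dumps avoids hand-escaping the nested quotes.
    """
    org = {"Enabled": True}
    if keys_to_encrypt:
        org["KeysToEncrypt"] = list(keys_to_encrypt)
    org.update(actions)
    return {
        "properties": [
            {
                "key": "coc.soarConfigParams",
                "value": json.dumps({org_name: org}, separators=(",", ":")),
            }
        ]
    }


def decode_soar_config(body):
    """Round-trip check: parse the nested "value" string back into a dict."""
    return json.loads(body["properties"][0]["value"])


def post_application_properties(host, api_user, api_password, body, timeout=30):
    """POST the body to the Central Manager using basic auth (the Appendix A REST API user)."""
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/maintenance/update-application-properties",
        data=json.dumps(body).encode(),
        # Media types are case-insensitive; this matches the guide's Application/JSON.
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholder values; replace with your environment's parameters.
    fg = fortigate_block_action("FortiEDRonPremCoreName", "10.51.122.63",
                                "FortiGateUsername", "FortiGateP@ssword",
                                "FortiEDR_Malicious_Destinations")
    print(json.dumps(build_soar_config("OrganizationName", fg), indent=2))
    sb = fortisandbox_actions("FortiEDRonPremCoreName", "35.235.40.131",
                              "FortiSandboxUsername", "FortiSandboxP@ssword")
    print(json.dumps(build_soar_config("OrganizationName", sb,
                                       keys_to_encrypt=["FortiSBPassword"]), indent=2))
```

Run decode_soar_config on the body before sending it; if it raises, the nested string is malformed and the Central Manager would receive an unusable property. Keep the FortiGate and FortiSandbox credentials out of the script itself (environment variables or a secrets store) since the payload carries them in clear text.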

FortiEDR Policy Configuration


In order to complete sandbox integration, the Sandbox Scan rule must be enabled with the FortiEDR Central Manager.
To enable the Sandbox Scan rule:
1. Log in to the FortiEDR management console.
2. Navigate to the SECURITY SETTINGS > Security Policies page.
3. Open the Execution Prevention policy that is applied on devices for which you want the sandbox scan to apply and
click the Disabled button next to the Sandbox Analysis rule to enable it, as shown below:


Check FortiSandbox Analysis


FortiEDR is now configured to send unknown files to FortiSandbox.
You can check file analysis on your FortiSandbox.
In addition, you can see sandbox analysis events in the Events page of the FortiEDR Console. Events on files that were found
to be clean appear under the Archived Events filter, and files that were found to be risky are displayed under the All filter,
as shown below:


Appendix A – Creating a FortiEDR User with API Permissions
To create a user with REST API privileges:
1. Log in to the FortiEDR management console using your Admin credentials.
2. Navigate to the ADMINISTRATION page.
3. Click USERS in the left pane.
4. Click the Add User button and complete the details for this new user. Be sure to assign both the REST API and Admin
roles, as shown below:

5. Log out from the FortiEDR management console.


6. Perform another login to the console. Use the newly created API username and password that were defined in step 4.


7. When prompted, change the initial password to a new permanent one. The new REST API user is now ready to perform
API calls using basic authentication by supplying its username and password for each API call.
