Technical Tip: Best Practices for Configuring FortiEDR

Description

This article describes the best practices for configuring FortiEDR, including managing events, creating exceptions, and updating collector versions. Follow these steps to ensure the FortiEDR configuration is adequate and aligned with best practices.

Scope

FortiEDR.

Solution

To configure FortiEDR according to best practices, follow these steps:

1. Manage events in the FortiEDR console by classifying them correctly, rather than deleting them. This helps in maintaining a record of all events and facilitates better security monitoring.

2. Create exceptions in the FortiEDR console, applying them to specific groups instead of all users. This approach minimizes risks associated with broad exceptions. Create exceptions instead of exclusions whenever possible, as exceptions are less risky.

3. Ensure all collector groups have the 5 security shields assigned: Execution Prevention, Exfiltration Prevention, Ransomware Prevention, Playbooks, and Communication Control Policy. Currently, only the Communication Control Policy needs to be enabled. Refer to Application communication control - how does it work?
   And Policies for steps to enable Communication Control Policy.

4. Update collector versions to the latest available from the FortiEDR console. Start with small, controlled groups and monitor their behavior before updating the rest of the equipment. The update process can be found in the Updating the Updating the Collector Version.

5. Consider enabling more aggressive playbooks for high-security groups, as outlined in the Playbooks.

Related document:
Playbook Policy Actions