malbrecht-kle
Visitor III
February 11, 2025
Solved

Fortinet EDR generating Exceptions for USB mass storage devices via API

  • February 11, 2025
  • 1 reply
  • 1266 views

Hello Fortinet Community,
I activated device control in #EDR to control the use of mass storage devices. In the last days I created several exceptions for USB sticks within the GUI. Now we plan a bigger rollout of USB sticks. I want to prepare the exceptions in advance before handing out the sticks.

I used the API several times to handle collectors and their groups. This was no problem. The description of the API has a function call "create-or-edit-exception". The exception data is mentioned as JSON in the body. There is no example for it in the documentation. I retrieved an exception with "list-exceptions". I passed this JSON output to the create-or-edit function and get an error.

So I've got the following questions:

Can I create an exception for a USB mass storage device which has never generated an event?

When there first has to be an event, can I use the event to create or add the device to an exception?
Is there an existing example?
My goal is to generate a script on a Linux machine in order to automate the process.

Thanks in advance

Michael


Best answer by mvatansever

Dear @malbrecht-kle 


In FortiEDR, an event must be generated before you can apply an exception.
You cannot create an exception for an event that has not yet occurred.
However, I have a suggestion for achieving what you want.

You can implement a scenario where you filter events generated only in the Device Control policy, identify the appropriate device based on the Rule or processPath fields, and then automatically create an exception for it.

View Blocked Events with this Script

With this script, you can view blocked events:

#!/bin/bash

# Define variables
URL="https://xxx.fortiedr.com"
ORGANIZATION="XXXX"
AUTHORIZATION="Your API authentication"
COOKIE="Your Cookie"

# Execute the curl command
curl --location "${URL}/management-rest/events/list-events?deviceControl=true&organization=${ORGANIZATION}" \
--header "Accept: */*" \
--header "Authorization: ${AUTHORIZATION}" \
--header "Cookie: ${COOKIE}"

Create an Exception Based on EventID

From the output data, you can write an exception based on the EventID using the following Bash script:

#!/bin/bash

# Define variables
URL="https://xxx.fortiedr.com"
ORGANIZATION="XXXX"
AUTHORIZATION="Your API authentication"
COOKIE="Your Cookie"
EVENT_ID="USB_BLOCK_EVENT_ID"

# Execute the curl command
curl --location --request POST "${URL}/management-rest/events/create-exception?allCollectorGroups=true&allDestinations=true&allUsers=true&eventId=${EVENT_ID}&organization=${ORGANIZATION}" \
--header "Content-Type: application/json" \
--header "Accept: */*" \
--header "Authorization: ${AUTHORIZATION}" \
--header "Cookie: ${COOKIE}"


I hope this helps.
Cheers!
Mehmet Vatansever
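A way to put the answer's two calls together into the automated flow it describes (filter device-control events, identify the device from the Rule/processPath fields, then create an exception per matching event), as an added Python example that is not part of the answer and not Fortinet's code. It uses only the standard library. The endpoints and query parameters are taken from the curl calls above; the event field names eventId, rules and processPath, the sample events, the environment variable names and the assumption that list-events returns a JSON array are my own assumptions, so compare them with your real list-events output before relying on them. Without FORTIEDR_URL set it runs on the constructed sample data, and unless APPLY=1 is set it only reports the URLs it would POST.

```python
#!/usr/bin/env python3
"""Filter FortiEDR device-control events for one USB device and create an
exception per matching event. Added example for this thread, not Fortinet's
code; the event field names are assumptions (see comments below)."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Endpoints and query parameters as used in the curl calls in the answer.
LIST_EVENTS_PATH = "/management-rest/events/list-events"
CREATE_EXCEPTION_PATH = "/management-rest/events/create-exception"

# Constructed sample of a list-events response. The keys eventId, rules and
# processPath are ASSUMED names based on the fields the answer mentions;
# check them against the real output of list-events.
SAMPLE_EVENTS = [
    {"eventId": 1001, "rules": ["Mass Storage Device Blocked"],
     "processPath": r"USB\VID_0781&PID_5581\SERIAL0001"},
    {"eventId": 1002, "rules": ["Mass Storage Device Blocked"],
     "processPath": r"USB\VID_0781&PID_5581\SERIAL0002"},
    {"eventId": 1003, "rules": ["Mass Storage Device Blocked"],
     "processPath": r"USB\VID_0781&PID_5581\serial0001"},   # same stick, other case
    {"eventId": 1001, "rules": ["Mass Storage Device Blocked"],
     "processPath": r"USB\VID_0781&PID_5581\SERIAL0001"},   # duplicate row
    {"eventId": 1004, "rules": ["Unknown Device"],
     "processPath": r"USB\VID_0781&PID_5581\SERIAL0001"},   # other rule, same stick
    {"rules": ["Mass Storage Device Blocked"],
     "processPath": r"USB\VID_0781&PID_5581\SERIAL0001"},   # no eventId: skipped
]


def build_url(base_url, path, params):
    """Join base URL, API path and a URL-encoded query string."""
    return f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def list_events_url(base_url, org):
    return build_url(base_url, LIST_EVENTS_PATH,
                     {"deviceControl": "true", "organization": org})


def create_exception_url(base_url, org, event_id):
    return build_url(base_url, CREATE_EXCEPTION_PATH,
                     {"allCollectorGroups": "true", "allDestinations": "true",
                      "allUsers": "true", "eventId": event_id, "organization": org})


def query_params(url):
    """Parse the query string of a URL into a {name: value} dict (for review/tests)."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def select_event_ids(events, device_match, rule_match=None):
    """Unique eventIds whose processPath contains device_match (case-insensitive)
    and, if rule_match is given, whose rule list contains that text.
    Rows without the expected fields are skipped instead of aborting the run."""
    found = []
    for ev in events:
        path = str(ev.get("processPath") or "")
        rules = ev.get("rules") or []
        if isinstance(rules, str):
            rules = [rules]
        if device_match.lower() not in path.lower():
            continue
        if rule_match and not any(rule_match.lower() in str(r).lower() for r in rules):
            continue
        eid = ev.get("eventId")
        if eid is not None and eid not in found:
            found.append(eid)
    return found


def api_call(url, auth_header, method="GET"):
    """Send one request; auth_header is the Authorization value, as in the scripts above."""
    req = urllib.request.Request(url, method=method,
                                 data=b"" if method == "POST" else None,
                                 headers={"Accept": "*/*", "Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def create_exceptions(base_url, org, auth_header, event_ids, dry_run=True):
    """POST one create-exception call per event; in dry-run mode only report the
    URLs so the selection can be reviewed before the tenant is changed."""
    results = []
    for eid in event_ids:
        url = create_exception_url(base_url, org, eid)
        status = "dry-run" if dry_run else api_call(url, auth_header, "POST")[0]
        results.append({"eventId": eid, "url": url, "status": status})
    return results


def main():
    base_url = os.environ.get("FORTIEDR_URL")        # e.g. https://xxx.fortiedr.com
    org = os.environ.get("FORTIEDR_ORG", "XXXX")
    auth = os.environ.get("FORTIEDR_AUTH", "")       # Authorization header value
    device = os.environ.get("DEVICE_MATCH", "SERIAL0001")
    dry_run = os.environ.get("APPLY") != "1"
    if base_url:
        _, body = api_call(list_events_url(base_url, org), auth)
        events = json.loads(body)                    # assumed to be a JSON array
    else:
        events = SAMPLE_EVENTS                       # offline demo on constructed data
        base_url = "https://xxx.fortiedr.com"
    ids = select_event_ids(events, device, rule_match="Mass Storage")
    for r in create_exceptions(base_url, org, auth, ids, dry_run):
        print(json.dumps(r))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once in dry-run mode against live data and review the printed eventIds before setting APPLY=1: each POST creates an exception that, with the query parameters used in the answer, applies to all collector groups, destinations and users, so a too-loose DEVICE_MATCH would whitelist more sticks than intended.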


1 reply


malbrecht-kle
Visitor III
February 13, 2025

Dear @mvatansever ,

thanks a lot for your answer. I will use your script examples for further tests. One short question,

How do I generate the Cookie? I made several curl API calls and never used a cookie. Is the cookie generated within an API call prior to authenticating to the API?

Thanks in advance.

Kind regards

Michael Albrecht 

mvatansever
Explorer III
February 13, 2025

Dear @malbrecht-kle 

I copied and pasted the request I made earlier, and a cookie remained; you can ignore it.
If you haven't used an API before, I recommend checking out this document:
FortiEDR REST API and Postman Tips

https://community.fortinet.com/t5/FortiEDR/Technical-Tip-Tips-and-Tricks-with-Rest-API-and-Postman/ta-p/263249


Regards,

Mehmet Vatansever