FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Ahmed_Mohamed
Article Id 328260
Description This article describes how to integrate FortiEDR with the FortiSIEM solution.
Scope FortiEDR 5.2+.
Solution

On the FortiEDR Side.

  1. Add a FortiEDR user with the Rest API role (refer to the FortiEDR v5.2 or v6.0+ administration guide for the user-creation steps of the version in use).
  2. Log in to the FortiEDR console as the newly created user and change the initial password before using the account for API access.

[Screenshot: CHANGE PASSWORD-2024-07-25 14_28_10.png]

On FortiSIEM.

First: Create Credentials for FortiEDR:

[Screenshot: FSIEM_FEDR_Add_Credintials.png]

In FortiSIEM, navigate to Admin -> Credentials and select 'New' under the 'Step 1: Enter Credentials' section. The Access Method Definition window opens:

[Screenshot: FSIEM_FEDR_Access_Method.png]

  1. Select the 'Fortinet FortiEDR' device type.
  2. The Access Protocol field is populated automatically with FortiEDR_API.
  3. Specify the pull interval.
  4. Tenant ID field: in a single-tenant environment, leave it blank.

In multi-organization deployments:

  • To pull data for all organizations in FortiEDR, leave it blank. Note that the FortiEDR API user must then be created under 'All organization' as well.
  • For shared environments, or to pull security data for one specific organization only, take the Tenant ID from any Windows machine that has a FortiEDR Collector installed and registered to that organization: open the CollectorBootstrap.jsn file located under C:\ProgramData\FortiEDR\Config\Collector with a text editor.

The tenant ID is the value stored in the 'AccountId' key.
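The following PowerShell function is an added example, not part of the original article or of the FortiEDR product, for reading the Tenant ID from a collector host instead of opening the file by hand. It assumes only what the article states: the file is JSON at the path above and the value lives in the 'AccountId' key. The function name, the sample file written to the temp directory and its AccountId value are constructed for illustration.

```powershell
# Added example (not Fortinet's code): return the FortiEDR Tenant ID, i.e. the
# 'AccountId' key of CollectorBootstrap.jsn, with clear errors for the two common
# failure modes (no Collector installed; Collector not yet registered).

function Get-FortiEdrTenantId {
    [CmdletBinding()]
    param(
        # Default path from the article; override only for a non-standard install.
        [string]$Path = 'C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "CollectorBootstrap.jsn not found at '$Path'. Is the FortiEDR Collector installed on this host?"
    }

    try {
        $bootstrap = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    } catch {
        throw "Could not parse '$Path' as JSON: $($_.Exception.Message)"
    }

    # An unregistered Collector may have no AccountId yet; $null or empty means "not usable".
    $tenantId = $bootstrap.AccountId
    if ([string]::IsNullOrWhiteSpace([string]$tenantId)) {
        throw "No 'AccountId' value in '$Path'. The Collector may not be registered to an organization yet."
    }

    return [string]$tenantId
}

# Offline demonstration on a constructed file (the AccountId value 12345 is made up):
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'CollectorBootstrap.sample.jsn'
'{ "AccountId": "12345" }' | Set-Content -LiteralPath $sample -Encoding UTF8
Get-FortiEdrTenantId -Path $sample

# On a real collector host, call it without -Path and paste the returned value into
# the FortiSIEM Tenant ID field:
# Get-FortiEdrTenantId
```

Run it in an elevated PowerShell session on a collector registered to the organization whose data FortiSIEM should pull; the value it returns is exactly the one shown under 'AccountId' when the file is opened in a text editor.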

[Screenshot: TenantID_FEDR_FSIEM.png]

  5. Enter the user name and password of the FortiEDR API user created earlier; when a Tenant ID is set, use a user associated with that specific organization.


Second: Define the Credential Associations:

  • Select 'New' under the 'Step 2: Enter IP Range to Credential Associations' section.

[Screenshot: FortiSIEM-credential_associations.png]

  • Enter the FortiEDR Console FQDN or IP address.
  • Select the FortiEDR credentials created in the previous step.

 

Lastly, test the newly added credentials by:

  • Selecting the FortiEDR credential association.
  • Selecting Test -> Test Connectivity under the 'Step 2: Enter IP Range to Credential Associations' section.

[Screenshot: FortiSIEM-connectivity-result.png]

For further information about the FortiSIEM side of the configuration, see the FortiSIEM document 'Fortinet FortiEDR'.