Description | Additional information and tips on Threat Intelligence Integrations |
Scope | FortiEDR 6.0+ |
Solution |
FortiEDR 6.0+ offers the ability to integrate FortiEDR Manager with third-party threat intelligence feeds. This feature allows administrators to ingest trending indicators of compromise (IOCs) and run queries against collected Threat Hunting data.
An example is a dormant static file that has no known signatures and has not yet been executed. If a Threat Intelligence feed is configured in conjunction with saved queries, an administrator can detect this dormant, malicious file.
Threat Intelligence Integrations Main Components
1) FortiEDR Manager will connect directly to the Threat Intelligence feed.
2) Threat Intelligence feed. This is a third-party service and should use Trusted Automated eXchange of Intelligence Information (TAXII). TAXII is the transport protocol that governs how threat intelligence data is transferred, and it is widely used in the security industry. The feed content itself must be formatted in Structured Threat Information eXpression (STIX), a standardized, JSON-based language for sharing threat intelligence in a consistent, widely accepted format.
3) FortiEDR Threat Hunting repository. This is the data repository for collected Threat Hunting information.
Threat Intelligence Configuration
The configuration of the Threat Intelligence integration is documented here: https://docs.fortinet.com/document/fortiedr/6.2.0/administration-guide/900872/threat-intelligence-fe....
Tips, Flow and Noteworthy Points
When an administrator configures a Threat Intelligence integration, the following sequence of events will unfold:
1) The FortiEDR Manager connects to the TAXII1/TAXII2 server and fetches data in STIX1/STIX2 format.
2) The FortiEDR Manager parses the STIX1/STIX2 data and converts it into Lucene query syntax for Threat Hunting queries.
3) The FortiEDR Manager creates or updates a saved query from the result. It can be found under Threat Hunting > Saved Queries and is labeled “Threat Intelligence Feed”.
4) Saved queries are limited to 1,000 conditions. If an intelligence feed has more than 1,000 conditions, a separate saved query will be created.
5) FortiEDR checks whether *any one* of the IOC conditions matches and, if so, returns an event in Event Viewer. When an event appears in Event Viewer, users can hover over the 'Threat Hunting' event and open it directly in the Threat Hunting view. This shows verbose information about the event and helps explain which specific IOC condition caused it.
6) Threat Intelligence saved queries behave the same as other saved queries: they do not run on any pre-defined schedule. Administrators must schedule them themselves, and we recommend configuring an interval under Threat Hunting > Saved Queries > Edit.
7) When a new Threat Intelligence integration is configured, a new saved query is created. This alone does not generate any events; the query must be run manually under Threat Hunting > Saved Queries or added to a schedule.
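As an added illustration (not FortiEDR's own code), the following Python sketches steps 2 and 4 above: pulling simple equality comparisons out of STIX 2 indicator patterns, mapping them to Threat Hunting field names, and joining the resulting Lucene clauses into saved queries split at the 1,000-condition limit. The sample bundle and the field names in FIELD_MAP are constructed assumptions, and only `=` comparisons in STIX patterns are handled.

```python
import json
import re

# Constructed sample: a minimal STIX 2.1 bundle with two indicators (not a real feed).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--example", "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"},
        {"type": "malware", "id": "malware--1", "name": "ignored"},  # not an indicator
    ]})

# Hypothetical mapping from STIX object paths to Threat Hunting field names (assumption).
FIELD_MAP = {
    "file:hashes.'SHA-256'": "Target.File.Hash.SHA256",
    "domain-name:value": "Target.Connection.RemoteHost",
}

# Matches "<object-path> = '<value>'" comparisons inside a STIX pattern.
COMPARISON = re.compile(r"([\w:\-]+(?:\.'[^']+'|\.[\w\-]+)*)\s*=\s*'([^']*)'")

def stix_to_conditions(bundle_json):
    """Extract (field, value) conditions from every indicator's STIX pattern."""
    conditions = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            field = FIELD_MAP.get(path)
            if field:  # skip observable types we have no hunting field for
                conditions.append((field, value))
    return conditions

def lucene_clause(field, value):
    # Escape Lucene special characters so a feed value cannot alter the query's structure.
    escaped = re.sub(r'([+\-!(){}\[\]^"~*?:\\/ ])', r'\\\1', value)
    return f"{field}:{escaped}"

def build_saved_queries(conditions, limit=1000):
    """OR the conditions into Lucene queries, one query per <limit> conditions."""
    chunks = [conditions[i:i + limit] for i in range(0, len(conditions), limit)]
    return [" OR ".join(lucene_clause(f, v) for f, v in chunk) for chunk in chunks]

if __name__ == "__main__":
    for q in build_saved_queries(stix_to_conditions(SAMPLE_BUNDLE)):
        print(q)
```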
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.