This article describes how to detect and monitor high-risk Trojans using FortiNDR and FortiSandbox.
Scope
FortiNDR (on-premises).
Solution
Step 1: Make sure that a connection is established between FortiNDR and FortiSandbox.
From FortiSandbox, select Security Fabric, enter the IP address of FortiNDR, and set the Token to the API key generated on FortiNDR as mentioned above. Select Test connection to verify the connection.
Verify the connection from FortiNDR: select Security Fabric > Device Input > Other Device.
Step 2: From FortiSandbox, select Scan Policy & Object > Scan Profile and enable the FortiNDR entrust option.
Step 3: Once malware is detected, check it from FortiNDR. Select Log&Report > Malware Log > Detected to find all the information needed about the malware, including the MD5 hash, virus name, detection type, attacker and victim IP addresses, and the device name (FortiSandbox).
Step 4: For more details about the malware sample, select View details report to see the file type (PE, portable executable), the detection name (Win32), and the detection type (FortiNDR Binary AI engine).
Step 5: It is also possible to check the FortiSandbox scanned jobs. FortiSandbox will also rate the file as malicious or high risk, with more details, according to the FortiNDR file rating.
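The following is an added example, not part of this article or of Fortinet's products: it correlates the FortiNDR malware-log fields named in Step 3 with the FortiSandbox ratings named in Step 5 by MD5 hash, so an analyst can list detections both products agree are high risk and spot detections that never reached FortiSandbox. The CSV layouts and all sample values are constructed assumptions, not the real export formats.

```python
"""Correlate FortiNDR malware-log entries with FortiSandbox verdicts by MD5.
Record layouts are constructed for this example (fields the article names);
they are not the real FortiNDR/FortiSandbox export formats."""
import csv
import io

# Constructed FortiNDR "Malware Log > Detected" export (assumed CSV layout).
NDR_LOG = """md5,virus_name,detection_type,attacker_ip,victim_ip,device,file_type
0123456789abcdef0123456789abcdef,W32/Trojan.Generic,FortiNDR Binary AI engine,203.0.113.7,192.0.2.20,FortiSandbox,PE
fedcba9876543210fedcba9876543210,W32/Adware.Sample,FortiNDR Binary AI engine,203.0.113.9,192.0.2.21,FortiSandbox,PE
abcdef0123456789abcdef0123456789,W32/Trojan.Other,FortiNDR Binary AI engine,203.0.113.8,192.0.2.22,FortiSandbox,PE
"""

# Constructed FortiSandbox scanned-jobs export (assumed CSV layout).
SANDBOX_JOBS = """md5,rating
0123456789abcdef0123456789abcdef,High Risk
fedcba9876543210fedcba9876543210,Low Risk
"""

HIGH_RISK_RATINGS = {"malicious", "high risk"}

def parse_csv(text):
    """Return a list of dict rows from an in-memory CSV export."""
    return list(csv.DictReader(io.StringIO(text)))

def correlate(ndr_csv, sandbox_csv):
    """Join detections to sandbox verdicts on MD5. Returns (confirmed, missing):
    confirmed = detections FortiSandbox also rated Malicious/High Risk, with the
    rating attached; missing = MD5s with no sandbox verdict (check the Step 1
    Security Fabric connection if this list is unexpectedly long)."""
    verdicts = {r["md5"].lower(): r["rating"] for r in parse_csv(sandbox_csv)}
    confirmed, missing = [], []
    for det in parse_csv(ndr_csv):
        md5 = det["md5"].lower()
        rating = verdicts.get(md5)
        if rating is None:
            missing.append(md5)
        elif rating.lower() in HIGH_RISK_RATINGS:
            confirmed.append({**det, "sandbox_rating": rating})
    return confirmed, missing

if __name__ == "__main__":
    hits, unmatched = correlate(NDR_LOG, SANDBOX_JOBS)
    for h in hits:
        print(f"{h['md5']} {h['virus_name']} {h['attacker_ip']} -> {h['victim_ip']} [{h['sandbox_rating']}]")
    print("no sandbox verdict:", unmatched)
```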