
How to Detect, Monitor and Mitigate High-Risk Trojans Using FortiNDR and FortiMail

This article explains how to detect, monitor, and mitigate high-risk Trojans using FortiNDR together with FortiMail.

Scope

FortiNDR (on-premises).

Solution

First, establish the connection between FortiNDR and FortiMail. In FortiNDR, go to System > Administrator, edit the administrator profile and select Generate API key.

  1. In FortiMail, select System > NDR. Enter the same API key that was generated on FortiNDR in the previous step, enter the FortiNDR IP address as the Base URL as mentioned below, then select Test connection to verify that the connection is established successfully.
  2. In FortiMail, enable the NDR scan option in the Antivirus profile that is applied to the policy.
  3. To verify the connection from the FortiNDR side, select Security Fabric > Device Input > Other Device.
  4. For detection and monitoring, check the logs in FortiNDR by selecting Log & Report > Malware Logs > Detected.
  5. Selecting View Details on a log entry shows further information, for example the attacker and victim IP addresses and the service (TCP port service multiplexer, TCPMUX), the detection by the FortiNDR AI engine, the SHA1 and SHA256 hashes, the detection name (Win32), the file type (PE, Portable Executable), and the submitted and analyzed dates.
  6. As part of mitigation, FortiMail quarantines the mail (based on the configured AV profile action mentioned in step 3). Check the logs on the FortiMail side as below; the confidence level of 100% is the value received from FortiNDR mentioned in step 5.