This article describes how to integrate FortiEDR with the FortiSIEM solution.
Scope
FortiEDR 5.2+.
Solution
On the FortiEDR Side
Step 1: Add a FortiEDR user with the Rest API role (follow the user-creation procedure for v5.2 or v6.0+, as applicable).
Step 2: Log in to the FortiEDR console as the newly created user and change its initial password before using it in FortiSIEM.
On FortiSIEM
First: Create Credentials for FortiEDR:
In FortiSIEM, navigate to Admin -> Credentials and select ‘New’ under the ‘Step 1: Enter Credentials’ section. The Access Method Definition window opens:
Step 1: Select the ‘Fortinet FortiEDR’ device type.
Step 2: The Access Protocol field is populated automatically with FortiEDR_API.
Step 3: Specify the pull interval.
Step 4: Tenant ID field: in a single-tenant environment, leave it blank.
In multi-organization deployments:
- To pull data for all organizations in FortiEDR, leave it blank. Note that the FortiEDR API user must then be created under ‘All organization’ as well.
- In shared environments, or to pull security data for one specific organization, take the Tenant ID from any Windows machine with a FortiEDR Collector installed and registered to that organization. With a text editor, open the CollectorBootstrap.jsn file located under C:\ProgramData\FortiEDR\Config\Collector.
The tenant ID is the value stored in the ‘AccountId’ key.
Step 5: Enter the username and password of the FortiEDR API user; in multi-organization deployments, use the user associated with the organization whose data is to be pulled.
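As an added example (not part of the original article or of Fortinet's own tooling), the following PowerShell function reads the tenant ID from CollectorBootstrap.jsn on a Collector host instead of opening the file in a text editor. It assumes the file is JSON (the regex fallback covers a non-strict-JSON layout), and the function name Get-FortiEDRTenantId and the error messages are this example's own choices.

```powershell
# Added example (not from the Fortinet article): read the FortiEDR tenant ID
# (the 'AccountId' key) from a registered Windows Collector's bootstrap file.
# Assumptions: the file is JSON (a regex fallback handles a non-strict-JSON
# layout); the function name is this example's own.
function Get-FortiEDRTenantId {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Bootstrap file not found: $Path (is the FortiEDR Collector installed and registered?)"
    }

    # Reading under ProgramData\FortiEDR normally requires an elevated prompt.
    $raw = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop

    try {
        $obj = $raw | ConvertFrom-Json -ErrorAction Stop
        $id  = $obj.AccountId
    } catch {
        # Not strict JSON: fall back to a targeted match on the key,
        # accepting either a quoted or an unquoted value.
        $m  = [regex]::Match($raw, '"AccountId"\s*:\s*"?([^",}\s]+)"?')
        $id = if ($m.Success) { $m.Groups[1].Value } else { $null }
    }

    if ([string]::IsNullOrWhiteSpace($id)) {
        throw "No 'AccountId' key found in $Path"
    }
    return [string]$id
}

# Usage: print the value to paste into the FortiSIEM Tenant ID field.
Get-FortiEDRTenantId
```

Run it on a Collector that is registered to the organization you intend to pull data for; a Collector registered to a different organization yields that organization's AccountId, and FortiSIEM would then pull the wrong tenant's data.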
Second: Define the Credential Associations:
- Select the New button under ‘Step 2: Enter IP Range to Credential Associations’.
- Enter FortiEDR Console FQDN or IP address.
- Select the created FortiEDR credentials.
Lastly, test the newly added credentials by:
- Selecting the FortiEDR credential association.
- Selecting Test button -> Test Connectivity under ‘Step 2: Enter IP Range to Credential Associations’.