
Cyware Orchestrate

Fortinet FortiEDR

App Vendor: Fortinet

App Category: Endpoint, Forensics & Malware Analysis

Connector Version: 1.0.2

API Version: 4.0.0

About App

FortiEDR delivers real-time threat protection for endpoints both pre- and post-infection. It reduces the attack surface, prevents malware infection, detects and defuses threats in real time, and can automate response and remediation procedures with customizable playbooks. In Orchestrate, this app lets playbooks query FortiEDR events and collectors and automate incident investigation and response actions such as isolating an endpoint or remediating a device.

The Fortinet FortiEDR app is configured with the Orchestrate application to perform the following actions:

List Events: Lists events in FortiEDR.

List Raw Event Items: Lists the raw event items associated with an event.

List Exceptions: Lists exceptions in FortiEDR (rules that mark a given event as allowed so it no longer triggers an alert).

List Products: Lists the communicating applications (products) known to FortiEDR.

List Collectors: Lists the collectors (FortiEDR endpoint agents, formerly branded enSilo) registered in the system, with their state.

Isolate Collectors: Isolates collectors, i.e. quarantines the endpoints on the network.

Unisolate Collectors: Removes collectors from isolation and restores their normal network connectivity.

Update Collector Installer: Updates the collector installer. This API call also updates the collectors' target version for collector groups.

List System Summary: Lists the system summary.

Remediate Device: Remediates a device during incident response (terminates a process and/or deletes a file on the endpoint).

Search Hash: Searches endpoints for a file hash (threat hunting).

Get File: Retrieves files matching the given paths from a device for forensic analysis.

Configuration Parameters

The following configuration parameters are required for the Fortinet FortiEDR app to communicate with the Fortinet FortiEDR enterprise application. The parameters can be configured by creating instances in the app.

Base URL (Text, Required): Enter the Base URL to access FortiEDR. Use https; a plain http URL sends the FortiEDR credentials in the clear on every call. Example: "https://abcd.com/"

Username (Text, Required): Enter the username to access FortiEDR. Use a dedicated account granted only the FortiEDR permissions the enabled actions need; the list actions are read-only, while isolate, remediate and get file change endpoint state.

Password (Password, Required): Enter the password to access FortiEDR.

SSL Verification (Boolean, Optional): Whether to verify the FortiEDR server's TLS certificate. Leave it enabled; disable it only for a lab server with a self-signed certificate, because skipping verification lets anyone on the network path impersonate the server and capture the credentials.
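The following Python example, added here and not part of Cyware's connector or Fortinet's client code, shows how the four configuration parameters above translate into a safe request: it rejects a plain-http Base URL, records when SSL verification is switched off, and percent-encodes the Key Value query parameters used by the list actions so a value cannot inject an extra parameter. The /management-rest/ path and the HTTP Basic scheme are assumptions about the FortiEDR API; the host and credentials are constructed.

```python
"""Instance configuration and request construction for the FortiEDR app.

Added example: this is not Cyware's connector code or Fortinet's API client.
Assumptions not stated on the page: the FortiEDR management REST API lives
under <Base URL>/management-rest/ and accepts HTTP Basic credentials, and
the Orchestrate 'Key Value' input is modelled here as a Python dict.
"""
import base64
from urllib.parse import urlencode, urljoin, urlparse


def base_url_problem(base_url):
    """Return None if base_url is acceptable, else a message saying why not.

    Plain http:// is rejected: every call carries the Basic credentials, so
    an http Base URL would expose the FortiEDR password on the wire.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        return "Base URL must start with https://"
    if not parsed.netloc:
        return "Base URL has no host"
    return None


def build_instance(base_url, username, password, ssl_verification=True):
    """Validate the four instance parameters and return a config dict.

    ssl_verification=False is accepted (lab servers with self-signed
    certificates) but recorded in 'warnings' so a reviewer can see that the
    instance is open to man-in-the-middle interception of its credentials.
    """
    problem = base_url_problem(base_url)
    if problem:
        raise ValueError(problem)
    if not username or not password:
        raise ValueError("username and password are required")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    warnings = []
    if not ssl_verification:
        warnings.append("TLS certificate verification is disabled; anyone on "
                        "the path can impersonate the server and capture the "
                        "Basic credentials")
    return {
        "base_url": base_url.rstrip("/") + "/",
        "headers": {"Authorization": "Basic " + token,
                    "Accept": "application/json"},
        "verify_tls": bool(ssl_verification),
        "warnings": warnings,
    }


def build_request(instance, api_path, query_params=None):
    """Return (url, headers, verify_tls) for one action call.

    query_params values are percent-encoded, so a value such as
    "1&organization=x" cannot smuggle an extra parameter into the query;
    ',' is left literal because FortiEDR list filters are comma-separated.
    """
    url = urljoin(instance["base_url"], "management-rest/" + api_path.lstrip("/"))
    if query_params:
        url += "?" + urlencode(query_params, safe=",")
    return url, instance["headers"], instance["verify_tls"]


if __name__ == "__main__":
    # Constructed sample host and credentials; the API path is assumed (see docstring).
    inst = build_instance("https://abcd.com/", "soar-ro", "s3cret")
    print(build_request(inst, "events/list-events", {"eventIds": "1000,1001,1002"})[0])
    try:
        build_instance("http://abcd.com/", "soar-ro", "s3cret")
    except ValueError as exc:
        print("rejected:", exc)
```

The returned `verify_tls` value is what you would pass to the HTTP library's certificate-verification option; nothing in the example sends traffic, so it can be run offline to check what a playbook instance will do before it is enabled.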

Action: List Events

This action lists events in FortiEDR.

Action Input Parameters

Query params (Key Value, Optional): Enter the query parameters to filter events. Example: "eventids=1000,1001,1002"

Action: List Raw Event Items

This action lists raw event items associated with an event.

Action Input Parameters

Event ID (Text, Required): Enter the ID of the event whose raw event items to fetch.

Query parameters (Key Value, Optional): Enter additional query parameters to filter the raw event items.

Action: List Exceptions

This action lists exceptions in FortiEDR (rules that mark a given event as allowed so it no longer triggers an alert).

Action Input Parameters

Query parameters (Key Value, Optional): Enter the query parameters to filter the exceptions.

Action: List Products

This action lists the communicating applications (products) known to FortiEDR.

Action Input Parameters

Query parameters (Key Value, Optional): Enter the query parameters to filter the products.

Action: List Collectors

This action lists the collectors (FortiEDR endpoint agents, formerly branded enSilo) registered in the system, with their state.

Action Input Parameters

Query parameters (Key Value, Optional): Enter the query parameters to filter the collectors.

Action: Isolate Collectors

This action isolates collectors, i.e. quarantines the endpoints on the network.

Action Input Parameters

Devices (Text, Required): Enter the device name.

Organization (Text, Required): Enter the organization's name.

Action: Unisolate Collectors

This action removes collectors from isolation and restores their normal network connectivity.

Action Input Parameters

Devices (Text, Required): Enter the device name.

Organization (Text, Required): Enter the organization's name.
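The isolate/unisolate pair above is the action most likely to cause damage if a playbook runs it against the wrong host. The Python example below, added here and not Cyware's connector code or a FortiEDR feature, wraps the two actions in a policy layer: it refuses protected hosts, skips names already isolated by the same run, and lets unisolate undo only what the playbook itself isolated. The assumption that several device names can be joined with commas in the Devices field, the protected-host list and the organization name are this example's own.

```python
"""Guarded containment for the Isolate / Unisolate Collectors actions.

Added example: not Cyware's connector code or a FortiEDR feature.
Assumptions: the 'Devices' text input accepts several device names joined
with commas; the protected-host list and the journal are this example's own
policy layer, kept by the playbook between the isolate and unisolate steps.
"""
from datetime import datetime, timezone

# Constructed policy: hosts an automated playbook must never cut off.
PROTECTED_HOSTS = {"dc01", "dc02", "soar-worker-1", "fortiedr-core"}


class Containment:
    def __init__(self, organization, protected=PROTECTED_HOSTS):
        self.organization = organization
        self.protected = {h.lower() for h in protected}
        self.isolated = set()   # lower-cased names this run has isolated
        self.journal = []       # audit trail of every action prepared

    def _record(self, action, devices):
        self.journal.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "organization": self.organization,
            "devices": list(devices),
        })

    def isolate(self, devices):
        """Prepare 'Isolate Collectors' inputs for the devices that may be isolated.

        Protected hosts are refused; names already isolated by this run are
        skipped so a re-run of the playbook does not re-issue the call.
        """
        allowed, refused, skipped = [], [], []
        for name in devices:
            key = name.lower()
            if key in self.protected:
                refused.append(name)
            elif key in self.isolated:
                skipped.append(name)
            else:
                allowed.append(name)
                self.isolated.add(key)
        inputs = None
        if allowed:
            inputs = {"Devices": ",".join(allowed), "Organization": self.organization}
            self._record("Isolate Collectors", allowed)
        return {"inputs": inputs, "refused": refused, "skipped": skipped}

    def unisolate(self, devices):
        """Prepare 'Unisolate Collectors' inputs, but only for devices this run isolated.

        A host an analyst isolated by hand stays isolated: the playbook only
        undoes its own containment.
        """
        allowed, skipped = [], []
        for name in devices:
            key = name.lower()
            if key in self.isolated:
                allowed.append(name)
                self.isolated.discard(key)
            else:
                skipped.append(name)
        inputs = None
        if allowed:
            inputs = {"Devices": ",".join(allowed), "Organization": self.organization}
            self._record("Unisolate Collectors", allowed)
        return {"inputs": inputs, "skipped": skipped}


if __name__ == "__main__":
    c = Containment("Acme")   # constructed organization and device names
    print(c.isolate(["WS-0142", "dc01", "LAPTOP-77"]))
    print(c.unisolate(["LAPTOP-77", "WS-9999"]))
    print(c.journal)
```

The `isolated` set is updated before the API call is made, so a playbook that receives an error from the Isolate Collectors action should remove the failed names again; otherwise a later unisolate step would try to release a host that was never cut off.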

Action: Update Collector Installer

This action updates the collector installer. This API call also updates the collectors’ target version for collector groups.

Action Input Parameters

Device ID (Text, Required): Enter the device ID.

Devices (Text, Required): Enter the device name.

Organization (Text, Required): Enter the organization's name.

Action: List System Summary

This action lists the system summary.

Action Input Parameters

Query parameters (Key Value, Optional): Enter the query parameters to filter the system summary.

Action: Remediate Device

This action remediates a device during incident response (terminates a process and/or deletes a file on the endpoint).

Action Input Parameters

Query parameters (Key Value, Required): Enter the query parameters that identify the device, the process to terminate and the file to delete; supply each key and its value as a separate pair. Example: "device=myprocessid=1234=c:\filecryptor.exe"

Action: Search Hash

This action searches endpoints for a file hash (threat hunting).

Action Input Parameters

File hash (Text, Required): Enter the file hash to search for on endpoints.
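Both Remediate Device and Search Hash take raw text that a playbook usually lifts straight from an alert. The Python example below, added here and not Cyware's or Fortinet's code, validates that input before it reaches the API: it splits Key Value pairs on the first "=" only, refuses to terminate the Windows Idle/System PIDs, normalises the delete path so ".." cannot reach into C:\Windows, and classifies the hash by length and character set. The key names device, processId and executableToDelete, the protected-directory list and the sample values are assumptions of this example and must be mapped to the parameter names of your FortiEDR API version.

```python
"""Input checks for the Remediate Device and Search Hash actions.

Added example: not Cyware's connector code or Fortinet's API. Assumptions:
the Key Value input arrives as a list of "key=value" strings; the key names
'device', 'processId' and 'executableToDelete' are this example's own and
must be mapped to the parameter names of your FortiEDR API version; the
protected directories and PIDs are a constructed policy.
"""
import ntpath
import re

HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROTECTED_PIDS = {0, 4}   # Idle and System on Windows: never terminate


def parse_pairs(pairs):
    """Turn ["device=WS-0142", "processId=1234", ...] into a dict.

    Each entry is split on its first '=' only, so a path containing '=' survives.
    """
    out = {}
    for item in pairs:
        if "=" not in item:
            raise ValueError(f"not a key=value pair: {item!r}")
        key, value = item.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def classify_hash(value):
    """Return (algorithm, lower-cased hash) for an MD5/SHA-1/SHA-256 hex digest, else None."""
    digest = value.strip().lower()
    algorithm = HASH_ALGORITHMS.get(len(digest))
    if algorithm and re.fullmatch(r"[0-9a-f]+", digest):
        return algorithm, digest
    return None


def validate_remediation(params):
    """Check remediation inputs and return them normalised, or raise ValueError.

    Refuses the Windows Idle/System PIDs and any delete target under the OS
    or Program Files trees after path normalisation, so 'c:\\..\\Windows\\...'
    cannot slip past the prefix check.
    """
    device = params.get("device", "")
    if not device:
        raise ValueError("device is required")
    pid = params.get("processId", "")
    path = params.get("executableToDelete", "")
    if not pid and not path:
        raise ValueError("give processId and/or executableToDelete")
    out = {"device": device}
    if pid:
        if not pid.isdecimal() or int(pid) in PROTECTED_PIDS:
            raise ValueError(f"processId {pid!r} is not a terminable user process")
        out["processId"] = int(pid)
    if path:
        normalised = ntpath.normpath(path)
        if not re.fullmatch(r"[A-Za-z]:\\.+", normalised):
            raise ValueError(f"executableToDelete must be an absolute drive path: {path!r}")
        if normalised.lower().startswith(PROTECTED_DIRS):
            raise ValueError(f"refusing to delete from a protected directory: {normalised!r}")
        out["executableToDelete"] = normalised
    return out


if __name__ == "__main__":
    # Constructed inputs; the hash is the well-known MD5 of the EICAR test file.
    print(classify_hash(" 44D88612FEA8A8F36DE82E1278ABB02F "))
    params = parse_pairs(["device=WS-0142", "processId=1234",
                          "executableToDelete=c:\\filecryptor.exe"])
    print(validate_remediation(params))
    try:
        validate_remediation(parse_pairs(["device=WS-0142",
                                          "executableToDelete=c:\\..\\Windows\\System32\\lsass.exe"]))
    except ValueError as exc:
        print("rejected:", exc)
```

The protected-directory check runs on the normalised path rather than the raw string: a raw prefix check would accept "c:\..\Windows\System32\lsass.exe" because it does not start with "c:\windows\", while the endpoint would resolve it to exactly that file.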

Action: Get File

This action retrieves files matching the given paths from a device for forensic analysis.

Action Input Parameters

File paths (Any, Required): Enter the list of file paths to retrieve.

Device type (Text, Required): Specify whether the Device parameter below is a device ID or a device name.

Device (Text, Required): Specify the name or ID of the device to fetch files from.

Query parameters (Key Value, Optional): Enter additional query parameters for the file retrieval request.