Fortinet FortiEDR 2.0.0
App Vendor: Fortinet
App Category: Endpoint, Forensics & Malware Analysis
Connector Version: 2.0.0
API Version: 1.0.0
About App
Fortinet FortiEDR protects endpoints before and after infection, stops data breaches in real time, and automatically orchestrates incident investigation and response. In Orchestrate, the app enables security teams to isolate and unisolate endpoints. The app also retrieves files, collectors, events, products, raw event items, system summaries, and hash search results.
The Fortinet FortiEDR app is configured with the Orchestrate application to perform the following actions.
Action Name | Description |
---|---|
Get File | This action retrieves a binary file in zip format. |
Isolate Endpoint | This action isolates an endpoint. |
List Collectors | This action retrieves a list of collectors in the system. |
List Events | This action retrieves a list of events in the system. |
List Products | This action retrieves a list of communicating applications in the system. |
List Raw Event Items | This action retrieves a list of raw data items of an event. |
List System Summary | This action retrieves the system summary data of the environment. |
Search Hash | This action searches for a file hash among the current events, threat hunting repository, and communicating applications that exist in the system. |
Unisolate Endpoint | This action unisolates an endpoint. |
Configuration Parameters
The following configuration parameters are required for the Fortinet FortiEDR connector app to communicate with the Fortinet FortiEDR enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: "www.cyware.com" | Text | Required | |
Auth Token | Enter the authentication token. | Password | Required | |
Verify | Specify whether the TLS certificate of the Fortinet FortiEDR server must be verified. Example: true | Boolean | Optional | Allowed values: true, false. Default value: true |
Action: Get File
This action retrieves a binary file in zip format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Paths | Enter the list of file paths. | List | Required | |
Type | Enter the input type of the Device input parameter. | Text | Required | Allowed values: |
Device | Enter the name or ID of the device to remediate. | Text | Required | |
Query Params | Enter the query parameters. | Key Value | Optional | |
Action: Isolate Endpoint
This action isolates an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the list of IDs of the devices to isolate. Example: $LIST[1001, 10002] | List | Required | |
Devices | Enter the list of device names. Example: $LIST[device1, device2] | List | Required | |
Organization | Enter the name of the organization. Example: "Cyware" | Text | Required | |
Action: List Collectors
This action retrieves a list of collectors in the system.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Params | Enter the query parameters. | Key Value | Optional | Allowed keys: for the complete list of allowed keys, see Fortinet Endpoint Protection and Response Platform RESTful API. |
Action: List Events
This action retrieves a list of events in the system.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event IDs | Enter a comma-separated list of event IDs. | Text | Optional | |
Query Params | Enter the query parameters. | Key Value | Optional | Allowed keys: for the complete list of allowed keys, see Fortinet Endpoint Protection and Response Platform RESTful API. |
Action: List Products
This action retrieves a list of communicating applications in the system.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Params | Enter the query parameters. | Key Value | Optional | Allowed keys: for the complete list of allowed keys, see Fortinet Endpoint Protection and Response Platform RESTful API. |
Action: List Raw Event Items
This action retrieves a list of raw data items of an event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event ID. | Text | Required | |
Query Params | Enter the query parameters. | Key Value | Optional | Allowed keys: for the complete list of allowed keys, see Fortinet Endpoint Protection and Response Platform RESTful API. |
Action: List System Summary
This action retrieves the system summary data of the environment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Params | Enter the query parameters. | Key Value | Optional | Allowed keys: |
Action: Search Hash
This action searches for a file hash among the current events, threat hunting repository, and communicating applications that exist in the system.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter a comma-separated list of hash values. | Text | Required | |
Action: Unisolate Endpoint
This action unisolates an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter a comma-separated list of device IDs. Example: $LIST[1001, 10002] | List | Required | |
Devices | Enter a comma-separated list of device names. Example: $LIST[device1, device2] | List | Required | |
Organization | Enter the organization name. Example: "Cyware" | Text | Required | |