
Overview

The FortiNDR Cloud App for IBM QRadar SIEM allows administrators to incorporate the network telemetry data collected and analyzed by FortiNDR Cloud into their QRadar deployment.

The app provides two types of inputs: Detections and Events.

The Detections input polls the FortiNDR Cloud REST APIs to bring specific data sets into QRadar. Detections and reports can be imported into IBM QRadar SIEM, and the app will periodically poll FortiNDR Cloud at the specified interval for new detections and reports.

Events can be retrieved from the AWS S3 buckets to import Observation and Suricata events and the associated metadata into QRadar. After the initial import, the app will periodically poll FortiNDR Cloud at a specified interval (by default 900 seconds) for new match events to import. Enrichment and intelligence can also be imported for specified entities, such as WHOIS information, VirusTotal reports, Passive DNS records, and DHCP records. AWS access is required to poll raw events from AWS S3 buckets.
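Both inputs described above follow the same collection pattern: poll a remote source on a fixed interval (900 seconds by default) and import only what is new. The following is an added illustration of that pattern, written for this page and not taken from the FortiNDR Cloud App's own code. It shows the two things a practitioner has to get right in such a collector: a persisted high-water mark so a restart neither re-ingests old records nor skips any, and de-duplication by record ID so a small lookback overlap (added here to tolerate late-arriving records and clock skew) does not create duplicate events in the SIEM. `FakeSource` is a constructed in-memory stand-in for the FortiNDR Cloud REST API or S3 bucket; no real endpoint names, parameters, or record formats are assumed.

```python
"""Incremental polling with a high-water mark and duplicate suppression.

Added example only: this is NOT the FortiNDR Cloud App's code. `FakeSource`
is a constructed stand-in for the FortiNDR Cloud REST API / S3 bucket.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_POLL_INTERVAL = timedelta(seconds=900)  # default interval from the overview
LOOKBACK = timedelta(minutes=15)                # assumed overlap for late-arriving records


@dataclass(frozen=True)
class Record:
    uid: str            # unique id assigned by the source; used for de-duplication
    created: datetime   # timezone-aware creation time
    kind: str           # "detection" or "event"
    summary: str


class FakeSource:
    """Constructed stand-in for the remote source. fetch_since() returns records
    created strictly after `since`, which is all the poller relies on."""

    def __init__(self, records=()):
        self._records = list(records)

    def add(self, record):
        self._records.append(record)

    def fetch_since(self, since):
        return sorted((r for r in self._records if r.created > since),
                      key=lambda r: r.created)


@dataclass
class PollState:
    """State to persist between polls (on disk in a real collector)."""
    high_water_mark: datetime
    seen_uids: dict = field(default_factory=dict)  # uid -> created time


class IncrementalPoller:
    def __init__(self, source, state, interval=DEFAULT_POLL_INTERVAL, lookback=LOOKBACK):
        self.source = source
        self.state = state
        self.interval = interval
        self.lookback = lookback

    def poll_once(self):
        """One cycle: fetch from (watermark - lookback), drop already-seen uids,
        advance the watermark, and return only the genuinely new records."""
        since = self.state.high_water_mark - self.lookback
        fresh = []
        for rec in self.source.fetch_since(since):
            if rec.uid in self.state.seen_uids:
                continue  # overlap window re-returned it; already imported
            self.state.seen_uids[rec.uid] = rec.created
            fresh.append(rec)
            if rec.created > self.state.high_water_mark:
                self.state.high_water_mark = rec.created
        # Bound memory: uids older than the lookback window can never be re-fetched.
        cutoff = self.state.high_water_mark - self.lookback
        self.state.seen_uids = {u: t for u, t in self.state.seen_uids.items() if t > cutoff}
        return fresh

    def next_poll_at(self, now):
        """When a scheduler should call poll_once() again."""
        return now + self.interval


def demo():
    """Constructed scenario: initial import, an idle poll, then a late record."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    src = FakeSource([
        Record("det-1", t0, "detection", "suspicious beaconing"),
        Record("det-2", t0 + timedelta(minutes=10), "detection", "new external service"),
        Record("evt-1", t0 + timedelta(minutes=20), "event", "suricata alert"),
    ])
    poller = IncrementalPoller(src, PollState(high_water_mark=t0 - timedelta(minutes=1)))
    first = len(poller.poll_once())    # all three imported
    second = len(poller.poll_once())   # overlap returns det-2/evt-1 again, both suppressed
    src.add(Record("evt-late", t0 + timedelta(minutes=6), "event", "late-arriving alert"))
    third = len(poller.poll_once())    # inside the lookback window, so it is picked up
    return first, second, third


if __name__ == "__main__":
    print("imported per poll:", demo())
```

The lookback window is the trade-off to tune: too short and late records are silently lost; too long and each poll re-reads more data and the de-duplication set grows. A record created earlier than `high_water_mark - lookback` will never be imported, so the state must be persisted with the interval and lookback that produced it.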

See Setting up FortiNDR Cloud inputs for information on how to configure FortiNDR Cloud inputs.
