
Administration Guide

Enforcement

Enforcement provides an extra layer of logic to deal with the detections discovered by FortiNDR and delivers follow-up actions to Security Fabric devices. FortiNDR periodically evaluates the latest batch of detections against the enforcement settings. If any detection satisfies the criteria for the next course of action, the system then looks at which automation profile the detection falls under and performs the response action accordingly.

The system uses the webhook registered to the automation profiles or predefined APIs to carry out different enforcement strategies. FortiNDR supports the following action types:

  • FortiGate Quarantine (Previously known as Ban IP action)
  • FortiNAC Quarantine (FortiNAC version v9.2.0+ support)
  • FortiSwitch Quarantine via FortiLink
  • Generic Webhook

FortiNDR combines the information from the Automation Framework and the Enforcement Settings to generate enforcement actions.

Enforcement Settings

Enforcement Settings are policies for FortiNDR to filter out malicious detections and NDR anomaly detections when executing enforcement. These policies include Event Category, NDR Detection Severity Level, Malware Risk Level, Malware Confidence Level, and Allow List.

Register the automation stitches webhook you created in FortiGate so that FortiNDR can execute the enforcement. FortiNDR combines the information from the Automation Framework and the Enforcement Settings to generate enforcement actions.

To create an enforcement profile:
  1. Go to Security Fabric > Enforcement Settings.
  2. In the toolbar, click Create New. The General Settings page opens.
  3. Configure the profile settings.

    Profile Name
      Enter a name for the profile.

    Event Category
      Select one of the following options:
      • Malware Detection
      • NDR: Botnet Detection
      • NDR: Encryption Attack Detection
      • NDR: Network Attack Detection
      • NDR: Indication of Compromise Detection
      • NDR: Weak Cipher and Vulnerable Protocol Detection

    NDR Detection Severity Level
      Select Critical, High, Medium or Low severity from the dropdown.

    Malware Risk Level
      Select Critical, High, Medium or Low risk level from the dropdown.

    Malware Confidence Level
      Enter a numeric value for the confidence level and click either Medium or High.

    White List
      Enter the IP address you want to exclude as a trigger.
      If the source IP matches the entry, the profile will not be triggered even if the event and severity level match.

  4. Click OK.
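The evaluation described above (filter each detection in the batch by event category, severity or risk/confidence, and the white list, then hand the survivors to the profile's action type) can be modelled in a few lines. The following Python is an added example, not FortiNDR code or a FortiNDR API: the field names, the 0-100 confidence scale, the treatment of a selected severity as a minimum threshold, CIDR support in the white list, and the sample detections are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed ordering of the four dropdown values so that a selected level can be
# treated as a minimum threshold (the guide does not state exact-vs-at-least).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# The four action types named in the guide.
ACTION_TYPES = {
    "FortiGate Quarantine",
    "FortiNAC Quarantine",
    "FortiSwitch Quarantine",
    "Generic Webhook",
}


@dataclass
class Detection:
    """One detection in a batch (constructed; field names are hypothetical)."""
    event_category: str
    source_ip: str
    severity: str = "Low"      # NDR Detection Severity Level
    risk_level: str = "Low"    # Malware Risk Level (malware detections only)
    confidence: int = 0        # Malware Confidence Level, 0-100 (assumed scale)


@dataclass
class EnforcementProfile:
    """Mirrors the settings in the guide; matching rules below are assumptions."""
    name: str
    event_category: str
    action: str
    min_severity: str = "Low"
    min_risk_level: str = "Low"
    min_confidence: int = 0
    white_list: tuple = ()     # host IPs or CIDRs excluded as triggers

    def __post_init__(self):
        if self.action not in ACTION_TYPES:
            raise ValueError(f"unsupported action type: {self.action}")


def is_excluded(source_ip: str, white_list) -> bool:
    """True when the source IP matches a white-list entry (host or CIDR)."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(entry, strict=False) for entry in white_list)


def profile_matches(profile: EnforcementProfile, det: Detection) -> bool:
    """Apply the profile's filters; the white list wins even on a full match."""
    if det.event_category != profile.event_category:
        return False
    if is_excluded(det.source_ip, profile.white_list):
        return False
    if profile.event_category == "Malware Detection":
        return (SEVERITY_RANK[det.risk_level] >= SEVERITY_RANK[profile.min_risk_level]
                and det.confidence >= profile.min_confidence)
    return SEVERITY_RANK[det.severity] >= SEVERITY_RANK[profile.min_severity]


def evaluate_batch(profiles, detections) -> list:
    """Return one action record per (profile, detection) pair that matches."""
    actions = []
    for det in detections:
        for profile in profiles:
            if profile_matches(profile, det):
                actions.append({
                    "profile": profile.name,
                    "action": profile.action,
                    "source_ip": det.source_ip,
                    "event_category": det.event_category,
                })
    return actions


# Constructed sample profiles and detections (RFC 5737 / private addresses).
SAMPLE_PROFILES = [
    EnforcementProfile("quarantine-botnet", "NDR: Botnet Detection",
                       "FortiGate Quarantine", min_severity="High",
                       white_list=("10.0.0.0/24",)),
    EnforcementProfile("malware-high-conf", "Malware Detection",
                       "Generic Webhook", min_risk_level="High", min_confidence=80),
]

SAMPLE_BATCH = [
    Detection("NDR: Botnet Detection", "192.0.2.10", severity="Critical"),  # matches
    Detection("NDR: Botnet Detection", "10.0.0.5", severity="Critical"),    # white-listed
    Detection("NDR: Botnet Detection", "192.0.2.11", severity="Medium"),    # below threshold
    Detection("Malware Detection", "192.0.2.12", risk_level="Critical", confidence=95),  # matches
    Detection("Malware Detection", "192.0.2.13", risk_level="High", confidence=40),      # low confidence
]


def demo() -> list:
    return evaluate_batch(SAMPLE_PROFILES, SAMPLE_BATCH)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the module prints two action records: a FortiGate Quarantine for 192.0.2.10 and a Generic Webhook for 192.0.2.12; the white-listed host and the two below-threshold detections produce nothing, which is the behaviour the White List and level settings are meant to give.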
