Creating an Enforcement Profile
Use Enforcement Profiles to trigger an NDR response based on an event's category and its risk level.
Response actions are based on API calls, either to Fortinet Fabric products or to third-party products, so make sure the API is enabled on the receiving side. FortiNDR supports execution and undo actions. Technically these are two different API calls: one is called to trigger an action and the other to undo it, for example quarantining an IP address and releasing it again.
Duplicate anomalies
- A response is only triggered once when multiple NDR anomaly events in the same category (e.g. IOC campaign) occur within one minute.
- A response is recorded as a duplicate when multiple NDR anomaly events in the same category continue to occur every minute after that.
To create an enforcement profile:
- Go to Security Fabric > Enforcement Settings.
- In the toolbar, click Create New. The General Settings page opens.
- Configure the profile settings.
  - Profile Name: Enter a name for the profile.
  - Event Category: Select one of the following options:
    - Malware Detection
    - NDR: Botnet Detection
    - NDR: Encryption Attack Detection
    - NDR: Network Attack Detection
    - NDR: Indication of Compromise Detection
    - NDR: Weak Cipher and Vulnerable Protocol Detection
  - NDR Detection Severity Level: Select Critical, High, Medium or Low severity from the dropdown.
  - Malware Risk Level: Select Critical, High, Medium or Low severity from the dropdown.
  - Malware Confidence Level: Enter a numeric value for the confidence level and click either Medium or High.
  - White List: Enter the IP address you want to exclude as a trigger. If the source IP matches the entry, the profile will not be triggered even if the event category and severity level match.
- Click OK.
For NDR Detection Severity Level and Malware Risk Level, the selected severity is inclusive of all higher severity levels. For example, if High is selected, the enforcement profile matches both High and Critical events.
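The following is an added illustration of how the matching rules described on this page combine (inclusive severity, white list exclusion and one-minute duplicate suppression); it is constructed example code, not FortiNDR's own implementation, and it assumes a simple model in which an event is a duplicate when it arrives less than one minute after the last real trigger for its category.

```python
from datetime import datetime, timedelta

# A profile set to a given level also matches every higher level (inclusive).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
DEDUP_WINDOW = timedelta(minutes=1)  # assumption: measured from the last real trigger


class EnforcementProfile:
    """Constructed model of one enforcement profile (illustrative, not product code)."""

    def __init__(self, name, category, min_severity, white_list=()):
        self.name = name
        self.category = category
        self.min_severity = SEVERITY_RANK[min_severity]
        self.white_list = set(white_list)
        self.last_triggered = {}  # category -> time of the last real trigger

    def matches(self, event):
        """True when category, severity (inclusive) and white list all allow a trigger."""
        if event["category"] != self.category:
            return False
        if event["src_ip"] in self.white_list:
            return False  # white-listed source never triggers, even on a match
        return SEVERITY_RANK[event["severity"]] >= self.min_severity

    def evaluate(self, event):
        """Return 'ignore', 'trigger' or 'duplicate' for one anomaly event."""
        if not self.matches(event):
            return "ignore"
        last = self.last_triggered.get(event["category"])
        if last is not None and event["time"] - last < DEDUP_WINDOW:
            return "duplicate"  # response already sent for this category recently
        self.last_triggered[event["category"]] = event["time"]
        return "trigger"


def run_demo():
    """Feed constructed events through a High-or-above IOC profile with one white-listed IP."""
    cat = "NDR: Indication of Compromise Detection"
    profile = EnforcementProfile("ioc-quarantine", cat, "High", white_list={"10.0.0.5"})
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamps
    events = [
        {"category": cat, "severity": "Critical", "src_ip": "10.0.0.9", "time": t0},
        {"category": cat, "severity": "High", "src_ip": "10.0.0.10", "time": t0 + timedelta(seconds=30)},
        {"category": cat, "severity": "Medium", "src_ip": "10.0.0.11", "time": t0 + timedelta(seconds=40)},
        {"category": cat, "severity": "Critical", "src_ip": "10.0.0.5", "time": t0 + timedelta(seconds=45)},
        {"category": cat, "severity": "High", "src_ip": "10.0.0.12", "time": t0 + timedelta(seconds=90)},
    ]
    return [profile.evaluate(e) for e in events]
```

Running `run_demo()` yields one trigger, a duplicate inside the minute, two ignored events (below severity and white-listed) and a fresh trigger once the window has passed.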