Administration Guide

Creating an Enforcement Profile

Use Enforcement Profiles to trigger an NDR response based on an event's category and its risk level.

Response actions are based on API calls, either to Fortinet Security Fabric products or to third-party products. Ensure that the API is enabled on the receiving side. FortiNDR supports execution and undo actions. Technically these are two different API calls: one is called to trigger an action and the other to undo it, for example, quarantining and releasing an IP address.

Duplicate anomalies

  • A response is only triggered once when multiple events in NDR anomalies of the same category (for example, an IOC campaign) occur within one minute.
  • A response is recorded as a duplicate when multiple events in NDR anomalies of the same category continue to occur every minute after that.
To create an enforcement profile:
  1. Go to Security Fabric > Enforcement Settings.
  2. In the toolbar, click Create New. The General Settings page opens.
  3. Configure the profile settings.

    Profile Name: Enter a name for the profile.

    Event Category: Select one of the following options:

    • Malware Detection
    • NDR: Botnet Detection
    • NDR: Encryption Attack Detection
    • NDR: Network Attack Detection
    • NDR: Indication of Compromise Detection
    • NDR: Weak Cipher and Vulnerable Protocol Detection

    NDR Detection Severity Level: Select Critical, High, Medium or Low severity from the dropdown.

    Malware Risk Level: Select Critical, High, Medium or Low severity from the dropdown.

    Malware Confidence Level: Enter a numeric value for the confidence level and click either Medium or High.

    White List: Enter the IP address you want to exclude as a trigger. If the source IP matches the entry, the profile will not be triggered even if the event category and severity level match.

  4. Click OK.
Tooltip

For NDR Detection Severity Level and Malware Risk Level, the selected severity is inclusive of all higher severity levels. For example, if High is selected, the enforcement profile will match both HIGH and CRITICAL events.
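The following model ties the rules on this page together: inclusive severity matching, the white-list exclusion, the one-minute duplicate rule, and the paired execute/undo API calls. It is an added example written for this page, not FortiNDR code or Fortinet's API. The severity ranking, the `FakeFabricAPI` stand-in with its `quarantine` and `release` calls, and the decision to let the one-minute window slide with each duplicate (so a stream of events arriving every minute keeps being recorded as duplicates) are assumptions made to illustrate the behaviour the guide describes; the real product's internals may differ.

```python
"""Model of the enforcement-profile matching rules (added example, not Fortinet code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a selected level matches itself and every higher level,
# as the tooltip describes (High matches HIGH and CRITICAL).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
DUPLICATE_WINDOW = timedelta(minutes=1)


@dataclass
class EnforcementProfile:
    name: str
    event_category: str                 # e.g. "NDR: Botnet Detection"
    min_severity: str                   # selected level in the profile
    white_list: set = field(default_factory=set)  # source IPs that never trigger


@dataclass
class Event:
    category: str
    severity: str
    source_ip: str
    time: datetime


def profile_matches(profile: EnforcementProfile, event: Event) -> bool:
    """Category must match, the source IP must not be white-listed, and the
    severity must be at or above the selected level."""
    if event.category != profile.event_category:
        return False
    if event.source_ip in profile.white_list:
        return False
    return SEVERITY_RANK[event.severity] >= SEVERITY_RANK[profile.min_severity]


class FakeFabricAPI:
    """Stand-in (assumed, not a real API) for the receiving product.
    Execute and undo are two separate calls, as the guide states."""
    def __init__(self):
        self.quarantined = set()
        self.calls = []

    def quarantine(self, ip):           # execute action
        self.calls.append(("quarantine", ip))
        self.quarantined.add(ip)

    def release(self, ip):              # undo action
        self.calls.append(("release", ip))
        self.quarantined.discard(ip)


class Enforcer:
    """Applies one profile to a stream of events with the one-minute duplicate rule."""
    def __init__(self, profile: EnforcementProfile, api: FakeFabricAPI):
        self.profile = profile
        self.api = api
        self.last_seen: Optional[datetime] = None   # last matching event time
        self.responses = []
        self.duplicates = []

    def handle(self, event: Event) -> str:
        if not profile_matches(self.profile, event):
            return "no-match"
        if self.last_seen is not None and event.time - self.last_seen <= DUPLICATE_WINDOW:
            # Assumption: the window slides, so continuous activity stays collapsed.
            self.last_seen = event.time
            self.duplicates.append(event)
            return "duplicate"
        self.last_seen = event.time
        self.responses.append(event)
        self.api.quarantine(event.source_ip)
        return "triggered"

    def undo(self, event: Event) -> None:
        self.api.release(event.source_ip)


def run_demo():
    """Feed constructed sample events through a profile and return the outcomes."""
    profile = EnforcementProfile("botnet-high", "NDR: Botnet Detection", "High", {"10.0.0.5"})
    api = FakeFabricAPI()
    enforcer = Enforcer(profile, api)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [  # constructed sample data
        Event("NDR: Botnet Detection", "Critical", "10.0.0.7", t0),
        Event("NDR: Botnet Detection", "High", "10.0.0.8", t0 + timedelta(seconds=30)),
        Event("NDR: Botnet Detection", "High", "10.0.0.9", t0 + timedelta(seconds=60)),
        Event("NDR: Botnet Detection", "Medium", "10.0.0.7", t0 + timedelta(minutes=5)),
        Event("NDR: Botnet Detection", "High", "10.0.0.5", t0 + timedelta(minutes=5)),
        Event("Malware Detection", "Critical", "10.0.0.6", t0 + timedelta(minutes=5)),
        Event("NDR: Botnet Detection", "High", "10.0.0.10", t0 + timedelta(minutes=5)),
    ]
    results = [enforcer.handle(e) for e in events]
    return results, api, enforcer


if __name__ == "__main__":
    results, api, enforcer = run_demo()
    print(results)
    enforcer.undo(enforcer.responses[0])
    print(api.calls)
```

Running the demo shows one response for the first Critical event, duplicates for the two events that follow within a minute of each other, no match for the below-threshold, white-listed and wrong-category events, and a fresh response once more than a minute has passed; the undo path issues the separate release call for a quarantined address.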