Administration Guide

Enforcement Settings

Enforcement Settings add a layer of logic on top of the detections FortiNDR produces and deliver follow-up actions to Security Fabric devices. FortiNDR periodically evaluates the latest batch of detections against the enforcement settings. If a detection satisfies the criteria for the next course of action, the system looks up which automation profile the detection falls under and performs that profile's response action.

The system uses the webhook registered in the automation profile, or a predefined API, to carry out the enforcement. FortiNDR supports the following action types:

  • FortiGate Quarantine (previously known as the Ban IP action)
  • FortiNAC Quarantine (requires FortiNAC 9.2.0 or later)
  • FortiSwitch Quarantine via FortiLink
  • Generic Webhook

FortiNDR combines the information from the Automation Framework and the Enforcement Settings to generate enforcement actions.

Enforcement Settings are policies that FortiNDR uses to filter malware detections and NDR anomaly detections before executing enforcement. The policy criteria are Event Category, NDR Detection Severity Level, Malware Risk Level, Malware Confidence Level, and Allow List.

Register the automation stitch webhook you created on the FortiGate so that FortiNDR can execute the enforcement.

Creating enforcement profiles

Use Enforcement Profiles to trigger an NDR response based on an event category and its risk level.

Response actions are API calls, either to Fortinet Fabric products or to third-party products, so ensure the API is enabled on the receiving side. FortiNDR supports an execution action and an undo action. Technically these are two different API calls, one to trigger the action and one to undo it, for example quarantining an IP and then releasing it.

Duplicate anomalies

  • A response is triggered only once when multiple NDR anomaly events in the same category (for example, an IOC campaign) occur within one minute.
  • Further events in the same category that arrive in the following minutes are recorded as duplicates rather than triggering another response.

To create an enforcement profile:
  1. Go to Security Fabric > Enforcement Settings.
  2. In the toolbar, click Create New. The General Settings page opens.
  3. Configure the profile settings and then click OK.

    Profile Name: Enter a name for the profile.

    Enforcement Policy

    Event Category

    Select one of the following options:

    • Malware Detection
    • NDR: Botnet Detection
    • NDR: Encryption Attack Detection
    • NDR: Network Attack Detection
    • NDR: Indication of Compromise Detection
    • NDR: Weak Cipher and Vulnerable Protocol Detection
    • NDR: Machine Learning Detection

    Malware Risk Level: Select Critical, High, Medium or Low from the dropdown.
    Malware Confidence Level: Enter a numeric value for the confidence level and click either Medium or High.

    Additional Settings

    Allow List

    Click the plus sign (+) and enter the IP address you want to exclude as a trigger.

    If the source IP matches the entry, the profile will not be triggered even if the event and severity level match.

    Note

    For NDR Detection Severity Level and Malware Risk Level, the selected level is inclusive of all higher levels. For example, if High is selected, the enforcement profile matches both High and Critical events.
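The evaluation rules described in this section (category match, severity inclusive of higher levels, a confidence threshold for malware events, allow-list exclusion, and one response per category per minute with later events recorded as duplicates) can be modelled end to end. The following Python is an added illustration written for this page, not FortiNDR code or its API: the detection field names, the 0-100 confidence scale, the allow list accepting CIDRs, and the duplicate window being measured from the event that last triggered a response are all assumptions made for the example. It stops at the verdict and does not model the webhook or undo call.

```python
"""Model of how an enforcement profile filters a batch of detections.

Added example, not FortiNDR code. Field names, the confidence scale and the
exact duplicate-window semantics are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Ordered lowest to highest so "inclusive of higher levels" is a comparison.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# One response per category per minute; later events are duplicates.
DUPLICATE_WINDOW_SECONDS = 60


@dataclass
class Detection:
    category: str                     # e.g. "NDR: Botnet Detection"
    severity: str                     # Low / Medium / High / Critical
    src_ip: str
    ts: float                         # epoch seconds
    confidence: Optional[int] = None  # assumed 0-100, malware detections only


@dataclass
class EnforcementProfile:
    name: str
    category: str
    min_severity: str                     # matches this level and every higher one
    min_confidence: Optional[int] = None  # consulted only for Malware Detection
    allow_list: List[str] = field(default_factory=list)  # IPs or CIDRs never enforced
    # category -> timestamp of the event that last triggered a response
    _last_trigger: Dict[str, float] = field(default_factory=dict, repr=False)

    def _allow_listed(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(e, strict=False) for e in self.allow_list)

    def matches(self, d: Detection) -> bool:
        """Policy filter: category, inclusive severity, confidence, allow list."""
        if d.category != self.category:
            return False
        if SEVERITY_RANK[d.severity] < SEVERITY_RANK[self.min_severity]:
            return False
        if self.category == "Malware Detection" and self.min_confidence is not None:
            if d.confidence is None or d.confidence < self.min_confidence:
                return False
        # The allow list wins even when event category and severity match.
        return not self._allow_listed(d.src_ip)

    def evaluate(self, d: Detection) -> str:
        """Return 'trigger', 'duplicate' or 'ignore' for a single detection."""
        if not self.matches(d):
            return "ignore"
        last = self._last_trigger.get(d.category)
        if last is not None and 0 <= d.ts - last < DUPLICATE_WINDOW_SECONDS:
            return "duplicate"  # same category inside the window: recorded, not re-fired
        self._last_trigger[d.category] = d.ts
        return "trigger"


def evaluate_batch(profile: EnforcementProfile, detections: List[Detection]) -> List[str]:
    """Evaluate a batch in timestamp order, as the periodic pass would."""
    return [profile.evaluate(d) for d in sorted(detections, key=lambda d: d.ts)]


# Constructed sample batch for the example (not real FortiNDR output).
SAMPLE = [
    Detection("NDR: Botnet Detection", "High", "10.0.0.5", 1000.0),
    Detection("NDR: Botnet Detection", "Critical", "10.0.0.6", 1010.0),      # inside window: duplicate
    Detection("NDR: Botnet Detection", "Medium", "10.0.0.7", 1020.0),        # below High: ignore
    Detection("NDR: Botnet Detection", "High", "192.168.1.20", 1030.0),      # allow-listed: ignore
    Detection("NDR: Network Attack Detection", "Critical", "10.0.0.8", 1040.0),  # other category
    Detection("NDR: Botnet Detection", "High", "10.0.0.9", 1070.0),          # window elapsed: trigger
]

if __name__ == "__main__":
    profile = EnforcementProfile("quarantine-botnet", "NDR: Botnet Detection", "High",
                                 allow_list=["192.168.1.0/24"])
    for d, verdict in zip(sorted(SAMPLE, key=lambda d: d.ts), evaluate_batch(profile, SAMPLE)):
        print(f"{verdict:9s} {d.category:32s} {d.severity:8s} {d.src_ip}")
```

Run it with a profile set to High and the Critical event is matched as well, the Medium one is not, the allow-listed source is skipped regardless of severity, and the second Botnet event inside the minute is recorded as a duplicate while the one arriving after the window fires again. Keep the state per profile: the duplicate window is tracked per category, so two profiles for different categories do not suppress each other.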
