FortiEDR logs from the API


I need to collect and ingest FortiEDR logs. I have access to the API, and have been provided a read-only API key, but I do not see a built-in feed type.

Has anyone collected and ingested FortiEDR logs from the API? 


There is no feed for it. You have to ingest the logs with the syslog option in FortiEDR and send them to the Chronicle forwarder for ingestion.

Syslog | FortiEDR/XDR 7.0.0 | Fortinet Document Library

There is a prebuilt parser available (FORTINET_FORTIEDR)
Supported log types and default parsers  |  Google Security Operations  |  Google Cloud


Good morning, 

I am not familiar with Fortinet EDR logs being collected from an API. Does Fortinet offer a service to export these to cloud storage? Many vendors, such as CrowdStrike and SentinelOne, do this. If so, you could leverage collection from a cloud location (S3, GCP, Azure Blob). Other than that, you are correct: there is not a built-in feed for this within Google SecOps.

You can leverage the Google SecOps ingestion API; there is a library of standard scripts here: https://github.com/chronicle/ingestion-scripts

Please also note that the Fortinet EDR parser supports Syslog + KV, so testing the parsing rates will be crucial. If Fortinet EDR outputs JSON data from its API (which I assume it does), you could leverage Google SecOps auto-extraction features.

Thanks 
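As an added illustration of the ingestion-API route suggested above (this is example code written for this thread, not code from the original posters, Fortinet, or the chronicle/ingestion-scripts repository), the script below pulls a JSON event list from an EDR API endpoint, filters it against a time checkpoint so reruns do not double-ingest, splits the events into size-bounded requests for the Google SecOps unstructured-log ingestion endpoint under the prebuilt FORTINET_FORTIEDR log type, and only advances the checkpoint after a successful send. The FortiEDR endpoint URL, its authentication header, and the event field names (eventId, lastSeen, and so on) are placeholders and constructed sample data, since the thread does not describe the vendor API; the ingestion request shape assumes the v2 unstructuredlogentries:batchCreate endpoint.

```python
"""
Added example for this thread (not the posters', Fortinet's or Google's code):
fetch EDR events as JSON, checkpoint, batch them under size, and push them to the
Google SecOps ingestion API as unstructured log entries tagged FORTINET_FORTIEDR.

Assumptions: FORTIEDR_EVENTS_URL and the bearer-token header are placeholders for
whatever the real EDR API uses; the sample events are constructed; the ingestion
request body (customer_id, log_type, entries[].log_text / ts_rfc3339) follows the
v2 unstructuredlogentries:batchCreate endpoint. Nothing is sent unless run_once()
is called.
"""
import json
import urllib.request
from datetime import datetime, timezone
from pathlib import Path

FORTIEDR_EVENTS_URL = "https://fortiedr.example.invalid/api/events"   # placeholder
INGEST_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
LOG_TYPE = "FORTINET_FORTIEDR"   # prebuilt parser named in the thread
MAX_BATCH_BYTES = 900_000        # assumed safety margin under the ~1 MB request limit

# Constructed sample events; a real FortiEDR response will use different fields.
SAMPLE_EVENTS = [
    {"eventId": 101, "lastSeen": "2024-03-01T10:00:00Z", "classification": "Malicious",
     "process": "mimikatz.exe", "device": "WS-01"},
    {"eventId": 102, "lastSeen": "2024-03-01T10:05:00Z", "classification": "Suspicious",
     "process": "powershell.exe", "device": "WS-02"},
    {"eventId": 103, "lastSeen": "2024-03-01T09:59:00Z", "classification": "Safe",
     "process": "chrome.exe", "device": "WS-03"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_events(events: list, checkpoint: str) -> list:
    """Keep only events strictly newer than the checkpoint, oldest first, so a
    rerun after a crash never re-sends what was already ingested."""
    fresh = [e for e in events if parse_ts(e["lastSeen"]) > parse_ts(checkpoint)]
    return sorted(fresh, key=lambda e: parse_ts(e["lastSeen"]))


def latest_checkpoint(events: list, fallback: str) -> str:
    """Newest lastSeen in this run; persist it only after every batch was accepted."""
    return max((e["lastSeen"] for e in events), key=parse_ts, default=fallback)


def _body(customer_id: str, log_type: str, entries: list) -> dict:
    return {"customer_id": customer_id, "log_type": log_type, "entries": entries}


def build_batches(events: list, customer_id: str, log_type: str = LOG_TYPE,
                  max_bytes: int = MAX_BATCH_BYTES) -> list:
    """One compact JSON object per log_text (keeps the raw event for the parser or
    auto-extraction), split into request bodies that stay under max_bytes."""
    batches, entries = [], []
    for ev in events:
        entry = {"log_text": json.dumps(ev, separators=(",", ":")),
                 "ts_rfc3339": ev["lastSeen"]}
        # Flush first if adding this entry would push the serialized request over the cap.
        if entries and len(json.dumps(_body(customer_id, log_type, entries + [entry]))) > max_bytes:
            batches.append(_body(customer_id, log_type, entries))
            entries = []
        entries.append(entry)   # a single oversized entry still ships on its own
    if entries:
        batches.append(_body(customer_id, log_type, entries))
    return batches


def fetch_events(api_key: str) -> list:
    """Pull the JSON event list. The EDR API's auth scheme is not stated in the
    thread; a bearer header is assumed here and must be adjusted to the real one."""
    req = urllib.request.Request(FORTIEDR_EVENTS_URL,
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def send_batch(body: dict, access_token: str) -> int:
    """POST one batch with an OAuth2 access token (obtain it from the SecOps-issued
    service-account credentials, e.g. via the google-auth library)."""
    req = urllib.request.Request(
        INGEST_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def run_once(api_key: str, access_token: str, customer_id: str,
             state_file: str = "fortiedr_checkpoint.txt") -> int:
    """Full cycle: fetch, drop already-seen events, batch, send, advance checkpoint."""
    state = Path(state_file)
    checkpoint = state.read_text().strip() if state.exists() else "1970-01-01T00:00:00Z"
    events = new_events(fetch_events(api_key), checkpoint)
    for batch in build_batches(events, customer_id):
        send_batch(batch, access_token)          # raises on HTTP error, checkpoint untouched
    state.write_text(latest_checkpoint(events, checkpoint))
    return len(events)
```

Run it on a schedule (cron or a Cloud Function, as the ingestion-scripts repository does) with the read-only EDR key and the SecOps service-account token; because the checkpoint is written only after all batches succeed, a failed run simply re-sends the same window next time. Once events arrive, compare the FORTINET_FORTIEDR parser's output against the raw JSON to confirm the parsing rate before relying on it, since that parser was written for the syslog/KV format rather than the API's JSON.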

Unfortunately, this client cannot get access to the syslog feed, and the existing MSSP is unable to write only this one customer's logs to a bucket. The API is the only access provided to the logs. I'll see what I can achieve.