CodeGreen XDR Use Case - Fortinet FortiGate Firewall Integration

Created by Raeez Abdulla, Modified on Fri, 26 Jul, 2024 at 7:57 PM by Raeez Abdulla

Firewalls see every connection that crosses the perimeter, which makes them central to understanding what is happening at the edge of your network. They record which internal host sent how much data, where that data went, and which external host received it. From the remote IP address a firewall can also give an approximate geographic location of the machine on the other end. Combined with User Behavior Analytics, CodeGreen's XDR service can attribute each machine to its owner and each action to the user who performed it.


Adding firewall data lets our XDR platform track visits to malicious domains and the use of cloud services. Note that we are interested in connection events rather than only configuration and change logs, because the platform can automatically attribute those events to the users and endpoints that generated the traffic.


Fortinet FortiGate is a "Next Generation Firewall" (NGFW) that offers application-layer visibility, beyond the traditional stateful firewall, which only inspected traffic up to Layer 4 (addresses, ports and protocol state). In addition to standard firewall protection, FortiGate includes Unified Threat Management (UTM) features such as:

  • Anti-Malware Capabilities: Scans network traffic, both incoming and outgoing, for suspicious files to prevent malware infections.

  • Data Leak Prevention (DLP): Detects and blocks unauthorized transfers of sensitive data (data breaches and exfiltration attempts), supporting compliance and data protection.

  • Intrusion Prevention System (IPS): Monitors and analyzes network traffic to detect and block malicious activity.

  • Virtual Private Network (VPN): Provides secure remote access to the network, protecting data in transit with encryption.

  • Web Filtering: Controls and monitors web traffic to block access to malicious or inappropriate websites.

The Fortinet Firewall event source allows our XDR platform to parse the following log types:

  • Firewall

  • VPN

  • DHCP

  • Virus

  • IDS


This topic covers the events FortiGate detects and reports into CodeGreen XDR, such as:

  • dnsDomainBlockedByRelationToDNSBotnetC&CIp

  • ipsAttackDetectedByTcp/UdpProtocol

  • ipsBotnetC&CCommunicationSeverityWarning

  • UTM - ips - Emotet.Cridex.Botnet

  • UTM - dns - Dynamic DNS

  • UTM - dns - Domain belongs to a denied category in policy

  • UTM - webfilter - Dynamic DNS

  • UTM - webfilter - Hacking

  • UTM - webfilter - Malicious Websites

  • UTM - webfilter - Potentially Unwanted Program

  • UTM - dns - Hacking

  • UTM - dns - Malicious Websites

  • UTM - virus - HTML/IFrame

  • UTM - virus - JS/Redirector

  • UTM - ssl - SSL connection is blocked due to a blacklisted server certificate

  • DNS - Newly Observed Domain

  • UTM - webfilter - Phishing

  • UTM - webfilter - Spam URLs

  • UTM - dns - Spam URLs

  • UTM - dns - Phishing

  • Etc.

[Figure: A typical 24x7 XDR Service workflow]


On top of the detections built into FortiGate, User Behavior Analytics (UEBA) and Attacker Behavior Analytics enable our XDR platform to detect:

  • Attacks on VPN

    • Brute force

    • Connections from attacker IPs (local/global threat intel)

    • Ingress From Threat

    • Multiple Country Authentications

    • Multiple Organization Authentications

    • Suspicious Authentications

  • Phishing Attacks

    • Spear Phishing URL Detected

  • Anomalies surfaced by UEBA and Attacker Behavior Analytics
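The following is an added example, not CodeGreen's or Fortinet's code, showing how three of the VPN detections listed above (brute force, connection from a threat-intel IP, and multiple-country authentications) can be run over FortiGate event logs once they are parsed. FortiGate syslog is space-separated key=value text with double-quoted values, and the SSL-VPN fields used here (type, subtype, action, remip, user) are standard FortiOS log fields. The sample log lines, the attacker-IP set and the country lookup table are all constructed for the example; a deployment would consume live syslog, a threat-intel feed and a GeoIP database instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate logs are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate(line: str) -> dict:
    """Return the log's fields as a dict with surrounding quotes stripped,
    plus a `ts` datetime built from the date/time fields for windowing."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


# Constructed stand-ins for local/global threat intel and a GeoIP database.
ATTACKER_IPS = {"198.51.100.7"}
GEO = {"203.0.113.45": "US", "198.51.100.7": "RU", "192.0.2.10": "DE"}


def detect_vpn(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Run the three VPN rules over parsed events; returns (rule, key, detail) alerts."""
    alerts = []
    fails = defaultdict(list)    # remip -> timestamps of recent failed logins
    logins = defaultdict(list)   # user  -> (timestamp, country) of recent successes
    for e in sorted(events, key=lambda e: e.get("ts", datetime.min)):
        if e.get("type") != "event" or e.get("subtype") != "vpn":
            continue  # traffic/UTM logs are handled by other rules
        ip = e.get("remip")
        # Rule 1: any VPN activity from an IP on the threat-intel list.
        if ip in ATTACKER_IPS:
            alerts.append(("ingress_from_threat_ip", ip, e.get("action")))
        # Rule 2: brute force, N failed logins from one source inside the window.
        if e.get("action") == "ssl-login-fail":
            fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(fails[ip]) == fail_threshold:  # fire once per burst, not on every extra failure
                alerts.append(("vpn_brute_force", ip, f"{fail_threshold} failures in {window}"))
        # Rule 3: one user authenticating from a second country inside the window.
        if e.get("action") == "tunnel-up":
            user = e.get("user")
            logins[user] = [(t, c) for t, c in logins[user] if e["ts"] - t <= window]
            prior = {c for _, c in logins[user]}
            country = GEO.get(ip, "??")
            logins[user].append((e["ts"], country))
            if prior and country not in prior:
                alerts.append(("multiple_country_auth", user, ",".join(sorted(prior | {country}))))
    return alerts


# Constructed sample logs (field layout follows FortiOS SSL-VPN event logs).
SAMPLE_LOGS = [
    # five login failures from one source within one minute
    *[f'date=2024-07-26 time=09:00:{s:02d} devname="FGT-EDGE" type="event" subtype="vpn" level="alert" '
      f'action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="admin" '
      f'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"'
      for s in (1, 15, 30, 45, 59)],
    # successful tunnel from an IP on the threat-intel list
    'date=2024-07-26 time=09:05:00 devname="FGT-EDGE" type="event" subtype="vpn" level="information" '
    'action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="jdoe" msg="SSL VPN tunnel up"',
    # the same user logging in from two countries three minutes apart
    'date=2024-07-26 time=09:06:00 devname="FGT-EDGE" type="event" subtype="vpn" level="information" '
    'action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.10 user="asmith" msg="SSL VPN tunnel up"',
    'date=2024-07-26 time=09:09:00 devname="FGT-EDGE" type="event" subtype="vpn" level="information" '
    'action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.45 user="asmith" msg="SSL VPN tunnel up"',
    # an ordinary traffic log, which the VPN rules must ignore
    'date=2024-07-26 time=09:09:30 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.80 action="accept"',
]


def run_sample():
    """Parse the constructed logs and return the alerts the three rules raise."""
    return detect_vpn([parse_fortigate(line) for line in SAMPLE_LOGS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The brute-force rule deliberately fires only when the count reaches the threshold so that a single burst produces one alert rather than one per extra failure; in production the window and threshold should be tuned per VPN portal, and the country lookup should fall back to "unknown" rather than suppressing the alert when GeoIP has no answer.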


Through the SOAR platform built into our XDR service, we take automated actions such as:

  • Blocking malicious IPs on the firewall (whether identified by XDR analysts or by another control such as EDR)

  • Isolating machines through EDR when a threat confirmed from firewall logs is identified

  • Etc.
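As an added example of the first action above, and not CodeGreen's own playbook code, the block below builds the FortiOS REST API calls that add an XDR-confirmed malicious IP to a firewall address group that a deny policy already references, so that blocking never requires editing a policy. The host name, API token and group name are placeholders. The endpoint paths (/api/v2/cmdb/firewall/address and /api/v2/cmdb/firewall/addrgrp/<group>/member) are the FortiOS CMDB endpoints as I understand them for current firmware; confirm them against the API reference for your version before relying on this.

```python
import ipaddress
import json
import ssl
import urllib.request

BLOCK_GROUP = "XDR-BLOCKLIST"  # placeholder: address group used by a deny policy above the allow rules

# Ranges that must never be pushed as a block, however the IOC arrived:
# RFC 1918, loopback, link-local, multicast and "this network".
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]


def is_blockable(ip: str) -> bool:
    """True only for a syntactically valid IPv4 address outside NEVER_BLOCK.
    A mistyped IOC or an internal resolver must not reach the firewall."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NEVER_BLOCK)


def plan_block(host: str, ip: str, group: str = BLOCK_GROUP) -> list:
    """Return the REST calls, as (method, url, body) tuples, that add `ip` to `group`.
    Planning is separate from execution so the playbook can dry-run before acting."""
    if not is_blockable(ip):
        raise ValueError(f"refusing to block {ip!r}: not a public IPv4 address")
    name = f"XDR-BLOCK-{ip}"
    base = f"https://{host}/api/v2/cmdb/firewall"
    return [
        # 1. a host address object for the IOC; FortiOS expresses subnets as "ip mask"
        ("POST", f"{base}/address",
         {"name": name, "type": "ipmask", "subnet": f"{ip} 255.255.255.255",
          "comment": "added by XDR SOAR"}),
        # 2. append it to the deny group (assumed child-table POST); the deny policy is untouched
        ("POST", f"{base}/addrgrp/{group}/member", {"name": name}),
    ]


def execute(plan: list, token: str, dry_run: bool = True) -> list:
    """Send each planned call with a bearer token. Returns the HTTP status codes,
    or the planned "METHOD url" strings when dry_run is set. TLS verification
    stays on: the management interface's certificate must chain to a CA you trust."""
    results = []
    ctx = ssl.create_default_context()
    for method, url, body in plan:
        if dry_run:
            results.append(f"{method} {url}")
            continue
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            results.append(resp.status)
    return results


if __name__ == "__main__":
    # Constructed IOC from an XDR/EDR alert; the dry run prints what would be sent.
    for step in execute(plan_block("fgt.example.internal", "198.51.100.7"), "API-TOKEN"):
        print(step)
```

The point of the address-group pattern is that the only object the playbook ever writes is a host address and a group membership; the deny policy that references the group is created once by a human and reviewed like any other rule. Keep the API token scoped to a REST administrator profile that can write only firewall address objects, and add a matching unblock step with an expiry so the list does not grow forever.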

