
New Features

EMS API support for FortiAnalyzer to notify and tag suspicious endpoints 7.0.1


The EMS connector now supports new options to tag and untag endpoints. Playbooks can be set up on FortiAnalyzer to tag endpoints based on triggered events. These tags are called fabric tags and are pushed to EMS via the connector. When EMS receives a fabric tag, it is added to the endpoint as a classification tag. You can view all received fabric tags under Zero Trust Tags > Zero Trust Tag Monitor. See Zero Trust Tag Monitor.

To enable an EMS connector and view the default EMS connector playbooks:
  1. In the EMS server, register a Windows 10 endpoint.
    In this example, the endpoint name is WinDev2104Eval. Notice that there is no IOC Suspicious tag for this endpoint.
  2. On FortiAnalyzer, go to Fabric View > Fabric > Connectors, and create a FortiClient EMS connector.
  3. Go to FortiSoC > Automation > Connectors and expand the FortiClient EMS connector dropdown to view the actions. Two new actions have been added:
    • Tag Endpoints
    • Untag Endpoints

  4. After the EMS connector has been created, three default playbooks are automatically created in FortiSoC > Automation > Playbook.
    • Get Software Inventory from EMS
    • Get Vulnerabilities from EMS
    • Update Asset and Identity Database

  5. If the configuration is correct, after a short while the three playbooks will run automatically and the endpoint (WinDev2104Eval) on the EMS server will be displayed in Fabric View > Asset Center > All.

To create a playbook to tag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Tag-IOC-Suspicious.
    1. Select Event Trigger as the starter.
    2. Add a task using the EMS connector with the action "Tag Endpoints" and tag name "IOC Suspicious".
    3. Save the playbook.
      Please note that this playbook cannot be manually run by an administrator. This playbook is automatically triggered when an IOC violation is detected.
  2. Generate an IOC suspicious event on the endpoint.
    In this example, a Web Filtering violation is used to trigger an IOC detection so that the Tag-IOC-Suspicious playbook will be automatically run.
    1. On FortiGate, configure the device to send logs to FortiAnalyzer.
    2. In the IPv4 policy, enable Web Filter.
    3. From the endpoint, try to browse to a website that is blocked by FortiGate web filtering.
    4. On FortiAnalyzer, go to FortiView > Threats > Compromised Hosts.
      The WinDev2104Eval endpoint is listed as a detected compromised host.
    5. Go to FortiSoC > Automation > Playbook Monitor.
      The Tag-IOC-Suspicious playbook was run automatically and the result is displayed as Success.
  3. Go to the EMS server and check the endpoint. The IOC Suspicious tag is added for that endpoint.

To create a playbook to untag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Untag-IOC-Suspicious.
    1. Select On Demand as the starter.
    2. Add a task using the EMS connector with the action "Untag Endpoints" and the tag "IOC Suspicious".
    3. Save the playbook.
  2. From the Playbook menu, manually run the playbook for the endpoint by selecting it and clicking Run from the toolbar.
  3. Go to FortiSoC > Automation > Playbook Monitor to see that the playbook result is displayed as Success.
  4. Go to the EMS server and check the endpoint. The IOC Suspicious tag has been removed for that endpoint.