Fortinet Document Library

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

EMS API support for FortiAnalyzer to notify and tag suspicious endpoints 7.0.1

EMS Connector now supports new options to tag and untag endpoints. Playbooks can be setup on FortiAnalyzer to tag endpoints based on triggered events. The tags are pushed to EMS via the connector and displayed for the corresponding endpoints as Classification Tags

To enable an EMS connector and view the default EMS connector playbooks:
  1. In the EMS server, register a Windows 10 endpoint.
    In this example, the endpoint name is WinDev2104Eval. Notice that there is no IOC Suspicious tag for this endpoint.
  2. On FortiAnalyzer, go to Fabric View > Fabric > Connectors, and create a FortiClient EMS connector.
  3. Go to FortiSoC > Automation > Connectors and expand the FortiClient EMS connector dropdown to view the actions. Two new actions have been added:
    • Tag Endpoints
    • Untag Endpoints

  4. After the EMS connector has been created, three default playbooks are automatically created in FortiSoC > Automation > Playbook.
    • Get Software Inventory from EMS
    • Get Vulnerabilities from EMS
    • Update Asset and Identity Database


  5. If the configuration is correct, after a short while the three playbooks will run automatically and the endpoint (WinDev2104Eval) on the EMS server will be displayed in Fabric View > Asset Center > All.
To create a playbook to tag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Tag-IOC-Suspicious.
    1. Select Event Trigger as the starter.
    2. Add a task using the EMS connector with the action "Tag Endpoints" and tag name "IOC Suspicious".
    3. Save the playbook.
      Please note that this playbook cannot be manually run by an administrator. This playbook is automatically triggered when an IOC violation is detected.
  2. Generate an IOC suspicious event on the endpoint.
    In this example, a Web Filtering violation is used to trigger an IOC detection so that the Tag-IOC-Suspicious playbook will be automatically run.
    1. On FortiGate, configure the device to send logs to FortiAnalyzer.
    2. In the IPv4 policy, enable Web Filter.
    3. From the endpoint, try to browse to a website that is blocked by FortiGate web filtering.
    4. On FortiAnalyzer, go to FortiView > Threats > Compromised Hosts.
      The WinDev2104Eval endpoint is listed as a detected compromised host.
    5. Go to FortiSoC > Automation > Playbook Monitor.
      The Tag-IOC-Suspicious playbook was run automatically and the result is displayed as Success.
  3. Go to the EMS server and check the endpoint. The IOC Suspicious tag is added for that endpoint.
To create a playbook to untag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Untag-IOC-Suspicious.
    1. Select On Demand as the starter.
    2. Add a task using the EMS connector with the action "Untag Endpoints" and the tag "IOC Suspicious".
    3. Save the playbook.
  2. From the Playbook menu, manually run the playbook for the endpoint by selecting it and clicking Run from the toolbar.
  3. Go to FortiSoC > Automation > Playbook Monitor to see that the playbook result is displayed as Success.
  4. Go to the EMS server and check the endpoint. The IOC Suspicious tag has been removed for that endpoint.

EMS API support for FortiAnalyzer to notify and tag suspicious endpoints 7.0.1

EMS Connector now supports new options to tag and untag endpoints. Playbooks can be setup on FortiAnalyzer to tag endpoints based on triggered events. The tags are pushed to EMS via the connector and displayed for the corresponding endpoints as Classification Tags

To enable an EMS connector and view the default EMS connector playbooks:
  1. In the EMS server, register a Windows 10 endpoint.
    In this example, the endpoint name is WinDev2104Eval. Notice that there is no IOC Suspicious tag for this endpoint.
  2. On FortiAnalyzer, go to Fabric View > Fabric > Connectors, and create a FortiClient EMS connector.
  3. Go to FortiSoC > Automation > Connectors and expand the FortiClient EMS connector dropdown to view the actions. Two new actions have been added:
    • Tag Endpoints
    • Untag Endpoints

  4. After the EMS connector has been created, three default playbooks are automatically created in FortiSoC > Automation > Playbook.
    • Get Software Inventory from EMS
    • Get Vulnerabilities from EMS
    • Update Asset and Identity Database


  5. If the configuration is correct, after a short while the three playbooks will run automatically and the endpoint (WinDev2104Eval) on the EMS server will be displayed in Fabric View > Asset Center > All.
To create a playbook to tag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Tag-IOC-Suspicious.
    1. Select Event Trigger as the starter.
    2. Add a task using the EMS connector with the action "Tag Endpoints" and tag name "IOC Suspicious".
    3. Save the playbook.
      Please note that this playbook cannot be manually run by an administrator. This playbook is automatically triggered when an IOC violation is detected.
  2. Generate an IOC suspicious event on the endpoint.
    In this example, a Web Filtering violation is used to trigger an IOC detection so that the Tag-IOC-Suspicious playbook will be automatically run.
    1. On FortiGate, configure the device to send logs to FortiAnalyzer.
    2. In the IPv4 policy, enable Web Filter.
    3. From the endpoint, try to browse to a website that is blocked by FortiGate web filtering.
    4. On FortiAnalyzer, go to FortiView > Threats > Compromised Hosts.
      The WinDev2104Eval endpoint is listed as a detected compromised host.
    5. Go to FortiSoC > Automation > Playbook Monitor.
      The Tag-IOC-Suspicious playbook was run automatically and the result is displayed as Success.
  3. Go to the EMS server and check the endpoint. The IOC Suspicious tag is added for that endpoint.
To create a playbook to untag an endpoint as IOC Suspicious:
  1. On FortiAnalyzer, go to FortiSoC > Automation > Playbook, and create a new playbook called Untag-IOC-Suspicious.
    1. Select On Demand as the starter.
    2. Add a task using the EMS connector with the action "Untag Endpoints" and the tag "IOC Suspicious".
    3. Save the playbook.
  2. From the Playbook menu, manually run the playbook for the endpoint by selecting it and clicking Run from the toolbar.
  3. Go to FortiSoC > Automation > Playbook Monitor to see that the playbook result is displayed as Success.
  4. Go to the EMS server and check the endpoint. The IOC Suspicious tag has been removed for that endpoint.