Configuring an EMS connector for use in FortiSoC playbooks
Configuring an EMS connector on FortiAnalyzer allows FortiSoC automation playbooks to reach out to endpoints and collect information or take containment actions.
To use EMS connectors in FortiSoC playbooks, first configure the EMS connector, then create a playbook that uses it.
Configure the EMS connector
To configure an EMS connector for use in FortiSoC playbooks:
- Configure a FortiClient EMS 6.4.0 server, which supports the FortiAnalyzer EMS connector feature.
- Register FortiClient endpoints to the EMS server.
In the example below, two FortiClients have been registered.
- In FortiClient EMS System Settings, configure FortiClient EMS to send logs to FortiAnalyzer.
- In FortiAnalyzer, register the EMS device to a Fabric ADOM.
- In the Fabric ADOM, go to Fabric View > Fabric > Connectors. Click Create New, and select FortiClient EMS.
Configure the EMS connector, and click OK.
- Go to FortiSoC > Automation > Connectors. Here you can view the actions FortiAnalyzer can take on endpoints using the EMS connector.
Create a playbook using the EMS connector
Below are two examples of how FortiSoC playbooks can be configured to use the FortiClient EMS connector to enable actions in FortiAnalyzer.
To create a playbook from a template:
- Go to FortiSoC > Automation > Playbook, and click Create New.
- From the list of templates, select Playbook EMS Run_Vulnerability_Scan.
This template will run a vulnerability scan on an endpoint. Save the playbook.
- From the Playbook menu, run the playbook.
A prompt appears to select the endpoint on which to perform the vulnerability scan. Select the endpoint and enter the ID of the incident that will be updated with information from the scan.
- Go to FortiSoC > Automation > Playbook Monitor to view the running status of the playbook job and confirm it has completed successfully.
To create a playbook from scratch:
- Go to FortiSoC > Automation > Playbook, and click Create New.
From the list of templates, select New Playbook created from scratch.
- Configure the playbook:
  - Select a playbook trigger, for example the On Demand trigger.
  - Add a task with the EMS connector Get Endpoints action.
  - Add a task with the Local connector Update Asset and Identity action.
  - Click Save Playbook.
- Run the playbook, and go to Fabric View > Assets to view the collected endpoint information.