EMS Administration Guide

Zero Trust Tag Monitor

You can view all dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. EMS creates dynamic endpoint groups based on the tag configured for each rule. This page shows endpoints tagged using the following tag types:

Tag

Description

Zero Trust tags

See Zero Trust Tags.

FortiGuard outbreak alert tags

See FortiGuard Outbreak Alerts.

Classification tags

See Viewing the Endpoints pane.

Fabric tags

Fabric tags require connection to FortiAnalyzer. See the following process:

  1. The EMS administrator configures FortiAnalyzer in an endpoint profile. See System Settings.
  2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the endpoint profile.
  3. FortiClient sends logs to FortiAnalyzer.
  4. The FortiAnalyzer administrator configures a rule to tag endpoints that have indicators of compromise (IOC).
  5. If a log entry that FortiAnalyzer receives from FortiClient matches an IOC, FortiAnalyzer adds a tag to that endpoint.
  6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Zero Trust Tag Monitor. Note that this tag displays as a Fabric tag in Zero Trust Tag Monitor, but the tag displays under Classification Tags in endpoint details. See Viewing the Endpoints pane.
  7. If FortiGate is configured to receive all tags for this specific endpoint, EMS sends the tag to FortiGate.

See EMS API support for FortiAnalyzer to notify and tag suspicious endpoints.

The panes at the top show how many tags belong to each tag type. You can click each pane to display only tags that belong to that tag type.

Refresh

Click to refresh the list of tagged endpoints in the content pane.

Endpoint

Endpoint's hostname.

User

Name of the user logged into the endpoint.

OS

OS currently installed on the endpoint.

IP

Endpoint's IP address.

Category

Type of tag that the endpoint was tagged with. This can be one of the following:

  • Zero Trust
  • FortiGuard outbreak alert
  • Classification
  • Fabric

Tagged on

Date and time that EMS added the endpoint to the dynamic endpoint group.
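
A triage sketch for the Fabric category, added here as an example and not taken from Fortinet documentation or tooling: because a Fabric tag means a FortiAnalyzer IOC rule matched a FortiClient log, it lists Fabric-tagged endpoints newest first, together with any other tag categories they carry. The CSV layout, timestamp format, sample rows, and function names are assumptions; only the column names and Category values come from this page.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The CSV layout and timestamp format are assumptions;
# only the column names and the four Category values come from the page.
SAMPLE = """Endpoint,User,OS,IP,Category,Tagged on
WS-FIN-01,alice,Windows 11,10.0.5.21,Zero Trust,2024-05-02 08:15:00
WS-FIN-01,alice,Windows 11,10.0.5.21,Fabric,2024-05-02 09:40:00
SRV-DB-02,svc_db,Windows Server 2022,10.0.9.4,Classification,2024-04-20 11:00:00
LT-HR-07,bob,macOS 14,10.0.7.88,Fabric,2024-04-28 17:05:00
LT-HR-07,bob,macOS 14,10.0.7.88,FortiGuard outbreak alert,2024-05-01 12:30:00
"""
KNOWN = {"Zero Trust", "FortiGuard outbreak alert", "Classification", "Fabric"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format

def parse_rows(text):
    """Parse rows, rejecting any Category the page does not list."""
    rows = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if row["Category"] not in KNOWN:
            raise ValueError(f"line {n}: unknown Category {row['Category']!r}")
        row["Tagged on"] = datetime.strptime(row["Tagged on"].strip(), TS_FORMAT)
        rows.append(row)
    return rows

def fabric_triage(rows, now, recent=timedelta(hours=24)):
    """Return one finding per Fabric-tagged endpoint, most recently tagged first."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["Endpoint"]].append(r)
    findings = []
    for host, tags in by_host.items():
        fabric = [t for t in tags if t["Category"] == "Fabric"]
        if not fabric:
            continue  # no FortiAnalyzer IOC match recorded for this endpoint
        latest = max(fabric, key=lambda t: t["Tagged on"])
        findings.append({
            "endpoint": host, "user": latest["User"], "ip": latest["IP"],
            "tagged_on": latest["Tagged on"],
            "recent": now - latest["Tagged on"] <= recent,
            "other_categories": sorted({t["Category"] for t in tags} - {"Fabric"}),
        })
    return sorted(findings, key=lambda f: f["tagged_on"], reverse=True)

if __name__ == "__main__":
    for finding in fabric_triage(parse_rows(SAMPLE), now=datetime(2024, 5, 2, 12, 0)):
        print(finding)
```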
