Fortinet white logo
Fortinet white logo

EMS Administration Guide

Sending endpoint classification tags to FortiAnalyzer

Sending endpoint classification tags to FortiAnalyzer

You can use tags for grouping and classifying endpoints, which can help with assessing incident impact and prioritizing incidents by SOC analysts or SOAR playbooks.

You can assign a classification tag to an endpoint. Classification tags include the following:

  • Default importance level tags (low, medium, high, or critical) to specify an endpoint's importance in the organization. You can tag critical endpoints accordingly and monitor them for security incidents.
  • Custom tags. You can create a maximum of eight custom tags. You can assign multiple custom tags to an endpoint or group of endpoints.

FortiAnalyzer Fabric View shows tags for each endpoint. FortiAnalyzer FortiSoC playbook pulls endpoint information from EMS using an EMS connector.

The following describes the process for configuring a classification tag and viewing the data in FortiAnalyzer:

  1. Configure and apply classification tags to endpoints in EMS.
  2. Configure FortiAnalyzer to receive the tags:
    1. Configure the EMS-FortiAnalyzer Fabric connection.
    2. Run the FortiSoC playbook to retrieve endpoint information from EMS.
To configure and apply classification tags to endpoints in EMS:

By default, EMS tags all newly registered endpoints with the Low default importance tag.

  1. In EMS, go to Endpoints.
  2. To apply tags to a single endpoint, go to the desired endpoint. Under Classification Tags, to create a new custom tag, click the Add button, enter the desired tag, the click the + button. You can also assign a new importance tag to the endpoint.

  3. To apply tags to multiple endpoints, select all desired endpoints, then select Action > Set Importance or Set Custom Tags.
To configure the EMS-FortiAnalyzer Fabric connection:
  1. In FortiAnalyzer, go to Fabric View.
  2. Click the Fabric Connectors tab, then click Create New.
  3. Click the FortiClient EMS tile. The Create New Fabric Connector dialog opens.
  4. In the Configuration tab, configure the connector settings, enter the EMS IP address and administrator credentials.

  5. On the Actions tab, leave the default settings.
  6. Click OK.
To run the FortiSoC playbook to retrieve endpoint information from EMS:
  1. In FortiAnalyzer, in the Fabric ADOM, go to FortiSoC > Automation > Playbook.
  2. Click Create New, then New Playbook created from scratch.
  3. Add an on-demand playbook with two tasks:

    * FabricView--FortiSoC--Playbook

    -- EMS_GET_ENDPOINTS (no parameters)

    -- LOCALHOST_UPDATE_ASSET_AND_IDENTITY (use parameter ems_endpoints = previous_task_id.ems_endpoints)

  4. Click Save.
  5. Click Run. Accept the Manually Run Playbook prompt.
  6. Go to Automation > Playbook Monitor. You can view the running playbook status.
  7. Once the corresponding playbook job finishes running, go to Fabric View > Assets. The endpoint and its tags display.

Sending endpoint classification tags to FortiAnalyzer

Sending endpoint classification tags to FortiAnalyzer

You can use tags for grouping and classifying endpoints, which can help with assessing incident impact and prioritizing incidents by SOC analysts or SOAR playbooks.

You can assign a classification tag to an endpoint. Classification tags include the following:

  • Default importance level tags (low, medium, high, or critical) to specify an endpoint's importance in the organization. You can tag critical endpoints accordingly and monitor them for security incidents.
  • Custom tags. You can create a maximum of eight custom tags. You can assign multiple custom tags to an endpoint or group of endpoints.

FortiAnalyzer Fabric View shows tags for each endpoint. FortiAnalyzer FortiSoC playbook pulls endpoint information from EMS using an EMS connector.

The following describes the process for configuring a classification tag and viewing the data in FortiAnalyzer:

  1. Configure and apply classification tags to endpoints in EMS.
  2. Configure FortiAnalyzer to receive the tags:
    1. Configure the EMS-FortiAnalyzer Fabric connection.
    2. Run the FortiSoC playbook to retrieve endpoint information from EMS.
To configure and apply classification tags to endpoints in EMS:

By default, EMS tags all newly registered endpoints with the Low default importance tag.

  1. In EMS, go to Endpoints.
  2. To apply tags to a single endpoint, go to the desired endpoint. Under Classification Tags, to create a new custom tag, click the Add button, enter the desired tag, the click the + button. You can also assign a new importance tag to the endpoint.

  3. To apply tags to multiple endpoints, select all desired endpoints, then select Action > Set Importance or Set Custom Tags.
To configure the EMS-FortiAnalyzer Fabric connection:
  1. In FortiAnalyzer, go to Fabric View.
  2. Click the Fabric Connectors tab, then click Create New.
  3. Click the FortiClient EMS tile. The Create New Fabric Connector dialog opens.
  4. In the Configuration tab, configure the connector settings, enter the EMS IP address and administrator credentials.

  5. On the Actions tab, leave the default settings.
  6. Click OK.
To run the FortiSoC playbook to retrieve endpoint information from EMS:
  1. In FortiAnalyzer, in the Fabric ADOM, go to FortiSoC > Automation > Playbook.
  2. Click Create New, then New Playbook created from scratch.
  3. Add an on-demand playbook with two tasks:

    * FabricView--FortiSoC--Playbook

    -- EMS_GET_ENDPOINTS (no parameters)

    -- LOCALHOST_UPDATE_ASSET_AND_IDENTITY (use parameter ems_endpoints = previous_task_id.ems_endpoints)

  4. Click Save.
  5. Click Run. Accept the Manually Run Playbook prompt.
  6. Go to Automation > Playbook Monitor. You can view the running playbook status.
  7. Once the corresponding playbook job finishes running, go to Fabric View > Assets. The endpoint and its tags display.