Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.2.1 Administration Guide
5.2.1
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0

Identity Management integration

Identity Management integration

When an Identity Management connector, such as FortiClient Endpoint Management Server (EMS), is set and Playbook policies are configured, automatic incident response actions can include ZeroTrust device tagging on FortiClient EMS upon security event triggering.

Prerequisites

Before you start Identity Management configuration, verify the following:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to the identity management server. Details about how to install a FortiEDR Core and configure it as a JumpBox are described in Setting up a FortiEDR Core as a Jumpbox. You may refer to Cores for more information about configuring a JumpBox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS).
  • You have a valid API user with access to FortiClient EMS or equivalent identity management system.

Follow the steps below to tag a device as non-trusted automatically upon the detection of a FortiEDR security event.

Configuring a FortiEDR Connector
To configure Identity Management integration:
  1. Click the Add Connector button and select Identity Management from the dropdown list.

    The following displays:

  2. Fill in the following fields:

    Field

    Description

    JumpBoxSelect the FortiEDR JumpBox that will communicate with this Identity Management system.
    NameSpecify a name of your choice to be used to identify this Identity Management system.

    Type

    Select the type of Identity Management to be used in the dropdown list. For example, FortiClient EMS.

    HostSpecify the IP or DNS address of the external Identity Management system.
    PortSpecify the port that is used for communication with the external Identity Management system.
    API Key/CredentialsSpecify authentication details of the external Identity Management system. Fill in the external Identity Management system API username/Account and password/key.
  3. In the Actions area on the right, define the action to be taken by this connector:
    • To use an action provided out-of-the-box with FortiEDR (for example, Zero Trust device tagging on FortiClient EMS), tag the device as non-trusted the Identity management system and specify what tag to apply on the device in the Tag name field.
    • To use a custom integration action:
      1. Click the + Add Action button. The following popup window displays:

      2. In the Action dropdown menu, select one of the previously defined actions (which were defined in FortiEDR as described in Identity Management integration), or define a new action that can be triggered according to the definitions in the Playbook:
        1. Click the Create New Action button. The following displays:

        2. Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.
          Note

          In order to trigger this action, a Playbook policy must be defined that triggers this action to execute the script when a security event is triggered. The definition of this new action here automatically adds this action as an option in a Playbook policy. However, this action is not selected by default in the Playbook policy. Therefore, you must go to the Playbook policy and select it in order for it to be triggered when a security event is triggered.

          Field

          Definition

          NameEnter any name for this action.
          DescriptionEnter a description of this action.
          Upload

          Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. The following displays providing an explanation of the coding conventions and provides various links that you can click to see more detail and/or to download sample files.

        3. Click Save. The new action is then listed in the Actions area.
  4. You can click the Test button next to an action to execute that action.
  5. Click Save to save the connector configuration.
Configuring Playbooks
To configure an automated incident response that uses an Identity Management connector to tag a device upon security event triggering:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the identity management response to apply.
  3. Place a checkmark in the relevant Classification column next to the Zero Trust device tagging row under the INVESTIGATION section.

    4. FortiEDR is now configured to automatically tag a device as non-trusted upon triggering of a security event.

To configure an automated incident response that uses an Identity Management connector to perform a custom action upon the triggering of a security event:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
  3. In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
  4. In the dropdown menu next to the relevant custom action, select the relevant Identity Management connector with which to perform the action.

    5. FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event.

Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console, as shown below:

Previous
Next

Identity Management integration

When an Identity Management connector, such as FortiClient Endpoint Management Server (EMS), is set and Playbook policies are configured, automatic incident response actions can include ZeroTrust device tagging on FortiClient EMS upon security event triggering.

Prerequisites

Before you start Identity Management configuration, verify the following:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to the identity management server. Details about how to install a FortiEDR Core and configure it as a JumpBox are described in Setting up a FortiEDR Core as a Jumpbox. You may refer to Cores for more information about configuring a JumpBox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS).
  • You have a valid API user with access to FortiClient EMS or equivalent identity management system.

Follow the steps below to tag a device as non-trusted automatically upon the detection of a FortiEDR security event.

Configuring a FortiEDR Connector
To configure Identity Management integration:
  1. Click the Add Connector button and select Identity Management from the dropdown list.

    The following displays:

  2. Fill in the following fields:

    Field

    Description

    JumpBoxSelect the FortiEDR JumpBox that will communicate with this Identity Management system.
    NameSpecify a name of your choice to be used to identify this Identity Management system.

    Type

    Select the type of Identity Management to be used in the dropdown list. For example, FortiClient EMS.

    HostSpecify the IP or DNS address of the external Identity Management system.
    PortSpecify the port that is used for communication with the external Identity Management system.
    API Key/CredentialsSpecify authentication details of the external Identity Management system. Fill in the external Identity Management system API username/Account and password/key.
  3. In the Actions area on the right, define the action to be taken by this connector:
    • To use an action provided out-of-the-box with FortiEDR (for example, Zero Trust device tagging on FortiClient EMS), tag the device as non-trusted the Identity management system and specify what tag to apply on the device in the Tag name field.
    • To use a custom integration action:
      1. Click the + Add Action button. The following popup window displays:

      2. In the Action dropdown menu, select one of the previously defined actions (which were defined in FortiEDR as described in Identity Management integration), or define a new action that can be triggered according to the definitions in the Playbook:
        1. Click the Create New Action button. The following displays:

        2. Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.
          Note

          In order to trigger this action, a Playbook policy must be defined that triggers this action to execute the script when a security event is triggered. The definition of this new action here automatically adds this action as an option in a Playbook policy. However, this action is not selected by default in the Playbook policy. Therefore, you must go to the Playbook policy and select it in order for it to be triggered when a security event is triggered.

          Field

          Definition

          NameEnter any name for this action.
          DescriptionEnter a description of this action.
          Upload

          Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. The following displays providing an explanation of the coding conventions and provides various links that you can click to see more detail and/or to download sample files.

        3. Click Save. The new action is then listed in the Actions area.
  4. You can click the Test button next to an action to execute that action.
  5. Click Save to save the connector configuration.
Configuring Playbooks
To configure an automated incident response that uses an Identity Management connector to tag a device upon security event triggering:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the identity management response to apply.
  3. Place a checkmark in the relevant Classification column next to the Zero Trust device tagging row under the INVESTIGATION section.

    4. FortiEDR is now configured to automatically tag a device as non-trusted upon triggering of a security event.

To configure an automated incident response that uses an Identity Management connector to perform a custom action upon the triggering of a security event:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
  3. In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
  4. In the dropdown menu next to the relevant custom action, select the relevant Identity Management connector with which to perform the action.

    5. FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event.

Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console, as shown below:

Previous
Next