
Administration Guide

Playbook policy actions

Playbook policy actions are divided into the following types:

  • Notifications
  • Investigation
  • Remediation
  • Custom

Each of these categories contains different types of actions that can be performed when a security event is triggered.

Notifications

Notification actions send a notification when a relevant security event is triggered. These actions are implemented in both FortiEDR modes (Simulation and Prevention).

Notifications can be one of the following types:

  • Emails
  • Syslog
  • Open Ticket

Each row under Notifications corresponds to a single type of notification (mail [email] notification, Syslog notification or Open Ticket notification). In the Notifications area, you configure each notification type to indicate whether or not it is to automatically send the relevant notification, once triggered by a security event. By default, the Default Playbook policy is set to Simulation mode, and only email notifications are automatically enabled, as shown below:

Note

Notification actions must be enabled in order to be implemented by a Playbook policy. If notifications are disabled, they are not implemented by the Playbook policy, even if that policy is configured to send notifications. For more details see SMTP.

The Malicious, Suspicious, PUP, Inconclusive, and Likely Safe columns correspond to the possible classifications for a security event. When a checkmark appears in one of these columns, it means that a notification of the specified type is sent when an event is triggered that has that classification. Notifications are sent for all security events except those classified as Likely Safe. For example, the figure below shows that an email notification is sent whenever a Malicious, Suspicious, PUP or Inconclusive security event is triggered. Syslog and Open Ticket notifications work in the same way as Email notifications. For more details about classifications, see Events pane.

SMTP, Syslog and Open Ticket must already be configured in order to send their respective notifications. If their settings are not already configured, the relevant row in the Notifications list displays a message indicating that you must first configure it, as shown below:

Note

The word Admin in each of these messages is a link that, when clicked, jumps to the relevant place in the user interface to configure it. For example, when you click Admin in any of these messages, the following window displays, in which you can configure the relevant settings.

Investigation

Investigation actions enable you to isolate a device or assign it to a high-security Collector Group, in order to further investigate the relevant device’s activity.

Investigation actions can be one of the following types:

Isolate device with Collector

This action blocks communication to/from the affected Collector. It applies only to endpoint Collectors. For example, if the Playbook policy is configured to isolate the device for a malicious event, then whenever a security event classified as Malicious is triggered from a device, that device is isolated (blocked) from communicating with the outside world (both sending and receiving). This means, for example, that applications that communicate with the outside world, such as Google Chrome, Firefox and so on, are blocked for outgoing communications.

A checkmark in a classification column here means that the device is automatically isolated when a security event is triggered with that classification.

Note

The tab bar at the top of the window may display a circle with a number inside it to indicate that new security events have not been read by the user. The number represents the number of new registered devices.

When the circle is white, it means that there are no isolated devices and the number inside the circle represents the number of new registered devices in the last three days.

When the circle is red, it indicates that there are one or more isolated devices. In this case, the number inside the circle indicates only the number of isolated devices.

You can hover over the number to see the list of new registered devices and isolated devices. Each row shows the number of devices added, by day.

Isolate device with NAC

This action blocks the communication to/from the affected device by disabling this host on an external Network Access Control system. A NAC connector must already be configured in order to perform this action. For details about how to configure NAC connectors, see Network Access Control (NAC) integration.

In the dropdown menu next to the action, you can specify which NAC to use for disabling the host or select all of them.

Note

Unlike devices that are isolated using the FortiEDR Collector, for which there is an isolation indication on the Inventory tab and un-isolation is available, devices that were isolated using an external system such as a NAC are not indicated as such on the FortiEDR Console, and un-isolation is only possible on the external NAC system.

Move device to High Security Group

FortiEDR provides two default Collector Groups: the Default Collector Group and the High Security Collector Group. Both of these default Collector Groups are initially assigned to the Default Playbook policy, and cannot be deleted.

A checkmark in a classification column here means that the device is automatically moved (assigned) to the High Security Collector Group when a security event is triggered that has that classification. This feature is useful when you want to mark Collectors that triggered malicious events.

Remediation

Remediation actions enable you to remediate a situation in the FortiEDR system, should malware be detected on a device.

Remediation actions can be one of the following types:

Terminate process

This action terminates the affected process. It does not guarantee that the affected process will not attempt to execute again. This action can also be performed manually using the Forensics add-on, as described on Remediating a device upon malware detection.

A checkmark in a classification column here means that the affected process is automatically terminated on the device when a security event is triggered that has that classification.

Delete file

This action ensures that the file does not attempt to exfiltrate data again, as the file is permanently removed from the device. This action can also be performed manually using the Forensics add-on, as described on Remediating a device upon malware detection.

A checkmark in a classification column here means that the affected file is automatically removed on the device when a security event is triggered that has that classification.

Clean persistent data

This action cleans the registry keys in Windows. This action can also be performed manually using the Forensics add-on, as described on Remediating a device upon malware detection.

A checkmark in a classification column here means that the affected registry key is automatically cleaned on the device when a security event is triggered that has that classification.

Block address on Firewall

This action ensures that connections to remote malicious addresses that are associated with the security event are blocked. A Firewall Connector must already be configured in order to perform this action. For details about how to configure firewall connectors, see Firewall integration.

In the dropdown menu next to the action, you can specify which firewalls are used to perform the blocking or select all of them, as shown below:

A checkmark in a Classification column means that communication with the affected destination is automatically blocked when a security event is triggered that has that classification.

The firewall must already be configured in order to add malicious destinations to blocked addresses. If its settings are not already configured, the relevant row in the Remediation list displays a message indicating that you must first configure it, as shown below:

Note

Clicking the Integration Admin link in this message jumps to the relevant place in the user interface to configure it (in the Integration page under the Admin tab).

Custom

Custom actions enable you to automatically trigger an incident response in a third-party system as the result of a security event detected by FortiEDR, according to the Custom Integration connector (and its actions) that you define.

The CUSTOM section of the Playbook page lists the actions that have been defined for Custom Integration Connectors, as described on Custom integration.

Note

This list appears empty until at least one Custom Integration Connector has been defined.

A checkmark in a classification column here means that the defined action is triggered in the third-party system when a security event is triggered that has that classification.
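To make the checkmark matrix above concrete, here is an added model (not FortiEDR code) of how a Playbook policy decides which actions fire for one security event: each action row carries a set of checked classifications, actions that depend on an integration (SMTP, Syslog, ticketing, NAC, firewall; the short names are assumed labels) are skipped with a "must first configure" message when that integration is not set up, and, as an assumption drawn from the statement that notification actions run in both modes, non-notification actions are only executed when the policy is in Prevention mode.

```python
"""Model of a FortiEDR Playbook policy's checkmark matrix (added illustration)."""
from dataclasses import dataclass, field

CLASSIFICATIONS = ("Malicious", "Suspicious", "PUP", "Inconclusive", "Likely Safe")

# Action -> (category on the Playbook page, integration it needs, or None).
# The integration names are assumed labels, not FortiEDR identifiers.
ACTIONS = {
    "Email": ("Notifications", "smtp"),
    "Syslog": ("Notifications", "syslog"),
    "Open Ticket": ("Notifications", "ticketing"),
    "Isolate device with Collector": ("Investigation", None),
    "Isolate device with NAC": ("Investigation", "nac"),
    "Move device to High Security Group": ("Investigation", None),
    "Terminate process": ("Remediation", None),
    "Delete file": ("Remediation", None),
    "Clean persistent data": ("Remediation", None),
    "Block address on Firewall": ("Remediation", "firewall"),
}


@dataclass
class Playbook:
    name: str
    mode: str = "Simulation"  # "Simulation" or "Prevention"
    checks: dict = field(default_factory=dict)  # action -> checked classifications

    def check(self, action, *classifications):
        """Put a checkmark in the given classification columns of an action row."""
        self.checks.setdefault(action, set()).update(classifications)


def default_playbook():
    """Default Playbook as described: Simulation mode, only email notifications
    enabled, for every classification except Likely Safe."""
    pb = Playbook("Default Playbook")
    pb.check("Email", *[c for c in CLASSIFICATIONS if c != "Likely Safe"])
    return pb


def evaluate(pb, classification, configured):
    """Return (fired, skipped) for one event of the given classification.
    `configured` is the set of integrations already set up under Admin.
    Assumption: only Notifications run in Simulation mode."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification}")
    fired, skipped = [], {}
    for action, (category, needs) in ACTIONS.items():
        if classification not in pb.checks.get(action, ()):
            continue  # no checkmark in this column
        if needs and needs not in configured:
            skipped[action] = f"You must first configure {needs} (Admin)"
        elif category != "Notifications" and pb.mode != "Prevention":
            skipped[action] = "not implemented in Simulation mode"
        else:
            fired.append(action)
    return fired, skipped
```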

Other options in the Playbooks tab

You can perform the following operations using the toolbar at the top of the tab:

  • Clone Playbook: Clones a Playbook policy, as described on Playbook policies.
  • Set Mode: Changes the mode of the Playbook policy. This process is similar to that for setting the mode for a standard security policy, which is described on Setting a security policy’s Prevention or Simulation mode.
  • Assign Collector Group: Assigns a Playbook policy to a Collector Group. This process is similar to that for assigning a standard security policy to a Collector Group, which is described on Assigning a security policy to a Collector Group.
  • Delete: Deletes a cloned Playbook policy. Default Playbook policies cannot be deleted.

Note

The default Playbook policy (named Default Playbook) is mandatory and cannot be deleted.
