
Administration Guide

Identity Management integration

When an Identity Management connector, such as FortiClient Endpoint Management Server (EMS), is configured and Playbook policies are set, automatic incident response actions can include Zero Trust device tagging on FortiClient EMS when a security event is triggered.

For more details about integrating FortiEDR with FortiClient EMS, refer to the FortiClient EMS Integration Guide.

Prerequisites

Before you start Identity Management configuration, verify the following:

  • Your FortiEDR deployment includes a Jumpbox that has connectivity to the identity management server.
    • Refer to Setting up the FortiEDR Core for details about how to install a FortiEDR Core and configure it as a Jumpbox.
    • Refer to Cores for more information about configuring a Jumpbox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
  • You have a valid API user with access to the identity management system. For FortiClient EMS, the following type of user is required depending on the deployment type:
    • FortiClient EMS On-Premise—A valid API user. See the FortiClient EMS Integration Guide for detailed instructions.

    • FortiClient EMS Cloud—FortiCloud master user (e.g. email address) with read/write access to the FortiClient EMS Cloud portal. Sub user accounts cannot be used. See the FortiCloud IAM documentation for detailed instructions about creating a permission profile and an API user.

Follow the steps below to tag a device as non-trusted automatically upon the detection of a FortiEDR security event.

Configuring a FortiEDR Connector
To configure Identity Management integration:
  1. Click the Add Connector button and select Identity Management from the dropdown list.

    The following displays:

  2. Fill in the following fields:

    Jumpbox
      Select the FortiEDR Jumpbox that will communicate with this Identity Management system.
    Name
      Specify a name of your choice to be used to identify this Identity Management system.
    Type
      Select the type of Identity Management to be used in the dropdown list. For example, FortiClient EMS.
    Host
      Specify the IP or DNS address of the external Identity Management system.
    Port
      Specify the port that is used for communication with the external Identity Management system.
    API Key/Credentials
      Specify the authentication details of the external Identity Management system: its API username/account and password/key.

      For FortiClient EMS, specify the following depending on your deployment type:

      • (FortiClient EMS on-premise) Specify the username and password of the FortiClient EMS Admin User.

      • (FortiClient EMS cloud) Specify the account (e.g. email address) and password of the FortiCloud master user with read/write access to the FortiClient EMS Cloud portal. Sub user accounts cannot be used.

  3. In the Actions area on the right, define the action to be taken by this connector:
    • To use an action provided out-of-the-box with FortiEDR (for example, Zero Trust device tagging on FortiClient EMS), tag the device as non-trusted on the Identity Management system and specify the classification tag to apply to the device in the Tag name field.

      This step is optional for FortiClient EMS 7.2 or later as it has the following fabric tags predefined for FortiEDR. Both the predefined fabric tags and classification tags, if any, will be used by FortiClient EMS 7.2 or later to tag the device.

      • FortiEDR_Malicious: FortiEDR has classified this endpoint as malicious.

      • FortiEDR_PUP: FortiEDR has detected a potentially unwanted program on this endpoint.

      • FortiEDR_Suspicious: FortiEDR has detected suspicious activity on this endpoint.

      • FortiEDR_Likely_Safe: FortiEDR has detected this endpoint as likely to be safe.

      • FortiEDR_Probably_Good: FortiEDR has determined that this endpoint is not a safety risk.

      See the FortiClient EMS Administration Guide for more information about endpoint tagging in FortiClient EMS.

    • To use a custom integration action:
      1. Click the + Add Action button. The following popup window displays:

      2. In the Action dropdown menu, select one of the previously defined actions (which were defined in FortiEDR as described in Custom integration), or define a new action that can be triggered according to the definitions in the Playbook:
        1. Click the Create New Action button. The following displays:

        2. Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.
          Note

          To trigger this action, a Playbook policy must be defined that executes the script when a security event is triggered. Defining a new action here automatically adds it as an option in the Playbook policy, but it is not selected by default. You must therefore open the Playbook policy and select the action for it to be triggered when a security event occurs.

          Name
            Enter any name for this action.
          Description
            Enter a description of this action.
          Upload
            Upload a Python script that calls an API of the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must follow the coding conventions that are displayed by clicking the icon next to the Action Scripts field. The window that opens explains the coding conventions and provides links that you can click to see more detail and/or to download sample files.

        3. Click Save. The new action is then listed in the Actions area.
  4. You can click the Test button next to an action to execute that action.
  5. Click Save to save the connector configuration.
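As an added illustration, not Fortinet's code and not written to the FortiEDR action-script coding conventions (which this guide only points to in the console), the following hypothetical custom-action script maps a FortiEDR classification to the predefined fabric tag names listed above, refuses unknown classifications instead of guessing, and builds the tagging request. The stdin event layout (keys `deviceName` and `classification`), the `/api/tags` endpoint, the bearer-token header and the `run`/`build_tag_request` function names are assumptions; it targets Python 3.

```python
"""Hypothetical FortiEDR custom-action script (added example, not Fortinet code).

Assumptions not taken from the guide: the triggering event arrives as JSON on
stdin with the keys "deviceName" and "classification"; the identity management
system accepts a POST to /api/tags with a JSON body and a bearer token; the
FortiEDR action-script coding conventions shown in the console are not
reproduced here. Written for Python 3.
"""
import json
import sys
import urllib.request

# Predefined FortiClient EMS 7.2+ fabric tags from the guide, keyed by the
# FortiEDR classification that produces each one.
CLASSIFICATION_TO_TAG = {
    "Malicious": "FortiEDR_Malicious",
    "PUP": "FortiEDR_PUP",
    "Suspicious": "FortiEDR_Suspicious",
    "Likely Safe": "FortiEDR_Likely_Safe",
    "Probably Good": "FortiEDR_Probably_Good",
}

# Classifications for which the device is marked non-trusted.
NON_TRUSTED = frozenset({"Malicious", "PUP", "Suspicious"})


def tag_for_classification(classification):
    """Return the fabric tag for a classification, or None if it is unknown.

    An unknown classification is never mapped to a default tag, so a malformed
    or unexpected event cannot silently tag or clear a device.
    """
    return CLASSIFICATION_TO_TAG.get(classification)


def build_tag_request(host, port, api_key, device_name, classification):
    """Build (without sending) the HTTP request that applies the tag."""
    tag = tag_for_classification(classification)
    if tag is None:
        raise ValueError("unknown classification: %r" % (classification,))
    # Reject empty or path-like device names so an event field can never
    # alter the request structure.
    if not device_name or any(c in device_name for c in "/?#\\"):
        raise ValueError("invalid device name: %r" % (device_name,))
    body = json.dumps({
        "device": device_name,
        "tag": tag,
        "trusted": classification not in NON_TRUSTED,
    }).encode("utf-8")
    return urllib.request.Request(
        "https://%s:%d/api/tags" % (host, int(port)),  # hypothetical endpoint
        data=body,
        headers={
            "Content-Type": "application/json",
            "Authorization": "Bearer " + api_key,
        },
        method="POST",
    )


def request_payload(req):
    """Decode the JSON body of a request built by build_tag_request."""
    return json.loads(req.data.decode("utf-8"))


def run(event, host, port, api_key, opener=urllib.request.urlopen):
    """Apply the tag for one event and return the HTTP status code.

    `opener` is injectable so the script can be exercised with no network.
    """
    req = build_tag_request(host, port, api_key,
                            event["deviceName"], event["classification"])
    with opener(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Connector settings would normally be supplied by the FortiEDR action
    # framework; the host and key below are placeholders.
    evt = json.load(sys.stdin)
    print(run(evt, "ems.example.internal", 443, "PLACEHOLDER_API_KEY"))
```

The point worth carrying into a real script is the fail-closed mapping: an event with a classification the script does not recognise raises instead of applying a default tag, and the Test button on the connector is the place to confirm that behaviour before a Playbook policy starts triggering it.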

Configuring Playbooks
To configure an automated incident response that uses an Identity Management connector to tag a device upon security event triggering:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the identity management response to apply.
  3. Place a checkmark in the relevant Classification column next to the Zero Trust device tagging row under the REMEDIATION section.
  4. FortiEDR is now configured to automatically tag a device as non-trusted upon triggering of a security event.

To configure an automated incident response that uses an Identity Management connector to perform a custom action upon the triggering of a security event:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
  3. In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
  4. In the dropdown menu next to the relevant custom action, select the relevant Identity Management connector with which to perform the action.
  5. FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event.

Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console, as shown below:
