Fortinet black logo

Administration Guide

Home FortiEDR/XDR 6.2.0 Administration Guide
6.2.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0

User Access integration

User Access integration

When a user access connector, such as Active Directory, is set and Playbook policies are configured, automatic incident response actions can include resetting user’s password or disabling user account on domain controller upon security event triggering.

Prerequisites

Before you start User Access configuration, verify the following:

  • Your FortiEDR deployment includes a Jumpbox that has connectivity to the domain controller server. Details about how to install a FortiEDR Core and configure it as a Jumpbox are described in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a Jumpbox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
  • You have a valid API user with access to Active Directory or equivalent domain control system.

Follow the steps below to perform user access actions automatically upon the detection of a FortiEDR security event.

Configuring a FortiEDR Connector
To configure User Access integration:
  1. Click the Add Connector button and select User Access from the dropdown list.

    The following displays:

  2. Fill in the following fields:

    Field

    Description

    JumpboxSelect the FortiEDR Jumpbox that will communicate with this User Access system.
    NameSpecify a name of your choice to be used to identify this User Access system.

    Type

    Select the type of user access to be used in the dropdown list. For example, Active Directory.

    HostSpecify the IP or DNS address of the external User Access system.
    PortSpecify the port that is used for communication with the external User Access system.
    API Key/CredentialsSpecify authentication details of the external user access system. To use an API token , click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external User Access system API username (or Bind User DN) and password.
  3. In the Actions area on the right, define the action to be taken by this connector:
    • To use an action provided out-of-the-box with FortiEDR (for example, Disable user account on Active Directory), in the baseDN field of Disable user account or Reset user password, specify where FortiEDR starts searching for the user upon which actions are performed.
    • To use a custom integration action:
      1. Click the + Add Action button. The following popup window displays:

      2. In the Action dropdown menu, select one of the previously defined actions (which were defined in FortiEDR as described in User Access integration), or define a new action that can be triggered according to the definitions in the Playbook:
        1. Click the Create New Action button. The following displays:

        2. Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.
          Note

          In order to trigger this action, a Playbook policy must be defined that triggers this action to execute the script when a security event is triggered. The definition of this new action here automatically adds this action as an option in a Playbook policy. However, this action is not selected by default in the Playbook policy. Therefore, you must go to the Playbook policy and select it in order for it to be triggered when a security event is triggered.

          Field

          Definition

          NameEnter any name for this action.
          DescriptionEnter a description of this action.
          Upload

          Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. The following displays providing an explanation of the coding conventions and provides various links that you can click to see more detail and/or to download sample files.

        3. Click Save. The new action is then listed in the Actions area.
  4. You can click the Test button next to an action to execute that action.
  5. Click Save to save the connector configuration.
Configuring Playbooks
To configure an automated incident response that uses a user access connector to reset user password or disable a user upon security event triggering:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the user access response to apply.
  3. Place a checkmark in the relevant Classification column next to the Disable user row under the INVESTIGATION section or the Reset user password row under the REMEDIATION section.

    4. FortiEDR is now configured to automatically perform user access actions upon triggering of a security event.

To configure an automated incident response that uses a User Access connector to perform a custom action upon the triggering of a security event:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
  3. In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
  4. In the dropdown menu next to the relevant custom action, select the relevant User Access connector with which to perform the action.

    5. FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event.

Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console, as shown below:

Previous
Next

User Access integration

When a user access connector, such as Active Directory, is set and Playbook policies are configured, automatic incident response actions can include resetting user’s password or disabling user account on domain controller upon security event triggering.

Prerequisites

Before you start User Access configuration, verify the following:

  • Your FortiEDR deployment includes a Jumpbox that has connectivity to the domain controller server. Details about how to install a FortiEDR Core and configure it as a Jumpbox are described in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a Jumpbox.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
  • You have a valid API user with access to Active Directory or equivalent domain control system.

Follow the steps below to perform user access actions automatically upon the detection of a FortiEDR security event.

Configuring a FortiEDR Connector
To configure User Access integration:
  1. Click the Add Connector button and select User Access from the dropdown list.

    The following displays:

  2. Fill in the following fields:

    Field

    Description

    JumpboxSelect the FortiEDR Jumpbox that will communicate with this User Access system.
    NameSpecify a name of your choice to be used to identify this User Access system.

    Type

    Select the type of user access to be used in the dropdown list. For example, Active Directory.

    HostSpecify the IP or DNS address of the external User Access system.
    PortSpecify the port that is used for communication with the external User Access system.
    API Key/CredentialsSpecify authentication details of the external user access system. To use an API token , click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external User Access system API username (or Bind User DN) and password.
  3. In the Actions area on the right, define the action to be taken by this connector:
    • To use an action provided out-of-the-box with FortiEDR (for example, Disable user account on Active Directory), in the baseDN field of Disable user account or Reset user password, specify where FortiEDR starts searching for the user upon which actions are performed.
    • To use a custom integration action:
      1. Click the + Add Action button. The following popup window displays:

      2. In the Action dropdown menu, select one of the previously defined actions (which were defined in FortiEDR as described in User Access integration), or define a new action that can be triggered according to the definitions in the Playbook:
        1. Click the Create New Action button. The following displays:

        2. Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.
          Note

          In order to trigger this action, a Playbook policy must be defined that triggers this action to execute the script when a security event is triggered. The definition of this new action here automatically adds this action as an option in a Playbook policy. However, this action is not selected by default in the Playbook policy. Therefore, you must go to the Playbook policy and select it in order for it to be triggered when a security event is triggered.

          Field

          Definition

          NameEnter any name for this action.
          DescriptionEnter a description of this action.
          Upload

          Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. The following displays providing an explanation of the coding conventions and provides various links that you can click to see more detail and/or to download sample files.

        3. Click Save. The new action is then listed in the Actions area.
  4. You can click the Test button next to an action to execute that action.
  5. Click Save to save the connector configuration.
Configuring Playbooks
To configure an automated incident response that uses a user access connector to reset user password or disable a user upon security event triggering:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the user access response to apply.
  3. Place a checkmark in the relevant Classification column next to the Disable user row under the INVESTIGATION section or the Reset user password row under the REMEDIATION section.

    4. FortiEDR is now configured to automatically perform user access actions upon triggering of a security event.

To configure an automated incident response that uses a User Access connector to perform a custom action upon the triggering of a security event:
  1. Navigate to the SECURITY SETTINGS > Playbooks page.
  2. Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
  3. In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
  4. In the dropdown menu next to the relevant custom action, select the relevant User Access connector with which to perform the action.

    5. FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event.

Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console, as shown below:

Previous
Next