lestopace
Staff
March 15, 2021

Technical Tip: How to implement an Indicators of Compromise (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiClient EMS


Description

 

This article describes how to implement an Indicators of Compromise (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiClient EMS.

Prerequisites.

Refer to the related articles section and to the document below.

Related document:

Viewing Compromised Hosts

Indicators of Compromise (IOC) flow.



Scope

 

FortiGate v6.4.4, FortiAnalyzer 6.4.5 and FortiClient EMS 6.4.3.

Solution

 

FortiGate.

Configure a firewall policy going to the Internet that has a web filter profile enabled on it. This is required for the IOC to work.

 

config firewall policy
    edit 0
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "10.115.2.52/32"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set logtraffic all
        set nat enable
    next
end

config system automation-stitch
    edit "Compromised Host Quarantine"
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine-forticlient"
    next
end
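As an added check that is not part of the article, the Python linter below parses a FortiOS config dump and flags Internet-bound accept policies that lack utm-status enable or a webfilter-profile (the prerequisite stated above), plus a missing 'Compromised Host Quarantine' stitch. The sample config is constructed from the snippet above: policy IDs 1 and 2 are made up, and the second policy is deliberately left incomplete to exercise the check.

```python
import shlex
# Constructed sample: the article's policy and stitch, plus a second Internet policy
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set dstintf "virtual-wan-link"
        set action accept
        set utm-status enable
        set webfilter-profile "monitor-all"
    next
    edit 2
        set dstintf "virtual-wan-link"
        set action accept
    next
end
config system automation-stitch
    edit "Compromised Host Quarantine"
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine-forticlient"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end blocks into nested dicts."""
    stack, cur = [], {}
    for parts in filter(None, map(shlex.split, text.splitlines())):
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):      # descend into a new block
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":                 # values are kept as a list
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):       # climb back out of the block
            cur = stack.pop()
    return cur  # back at the root once every block is closed

def ioc_findings(text, internet_intf="virtual-wan-link"):
    """List prerequisite violations; an empty list means IOC can trigger."""
    cfg, findings = parse_fortios(text), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if internet_intf not in pol.get("dstintf", []) or pol.get("action") != ["accept"]:
            continue  # only Internet-bound accept policies matter here
        if pol.get("utm-status") != ["enable"]:
            findings.append(f"policy {pid}: utm-status not enabled")
        if not pol.get("webfilter-profile"):
            findings.append(f"policy {pid}: no webfilter-profile, IOC cannot fire")
    if "Compromised Host Quarantine" not in cfg.get("system automation-stitch", {}):
        findings.append("automation stitch 'Compromised Host Quarantine' missing")
    return findings
```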

 

 
FortiClient EMS.
Set the FortiAnalyzer IP address under the Endpoint Profile System Settings so that FortiClient sends its logs directly to FortiAnalyzer.
 
 
FortiClient.
 
 
Note.
To keep this guide simple, only web filtering is enabled and the website categories keep their default actions.

Results:
To trigger IOC logs, access the EICAR test file from the endpoint machine (for more information, see the EICAR website).
 
FortiGate.
 
 
 
 
Note:
Starting from v7.0.0, the log with the message 'IOC detected by FortiAnalyzer' is no longer generated in the System Event logs. To obtain this log, the 'Compromised Host Quarantine' automation stitch must also be configured with an email notification automation action.
 
FortiAnalyzer.
 
 
FortiClient.
 
 
 
Next actions:
To remove the host from quarantine, go to FortiClient EMS dashboard -> Endpoints -> All Endpoints, select the quarantined host, select 'Action' and then 'Unquarantine'.
 
FortiClient EMS.
 

 

Note.
It is also possible to provide the endpoint user with a one-time access code.
The user can enter the code to access FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in the FortiClient console.
The code is available under Quarantine Access Code after selecting a quarantined endpoint as seen below.
 
Related document:
Quarantining endpoints

Afterwards, acknowledge the logs in FortiAnalyzer to clear the compromised hosts list on FortiGate, so that the Automation Stitch can run again for the same host the next time it is triggered.
 
FortiAnalyzer.
 
 
  
FortiGate Compromised Hosts by Verdict lists after acknowledgment.
 

 

As the integration uses API calls for both the request and the response, the latest FortiAnalyzer firmware has a new command to enable the JSON API call event log.

 

(global)# set jsonapi-log
all         logging both jsonapi request & response.
disable     disable jsonapi log.
request     logging jsonapi request.
response    logging jsonapi response.

(global)# set jsonapi-log all
(global)# end

 

Enabling JSON event logs towards FortiAnalyzer is helpful when performing troubleshooting between FortiGate, FortiAnalyzer, and FortiClient EMS.

 

Related articles: