S0ck-Pupp3t
Explorer III
February 5, 2025
Solved

How to get email notifications when FortiEDR isolates a collector

  • February 5, 2025
  • 4 replies
  • 2132 views

Hello!

I need to set up FortiEDR notifications for when a collector/device gets put in isolation automatically via the playbook. All of the system/security event notifications are set up and work properly, but how do I get the isolation notifications sent to the distribution lists?

Thank you!

S0ck-Pupp3t

Best answer by RiverChen


4 replies

Anthony_E
Staff
February 10, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards

S0ck-Pupp3t
Explorer III
February 10, 2025

Thank you!

Anthony_E
Staff
February 10, 2025

To receive email notifications when a FortiEDR Collector is isolated, you need to ensure that the playbook is set correctly.

Here are the steps to set up email notifications for isolation events in FortiEDR:

  1. Make sure the playbook is configured correctly to trigger email notifications for isolation events.
  2. Check that the email notification settings in FortiEDR are properly configured to send notifications for isolated devices.
  3. Verify that the email notifications are not being filtered into the junk mail folder by checking the email settings.
  4. If FortiClient EMS (FCS) is enabled, the isolation process will wait for a response from FCS before isolating a device marked as safe.

Best Regards

S0ck-Pupp3t
Explorer III
February 10, 2025

Hi @Anthony_E,

Thank you for this information. Points #1 & #2 are what I'm struggling with. I have notifications enabled for every event type from Likely Safe to Malicious, and the checkbox to Isolate the device is also checked on Malicious. I am on Version 6.2.1 and I don't see an option to notify on isolations. In the email notifications section where distribution lists are created, I have system events and security events enabled (and those work fine).

Is there something else that needs to be enabled or am I missing something?

Thank you in advance!

RiverChen
Staff
February 11, 2025

Hi @S0ck-Pupp3t,

FortiEDR does not send a separate email through the distribution list specifically for device isolation. Instead, when a device executes a malicious file and is automatically isolated, you will receive a Security Event Notification email.

To verify your setup, please check your Playbook settings under the Security Settings tab:

  • Under Notification, ensure "Send Mail Notification" is selected.
  • Under Investigation, ensure "Isolate Device" is selected.

Langflow
New Member
February 12, 2025

Email notifications for FortiEDR isolation would be super helpful! If anyone has set this up successfully, I'd love to know the best way to configure it.

RiverChen
Staff
February 12, 2025

Hi @Langflow,

Thanks for the question! To clarify, by design, if you've configured Distribution Lists for email notifications, you will only receive notifications for Security Events and System Events. There is no separate email specifically for device isolation.

For detailed tracking of isolation events, you can refer to the Audit Trail in the FortiEDR WebUI:
Go to Tools -> Audit Trail to view or download related events. If you have Syslog configured, the syslog output will include entries from the Audit Trail, including isolation events.
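Since the accepted answer says isolation events only reach you through the Audit Trail and its syslog output, the usual workaround is to filter that syslog feed yourself and mail the matches to the distribution list. The script below is an added illustration, not Fortinet code and not from anyone in this thread; the key="value" syslog layout, field names and sample lines are constructed assumptions, so the regex has to be adapted to the format your FortiEDR manager actually emits.

```python
"""Watch FortiEDR Audit Trail syslog output for device-isolation entries and
turn them into one digest email for a distribution list.

ASSUMPTION: lines carry key="value" fields after the hostname; the real
FortiEDR field names must be taken from the syslog you actually receive."""
import re
from email.message import EmailMessage

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (NOT real FortiEDR output), used for the demo below.
SAMPLE_SYSLOG = [
    '2025-02-05T10:15:02Z edr-mgr FortiEDR: category="Audit Trail" action="Isolate Device" device="WS-1234" user="Playbook"',
    '2025-02-05T10:15:03Z edr-mgr FortiEDR: category="Security Event" classification="Malicious" device="WS-1234"',
    '2025-02-05T10:20:11Z edr-mgr FortiEDR: category="Audit Trail" action="User Login" device="" user="admin"',
    '2025-02-05T11:02:45Z edr-mgr FortiEDR: category="Audit Trail" action="Unisolate Device" device="WS-1234" user="admin"',
]

def parse_line(line: str) -> dict:
    """Extract the leading timestamp plus every key="value" field from one syslog line."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def isolation_events(lines) -> list:
    """Keep only Audit Trail entries whose action concerns isolation, and tag each
    as the device being isolated or released (an 'Un...' or 'Remove ...' action)."""
    events = []
    for line in lines:
        f = parse_line(line)
        action = f.get("action", "")
        if f.get("category") != "Audit Trail" or "isolat" not in action.lower():
            continue  # security events and unrelated audit entries are ignored
        released = action.lower().startswith("un") or "remove" in action.lower()
        events.append({"ts": f["ts"], "device": f.get("device") or "?",
                       "user": f.get("user") or "?", "action": action,
                       "state": "released" if released else "isolated"})
    return events

def build_notification(events, sender: str, recipients: list) -> EmailMessage:
    """Build one digest email listing every isolation change found."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, ", ".join(recipients)
    msg["Subject"] = f"[FortiEDR] {len(events)} device isolation change(s)"
    msg.set_content("\n".join(
        f"{e['ts']}  {e['device']:<12} {e['state']:<9} via {e['action']!r} by {e['user']}"
        for e in events) or "no isolation events")
    return msg

if __name__ == "__main__":
    found = isolation_events(SAMPLE_SYSLOG)
    mail = build_notification(found, "fortiedr@example.com", ["soc-dl@example.com"])
    print(mail)  # hand `mail` to smtplib.SMTP(...).send_message() in a real deployment
```

In production the lines would come from the syslog collector that already receives the Audit Trail feed, with the script run on a schedule or as a log-pipeline hook.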