Description
This article describes how to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiClient EMS.
Pre-requisite.
Refer to the related articles section and to the document below.
Related document:
Viewing Compromised Hosts
Indicators Of Compromised (IOC) Flow.
Scope
FortiGate v6.4.4, FortiAnalyzer 6.4.5 and FortiClient EMS 6.4.3.
Solution
FortiGate.
Configure a firewall policy going to the Internet that has a web filter profile enabled on it. This is required for the IOC to work.
config firewall policy
edit 0
set srcintf "port3"
set dstintf "virtual-wan-link"
set srcaddr "10.115.2.52/32"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set webfilter-profile "monitor-all"
set logtraffic all
set nat enable
next
config system automation-stitch
edit "Compromised Host Quarantine"
set trigger "Compromised Host Quarantine"
set action "Compromised Host Quarantine_quarantine-forticlient"
next
end
FortiClient EMS.
Set the FortiAnalyzer IP address under the Endpoint Profile System Settings so as to allow FortiClient to send logs directly to FortiAnalyzer.
FortiClient.
Note.
For simplification of this guide, only webfilter is enabled and website categories have used their respective default action values.
Results: To trigger IOC logs, access the eicar detection file from the endpoint machine. (For more information, see the eicar website site.)
Results: To trigger IOC logs, access the eicar detection file from the endpoint machine. (For more information, see the eicar website site.)
FortiGate.
Note:
Starting from v7.0.0 the log with the message 'IOC detected by FortiAnalyzer' will not be generated in the System Event logs. To obtain this log the 'Compromised Host Quarantine' automation stitch will need to be configured with an automation action for email notification as well.
FortiAnalyzer.
FortiClient.
Next actions:
To remove the host from being quarantined, go to FortiClient EMS dashboard -> Endpoints -> All Endpoints , select the quarantined host, select 'Action' and select 'Unquarantine'.
FortiClient EMS.
Note.
It is also possible to provide the endpoint user with a one-time access code.
The user can enter the code to access FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in the FortiClient console.
It is also possible to provide the endpoint user with a one-time access code.
The user can enter the code to access FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in the FortiClient console.
The code is available under Quarantine Access Code after selecting a quarantined endpoint as seen below.
Related document:
Quarantining endpoints
Afterwards, it is necessary to acknowledge the logs from FortiAnalyzer to clear the compromised hosts list from FortiGate so that it can execute the Automation Stitch for the same host once triggered again.
Quarantining endpoints
Afterwards, it is necessary to acknowledge the logs from FortiAnalyzer to clear the compromised hosts list from FortiGate so that it can execute the Automation Stitch for the same host once triggered again.
FortiAnalyzer.
FortiGate Compromised Hosts by Verdict lists after acknowledgment.
Related articles:
Technical Tip: Configuring the root FortiGate and downstream FortiGates in Security Fabric
Technical Tip: EMS Connector setup
