Created on 03-14-2021 11:45 PM Edited on 11-23-2022 04:28 AM By Jean-Philippe_P
Description
This article describes how to implement an Indicators of Compromise (IOC) automation stitch between FortiGate, FortiAnalyzer and FortiClient EMS, so that an endpoint that FortiAnalyzer flags as compromised is quarantined automatically through FortiClient.
Prerequisites.
The FortiGate must already be logging to a FortiAnalyzer that has the IOC service licensed, and a FortiClient EMS fabric connector must be configured on the FortiGate (the stitch action pushes the quarantine through that connector). Refer to the Related Articles section and to the document below.
Related document:
https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/137635/viewing-compromis...
Figure: Indicators of Compromise (IOC) flow.
Scope
Versions used in this guide:
FortiGate 6.4.4.
FortiAnalyzer 6.4.5.
FortiEMS 6.4.3.
Solution
FortiGate.
Configure a firewall policy towards the Internet with UTM enabled and a web filter profile applied. FortiAnalyzer derives its IOC verdicts from the web filter logs the FortiGate sends it, so without this profile (and traffic logging) no verdict is produced and the stitch never triggers. Certificate inspection is included so that HTTPS hostnames are visible to the web filter.
# config firewall policy
edit 0
set srcintf "port3"
set dstintf "virtual-wan-link"
set srcaddr "10.115.2.52/32"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set webfilter-profile "monitor-all"
set logtraffic all
set nat enable
next
end
The predefined 'Compromised Host Quarantine' stitch ships disabled, so it has to be enabled explicitly in addition to confirming its trigger and action:
# config system automation-stitch
edit "Compromised Host Quarantine"
set status enable
set trigger "Compromised Host Quarantine"
set action "Compromised Host Quarantine_quarantine-forticlient"
next
end
The trigger only fires for FortiAnalyzer verdicts at or above the threshold configured with 'set ioc-level' on the trigger under 'config system automation-trigger' (high by default).
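As an added check that is not part of the original article, the script below audits the two FortiGate items configured above over the FortiOS REST API: it lists the Internet-bound policies that actually qualify for IOC detection (accept, UTM on, web filter and SSL profile set, traffic logging 'all') and reports why the 'Compromised Host Quarantine' stitch would not fire (missing, disabled, wrong trigger, or quarantine action not attached). It assumes a REST API administrator token (Authorization: Bearer) and the standard cmdb endpoints /api/v2/cmdb/firewall/policy and /api/v2/cmdb/system/automation-stitch; the JSON field names follow the 6.4 CLI shown above, and handling of the 7.x 'actions' table is an assumption. The sample data at the bottom is constructed, not captured from a device, so the script also runs offline.

```python
"""Audit a FortiGate's IOC-quarantine prerequisites via the FortiOS REST API.

Added example for this article, not Fortinet code. Endpoints assumed:
  GET /api/v2/cmdb/firewall/policy
  GET /api/v2/cmdb/system/automation-stitch
"""
import json
import ssl
import urllib.request

STITCH_NAME = "Compromised Host Quarantine"
QUARANTINE_ACTION = "Compromised Host Quarantine_quarantine-forticlient"


def fetch(host, token, path, verify_tls=True):
    """GET a cmdb path with a REST API admin token; return the 'results' list."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: FortiGate still on its self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)["results"]


def _names(field):
    """FortiOS returns table members as [{'name': ...}]; flatten to a set of names."""
    return {m["name"] for m in field or []}


def policy_findings(policy, internet_intfs=("virtual-wan-link",)):
    """Reasons a policy cannot feed IOC detection; empty list means it qualifies."""
    findings = []
    if policy.get("action") != "accept" or policy.get("status", "enable") != "enable":
        findings.append("not an enabled accept policy")
    if not _names(policy.get("dstintf")) & set(internet_intfs):
        findings.append("dstintf is not an Internet-facing interface")
    if policy.get("utm-status") != "enable":
        findings.append("utm-status disabled")
    if not policy.get("webfilter-profile"):
        findings.append("no webfilter-profile")
    if not policy.get("ssl-ssh-profile"):
        findings.append("no ssl-ssh-profile (HTTPS hostnames not visible to web filter)")
    if policy.get("logtraffic") != "all":
        findings.append("logtraffic is not 'all'")
    return findings


def stitch_findings(stitches):
    """Reasons the Compromised Host Quarantine stitch will not fire; empty = ready."""
    match = [s for s in stitches if s.get("name") == STITCH_NAME]
    if not match:
        return [f"stitch '{STITCH_NAME}' not found"]
    stitch = match[0]
    findings = []
    if stitch.get("status") != "enable":
        findings.append("stitch is disabled (predefined stitches ship disabled)")
    if stitch.get("trigger") != STITCH_NAME:
        findings.append(f"trigger is {stitch.get('trigger')!r}, expected {STITCH_NAME!r}")
    # 6.4: 'action' is a member table of {'name': ...}.
    # 7.x (assumption): 'actions' rows carry the action name under 'action'.
    actions = _names(stitch.get("action")) | {
        a.get("action") for a in stitch.get("actions") or []
    }
    if QUARANTINE_ACTION not in actions:
        findings.append(f"action {QUARANTINE_ACTION!r} not attached")
    return findings


def audit(policies, stitches):
    """Summarise which policies qualify and whether the stitch is ready to fire."""
    ok_policies = [p["policyid"] for p in policies if not policy_findings(p)]
    return {"ioc_capable_policies": ok_policies,
            "stitch_findings": stitch_findings(stitches)}


# Constructed sample data (not captured from a real device), in the shape the
# cmdb API returns for the configuration in this article. Policy 2 and the
# stitch status are deliberately wrong to show the findings.
SAMPLE_POLICIES = [
    {"policyid": 1, "status": "enable", "action": "accept",
     "srcintf": [{"name": "port3"}], "dstintf": [{"name": "virtual-wan-link"}],
     "utm-status": "enable", "ssl-ssh-profile": "certificate-inspection",
     "webfilter-profile": "monitor-all", "logtraffic": "all"},
    {"policyid": 2, "status": "enable", "action": "accept",
     "srcintf": [{"name": "port3"}], "dstintf": [{"name": "virtual-wan-link"}],
     "utm-status": "disable", "ssl-ssh-profile": "", "webfilter-profile": "",
     "logtraffic": "utm"},
]
SAMPLE_STITCHES = [
    {"name": STITCH_NAME, "status": "disable", "trigger": STITCH_NAME,
     "action": [{"name": QUARANTINE_ACTION}]},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: audit_ioc.py <fortigate-host> <api-token>
        host, token = sys.argv[1:]
        result = audit(fetch(host, token, "firewall/policy"),
                       fetch(host, token, "system/automation-stitch"))
    else:
        result = audit(SAMPLE_POLICIES, SAMPLE_STITCHES)
    print(json.dumps(result, indent=2))
```

Run it without arguments to see the findings on the constructed data; with a host and token it audits the live device. The token needs an admin profile with read access to firewall policies and automation stitches, and TLS verification should only be disabled in a lab.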
FortiEMS.
Set the FortiAnalyzer IP address under the Endpoint Profile System Settings so that FortiClient sends its logs directly to FortiAnalyzer.
FortiClient.
Note.
For simplicity, only the web filter is enabled in this guide and the website categories keep their default actions.
Results.
To trigger IOC logs, browse to http://195.22.28.198/ from the endpoint machine.
FortiGate.
FortiAnalyzer.
FortiClient.
Next actions.
1) To remove the host from quarantine, go to the FortiEMS dashboard -> Endpoints -> All Endpoints, select the quarantined host, select 'Action' and then 'Unquarantine'.
FortiEMS.
Note.
It is also possible to provide the endpoint user with a one-time access code.
The user can enter the code to access FortiClient on the quarantined endpoint and then remove the endpoint from quarantine in the FortiClient console. The code is available under Quarantine Access Code after selecting a quarantined endpoint, as seen below.
Related document:
https://docs.fortinet.com/document/forticlient/6.0.3/ems-administration-guide/176816/quarantining-en...
2) Afterwards, acknowledge the IOC events on FortiAnalyzer. Acknowledging removes the host from the FortiGate's compromised hosts list, so that the automation stitch can run again for the same host the next time it is triggered; until then a repeat detection of that host will not fire the stitch.
FortiAnalyzer.
FortiGate Compromised Hosts by Verdict list after acknowledgement.
Related Articles:
Technical Tip: Configuring the root FortiGate and downstream FortiGates in Security Fabric
Technical Tip: EMS Connector setup