FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 270412
Description This article how to run a FortiClient Endpoint Antivirus scanning using Playbook.
Scope FortiAnalyzer, FortiClient Endpoint, FortiClient EMS.

For this step, the FortiClient EMS and Endpoint have been integrated with FortiAnalyzer:


  1. Create an EMS Connector: Go to Fabric View -> Create New -> FortiCLient EMS -> Next.




  1. Create a playbook: Go to FortiSoC -> Create New -> choose template 'Run AV Scan on Endppoint' -> OK ->'double-click' on the template -> run AV Scan on Endpoint -> GUI will display playbook of AV Scan.





  • Represent a trigger when a playbook is to be executed.
  • In this playbook, on_demand is used, meaning this playbook is manually run by the administrator.



  • Represent automated actions that take place on FortiAnalyzer or another connector.
  • In this lab playbook, the EMS connector is used to collect the data, and FortiAnalyzer to get the data from FortiClient Endpoint.


  1. EMS Connector.




  • This connector needs the FortiClient details.
  • Hence, ensure the FortiClient is managed by FortiClient EMS.
  • Endpoint ID =  4 Digit number  >> Automatically appears in Playbook.
  • FortiClient ID = UUID >> Manually upload to playbook.


  1.  FortiAnalyzer Connector.




  • The FortiAnalyzer connector is known as a local connector
  • As this playbook is run on_demand, the incident ID needs to be created manually from FortiAnalyzer .
  • The run Antivirus status can be seen from the playbook monitor either success or failure.


  1. To run the playbook, ensure the status of the playbook is enabled. Select 'run AV Scan on Endpoint' -> Run,  it is necessary to field in the Endpoint information -> OK.




  1. The notification will get the playbook started to run the AV Scan.





  1. Wait 5 minutes for Endpoint to get a notification from the playbook and run the AV Scan.




  1. From the Play monitor, it is possible to define if the playbook succeeded or failed to run the task.




The trigger section mentions this playbook is run manually by 'user'.