FortiEDR
ymasaki (Staff)
Article Id 316158
Description: This article describes how to trigger the Identity Management Integration to assign Classification Tags with FortiClient EMS.
Scope: FortiEDR 6.0+.
Solution

FortiEDR integrates with FortiClient Endpoint Management Server (EMS) as an Identity Management connector. This allows FortiClient EMS to assign Classification Tags (FortiEDR_Malicious, FortiEDR_PUP, FortiEDR_Suspicious, FortiEDR_Likely_Safe, and FortiEDR_Probably_Good) to a client machine when FortiEDR detects an event that carries an FCS Classification.

To set up the Identity Management connector, see the administration guide:

Identity Management integration

Prerequisites

Before triggering the Identity Management Integration, check the following:

  • Both the FortiClient and FortiEDR Collector agents run on the same machine.
  • FortiClient has established a Telemetry connection to FortiClient EMS.

In this scenario, FortiEDR Central Manager v6.0, Collector v5.2, FortiClient/EMS 7.2 and FortiGate 7.4 are used.

  1. Make sure the test is successful in the Identity Management connector:

     1_edr_test.png


  2. The Playbook is in Prevention mode and assigned to the correct group (ZeroTrust device tagging):

     2_playbook.png


  3. Run 'ConnectivityTestAppNew.exe' on a client machine:

     Screenshot 2024-05-21 120942.png


  4. The event (ConnectivityTestAppNew.exe) is detected as Malicious and the Identity Management Integration is triggered:

     4_edr_event.png


  5. In EMS, the Classification tag (FortiEDR_Malicious) is assigned to the FortiClient machine:

     5_ems_endpoint.png


  6. Make sure the option 'Classification Tags' is enabled so that EMS pushes the tags to FortiGate:

     6_ems_options.png


  7. In FortiGate, the tag 'FortiEDR_Malicious' is available as a Security posture tag (FortiGate 7.4.2 or later) in the firewall policy:

     7_fgt_tag.png


The tag can then be used in a firewall policy to block network connectivity for the tagged endpoint as desired.