FortiEDR
FortiEDR automates the protection against advanced threats, pre- and post-execution, with real-time orchestrated incident response functionality.
ymasaki
Staff
Article Id 308082
Description This article describes how to trigger the User Access Integration to disable a domain user or reset a domain user password with Active Directory.
Scope FortiEDR v6.0.
Solution

To set up the User Access connector, visit the administration guide for more information:

User Access integration

 

  1. Make sure the test is successful in the User Access connector:

user_access_connector_test.png

  2. Make sure the Playbook is in Prevention mode and assigned to the correct group, with 'Disable user' or 'Reset user password' enabled:

user_access_playbook.png

  3. Log in to the test Collector PC as a domain user ('fortilabym1' in this test scenario).
  4. Run the connectivity test command in PowerShell to generate the FortiEDR event:

tnc -ComputerName x.x.x.x -Port xxx   # Replace 'x' with a test IP and port.

user_access_client.png

  5. The event (powershell.exe) is detected as Inconclusive and the User Access Integration is triggered properly.

user_access_event.png

  6. In both Active Directory and the test PC, the user is disabled as expected.

user_access_disabled.png

user_access_disabled_pc.png

  7. A password reset is also required upon login with the domain user.

 

user_access_passwordreset.png
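To confirm the last two steps from the directory side rather than from screenshots, the following added example (not part of the original article or of FortiEDR) polls Active Directory for the test account and reports when it becomes disabled or flagged for a password change. It assumes an admin workstation with the RSAT ActiveDirectory module, that the 'Reset user password' action shows up as pwdLastSet = 0, and illustrative timeout values.

```powershell
# Added example, not from the original article. Run from an admin workstation
# with the RSAT ActiveDirectory module, not from the test Collector PC.
#Requires -Modules ActiveDirectory
param(
    [string]$Identity = 'fortilabym1',   # test account used in the article
    [int]$TimeoutSeconds = 300,          # assumed wait budget, adjust as needed
    [int]$PollSeconds = 10               # assumed poll interval
)

function Get-AccountState {
    param([string]$Identity)
    # Queries the default DC; AD replication can delay what this DC sees.
    $u = Get-ADUser -Identity $Identity -Properties Enabled, pwdLastSet, whenChanged
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        Enabled            = $u.Enabled
        # pwdLastSet = 0 means "User must change password at next logon".
        MustChangePassword = ($u.pwdLastSet -eq 0)
        WhenChanged        = $u.whenChanged
    }
}

$baseline = Get-AccountState -Identity $Identity
if ((-not $baseline.Enabled) -or $baseline.MustChangePassword) {
    Write-Warning "Account is already disabled or flagged; restore it before testing."
    return
}
Write-Host "Baseline OK. Run the tnc test on the Collector as $Identity now."

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds $PollSeconds
    $state = Get-AccountState -Identity $Identity
    $fired = (-not $state.Enabled) -or $state.MustChangePassword
} until ($fired -or ((Get-Date) -ge $deadline))

if ($fired) {
    $state | Format-List
    Write-Host "Restore after the test: Enable-ADAccount -Identity $Identity"
    Write-Host "Clear the flag: Set-ADUser -Identity $Identity -ChangePasswordAtLogon `$false"
} else {
    Write-Warning "No change after $TimeoutSeconds seconds; recheck the connector test, playbook mode and group assignment."
}
```

The script only reads the account and prints the restore commands; it does not re-enable the user itself.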
