FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rkatmor
Staff
Article Id 209594
Description: This article describes how to enable FortiClient EMS to enforce zero-trust policies based on FortiEDR security posture feeds.
Scope: FortiEDR/EMS-Cloud.
Solution

General Concept.

FortiClient EMS can tag hosts and enforce access policies based on those tags.

The goal of this article is a seamless integration between FortiClient Cloud-EMS and FortiEDR, one that assigns hosts in FortiClient EMS the security tags associated with their FortiEDR classification and thereby restricts a host's access based on its security posture.

Integration Steps.

1) Create a cloud-EMS connector:

As of v5.0.3, FortiEDR supports out-of-the-box (Fabric-related) connectors and custom connectors, which allow FortiEDR to integrate with any third-party entity and to trigger OOTB or customized actions according to the applied playbook policy.

The Cloud-EMS connector is set up as a 'Custom Connector', as listed under Administration -> Integrations.

Fill in the following:

- Select a jumpbox component (required by the 'custom connector' option as part of the anti-tampering requirement).

- Add the desired connector name, the host and port, and the API key generated by the EMS-Cloud environment in question.

2) Add an 'EMS Tag Sharing' action:

Under Administration -> Integrations, select the 'Add Action' option at the right end of the 'custom connector' window, then select the 'Create new action' option:

In the action manager dialog, enter an action name (1) (this action will become available in the playbook template under the 'CUSTOM' actions section) and a description (2), then select the 'Upload' action script button (3).

Select the EMS-Cloud script as listed in this article and select 'Save'.

Once saved, select 'Add' and verify the connector functionality by selecting the 'test' button:

The test script returns '0' on success; on failure it returns an error message together with the respective stdout (print output) and stderr verbose logs.

Enable and save the connector:

3) Enable the new custom action in the extended playbook options:

Under Security Settings -> Playbook (1), enable the relevant connector (2) and the newly added action listed under the 'CUSTOM' action section for all the tag/classification-related options (3).

The playbook should be set to protection (4) and applied to the respective host group (5):

Expected Outcome:

When an event triggers the playbook, expect the following:

1) If it does not already exist, a new tag format ('FortiEDR_CLASSIFICATION') is created under the EMS-Cloud console.

2) Once an incident is triggered and associated with a host that is subject to the assigned playbook policy, the host is associated with the triggered classification/tag in EMS-Cloud.
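The outline below is an added example of the action-script contract described above (exit code 0 on success, a reason on stderr otherwise) and of the tagging outcome (a 'FortiEDR_CLASSIFICATION' tag whose value is the host's classification); it is not the script attached to this article. It assumes the event arrives as JSON with 'host' and 'classification' keys, uses placeholder EMS paths rather than documented EMS API endpoints, and leaves the HTTP transport to be supplied by the deployer.

```python
"""Outline of a FortiEDR custom-connector action that tags a host in FortiClient
EMS. Assumptions (not from the article): event JSON on stdin with 'host' and
'classification'; EMS reached through an injected 'send' callable; the
/PLACEHOLDER paths must be replaced with the real EMS API paths."""
import json
import sys

TAG_NAME = "FortiEDR_CLASSIFICATION"  # tag name the article says the action creates in EMS
# Classification names as assumed here; anything else is rejected before EMS is touched,
# so a malformed or tampered event cannot write an arbitrary tag value.
KNOWN_CLASSIFICATIONS = {"Malicious", "Suspicious", "PUP", "Inconclusive", "Likely Safe", "Safe"}


def build_tag_requests(host, classification):
    """Return the (method, path, body) sequence that tags `host` with its classification."""
    if classification not in KNOWN_CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    if not host:
        raise ValueError("empty host name")
    return [
        ("PUT", f"/PLACEHOLDER/tags/{TAG_NAME}", {"name": TAG_NAME}),             # create if missing
        ("PUT", f"/PLACEHOLDER/hosts/{host}/tags", {TAG_NAME: classification}),   # assign the value
    ]


def run_action(event, send):
    """Apply the action; return the process exit code the connector expects:
    0 on success, non-zero with the reason printed to stderr on failure."""
    try:
        steps = build_tag_requests(event.get("host", ""), event.get("classification", ""))
        for method, path, body in steps:
            status = send(method, path, body)   # send() returns the HTTP status code
            if status >= 400:
                raise RuntimeError(f"EMS returned HTTP {status} for {method} {path}")
    except (ValueError, RuntimeError) as exc:
        print(f"EMS tagging failed: {exc}", file=sys.stderr)
        return 1
    print(f"tagged {event['host']} as {event['classification']}")
    return 0


def main():
    event = json.load(sys.stdin)  # assumption: FortiEDR hands the event to the script as JSON

    def send(method, path, body):  # assumption: deployer wires the real EMS transport here
        raise RuntimeError("EMS transport not configured")

    sys.exit(run_action(event, send))


if __name__ == "__main__":
    main()
```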

Going Forward.

To further streamline and automate the different integration processes, we are planning to add further OOTB connectors and respective actions for Fabric and third parties as part of the v5.2 release (ETA Q2 2022); FortiClient Cloud-EMS tagging is planned to be one of those connector actions.