FortiClient Manual Quarantine Process

Questions and Answers

What feature of FortiAnalyzer allows it to store and analyze logs from Security Fabric groups?

Security Fabric Analytics

FortiView Integration

Security Fabric Logging (correct)

Device Manager Configuration

How does FortiAnalyzer handle logs from the units in a Security Fabric group?

Requires manual configuration for analysis

Stores and analyzes them individually

Ignores them due to their complexity

Correlates them to UTM logs (correct)

What can be viewed by selecting 'Fabric Topology' after right-clicking a Security Fabric device in FortiAnalyzer's Device Manager?

Logs from all devices in the network

Historical bandwidth usage

Real-time network traffic data

Security Fabric group membership (correct)

Which feature of FortiAnalyzer provides customizable SOC and NOC dashboards for monitoring events in real-time?

Security Fabric Analytics

For what purpose does FortiAnalyzer provide reports related to compliance or historical analysis?

Compliance or historical analysis

What is a key function of FortiView within FortiAnalyzer's analytics and reporting capabilities?

Providing summaries of critical alerts

What is the purpose of a trigger in the context of security events and alarms?

To combine one or more filters

What happens if all trigger criteria are satisfied?

A security alarm is generated

In the context of security events, what information is included in a security event triggered by a filter match?

Date and time, Source IP, Source Mac, Destination IP, Location

What determines if a user or host element associated with a security event must match the profile?

The user and/or host profile requirement

In the context of security alarms, what does the security alarm contain?

Host MAC, alarm date and time, matched rule, actions taken

What is the role of security rules in relation to security filters?

Security rules evaluate the priority order of filters

What is the primary purpose of FortiAnalyzer automation-driven analytics?

To provide full visibility of network devices, systems, and users

What is the key role of the Monitors view in FortiAnalyzer?

Providing customizable NOC and SOC dashboards

What does the Log View feature in FortiAnalyzer enable analysts to do?

Utilize search filters on managed device logs

Which type of trigger initiates a playbook when an incident is created matching certain filters?

Incident Trigger

What is the purpose of Playbook Automation in FortiSOC?

Simplify investigation through automated incident response

What additional licenses are required for the use of Automation Playbooks in FortiSOC?

Additional FortiSOC license

Which type of trigger in FortiAnalyzer Playbooks is run during a configured schedule?

On-Schedule Trigger

What is the benefit of integrating FortiAnalyzer with SOC connectors?

Enhancing Incident Detection and Response capabilities

What do Triggers determine in the context of FortiAnalyzer Playbooks?

When a playbook is to be executed.

What is the main role of the Monitors view in FortiAnalyzer?

Customizable NOC and SOC dashboards and widgets.

How can a FortiClient endpoint be manually quarantined?

By clicking on Endpoints and selecting Quarantine

What is the process to unquarantine a FortiClient endpoint?

Selecting the quarantined endpoint in FortiEMS console and choosing Unquarantine

In what ways can quarantined files be allowlisted and restored?

Through editing file descriptions in the Allowlist pane

What happens after FortiClient quarantines files on endpoints and sends the information to FortiClient-EMS?

Files are made accessible on the endpoint after next telemetry communication

What does Security Orchestration involve?

Combining visibility, detection, control, and response capabilities to create automated prevention processes

Which tool is used to orchestrate network security processes with FortiNAC?

FortiNAC

How does FortiNAC integrate with other devices?

Bidirectional integration for information exchange

What is required to create preventative network access and threat triage processes?

Policy-based platform leveraging end-to-end visibility

What must be done to allowlist and restore quarantined files from EMS?

Edit their file descriptions in the Allowlist Pane.

What does Security Automation and Orchestration aim to automate?

Provisioning and SOC threat response procedures.

What is the purpose of triggers in a playbook on FortiAnalyzer?

To initiate the playbook

What is the maximum number of triggers that can be included in a single playbook on FortiAnalyzer?

Only one trigger

How does a playbook flow through its tasks after being triggered on FortiAnalyzer?

Using the trigger as a starting point

What actions can be performed by FortiAnalyzer on FortiClient-EMS using an API?

All of the above

How are incidents created by FortiAnalyzer playbooks?

Automatically based on playbook configuration

In the context of FortiAnalyzer, what is the function of FortiClient-EMS as a Security Fabric connector?

Quarantining endpoints

What initiates the execution of a playbook when an IOC threat is detected?

FortiAnalyzer discovering IOCs in logs

What is the role of FortiOS in the IOC flow described in the text?

Sending logs to FortiAnalyzer

Which network devices are required for automatic endpoint quarantine on IOC detection using Security Fabric?

FortiGate, FortiAnalyzer, FortiClient-EMS, FortiClient

What should be configured on FortGate to enable automatic endpoint quarantine during an IOC threat?

FortClient-EMS IP address and login credentials for administrator

What is the key attribute that makes the association between the security alert and the host?

IP-address

In the context of FortiNAC, what is the purpose of creating security rules?

To automate incident response

What happens if a received security alert does not match any of the security rules in FortiNAC?

No action is taken

What can be designated as a log host in FortiNAC?

SIEM

What type of information is used to determine what kind of work flow should be designed when handling a security alert in FortiNAC?

Host physical location

What information can be included in the visibility information within the FortiNAC database?

Host and user attributes like name, physical address, IP-address, location, and user details such as email and phone extension

In FortiNAC, what is a filter evaluated against the contents of?

Parsed security alert

What action is taken when a triggered filter does not match any criteria in a security rule in FortiNAC?

No action is taken

Which attribute is used to create new work flows in FortiNAC for automating responses?

Fully understood security alerts

What does a satisfied rule result in within FortiNAC?

Creation of a security alarm

Study Notes

FortiAnalyzer Features and Functionality

• Log Management: FortiAnalyzer stores and analyzes logs from Security Fabric groups, providing centralized visibility and management.
• Log Handling: Logs from units in a Security Fabric group are processed and aggregated for comprehensive analysis and reporting.
• Fabric Topology View: Selecting 'Fabric Topology' in the Device Manager reveals the hierarchical representation and relationships between Security Fabric devices.
• Dashboards: Customizable SOC and NOC dashboards in FortiAnalyzer enable real-time event monitoring and situational awareness.

Compliance and Reporting

• Compliance Reports: FortiAnalyzer generates reports that assist in compliance audits and historical analysis of security events.
• FortiView Functionality: Provides an intuitive interface for detailed analytics and reporting, showcasing event trends and anomalies.

Security Events and Alarms

• Trigger Definition: A trigger initiates responses to security events and alarms based on predefined criteria.
• Trigger Criteria: If all criteria are satisfied, the associated actions for the trigger are executed.
• Security Event Information: Triggered security events contain details such as source, severity, and impact assessment.
• Profile Matching: User or host elements associated with security events must match with predefined profiles to trigger appropriate actions.
• Security Alarm Content: Security alarms encapsulate critical event information and alert metrics for further investigation.

Analytics and Automation

• Security Rules and Filters: Security rules define criteria, while filters categorize events for specific responses in FortiAnalyzer.
• Automation-Driven Analytics: Aims to streamline and enhance the analysis process by leveraging automation to reduce response times.
• Monitors View: Serves as a real-time dashboard for security analysts to oversee ongoing events and trends in network activity.

Playbook Automation

• Trigger Types: An incident-based trigger in FortiAnalyzer initiates a playbook for responding to specified events.
• FortiSOC Integration: FortiSOC requires additional licenses to utilize Automation Playbooks effectively.
• Scheduled Triggers: Triggers can be set to execute playbooks based on defined schedules, enabling timely interventions.

Endpoint Management with FortiClient

• Manual Quarantine: FortiClient endpoints can be quarantined directly via management interfaces in FortiAnalyzer.
• Unquarantine Process: Quarantined endpoints can be restored by following specific unquarantine protocols.
• File Management: Quarantined files can be allowlisted or restored through FortiClient-EMS, ensuring security and compliance.

Security Orchestration and Integration

• Security Orchestration: Involves automating and coordinating security processes across different devices and platforms.
• FortiNAC Integration: FortiNAC orchestrates network security processes using API connectivity with other security devices.
• Preventative Processes: Creating effective preventative access and threat triage processes involves integrating various security solutions effectively.

Alert Management in FortiNAC

• Security Rules Purpose: Security rules in FortiNAC determine the handling procedures for incoming security alerts.
• Non-Matching Alerts: Alerts that do not match existing security rules are subject to predefined default handling processes.
• Log Hosts: FortiNAC can designate specific devices as log hosts for centralized log management.

Workflows and Filters

• Workflow Design: Handling security alerts involves evaluating workflow design based on the type of alert and its characteristics.
• Visibility Information: Provides detailed data on devices and network activity within the FortiNAC database for informed decision-making.
• Triggered Filters: Filters are evaluated against security rule contents, and unmatched criteria lead to defined default actions in network responses.

Rule Evaluation and Response Automation

• Automated Workflows: Satisfied rules create new workflows for automating responses to various network security events, enhancing operational efficiency.

Description

Learn about the manual quarantine process for FortiClient endpoints on the FortiClient-EMS console. Quarantined endpoints are isolated from the network after the manual quarantine is initiated.