Quarantine Automation Using FortiAnalyzer and FortiOS

Questions and Answers

What is the primary purpose of FortiAnalyzer as mentioned in the text?

To generate security reports

To perform vulnerability scanning

To provide a user-friendly interface for device management

To aggregate log data from multiple devices (correct)

How does FortiAnalyzer help in reducing the workload for administrators?

By integrating with external threat intelligence sources

By creating a single channel for accessing network data (correct)

By providing real-time notifications for security events

By automating device configuration settings

Which type of logs can FortiAnalyzer collect from FortiGate devices?

System Logs, Debug Logs, Error Logs

Event, Command Line Interface, Configuration

Security, Vulnerability Scan, Traffic

Traffic, Event, Security (correct)

How can administrators access the logs stored in FortiAnalyzer?

By connecting to FortiAnalyzer using the GUI

Which device type is NOT listed as supported for log collection by FortiAnalyzer?

FortiSecure

What does ZTA stand for in the context of log types collected by FortiAnalyzer?

Zero Trust Architecture

What network components are required for the Security Fabric to automatically quarantine an endpoint with an IOC?

FortiGate, FortiClient, FortiAnalyzer

How is an endpoint quarantined from the network when an IOC is detected?

FortiClient-EMS notifies FortiClient to isolate itself.

How can a FortiClient endpoint be manually quarantined?

Use Quarantine Access Code

What is a way to remove a FortiClient endpoint from quarantine?

Unquarantine using Quarantine Access Code

Where does a FortiClient-EMS administrator view quarantined file information for all managed endpoints?

Quarantine Management in FortiOS

What function does FortiAnalyzer play in the quarantine process?

Sends logs to FortiOS for IOC discovery

Which network device identifies if a connected endpoint should be quarantined?

-FortiGate

What happens when the endpoint notifies FortiGate and EMS of the status change?

-EMS searches for the endpoint

How can an allowlisted file be restored after being quarantined?

-EMS can allowlist and restore files from -FortiOS console

What must occur for an endpoint to receive and implement a quarantine message?

-FortiGate must send a notification to -EMS to quarantine the endpoint.

What happens when a security alert matches security rule 1 in FortiNAC?

The host is moved to the quarantine isolation network, and the alert, host, and user information are logged on the SIEM.

In FortiNAC, what is the starting point for new rule creation?

Security events

What does a trigger represent in FortiNAC?

One or more security filters

What determines whether a user or host profile requirement is met in FortiNAC?

Profile matching

What happens when a trigger is satisfied in FortiNAC?

A security alarm is generated.

What initiates the creation of a security event in FortiNAC?

Filter match

How are security alarms different from security events in FortiNAC?

Security alarms are created when triggers are satisfied, while security events are created on filter matches.

What information does a security event in FortiNAC contain about the host causing the alert?

Source MAC address

What does a satisfied rule result in within FortiNAC?

Security Event generation

What components make up a security rule in FortiNAC?

Triggers and Profiles

What is a key attribute that makes the association between the security alert and the host?

IP-address

In the FortiClient console, why are the options to restore and delete quarantined files greyed out?

Security automation

What process does FortiNAC follow when processing inbound security events?

Analyzes events against security rules

How does Security Orchestration combine different capabilities to create automated prevention processes?

By combining visibility, detection, control, and response capabilities

What type of information is combined with received security alerts within the FortiNAC database?

User's email and phone extension

Why is it important for FortiNAC to integrate with nearly any device?

To expand endpoint-based visibility

How are security rules in FortiNAC evaluated against incoming security alerts?

By correlating with visibility information

What is the purpose of FortiAnalyzer playbook templates?

To customize use cases with playbooks for investigation

When does the FortiAnalyzer playbook run if no filters are set?

When no filters are set, all events will trigger the playbook

What is the primary function of triggers in a FortiAnalyzer playbook?

To define when the playbook should be executed

How are playbooks triggered on FortiAnalyzer?

Based on event triggers, incident triggers, schedules, or manual initiation

What is required to integrate FortiAnalyzer with FortiClient-EMS?

Configuring FortiClient-EMS as a Security Fabric connector on FortiAnalyzer

What happens once an IOC threat is detected on FortiAnalyzer?

FortiAnalyzer sends an API to FortiClient-EMS to quarantine the endpoint

What is one of the predefined actions that can be performed using the FortiClient-EMS connector?

Scanning and quarantining the endpoint

In a FortiAnalyzer playbook example shown, what action is taken after an IOC threat is detected?

'FortiClient-EMS searches for the endpoint and sends a quarantine message to it'

'Quarantine Automation' using FortiAnalyzer involves integration with which Security Fabric connector?

'FortiClient-EMS as a Security Fabric connector'

'ON_DEMAND' trigger in a FortiAnalyzer playbook indicates that it is run:

'Only when manually started by an administrator'

What feature of FortiAnalyzer allows it to display all units in a Security Fabric group as if they were logs from a single device?

Security Fabric Logging

Which view in FortiView provides summaries of real-time critical alerts and information like top threats and indicators of compromise?

Top Threats

What does FortiAnalyzer automatically correlate traffic logs to for reporting sessions, bandwidth, and UTM threats?

UTM logs

Which FortiAnalyzer feature provides full visibility of network devices, systems, and users through correlated data and analysis of real-time and historical events?

Security Fabric Analytics

What tool in FortiAnalyzer can SOC teams use to manage incident handling and life cycle by assigning incidents, viewing event details, adding analysis comments, and reviewing playbook execution details?

Incident Detection and Response

Which feature of FortiAnalyzer provides SOC analysts with customizable NOC and SOC dashboards and widgets for monitoring events in real-time?

Monitors

What type of automation-driven analytics in FortiAnalyzer provides full visibility of network devices, systems, and users by correlating log data for threat intelligence and analysis?

Security Fabric Analytics

In FortiAnalyzer, what functionality enables users to archive network knowledge for compliance or historical analysis purposes?

Log View