Lab Guide - FortiClientEMS+FortiEDR

Index: 1.0
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets including ZTNA
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets including ZTNA
Endpoints are frequently the target of initial compromise or attacks. Fortinet strengthens
endpoint security through integrated visibility, control, and proactive defense. With the ability
to discover, monitor, and assess endpoint risks, you can ensure endpoint compliance, mitigate
risks, and reduce exposure.

In this Fast Track, we will explore controlling endpoints using Fortinet Advanced Endpoint
Protection tools in mixed Windows & Linux environments and see first-hand how these
solutions integrate with the Fortinet Security Fabric to protect your company’s critical assets.

The products included in the Security Operation Solutions are:

FortiClient: Fabric-connected agent protecting and monitoring endpoints
FortiClient EMS: Central management of all FortiClient protected endpoints
FortiEDR: Next-Gen endpoint security solution and automated EDR
FortiGate: High threat protection performance with automated visibility to stop attacks

Note: For all objectives, click Continue then select the next available objective from the list to
proceed.
Index: 1.0 (a)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
including ZTNA
Objective Title: Fast Track Program
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

About Fast Track Program

Fast Tracks are free instructor-led hands-on workshops that introduce Fortinet solutions for
securing your digital infrastructure. These workshops are only an introduction to what Fortinet
security solutions can do for your organization. For more in-depth training, we encourage you
to investigate our full portfolio of NSE training courses at https://training.fortinet.com
Index: 1.0 (b)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets including ZTNA
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Welcome to the Advanced Endpoint Workshop

Network Topology (diagram not reproduced in this text)
Index: 1.0 (c)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets including ZTNA
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Proactive Advanced Endpoint Security, Visibility and Control for Critical Assets including ZTNA
This Fast Track focuses on FortiClient EMS and FortiEDR.
FortiClient EMS is the central manager for FortiClient Fabric agents. FortiClient is available on
Windows, Mac, Linux, iOS, Android and Chromebook devices and is designed to integrate with
the Fortinet Security Fabric, providing visibility, compliance control, vulnerability management,
web filtering, application firewall and secure remote access.
FortiEDR (formerly enSilo) is an Endpoint Detection & Response (EDR) solution offering certified
next-gen AV, automated EDR, forensics, threat hunting and virtual patching capabilities in a
single, lightweight agent. Compliant with regulations such as PCI DSS and HIPAA, FortiEDR
features multi-tenant management in cloud, on-premise and hybrid environments.

FortiClient ZTNA

Topic                                                  Time        Prerequisite
Lab 2.0: FortiClient EMS & Fortinet Security Fabric    15 Minutes  Lab 1
Lab 2.1: Customizing the FortiClient Installer         15 Minutes  Lab 2
Lab 2.2: Zero Trust Network Access                     30 Minutes  Lab 2

FortiEDR Endpoint Security

Topic                                                  Time        Prerequisite
Lab 3.1: EDR Architecture and Deployment               10 Minutes  Lab 1
Lab 3.2: EDR Advanced Protection                       25 Minutes  Lab 3.1
Lab 3.3: EDR Events, Forensics, and Reporting          25 Minutes  Lab 3.1
Index: 2.0
Use Case: FortiClient ZTNA
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

FortiClient ZTNA

Endpoint Protection provides security measures that prevent threats, mitigate risks, reduce
exposure, and ensure endpoint compliance. An additional key function of FortiClient EMS is to
strengthen the Security Fabric by providing information about the endpoints to the FortiGates.
FortiClient EMS can pull machine and user information from Active Directory, which can then
be used by the FortiGate policies.

In the following objectives of this use case, you will establish the communication between EMS,
Active Directory, and Security Fabric and demonstrate ZTNA capabilities.

Time to Complete
Estimated: 60 minutes

Note: Clicking the Continue button will upload a configuration file to FortiGate-ISFW.


Index: 2.0 (a)
Use Case: FortiClient ZTNA
Objective Title: Integrating EMS with Active Directory
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Integrate EMS with Active Directory


Endpoints can be manually imported from an AD server. You can import and synchronize information
about computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying
endpoints that are part of an AD domain server. Once EMS knows about the domain, you will assign it to
the default policy that will be applied to any FortiClient registering to EMS. This includes the features to
be enabled on the endpoint and the Security Fabric telemetry details.

Add Domain
1. From the Lab Activity: Endpoint tab, access FortiClient EMS using the HTTPS option.
Note: Unless otherwise indicated, all username and passwords for various admin consoles
are:
Username: admin Password: Fortinet1!
2. Navigate to Endpoints > Domains > Add a domain.
3. Use the following information:
   - IP address/Hostname: 172.16.100.10
   - Port: 389
   - Bind type: Regular
   - Username: admin
   - Password: Fortinet1!
   Note: Common practice is to check the distinguished name (DN) of a domain when there is
   more than one forest in the network. Here the value was obtained automatically because
   there is only one domain; if manual entry is required, the DN is acmecorp.net
   - LDAPS connection: Uncheck
4. Click Test.
5. Click Save once the success message appears.
   Note: Syncing the domain information into EMS may take up to a minute. Wait for the
   synchronization process to complete. You may need to reload the Manage Domains page by
   clicking Refresh on the top right if acmecorp.net does not appear in Endpoints > Domains.

Assign User Group/Users to Endpoint Policy

1. Click Endpoint Policy & Components > Manage Policies.

2. Click Default_ policy and click Edit.


3. In the Endpoint Groups field, click Edit.
4. Expand acmecorp.net > Users and click Domain Users.
5. Click Save.
6. In the Users field, select the following users:
   - alice
   - bob
   - carol
   - david
   Note: EMS provides granular control in assigning endpoint policies to specific AD
   users/user groups.
7. For On-Fabric Detection Rules, select Corporate Network from the drop-down menu.

8. Click Save.

Stop & Think


(True or False) Does FortiGate also have the capability to provide a complete management and
telemetry solution for FortiClient endpoints?
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint 1:
FortiGate was the only device to manage FortiClient until EMS became available.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Answer
False
FortiGate provides the required telemetry service to extend visibility, control vulnerabilities
and quarantine compromised endpoints.

Answer Key:
✘ 1. True
✔ 2. False
Index: 2.0 (b)
Use Case: FortiClient ZTNA
Objective Title: Integrating EMS with Security Fabric
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Integrate EMS with Security Fabric


Although the endpoints in this lab environment reside behind the ISFW FortiGate, EMS and
Security Fabric initial configurations need to be completed in the Security Fabric Root device
(FortiGate-Edge) of the Security Fabric group.

Configure Fabric Connector


1. From the Lab Activity: Endpoint tab, access FGT-EDGE using the HTTPS option.
Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors


3. Click FortiClient EMS Fabric connector.
4. Click Edit and use the following information:
   - Status: Enabled
   - Type: FortiClient EMS
   - Name: FortiClient-EMS
   - IP/Domain: 172.16.100.125
   - HTTPS port: 443
   - EMS Threat Feed: Leave it set to enabled by default
   - Synchronize firewall addresses: Leave it set to enabled by default

5. Click OK
Note: A ‘Verify EMS Server Certificate’ window should come up. The FortiGate needs to be
authorized on the EMS server which you will do after this exercise.
6. Click Accept

7. Click OK
8. Click Close
9. Click Security Fabric > Fabric Connectors.
Note: The FortiClient-EMS connector was automatically created based on the information you
just provided in the Settings section. Notice that this connector has a red arrow pointing
downward, which means that it is not communicating properly with its destination.

Authorize FortiGate-Edge Fabric Device on EMS Server


1. From the web browser, access the FortiClient EMS using the web console.
2. A Fabric Device Authorization Requests window for FortiGate-Edge and FortiGate-ISFW
should pop up. Click View Detail
CAUTION: Press F5 to refresh the browser window and wait a few seconds if the Fabric
Device Authorization Requests window doesn’t show up.

3. Select FortiGate-Edge with serial no. FGVM01TM19002139 and click Authorize.

4. Similarly, select FortiGate-ISFW with serial no. FGVM01TM19002141 and click Authorize.
Note: Both FortiGates should show up as authorized.
Index: 2.3
Use Case: Customizing the FortiClient Installer
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Customizing the FortiClient Installer

To facilitate the installation of FortiClient on the endpoints, EMS allows the creation of custom
FortiClient deployment packages with pre-configured parameters needed for an endpoint to
register with EMS and connect to FortiGate as part of the Security Fabric group. These
installation packages, however, are only for Windows and Mac OS operating systems.
You can install FortiClient (Linux) on Ubuntu, CentOS, and RedHat operating systems. In the
interest of time, FortiClient (Linux) has already been installed for you on the Ubuntu
workstation.
In this exercise, you will create an installation package and install FortiClient on the Windows
workstation.

Objectives
- Create a deployment package.
- Install FortiClient from the EMS deployment package.

Time to Complete
Estimated: 15 minutes
Index: 2.3 (a)
Use Case: Customizing the FortiClient Installer
Objective Title: Creating Deployment Package
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create Deployment Package


In this objective, you will create a FortiClient installer and pre-configure the parameters needed for an
endpoint to register with EMS and connect to FortiGate as part of the Security Fabric group.

1. From the web browser, access the FortiClient EMS using the web console.
2. Click Deployment & Installers > FortiClient Installer.
3. Click + Add.
4. Under Version section, select Installer Type as Choose an official release.
5. For Release, select 7.0 from the drop down list.
6. For Patch, choose 7.0.7

7. Click Next.
8. Under General section, type the Name as FCT-Installer

Note: Make sure the name is typed in the exact same manner as shown below in the
screenshot.

9. Click Next.
10. Under Features section, leave everything set to default settings.
11. Click Next.
12. Under Advanced, checkmark the following settings:
   - Enable desktop shortcut
   - Enable Endpoint Profile and choose Default endpoint profile from the drop-down list.
13. Click Next.
14. Click Finish.

Stop & Think


(True or False) When you enable and configure Installer ID in the FortiClient Installer
deployment package, FortiClient EMS automatically groups endpoints according to installer
ID group assignment rules?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 4

Hint Text:

Hint 1:
You can configure a FortiClient installer with an installer ID, then deploy this installer to the
desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient
EMS places them in the desired group. For example, consider you want all endpoints located in
your company's headquarters to be placed in the same endpoint group.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Answer

True

Answer Key:
✔ 1. True
✘ 2. False
Index: 2.3 (b)
Use Case: Customizing the FortiClient Installer
Objective Title: Installing FortiClient
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Install FortiClient
In most companies, new machines connect to the corporate network on a regular basis. In this
exercise, we have a Windows machine that was recently joined to the domain and requires
further steps to meet the company’s compliance policy. To that end, we will install FortiClient
on this workstation via the install package we created in the previous objective.

1. From the Lab Activity: Endpoint tab, access the Alice machine using the RDP option.
   Username: ACMECORP/alice Password: Fortinet1!
2. Open the Chrome web browser on the desktop and, using the FCT-Installer bookmark, browse to
   https://172.16.100.125:10443/installers/Default/FCT-Installer
3. Click Advanced and Proceed to website (not recommended) to get past the certificate
   warning page.
4. The installer folder should be displayed. Select FortiClientSetup_7.0.7_x64.exe
5. Pay attention to the bottom left corner of the browser to see that the file is being
   downloaded.
   Note: Click Keep and allow the download if you see a browser pop-up warning that the file
   might be harmful.
6. When you get confirmation that the file has been downloaded, the installer should be saved
   in the Downloads folder. Go ahead and start the installer.
7. Once the installer starts, go ahead and close (or minimize) the browser.
8. Follow the wizard by ticking the checkbox Yes, I have read and accept the License
   Agreement.
9. Click Next.
10. Leave the default directory specified and click Next.
11. Click Install and wait a few moments while the installation completes.
12. When the installer wizard is done, click Finish.
13. Open the FortiClient console by double-clicking the FortiClient icon on the Desktop.
   Note: Wait 1-2 minutes to allow FortiClient to connect and fully synchronize with EMS.
   Pay attention to the FortiClient notification on the taskbar. If FortiClient does not
   connect to the EMS server automatically, click Zero Trust Telemetry, enter IP
   172.16.100.125 and click Connect.

Verify Endpoint Registration

1. From the web browser, access FortiClient EMS using the web console.

2. Click Dashboard > Status.


Note: The console page will show information with regards to the current status of
managed endpoints. You can look into the Endpoint widget to see the number of machines
that are online or offline, as well as how many are managed or unmanaged.
3. For more details, go ahead and click on the number inside the bubble to observe additional
information about these endpoints. Hover the mouse on the green icons to view the status
of EMS management synchronization and Zero Trust Telemetry connection status.

Note: Alice’s avatar may not be visible but will eventually sync up on the next sync cycle.
Index: 2.4
Use Case: Zero Trust Network Access
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Zero Trust Network Access

Zero Trust Network Access (ZTNA) is an access control method that uses client device
identification, authentication, and Zero Trust tags to provide role-based application access. It
gives administrators the flexibility to manage network access for On-net local users and Off-net
remote users. Access to applications is granted only after device verification, authenticating the
user’s identity, authorizing the user, and then performing context-based posture checks using
Zero Trust tags.

When On-net and Off-net FortiClient endpoints register to FortiClient EMS, device information,
logged-on user information, and security posture are all shared over ZTNA telemetry with the EMS
server. Based on the client information, EMS applies matching Zero Trust tagging rules to tag
the clients. These tags, and the client certificate information, are synchronized with the
FortiGate in real time. This allows the FortiGate to verify the client's identity using the client
certificate, and grant access based on the ZTNA tags applied in the ZTNA rule.

Objectives
- Create Zero Trust Tags and Rules
- Dynamically control user access

Time to Complete
Estimated: 25 minutes
Index: 2.4.1
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Dynamic Access Control Based on AD Group Membership

A feature introduced in EMS version 6.2 is the ability to tag endpoints based on the Active
Directory group membership of the logged-in user. EMS considers the endpoint as satisfying the
rule if the logged-in user belongs to the selected AD group. You can also use the NOT option to
indicate that the rule requires that the logged-in user does not belong to certain AD groups.
As these conditions change, EMS updates the tags on the endpoints and passes that
information on to the FortiGates, which can then dynamically control access for the endpoints
via the firewall policies.
In this use case, you will create Zero Trust Tagging rules to apply tags to the endpoints, and
then pull those tags into the FortiGate via an EMS connector. You will then apply these ZTNA
tags to the firewall and demonstrate the changes in access as the tags on the endpoint change.

Objectives
- Create Zero Trust Tagging Rules and Tags
- Dynamically control user access

Time to Complete
Estimated: 15 minutes
Index: 2.4.1 (a)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Creating Zero Trust Tags and Rules
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Create Zero Trust Tags and Rules

EMS tags the endpoints based on Zero Trust Tagging Rules. Let’s have a look at an existing rule,
and then create a few more.

Verify an Existing Rule


1. From the web browser, access FortiClient EMS using the web console.
2. Click Zero Trust Tags > Zero Trust Tagging Rules
3. Select the Trusted_Windows_PC rule and click Edit.
Note: This rule applies a tag named Trusted_PC_Tag to a device if that device runs a
Windows OS and is being managed by EMS.

4. Click Cancel to close this rule.

Create New Rule


Alice works in the Sales department of AcmeCorp, and is therefore a member of the Sales group
in Active Directory. In a previous task, you configured EMS to retrieve domain information from
AcmeCorp’s Active Directory. Let’s make use of that information by creating a rule that will tag
devices based on the AD group membership of the user who is logged onto that device.
1. Click +Add and use the following information:
   - Name: Sales_User
   - Tag Endpoint As: Sales_User_Tag (Press Enter)
   Note: You must press Enter after entering the name of a new tag, otherwise it will
   not be created.

2. Click +Add Rule and use the following information:
   - OS: Windows
   - Rule Type: Users in AD Group
   - AD Group: Users/Sales
   Note: Take a moment to explore the different rule types with which you can apply
   tags to devices.

3. Click Save.
4. Click Save.

Verify Tagged Devices/Users


EMS will compare these rules with information from endpoints and then apply the associated
tags.
1. Click Zero Trust Tags > Zero Trust Tag Monitor.
Note: If the tags don’t appear, wait 1-2 minutes. You should see Alice’s endpoint machine
tagged with Sales_User_Tag and Trusted_PC_Tag.
Index: 2.4.1 (b)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Enforcing ZTNA Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Enforce ZTNA Firewall Policy


ZTNA tags are pulled and automatically synced with the EMS server. They are converted into
read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.
You will now use the EMS tags to dynamically control access via the firewall policies.

1. From the Lab Activity: Endpoint tab, access FGT-ISFW using the HTTPS option.

Username: admin Password: Fortinet1!


2. Click Policy & Objects > ZTNA > ZTNA Tags.
3. Hover the mouse over Sales_User_Tag.
4. Click View Matched Endpoints.
   Note: Alice’s machine IP address 172.16.10.50 is listed here.
5. Click Policy & Objects > Firewall Policy.
6. Expand the Sales Network (port2) -> EDGE_ISFW Network (port4) section.
7. Select the To Marketing Network policy and click Edit.
8. For IP/MAC Based Access Control, click + and select Sales_User_Tag.
9. Click OK.
   Note: You are giving sales users access to the marketing network.
10. Select the To HR Network firewall policy and click Edit.
11. For IP/MAC Based Access Control, click + and select Trusted_PC_Tag.
12. Click OK.
   Note: You are giving FortiClient-registered users access to the HR network.
Index: 2.4.1 (c)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Verifying Access Control
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify Dynamic Access


Verify Network Access Before Tag Enforcement
Let’s see what access Alice has in the network. To test this, you are simply going to use PuTTY to
establish a connection to hosts in the remote networks.
1. From the web browser, access the Alice machine using the web console.
2. If you have not been logged in automatically, log in as the user alice with password Fortinet1!
3. Open the PuTTY application by double-clicking the PuTTY shortcut on the Desktop.
4. Select HR from the Saved Sessions area, and click the Load button.
5. Click Open.
   Note: Click Yes to accept the SSH key fingerprint. The PuTTY window should open, and you
   should see the login prompt. This tells you that the application was able to reach the
   destination host in the HR network and establish a connection. So Alice has access to the HR
   network.
6. Close the PuTTY windows to end the session.
7. Repeat the above steps for the Marketing and Sales networks.
   Note: You should see that Alice also has access to the Marketing and Sales networks.

Disconnect FortiClient
1. Open the FortiClient console, and click Disconnect.
2. When asked if you are sure you want to disconnect, select Yes.
3. Open PuTTY from the Desktop. Select Sales from the Saved Sessions area, click Load and click
   Open.
   Note: The PuTTY window should open, and you should see the login prompt. This tells you
   that the application was able to reach the destination host in the Sales network and
   establish a connection. So Alice has access to the Sales network, which makes sense as Alice
   is in the Sales AD group.
4. Repeat the steps above for the HR network.
   Note: Although a PuTTY window opens, it does not display the login prompt. This tells us
   that the application no longer has access to the HR network and therefore cannot
   establish a connection. If you remember, the HR policy is for Trusted_PC_Tag, and trusted
   PCs are those that are managed by EMS. So Alice should not be able to access the HR
   network while disconnected from EMS. As you can see, the firewall policies can dynamically
   control access based on the tags that EMS applies to the endpoints. You have also seen that
   these tags can be based on a large number of conditions, providing fine-grained access control
   of the endpoints.
5. Repeat the steps above for the Marketing network.
   Note: Although a PuTTY window opens, it does not display the login prompt. This tells us
   that the application does not have access to the Marketing network and therefore cannot
   establish a connection.

Re-Connect FortiClient

1. Open FortiClient console on Alice’s machine.

2. Click Zero Trust Telemetry

3. Enter EMS IP: 172.16.100.125

4. Click Connect
Index: 2.4.2
Use Case: AntiVirus Compliance
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

AntiVirus Compliance Check

Zero Trust Network Access (ZTNA) is an access control method that uses client device
identification, authentication, and Zero Trust tags to provide role-based application access. It
gives administrators the flexibility to manage network access for On-net local users and Off-net
remote users. Access to applications is granted only after device verification, authenticating the
user’s identity, authorizing the user, and then performing context based posture checks using
Zero Trust tags.

In this use case, you will create an AV compliance check tag through a Zero Trust Tagging rule.
You will then apply the ZTNA tag to a firewall policy and demonstrate the changes in access as the
tags on the endpoint change.

Objectives
- Configure Zero Trust tag and rule
- Enable Malware Protection
- Verify access to corporate assets

Time to Complete
Estimated: 10 minutes
Index: 2.4.2 (a)
Use Case: AntiVirus Compliance
Objective Title: Creating AV Check Zero Trust Tags and Rules
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Configure Zero Trust Tagging Rule


1. From the web browser, access FortiClient EMS using the web console.
2. Click Zero Trust Tags > Zero Trust Tagging Rules.
3. Click Add and use the following information:
   - Name: AV_Enabled
   - Tag: AV_Enabled_Tag (Press Enter to save the tag)
4. Click +Add Rule and use the following information:
   - OS: Windows
   - Rule Type: AntiVirus Software
   - AV Software: AV Software is installed and running
5. Click Save.
6. Click Save.
Index: 2.4.2 (b)
Use Case: AntiVirus Compliance
Objective Title: Enforcing ZTNA Firewall Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Enforce ZTNA Tag on Firewall Policy


As per AcmeCorp’s policy, access to corporate web servers should only be granted to corporate
machines that have antivirus software running.
You will now use the Zero Trust antivirus enabled tag to dynamically control access via the
firewall policy.

Apply Tag to Firewall Policy


1. From the web browser, access FGT-ISFW using the web console.
2. Click Policy & Objects > Firewall Policy.
3. Expand the Sales Network (port2) -> EDGE_ISFW Network (port4) policy section.
4. Select the To Web Server firewall policy and click Edit.
5. For IP/MAC Based Access Control, click + and select AV_Enabled_Tag.
   Note: If you don’t see AV_Enabled_Tag listed, wait 1-2 minutes for EMS to sync the
   new tag with the FortiGate and refresh the browser tab.
6. Click OK.
Stop & Think
Out of the following, what are the different Zero Trust Tagging Rule types supported by
FortiClient EMS? (Select all that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint 1:

In the EMS console, click Compliance Verification > Compliance Verification Rules > + Add > +
Add Rule > Rule Type

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Answer:

All options are correct.

Rule Type: AntiVirus Software
Supported OS: Windows, macOS, Linux
From the AV Software dropdown list, select the desired conditions. You … installed and running
and that the AV signature is up-to-date. You can a… endpoint does not have AV software installed
or running or that the AV … FortiClient AV and third-party AV software that registers to the
Window… Windows Security Center of the status of its signatures. FortiClient que… third party AV
software is installed and if the software reports signature … The endpoint must satisfy all
configured conditions to satisfy this rule. Only FortiClient 6.2.2+ endpoints support this rule
type.

Rule Type: Certificate
Supported OS: Windows, macOS, Linux
In the Subject CN and Issuer CN fields, enter the certificate subject and … that the rule
requires that a certain certificate is not present for the endp… The endpoint must satisfy all
conditions to satisfy this rule. For example … certificate B, and NOT certificate C, then the
endpoint must have both c…

Rule Type: OS Version
Supported OS: Windows, macOS, Linux, iOS, Android
From the OS Version field, select the OS version. If the rule is configure… as satisfying the
rule if it has one of the configured OS versions installe…

Rule Type: Registry Key
Supported OS: Windows
In the Registry Key field, enter the registry key or registry data value. E… to indicate a
registry data value. You can also use the NOT option to in… data value is not present on the
endpoint. The endpoint must satisfy all configured conditions to satisfy this rule. F… key A,
registry key B, and NOT registry key C, then the endpoint must h…

Rule Type: Windows Security
Supported OS: Windows
From the Windows Security dropdown list, select the desired conditions … Defender, Bitlocker
Disk Encryption, Exploit Guard, Application Guard, … NOT option for the rule to require that
the endpoint have Windows Defe… Application Guard, and/or Windows firewall disabled. The
endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+
endpoints support this rule type.

Answer Key:
✔ 1. Certificate
✔ 2. AntiVirus Software
✔ 3. OS Version
✔ 4. Windows Security
✔ 5. Registry Key
Index: 2.4.2 (c)
Use Case: AntiVirus Compliance
Objective Title: Verifying Access to Corporate Assets
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify Access to Corporate Assets

Let’s verify what level of network access Alice’s Windows machine has and how the AV_Enabled
Zero Trust tag modifies it.

Verify Access (Pre-Malware Protection)


1. From the web browser, access Alice machine using the web console.
2. Open Chrome web browser and click Web_Server browser bookmark.
Note: You will find that Alice’s PC doesn’t have access to the corporate web server
because there isn’t any AntiVirus software running on it yet.
3. Close the web browser.

Enable Malware Protection


1. From the web browser, access EMS using the web console.
2. Click Endpoint Profiles > Malware Protection
3. Click Default profile and click Edit
4. Turn ON AntiVirus Protection

5. Click Save
6. Click Zero Trust Tags > Zero Trust Tag Monitor
Note: Alice’s machine should be tagged with AV_Enabled_Tag. If you don’t see the correct
tag information, wait 1-2 minutes while the FortiClient configuration on Alice’s machine is
synced with the EMS server.

Verify Access (Post Malware Protection Enabled)


1. From the web browser, access Alice machine using the web console.
2. Open FortiClient console.
Note: Minimize or close the antivirus scan progress window if a scan is running. Malware
Protection should now show as enabled. The FortiClient console in the lab may look different
from the screenshot shown below because of a different version.
3. Open Chrome web browser and click Web_Server browser bookmark.
4. Ignore the certificate warning. Click Advanced and Proceed to srv01.acmecorp.net.
5. A login page for access to FortiManager server appears.
Note: This shows that Alice’s machine has access to the corporate web server now that
malware protection is enabled.

Disconnect FortiClient
1. From the web browser tab, RDP to Alice machine using the web console.
2. Open FortiClient console from Desktop.
3. Click Zero Trust Telemetry
4. Click Disconnect
5. From the System tray right-bottom corner, click ^ Show Hidden icons
6. Right-click FortiClient icon and click Shutdown FortiClient

NOTE: This is done just to make sure there are no issues with the next lab objectives.
Index: 3.0
Use Case: FortiEDR Endpoint Security
Objective Title: FortiEDR Endpoint Security
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

FortiEDR Endpoint Security

The security team at ACME Corp must enhance its existing endpoint security solution to
prevent malware infections and data loss.
Using FortiEDR, the SOC team will find and remediate possible threats on these new users’
laptops, particularly those working in more secure areas such as accounting and finance,
without impacting critical business services.
This enhanced endpoint protection use case will include the following exercises:

 Overview of backend EDR infrastructure

 Deploying FortiEDR collector on a workstation

 Examining malware missed by first-generation signature-based antivirus

 Configuring pre and post-execution scanning policies

 Event and forensic analysis of malware, PUPs (potentially unwanted programs), and
suspicious programs

 Creating exceptions, generating reports, and archiving events.

Time to Complete: 60 minutes

Note: Clicking the Continue button will upload a configuration file to FortiGate-ISFW.


Index: 3.1
Use Case: Architecture and Deployment
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Before installing FortiEDR collectors on each endpoint, ACMEcorp’s security
administrators must verify that the backend EDR components (core, manager, and
threat repository) are set up correctly and communicating with each other.
Once the FortiEDR backend infrastructure has been verified, the security admins will install
endpoint collectors on workstations, add them to the associated collector groups in
inventory, and then assign the appropriate policies and playbooks.

Objectives
 Overview of backend EDR infrastructure

 Deploy the EDR collector on a victim PC

Time to Complete
Estimated: 10 minutes
Index: 3.1 (a)
Use Case: Architecture and Deployment
Objective Title: Architecture and Overview
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
This objective introduces the FortiEDR solution components required to stop malicious threats.
This exercise provides additional context for future objectives.

The FortiEDR solution has several components, all of which work together to protect endpoints
at scale.

 FortiEDR Collector – a lean collector agent that runs on each endpoint (Microsoft
Windows, OS X, Linux)

 FortiEDR Core – the security policy enforcer; it determines whether an endpoint
connection request is legitimate or should be blocked.

 FortiEDR Aggregator – manages the collection of data from the collectors to the FortiEDR
Central Manager

 FortiEDR Central Manager – the central web server and backend server for viewing
and analyzing events

 FortiEDR Threat Hunter Repository – allows admins to find and delete malware
across any of the devices.

Tasks

1. From the Lab Activity: Endpoint tab, access FortiEDR using the HTTPS option.

User name: admin Password: Fortinet1!

2. Click Dashboard. Locate the System Components widget and note the listed components.

3. Both the Cores and Aggregators must be up and green.


NOTE: The FCS component shows red/down; that is acceptable, because this service requires a
separate license.

If the EDR-Core is down/red, go to Lab Activity Tab, click FortiEDR-Core. Click Power off.
Wait for 1-2 minutes. Click Power on to turn on the VM. Wait for a few minutes for the core
to come back up and check the FortiEDR dashboard again.

Stop and Think


Key questions to ask before installing collector agents on the endpoints in your environment:

1. How are endpoints in an environment best grouped (roles, geography, departments,
etc.), and which groups might need more security controls at the application level?

2. Once an admin establishes security groupings, what types of different program
execution policies might be needed to protect those endpoints from known malicious
content and vulnerable applications?
Index: 3.1 (b)
Use Case: Architecture and Deployment
Objective Title: Deployment
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

Endpoint Collector Deployment


1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.

Username: ACMECORP/alice Password: Fortinet1!

2. Open the install folder on the desktop and click FortiEDRCollectorInstaller.

3. Go through the install wizard. Use the default settings and click Next.

4. Leave the path set to the default, c:\program files\Fortinet\FortiEDR, and click Next.

5. Use the following collector configuration and click Install:

 Aggregator Address: 172.16.100.133

 Port: 8081

 Registration password: Fortinet1!

6. Click Yes
7. Click Close

Confirm Successful Registration


1. From the web browser, access FortiEDR using the web console.

2. Click the Dashboard > Collectors

Note the green bar in the upper right corner, indicating that the collector is running properly
on the Windows 2016 (Alice) victim machine. If the collector does not show in the
green/running state, wait 2-3 minutes for the collector and the FortiEDR
Aggregator/Manager to synchronize.
3. Click Inventory > Collectors to show all collectors

Note: To avoid changing menus, one could click on the green dashboard “running” bar
instead.

4. Make sure that the newly added endpoint (Alice) has:

 been appropriately added to the Default Collector Group, and

 a state of “running” (in green)

Note: If the collector does not show in the green/running state, wait 2-3 minutes for
the collector and the FortiEDR Aggregator/Manager to synchronize.
5. Click Security Settings > Security Events > Security Policies.

Note: All policies are in simulation mode by default. Simulation mode only alerts on malicious
activity and does not block it. Keep these settings for the next malware analysis exercise.

Note: A policy is always in either simulation or prevention mode. However, the rules under
each policy can be disabled on a case-by-case basis.

6. Once a policy is selected, the Default Collector group will show up on the right-hand side, as
shown below.

7. Click Communications Control > Policies and do the following:

 Default Communication Control Policy: Checkmark

 Toggle FORTINET Policy: Prevention (green)


 Click Set to Prevention

8. On the right-hand side of the Policies Settings page, check that the collectors (which include
the Alice victim PC) in the Default Collector Group are assigned to the Default
Communication Control Policy.

Success
Now that the Alice victim PC has a FortiEDR collector installed and has been added to the correct
collector groups, FortiEDR can detect malicious software running on the machine.

Stop and Think


How might the following endpoint collector group categories work in an enterprise
environment?

 Default collector group (default group for newly installed collectors)

 High-security collector group (used by EDR playbooks to isolate infected systems for
forensic analysis)

 Working groups (temporarily in simulation mode during early deployment)

 Simulation group (used for troubleshooting, for a short period)

Question:

A user calls the help desk and cannot print. What can be done by the help desk to see if
FortiEDR is impacting the printing process?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint

The user needs to be put in a group that does not restrict them but simulates the restrictions, so
that the help desk can look at what events are being generated.
This will help determine which Communication Control rule might be blocking the print job.
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

Simulation (Notification Only): FortiEDR only issues an alert for connections that violate a
rule in a FortiEDR security policy. In simulation mode, FortiEDR does not block
communications. FortiEDR comes pre-configured in simulation mode, which can be used for
troubleshooting but provides no protection until it is switched to prevention mode.

Answer Key:
✔ 1. Simulation group
✘ 2. High security group
✘ 3. Printing security group
Index: 3.2
Use Case: Advanced Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

ACMEcorp’s security admins must reduce their attack surface by stopping advanced
malware and virtually patching healthcare and point of sale workstations until the next
scheduled maintenance.
Because threat actors target users with custom malware, ACMEcorp’s endpoint
protection solution must detect malware without relying only on legacy signature-based
solutions that depend on hashes, as would be the case with first-generation endpoint
products. ACMEcorp must also defuse critical vulnerabilities in older and unpatched
workstations in a way that does not disrupt business continuity.
Security admins at ACMEcorp would like to stop all advanced malware from initially
executing on endpoint clients. For the files allowed to run, the ACMEcorp security team
would like to inspect, record, and block malicious behaviors.

Objectives

 Analyze modified malware

 Create pre-execution security policies

 Virtually patch low-reputation and vulnerable applications

 Create data exfiltration security policies to protect against ransomware.

Time to Complete
Estimated: 25 minutes
Index: 3.2 (a)
Use Case: Advanced Protection
Objective Title: Malware Analysis
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

Because threat actors target executives with custom malware, ACMEcorp’s endpoint protection
solution must detect malware without relying only on legacy signature-based solutions that
depend on hashes, as would be the case with first-generation endpoint products.

Tasks

To demonstrate how FortiEDR’s pre- and post-execution rules detect modified malware, we will
append characters to a known malicious file to change its hash, then confirm that the modified
file is no longer detected by ClamWin (a first-generation open-source antivirus tool) or
VirusTotal (a cloud-based multi-engine scanning service).

After modifying the executable, we will use PE Studio to find suspicious artifacts and compare
the modified executable (with its new hash, due to the appended string) to the original
malware.

1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.

2. On Alice Desktop, open Windows command prompt (CMD).

3. Right-click, copy the following command from here and paste it in the Alice’s CMD:

cd c:\Program Files (x86)\clamwin\bin

4. Next, enter the following command:

Sigtool.exe --sha1 c:\reports\tpsreport.exe > c:\programdata\.clamwin\db\tpsreport.hdb


Note: sigtool.exe is included with ClamWin. It creates a hash-based ClamAV signature (SHA1
hash, file size and name) for the known malicious file. Because both the hash and the size are
part of the signature, any byte added to the file defeats it.

5. Next, enter the following command to scan the directory using the newly generated
signature:

Clamscan.exe --database="c:\programdata\.clamwin\db\tpsreport.hdb" c:\reports

6. Type the following command to examine the SHA1 hash of the file using certutil (SHA1 is
certutil’s default algorithm):

certutil -hashfile c:\reports\tpsreport.exe

7. Enter the following command to change directory to c:\reports:

cd c:\reports

8. Now make a copy of TPSreport.exe file entering the following command:

copy TPSreport.exe TPSreport-fasttrack.exe

9. Append the string “fasttrack” to the newly named file by entering the following command:

echo "fasttrack" >> TPSreport-fasttrack.exe


10. Enter the following two commands and note the different SHA1 hash:

certutil -hashfile TPSreport.exe

certutil -hashfile TPSreport-fasttrack.exe

11. The modified file is no longer recognized by ClamAV, as the following commands show:

cd c:\Program Files (x86)\clamwin\bin

Clamscan.exe --database="c:\programdata\.clamwin\db\tpsreport.hdb" c:\reports

12. Open Frhed (a hex editor located on the Alice victim machine desktop).
13. Click File > Open

14. Open the file c:\reports\TPSreport-fasttrack.exe. Scroll to the end and note the "fasttrack"
string at the very end of the file.

Note: A simple modification like this might not thwart all commercial scanners, since many also
use non-signature-based detection such as file heuristics or static analysis. The next steps
demonstrate how one might look inside a file to find questionable components.
15. On Alice Desktop, right-click PE Studio icon and Run as administrator. Click Run

16. Click File > Open and enter in c:\reports\TPSreport-fasttrack.exe


Note: Wait about a minute for PE Studio to inspect the code and find the malicious artifacts.
After some time, items in the left panel will turn red.

17. Click Indicators on the left and note the blacklisted items inside the file (levels 1,2,3)

18. Click Imports on the left panel. Click blacklist column heading to sort items and note the
blacklisted items (x).
19. Click strings on the left panel. Click blacklist column heading to sort items and note the
blacklisted strings (x).

Note: Simply appending a few characters to the end of the file may evade some of the
signature-based antivirus engines registered with VirusTotal, even though PE Studio
clearly shows that the file has malicious-looking components inside.

Note: If PE Studio is slow to connect to VirusTotal, search for the hashes manually on the
website (www.virustotal.com). PE Studio depends on open access to the free VirusTotal
service, which sometimes times out under heavy use.
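The procedure above hashes a file before and after appending a string. The Python below, added here as an illustration and not part of the Fortinet lab, ClamWin or PE Studio, shows the mechanics on a constructed, non-executable PE32 layout: the hash-plus-size signature (the shape sigtool prints) breaks, a hash over the mapped image alone does not, the appended bytes show up as an overlay after the last section, and a PE Studio-style blacklist of imported API names still fires. The section names, the blacklist and the emulation of `echo "fasttrack" >> file` are assumptions.

```python
"""Why appending bytes defeats a hash signature but not structural indicators.

Added example, not Fortinet or ClamAV code. Builds a constructed PE32 layout
in memory (not runnable as a program), signs it the way a hash-based
signature does (hash plus size), appends a string as `echo >> file` would,
and shows what each kind of check still sees. Header offsets follow the
PE/COFF specification; section names and the blacklist are assumptions.
"""
import hashlib
import struct

FILE_ALIGN = 0x200                      # assumed file alignment
SUSPICIOUS_IMPORTS = (b"VirtualAlloc", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"IsDebuggerPresent")


def _round_up(n, align):
    return (n + align - 1) // align * align


def build_sample_pe(section_payloads):
    """Synthetic PE32 file with one section per payload (constructed test
    data). Only the fields pe_image_end() reads carry meaningful values."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\x00")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    nsections, size_opt = len(section_payloads), 0xE0    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    headers_end = e_lfanew + 4 + len(coff) + size_opt + 40 * nsections
    raw_ptr = first_raw = _round_up(headers_end, FILE_ALIGN)
    table, body = b"", b""
    for i, payload in enumerate(section_payloads):
        raw_size = _round_up(len(payload), FILE_ALIGN)
        name = (".sec%d" % i).encode().ljust(8, b"\x00")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # then 16 zero bytes (reloc/linenumber fields, Characteristics).
        table += struct.pack("<8sIIII", name, len(payload), 0x1000 * (i + 1),
                             raw_size, raw_ptr) + b"\x00" * 16
        body += payload.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table
    return header.ljust(first_raw, b"\x00") + body


def pe_image_end(data):
    """Offset just past the last section's raw data per the section table.
    Bytes after it are overlay: the loader never maps them."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def split_overlay(data):
    """(mapped image bytes, overlay bytes)."""
    end = pe_image_end(data)
    return data[:end], data[end:]


def hash_signature(data, name="Win.Test.TPSReport"):
    """Whole-file signature in the hash:size:name shape sigtool prints."""
    return "%s:%d:%s" % (hashlib.sha1(data).hexdigest(), len(data), name)


def image_sha1(data):
    """SHA1 over the mapped image only; any overlay is ignored."""
    return hashlib.sha1(split_overlay(data)[0]).hexdigest()


def suspicious_imports(data):
    """Blacklisted API names present in the file (an import/strings blacklist)."""
    return sorted(s.decode() for s in SUSPICIOUS_IMPORTS if s in data)


def append_string(data, text="fasttrack"):
    """Roughly what `echo "fasttrack" >> file` does in CMD: quoted text plus CRLF."""
    return data + b'"' + text.encode() + b'"\r\n'


# Constructed sample: a code-like section naming injection APIs plus a data
# section. ORIGINAL stands in for tpsreport.exe, MODIFIED for the appended copy.
ORIGINAL = build_sample_pe([
    b"\x55\x8b\xec" + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00",
    b"C:\\reports\\*.docx\x00",
])
MODIFIED = append_string(ORIGINAL)


def compare(original, modified):
    """What a hash signature, an image hash and an import blacklist each see."""
    return {
        "hash_signature_still_matches": hash_signature(original) == hash_signature(modified),
        "image_sha1_still_matches": image_sha1(original) == image_sha1(modified),
        "overlay": split_overlay(modified)[1],
        "suspicious_imports": suspicious_imports(modified),
    }


if __name__ == "__main__":
    for key, value in compare(ORIGINAL, MODIFIED).items():
        print("%-30s %r" % (key, value))
```

Run it and the whole-file signature no longer matches while the image hash and the blacklisted imports are unchanged; the non-empty overlay is itself an indicator worth alerting on, since legitimate installers rarely carry a few bytes of trailing text.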
Stop and Think
In your environment, ask yourself two key questions:

 What defenses are in place if threat actors sent your company’s executives custom
made malware?

 Which lines of defense (firewalls, secure email gateways, desktop AV) might depend on
signature-based protection in detecting malware?

The limitations of signature-based solutions compel security admins to think more carefully
about pre- and post-execution policies on protected endpoints. Using FortiEDR, we can prevent
malicious files from executing, or allow them to execute while recording and blocking their
interaction with operating system files.

Question:

Which of the following artifacts might be helpful when initially analyzing malware with a tool
like PE Studio (choose all that apply)?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint 1

Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.

----------------------- Answer Section -----------------------

Answer: checkbox
Answer Text:

Answer

Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.

Answer Key:
✔ 1. suspicious patterns
✔ 2. unexpected metadata
✔ 3. anomalies
Index: 3.2 (b)
Use Case: Advanced Protection
Objective Title: Pre-Exec Protection
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

Security admins at ACMEcorp would like to stop all malware from initially executing on
endpoint clients. The following steps will create a pre-execution security policy that prevents
malware from damaging a computer.
Rules included in this policy include:

 Detecting malicious files

 Privilege escalation exploit detection

 Suspicious drivers

 Suspicious file detection

 Suspicious script execution

 Unconfirmed file detection

Tasks

Create a Pre-Execution Security Policy


1. From the web browser, access FortiEDR using the web console.

2. In FortiEDR, click Security Settings > Security Events > Security Policies and toggle all
policies to Prevention mode (simulation mode was used only for testing in the
previous exercise).
Note: All Execution Prevention rules are set to Block (except for those grayed out).

3. On the right-hand side, note that Default Collector Group is in the Execution Prevention
policy

4. From the web browser, access Alice machine using the web console and open Explorer

5. In Explorer, open c:\reports\, right-click TPSreport-fasttrack.exe and select Run as
administrator. FortiEDR blocks it and prevents it from running.
Note: You might see a ‘Little Encrypt Bitcoin’ pop-up depending on the stage at which FortiEDR
blocked it, but the execution is successfully blocked.

6. Close all popups (if applicable).

7. From the web browser, access FortiEDR using the web console.

8. Click Event Viewer and confirm that FortiEDR labeled the event as malicious or suspicious
and stopped the files from being renamed.

Note: Your classifications may be slightly different, as FortiEDR sometimes needs additional
context to label a file as malicious or suspicious. Depending on how far the program was
allowed to run (or re-run), there may be multiple events for one program.

9. In the Classification Details pane, view the Triggered Rules: Execution Prevention

10. Expand Advanced Data to view the Event Graph for detailed information on the process
and how FortiEDR blocked it.

Stop and Think


How might FortiEDR pre-execution rules better protect users than legacy signature-based
antivirus solutions or sandbox solutions that first detonate malware in a virtual machine?

Question:

How might malware creators ensure that their files remain undetected in some VM sandboxed
environments?
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint

Malware creators look for the following clues that their software is being run in a virtualized
environment and not by their targeted users:

 MAC OUI

 Low CPU count / low RAM

 Screen resolution

 Recent file count, desktop file count

 Few applications, active windows, or processes

 Malware researcher tools

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Answer

ALL are correct

Answer Key:
✔ 1. MAC OUI known hypervisors (VMware etc)
✔ 2. Low CPU core count / low RAM
✔ 3. Screen resolution
✔ 4. Recent file count / Desktop file count
✔ 5. Few applications, active windows, or processes
✔ 6. Check for malware researcher tools (wireshark, procmon, sysmon, python.exe, etc)
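As an added illustration of the six clues in the answer above (not Fortinet code), the following Python scores a host profile, supplied as a constructed dict rather than read from the running machine, and reports which attributes would lead evasive malware to conclude it is inside an analysis VM. The OUI table, the tool list and the thresholds are assumptions; a sandbox operator uses the same checks in reverse to make the analysis VM look like a real user’s workstation.

```python
"""Which host attributes give an analysis VM away.

Added example, not Fortinet code. Scores the six sandbox-detection clues from
the quiz against a host profile passed in as a plain dict. Nothing is read
from the live machine: both profiles below are constructed, and the OUI
table, tool list and thresholds are illustrative assumptions.
"""

# First three octets of MAC addresses assigned to common hypervisors.
HYPERVISOR_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "00:1c:14": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM", "00:1c:42": "Parallels",
}
RESEARCH_TOOLS = {
    "wireshark.exe", "procmon.exe", "procmon64.exe", "sysmon.exe", "sysmon64.exe",
    "python.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "idaq.exe",
    "idaq64.exe", "pestudio.exe", "procexp.exe", "procexp64.exe", "fiddler.exe",
}
COMMON_RESOLUTIONS = {(1920, 1080), (1366, 768), (1536, 864), (1440, 900),
                      (1600, 900), (2560, 1440), (1280, 720)}


def mac_oui(mac):
    """Normalize 'AA-BB-CC-..' or 'aa:bb:cc:..' to 'aa:bb:cc'."""
    return mac.lower().replace("-", ":")[:8]


def evaluate(profile):
    """Return [(check, triggered, detail)] for the six clues."""
    vendors = sorted({HYPERVISOR_OUIS[mac_oui(m)] for m in profile["macs"]
                      if mac_oui(m) in HYPERVISOR_OUIS})
    cpus, ram = profile["cpu_count"], profile["ram_gb"]
    w, h = profile["resolution"]
    recent, desktop = profile["recent_files"], profile["desktop_files"]
    procs = profile["processes"]
    tools = sorted({p.lower() for p in procs} & RESEARCH_TOOLS)
    return [
        ("mac_oui", bool(vendors), ", ".join(vendors) or "no hypervisor OUI"),
        ("low_resources", cpus < 2 or ram < 4, "%d vCPU, %d GB RAM" % (cpus, ram)),
        ("odd_resolution", (w, h) not in COMMON_RESOLUTIONS, "%dx%d" % (w, h)),
        ("sparse_files", recent < 10 or desktop < 3,
         "%d recent, %d on desktop" % (recent, desktop)),
        ("few_processes", len(procs) < 40, "%d processes" % len(procs)),
        ("research_tools", bool(tools), ", ".join(tools) or "none"),
    ]


def looks_like_sandbox(profile, threshold=3):
    """(verdict, triggered checks). Evasive samples typically refuse to run
    once a few clues line up; `threshold` is an assumed cut-off."""
    hits = [name for name, triggered, _ in evaluate(profile) if triggered]
    return len(hits) >= threshold, hits


# Constructed profiles: a default analysis VM and a typical user workstation.
ANALYSIS_VM = {
    "macs": ["00:0C:29:3A:11:F2"],
    "cpu_count": 1, "ram_gb": 2, "resolution": (1024, 768),
    "recent_files": 2, "desktop_files": 1,
    "processes": ["explorer.exe", "wireshark.exe", "Procmon64.exe", "python.exe"],
}
USER_WORKSTATION = {
    "macs": ["3C:52:82:1A:2B:3C"],
    "cpu_count": 8, "ram_gb": 16, "resolution": (1920, 1080),
    "recent_files": 120, "desktop_files": 25,
    "processes": ["explorer.exe", "outlook.exe", "teams.exe", "chrome.exe",
                  "onedrive.exe"] + ["svchost.exe"] * 45,
}

if __name__ == "__main__":
    for label, profile in (("analysis VM", ANALYSIS_VM), ("workstation", USER_WORKSTATION)):
        verdict, hits = looks_like_sandbox(profile)
        print("%-12s sandbox=%s  %s" % (label, verdict, ", ".join(hits) or "-"))
        for name, triggered, detail in evaluate(profile):
            print("    %-16s %-5s %s" % (name, triggered, detail))
```

The default analysis VM trips all six checks; the workstation trips none. Each line in the first report is something the sandbox operator can change (a non-hypervisor MAC, more vCPUs and RAM, a common resolution, seeded documents and recent files, and research tools renamed or moved off the detonation host) so that the same sample detonates and the post-execution rules get something to observe.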
Index: 3.3
Use Case: Events, Forensics, and Reports
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

PUPs (potentially unwanted programs) pose potential problems to security-conscious
organizations.
Acme Corp admins will use FortiEDR to inspect raw events and gather more information
on how PUPs communicate with local files and remote hosts. This information will
then help analyze and classify potentially malicious events.
Once Acme Corp’s security admins make a decision, they will generate reports that
document their choices and, in some cases, create exceptions for executables, which
allow certain processes to execute without generating future events.

Objectives

 Install PUPs on a victim machine.

 Analyze events generated by installed programs

 Forensically analyze what executed programs have done

 Create exceptions, generate reports, and archive handled events.

Time to Complete
Estimated: 25 minutes
Index: 3.3 (a)
Use Case: Events, Forensics, and Reports
Objective Title: PUPs and Suspicious Files
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

The files in this exercise are not technically malware, but they may pose some risk to
security-conscious enterprises, as they may communicate with servers in other countries or
serve as a platform for other potentially unwanted programs.

1. From the web browser, access Alice machine using the web console.

2. Open the install folder on the desktop. Right-click on the BitTorrent.exe file and install as
administrator with default options.

3. An Access is denied pop-up appears. An “execution blocked” popup may also appear in the
lower right corner of the screen. Close it by clicking the Got It button.

Note: The EDR block pop-up in your lab might be different from screenshot below.

4. In the same install folder, right click on the TeamViewer_Setup.exe and install as
administrator. Select default installation.
5. FortiEDR will not allow the installation, and a popup appears in the bottom right corner.
Click OK on the popup and close the installer.
Note: When you close the installer, you may see another error message saying
“TeamViewer service could not be started. Installation will be continued.” If more FortiEDR
popups appear, click Got It as before to close them.

6. In the same install folder on the desktop, right-click and install (as administrator) the
SteamSetup.exe file.

7. Run through the install wizard screens:

 Welcome screen

 Language: English
 Install location: c:\program files\steam

8. Close the popup from FortiEDR by clicking on the Got It message, and the Finish button on
the steam wizard. Close any other error dialogue boxes that pop up.

Note: We will not be doing anything with these programs on Alice. The rest of this lab
will be examining the event logs generated by these programs.

Stop and Think

Question:

Which of the following tools would not be appropriate for ordinary users in enterprise environments?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:
Hint

ALL of the tools below are generally considered questionable for most enterprise users
(excluding appropriate IT and security employees)

 Netcat

 Wireshark

 Nmap

 Nessus

 IRC

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer

ALL of the tools below are generally considered questionable for most enterprise users
(excluding appropriate IT and security employees)

Answer Key:
✔ 1. nc (netcat)
✔ 2. wireshark
✔ 3. nmap
✔ 4. nessus
✔ 5. irc
Index: 3.3 (b)
Use Case: Events, Forensics, and Reports
Objective Title: Event Analysis
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. From the web browser, access FortiEDR using the web console.

2. Click the Event Viewer module at the top of the screen.

3. Click each of the alerts associated with the programs run earlier and note the Device on
which the event was detected.

Note: Your classifications may be slightly different from those below, as FortiEDR sometimes
needs additional context to label a file as PUP, malicious or suspicious. Depending on how far
the installation program was allowed to run (or re-run), there may be multiple events for one
program as well.

4. Find and click the endpoint device (Alice) to see the alerts associated with it.

 SteamService classified as PUP


 Team Viewer was classified as a PUP
 Bit Torrent was classified as Malicious

5. Click the TeamViewer_Service.exe event.

 On the right side of the EDR GUI, in the CLASSIFICATION DETAILS pane, click the triangle
( ) in the Triggered Rules window next to Exfiltration Prevention to expand it for
more details.

Note: The Exfiltration Prevention engine triggered the Exfiltration Prevention – PUP
(Potentially Unwanted Program) rule for the TeamViewer installer, a class of tool often
associated with MITRE techniques such as Credential Dumping and Input Capture.

FortiEDR indicates the rule that triggered an event along with detailed information about
the rule (description of the rule, MITRE techniques and possible remediation steps). This
information helps bridge knowledge gaps and helps SOC admins quickly remediate and
resolve issues.

6. At the bottom left corner of the screen, click the triangle ( ) in the ADVANCED DATA pane
to expand for an Event Graph data related to the highlighted event.

This graph shows the point at which FortiEDR blocked the TeamViewer process and all the
steps leading up to it. This event in particular included:
 ProcessExplorer.exe created the process TeamViewer_Setup.exe
 TeamViewer_Setup.exe created the process ProcessTeamViewer.exe
 ProcessTeamViewer.exe created the process ProcessTeamViewer.exe (again)
 ProcessTeamViewer.exe created the process ProcessTeamViewer_Service.exe
 FortiEDR blocked the process

7. Repeat these same steps for the other malicious and PUP events generated by BitTorrent
and Steam.

Steam: (In the Event Viewer, look for an alert that triggered Steam event)

BitTorrent: (In the Event Viewer, look for an alert that triggered BitTorrent event)
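The Event Graph above is a process chain reconstructed from raw events. The Python below, an added example that is not FortiEDR code and does not use its event format, rebuilds such a chain from constructed raw events that mirror the TeamViewer sequence, and handles the one pitfall a naive pid-to-parent lookup gets wrong: PID reuse, where an earlier, unrelated process that happened to have the same PID would otherwise be spliced into the chain. Event fields, timestamps and process names are assumptions.

```python
"""Rebuild the process chain behind a blocked event from raw EDR events.

Added example, not FortiEDR code or its event format. The raw events are
constructed to mirror the TeamViewer chain (explorer -> setup -> TeamViewer
-> TeamViewer -> service -> block) plus one earlier process that exited and
whose PID was reused. Parents are resolved as "most recent creation of that
pid at or before the child's creation time", which keeps PID reuse from
splicing the wrong process into the chain.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RawEvent:
    event_id: int
    ts: int        # seconds on a constructed clock
    kind: str      # "process_create" or "block"
    pid: int       # created process, or the blocked process for "block"
    ppid: int      # parent pid (unused for "block")
    image: str
    detail: str = ""


EVENTS = [
    RawEvent(1, 50,  "process_create", 1000, 900,  "explorer.exe"),
    RawEvent(2, 100, "process_create", 2000, 1000, "notepad.exe"),  # exited; PID 2000 reused
    RawEvent(3, 200, "process_create", 2000, 1000, "TeamViewer_Setup.exe"),
    RawEvent(4, 201, "process_create", 2100, 2000, "TeamViewer.exe"),
    RawEvent(5, 202, "process_create", 2200, 2100, "TeamViewer.exe"),
    RawEvent(6, 203, "process_create", 2300, 2200, "TeamViewer_Service.exe"),
    RawEvent(7, 203, "block",          2300, 0,    "TeamViewer_Service.exe",
             "Exfiltration Prevention - PUP"),
]


def index_creations(events):
    """pid -> creations of that pid, oldest first (a pid can be created
    several times over a capture window)."""
    by_pid = defaultdict(list)
    for e in events:
        if e.kind == "process_create":
            by_pid[e.pid].append(e)
    for creations in by_pid.values():
        creations.sort(key=lambda e: e.ts)
    return by_pid


def creation_before(by_pid, pid, ts):
    """Most recent creation of `pid` at or before `ts`, or None if the
    capture never saw it (the chain runs off the start of the log)."""
    candidates = [e for e in by_pid.get(pid, []) if e.ts <= ts]
    return candidates[-1] if candidates else None


def ancestry(events, pid, ts, max_depth=64):
    """Images from the root ancestor down to `pid` as it existed at `ts`.
    `max_depth` guards against malformed data where a process is its own parent."""
    by_pid = index_creations(events)
    chain = []
    cur = creation_before(by_pid, pid, ts)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = creation_before(by_pid, cur.ppid, cur.ts)
    chain.reverse()
    return chain


def blocked_chains(events):
    """event_id of each block -> the process chain that led to it."""
    return {e.event_id: ancestry(events, e.pid, e.ts)
            for e in events if e.kind == "block"}


if __name__ == "__main__":
    for event_id, chain in blocked_chains(EVENTS).items():
        print("block event %d: %s" % (event_id, " -> ".join(chain)))
```

Without the timestamp check, a map keyed on pid alone would either keep notepad.exe (first writer wins) and report a nonsense chain, or silently depend on event ordering. Checking that the parent was created no later than the child is the same sanity check worth applying when reading any vendor’s event graph by hand.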

Stop & Think

Events in FortiEDR can be organized by either processes or devices, depending on which view is
selected. When might each view help investigate security events?

(Note: Some events may not need immediate attention, yet a SOC admin might click them to
get more information before moving on to another event. This can lead to a mixture of read
and unread events within the Event Viewer. Clicking the filter at the top of the list ( ) allows
you to hide some events, including Read events.

If multiple admins use the system, the read/unread status is local to the individual admin
and not system-wide. The upcoming objective will demonstrate how to use the Handled and
Archive statuses, which are system-wide flags.)

Question: When does an Alert or Device change its status from Unread to Read? (Pick one)
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. Once any event within the alert has been read
✔ 2. Once all events within the alert have been read
✘ 3. When the alert has been flagged as Handled
✘ 4. After you exit from the FortiEDR Manager GUI
Index: 3.3 (c)
Use Case: Events, Forensics, and Reports
Objective Title: Forensics
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. From the web browser, access FortiEDR using the web console.
2. Click Event Viewer.
3. Click an event that triggered a PUP classification in your lab environment.
4. In the example below, it is SteamService.exe. In your lab the results might vary and a
different program could have been classified as a PUP, for example teamviewer.exe.
Note: Your classifications may be slightly different, as FortiEDR sometimes needs additional
context to label a file as PUP, malicious or suspicious. Depending on how far the
installation program was allowed to run (or re-run), there may be multiple events for one
program as well.
5. Click the triangle ( ) for that event to open the Raw Event Details screen. In this
example, the Steam (SteamService.exe) event.

6. This new view lists the raw events, each with its unique ID.
7. At the bottom of the screen, click the triangle ( ) to expand the ADVANCED DATA pane,
which shows in the Event Graph how FortiEDR blocked multiple events and the service.
8. Click the back button ( ) to return to the Events List.
9. Click the checkbox ( ) for the Steam event and then click the Forensics button.

Note: You will be in the Flow Analyzer view, similar to the Event Graph available from the
Event Viewer tool.

10. Click the Stacks View icon ( ) in the upper right corner of the screen.

Note: There is a lot of detailed information about the event available here in Forensics
under the Stacks View. Each of the steps leading up to the event is listed and can be
clicked.
Start with the first PARENT PROCESS CREATION step and work your way to the right.
Pieces of useful information to determine whether the event is safe or malicious include:

 Source Process

 Company

 Target

 Executable File Name

 Certificate

 Hash

Note: The events in your lab might differ from the screenshot above depending on how long
the process ran before FortiEDR blocked it. In the last raw event, you will notice the red
dot ( ) on the top line for the Steam executable file. This dot indicates where the rule was
violated that created the event.

11. On the far right, click the three vertical dots icon ( ) next to the violating process's hash.

12. Select VirusTotal

13. This opens a new browser tab on the VirusTotal website for the entry matching the hash.
Note: VirusTotal does not provide a definitive answer regarding the safety of a hash.
However, it is a reputable source that helps make an educated decision when used with
additional context.
14. Close the VirusTotal browser tab.
15. Return to the Event Viewer by clicking the tab at the top of the screen.

Stop & Think

Question: You have loaded an event to the Forensics tab and now want to add another event
for comparison. What is the best way to do this? Feel free to try this in your environment.
Hint – As part of the process, look for this icon

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. You can only view one event at a time in the Forensics tab
✔ 2. Go to the Event Viewer tab, select the second event and click the Forensics button to
load it into the Forensics tab
✘ 3. Go to the Event View tab and choose both events then click the Forensics tab
✘ 4. Click Add in the Forensics tab
Index: 3.3 (d)
Use Case: Events, Forensics, and Reports
Objective Title: Exceptions, Reports, and Archiving
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

Generate Reports

1. On the Event Viewer page, find and click the alert for device Alice.
2. Click the checkbox on the left for the Steam event
3. At the top of the screen, choose the Export pull-down menu and select PDF

Note: In the above example, only the events in view are exported to PDF. In many
environments, auditors may require PDF exports of all events, including archived ones.
4. A pop-up window will display on the screen showing the report being generated. Once it is
finished being developed, click the Download link to save a copy of the report.

5. At the bottom of the browser, click the saved PDF file to preview the report.
6. In the report, we have the most pertinent information about the event, including the ID,
which can be used to help locate the event later if we ever need to review it again:
 ID

 Device

 Process

 Classification

 Destinations

 Received

 Action

 Policies and Rules


7. Close the browser tab for the report to return to the FortiEDR interface.
8. Click the Close button to close the pop-up window

Create Security Event Exception

Exceptions enable you to limit the enforcement of a rule, that is, to allow-list a specific flow of
security events that was used to establish a connection request or perform a specific
operation.

FortiEDR exception management is highly flexible and provides various options that enable you
to define pinpointed, granular exceptions. Keep each exception as narrow as the case requires
(a specific path, destination and collector group) rather than exempting all of them, since an
over-broad exception silences future events for that process wherever it runs.
1. In the Event Viewer tab, click the Steam event so that it expands, and you can see the User,
Certificate, full Process Path, and the number of Raw data items.

2. Click the Create Exception icon ( ) to the left of the User field.
3. In the pop-up window, create the new exception with the following values, then click the
Create Exception button.
• All groups
• All destinations
• All users
• Expand PUP and select Current Path

4. Click Close.
5. Click the Steam event again and click the Handle Event button at the top of the screen.

6. A pop-up window will display. Set the following fields and click the Save and Handled
button.
• Set the Classification to Safe
• Check the Archive When Handled checkbox

7. The archived event now disappears from the Events List.

Stop & Think


Question: What is the best practice for creating exceptions?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. Apply exception to as many paths or destinations as possible, but make sure they cover
as few users as possible
✘ 2. Always file a ticket with Fortinet before creating an exception
✔ 3. Apply exceptions to a minimal number of destinations and paths
✘ 4. Create exceptions for as many events as possible to prevent productivity inhibitors
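To make the best-practice answer concrete, here is an added example (not FortiEDR code, and not the product's actual matching engine) that models how an exception scoped by group, destination, user and process path decides which security events are suppressed. The matching semantics, the `ExceptionRule` and `SecurityEvent` types, and the sample events are all assumptions constructed for illustration. It compares the exception built in the procedure above (all groups, all destinations, all users, PUP, Current Path only) with a broader one that drops the path constraint, and counts how many distinct flows each would silence.

```python
"""Model of how scoped exceptions suppress security events.

Added example, not FortiEDR code: the matching semantics below are an
assumption used to illustrate why narrow exceptions are preferred. Every
event and exception value here is constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL = None  # a scope field of None means "all" (the lab's "All groups" etc.)


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    device: str
    group: str
    user: str
    process_path: str
    destination: str
    classification: str  # e.g. "PUP" or "Malicious"


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    classification: str  # rule family the exception applies to
    groups: Optional[FrozenSet[str]] = ALL
    destinations: Optional[FrozenSet[str]] = ALL
    users: Optional[FrozenSet[str]] = ALL
    process_path: Optional[str] = ALL  # "Current Path" in the lab = exact path


def _in_scope(scope: Optional[FrozenSet[str]], value: str) -> bool:
    return scope is ALL or value in scope


def matches(rule: ExceptionRule, ev: SecurityEvent) -> bool:
    """True when every scope dimension of the exception covers the event."""
    path_ok = (rule.process_path is ALL
               or rule.process_path.lower() == ev.process_path.lower())  # Windows paths: case-insensitive
    return (rule.classification == ev.classification
            and _in_scope(rule.groups, ev.group)
            and _in_scope(rule.destinations, ev.destination)
            and _in_scope(rule.users, ev.user)
            and path_ok)


def enforce(events: List[SecurityEvent],
            rules: List[ExceptionRule]) -> Tuple[List[int], List[int]]:
    """Split events into (enforced ids, suppressed ids) given the active exceptions."""
    enforced, suppressed = [], []
    for ev in events:
        (suppressed if any(matches(r, ev) for r in rules) else enforced).append(ev.event_id)
    return enforced, suppressed


def blast_radius(rule: ExceptionRule, events: List[SecurityEvent]) -> int:
    """Number of distinct (device, path, destination) flows the exception would silence."""
    return len({(e.device, e.process_path, e.destination) for e in events if matches(rule, e)})


# Constructed sample events (placeholder IPs from documentation ranges, not real tenants)
STEAM_PATH = r"C:\Program Files (x86)\Steam\steam.exe"
EVENTS = [
    SecurityEvent(1001, "Alice", "Workstations", "alice", STEAM_PATH, "203.0.113.10:27015", "PUP"),
    SecurityEvent(1002, "Alice", "Workstations", "alice",
                  r"C:\Users\alice\Downloads\updater.exe", "198.51.100.5:443", "PUP"),
    SecurityEvent(1003, "Bob", "Workstations", "bob", STEAM_PATH, "203.0.113.10:27015", "PUP"),
    SecurityEvent(1004, "Bob", "Servers", "svc-backup", r"C:\Temp\tool.exe", "192.0.2.9:8080", "Malicious"),
]

# The exception built in the lab: all groups/destinations/users, PUP, current path only.
LAB_EXCEPTION = ExceptionRule("steam-pup-current-path", "PUP", process_path=STEAM_PATH)
# Narrower still: same path, but only for Alice's user account.
NARROW_EXCEPTION = ExceptionRule("steam-pup-alice", "PUP",
                                 users=frozenset({"alice"}), process_path=STEAM_PATH)
# Broad alternative: every PUP event, regardless of path (what the wrong answers amount to).
BROAD_EXCEPTION = ExceptionRule("all-pup", "PUP")


if __name__ == "__main__":
    for rule in (NARROW_EXCEPTION, LAB_EXCEPTION, BROAD_EXCEPTION):
        enforced, suppressed = enforce(EVENTS, [rule])
        print(f"{rule.name}: suppresses {suppressed}, still enforces {enforced}, "
              f"flows silenced={blast_radius(rule, EVENTS)}")
```

The point the numbers make: the path-scoped exception silences only the Steam flow (on every host that runs it from that path), the user-plus-path exception silences a single flow, while the path-less exception also hides the unrelated `updater.exe` PUP event. In every case the Malicious event is untouched, because an exception is tied to one classification rather than to the device as a whole.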
Index: 4.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review

After completing this Fast Track module, you should now understand how:
1. FortiClient EMS protects the endpoint and integrates into the Fortinet Security Fabric for
increased visibility and control of the network.

2. FortiEDR provides endpoint protection for pre- and post-infection scenarios with extensive event
monitoring, alerting and forensic investigation capabilities.
Index: 4.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Proactive Advanced Endpoint Protection, Visibility and
Control for Critical Assets including ZTNA Hands-On Lab.

Thank You

To get more information on this or other Fortinet solutions, please consider looking at
Fortinet's NSE training.

Please take a moment to complete our short survey located in the web portal tab above.