SOCFortress Integrations — FortiClient EndPoint Security

SOCFortress
3 min read · Jul 8, 2024


Intro

SOCFortress integration and visualization tools let security analysts visualize and triage FortiClient security events from a single pane of glass.

About Fortinet’s FortiClient

Fortinet’s FortiClient is an endpoint security solution designed to integrate with Fortinet’s security fabric, providing comprehensive security for endpoints. Here are some key features and capabilities of FortiClient:

Features and Capabilities

1. Endpoint Protection:
— Antivirus/Anti-malware: FortiClient provides real-time antivirus and anti-malware protection, detecting and blocking threats.
— Web Filtering: Controls and restricts web access to prevent exposure to malicious sites and inappropriate content.
— Application Firewall: Monitors and controls application traffic to prevent unauthorized access and potential threats.

2. Advanced Threat Protection:
— Sandbox Integration: Integrates with FortiSandbox for advanced threat protection, allowing suspicious files to be analyzed in a sandbox environment.
— Behavior-based Detection: Detects and mitigates threats based on behavior analysis, preventing zero-day attacks and advanced persistent threats (APTs).

3. Secure Remote Access:
— VPN (Virtual Private Network): Provides secure remote access through SSL and IPsec VPNs, ensuring secure connections for remote users.
— Two-Factor Authentication (2FA): Enhances security by requiring a second form of authentication for VPN access.

4. Endpoint Management and Visibility:
— Centralized Management: Managed through FortiClient EMS (Enterprise Management Server), allowing centralized control, deployment, and monitoring of endpoint security.
— Compliance and Reporting: Ensures endpoints comply with security policies and provides detailed reporting for compliance and auditing purposes.
— Telemetry and Automation: Collects telemetry data and integrates with Fortinet’s security fabric for automated threat response.

5. Endpoint Detection and Response (EDR):
— Threat Hunting: Allows for proactive threat hunting and investigation of security incidents.
— Automated Response: Provides automated responses to detected threats, minimizing the impact of security incidents.
— Incident Management: Facilitates incident management and response, helping to mitigate and resolve security incidents effectively.

6. Network Access Control (NAC):
— Device Posture Assessment: Evaluates the security posture of devices before allowing network access, ensuring compliance with security policies.
— Dynamic Access Control: Adjusts access privileges based on device posture and user roles, enhancing network security.

7. Cloud Integration:
— SaaS and Cloud Application Security: Protects access to SaaS and cloud applications, ensuring secure usage and compliance with security policies.
— Cloud Sandbox: Provides cloud-based sandboxing for advanced threat analysis and protection.

Ingesting FortiClient logs and events

FortiClient can be configured to forward alerts and events to an external syslog server / SIEM.

Reference: https://docs.fortinet.com/document/forticlient/7.4.0/xml-reference-guide/921514/log-settings
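Once the events reach the collector, the dashboards below are just aggregations over the parsed fields. The following is an added example (not SOCFortress or Fortinet code) that parses constructed FortiClient-style key=value syslog lines and produces the two splits the dashboards show; the field names `hostname`, `type`, `level` and `msg` are assumptions for this example, not taken from the FortiClient log reference.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style Fortinet products emit over
# syslog. Field names are assumed for this example, not FortiClient's documented
# schema; the <134> prefix is the syslog PRI a collector usually strips.
SAMPLE_LINES = [
    '<134>date=2024-07-08 time=10:01:02 hostname="LAPTOP-01" type="antivirus" level="warning" msg="Virus detected: Eicar-Test-Signature" action="quarantined"',
    '<134>date=2024-07-08 time=10:02:15 hostname="LAPTOP-01" type="antivirus" level="warning" msg="Virus detected: Eicar-Test-Signature" action="quarantined"',
    '<134>date=2024-07-08 time=10:05:40 hostname="DESKTOP-07" type="webfilter" level="notice" msg="URL blocked by category" url="http://blocked.example/"',
    '<134>date=2024-07-08 time=10:07:03 hostname="DESKTOP-07" type="firewall" level="information" msg="Application traffic allowed" app="Teams"',
]

# key=value where the value is either a double-quoted string (may contain
# spaces and backslash-escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one syslog line into a dict of fields; the PRI (<134>) carries no '=' and is ignored."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')  # unquote and unescape
        fields[key] = value
    return fields


def events_by_type_and_severity(lines) -> Counter:
    """Counts keyed on (type, level): the 'Events by Type and Severity' split."""
    return Counter((e.get("type"), e.get("level")) for e in map(parse_line, lines))


def events_by_host_and_message(lines) -> Counter:
    """Counts keyed on (hostname, msg): the 'Security events by host and message' split."""
    return Counter((e.get("hostname"), e.get("msg")) for e in map(parse_line, lines))


if __name__ == "__main__":
    for (etype, level), n in events_by_type_and_severity(SAMPLE_LINES).most_common():
        print(f"{n:3d}  type={etype} level={level}")
    for (host, msg), n in events_by_host_and_message(SAMPLE_LINES).most_common():
        print(f"{n:3d}  host={host} msg={msg!r}")
```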

Visualizations

FortiClient Events, Events by Type and Severity

Security events by host and message

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).