SOCFortress Integrations — FortiEMS (Fortinet Endpoint Management Server)

SOCFortress
4 min read · Dec 5, 2024


Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

SOCFortress integration and visualisation tools give security analysts a single pane of glass for visualising and triaging FortiEMS logs and events.

NOTE: See the previous article for the FortiClient integration.

About FortiEMS

FortiEMS (Fortinet Endpoint Management Server) is a centralised management and control solution designed for managing Fortinet’s endpoint security products. It’s part of Fortinet’s Security Fabric ecosystem and is commonly used for managing FortiClient deployments across organisations.

FortiEMS includes many features for FortiClient deployment:

  • Centralised Endpoint Management:
    — Manage endpoint profiles, configurations, and policies from a single interface.
    — Control FortiClient settings such as VPN, firewall, web filtering, and application security.
  • Integration with Security Fabric:
    — Integrates seamlessly with other Fortinet products like FortiGate firewalls, enabling a unified threat management approach.
    — Provides visibility and reporting across the network for endpoint-related events.
  • Endpoint Visibility:
    — Monitors endpoints in real-time, displaying their security status, compliance, and connection activity.
    — Tracks endpoints with remote users, ensuring consistent policy enforcement.
  • Threat Detection and Response:
    — Utilises FortiClient’s capabilities for malware protection, vulnerability scanning, and behaviour monitoring.
    — Provides integration with FortiSandbox for advanced threat analysis and detection.
  • Security Posture Assessment:
    — Enforces security policies to ensure endpoints meet compliance requirements before connecting to the network.
    — Includes endpoint quarantine for devices that don’t meet compliance standards.
  • Scalability:
    — Suitable for small to large enterprise environments.
    — Allows administrators to manage hundreds or thousands of endpoints effectively.
  • VPN Management:
    — Centralised configuration and deployment of VPN policies for FortiClient.
    — Ensures secure remote access for users connecting to the corporate network.

FortiEMS can be deployed on-premises for organisations with a local data centre, or in the cloud for flexible and scalable management.

FortiEMS can integrate with Microsoft Active Directory to import and synchronise user and group information. It can also apply endpoint profiles or policies based on AD group membership.

Ingesting FortiEMS Logs and Events

Reference: https://docs.fortinet.com/document/forticlient/7.4.1/ems-administration-guide/810850/configuring-logs-settings

Logs received from FortiEMS (Fortinet Endpoint Management Server) are categorised into various types, each serving a specific purpose for monitoring, troubleshooting, and analysing events within the EMS system. The main log types are broken down below.

Log types and their relevance to IT operations and security

  1. “ems-adconnector”: Related to the Active Directory (AD) Connector functionality in FortiEMS. Key information in “ems-adconnector” logs:
    — Connection status to Active Directory servers (success/failure).
    — Synchronisation events, such as fetching user or group information.
    — Errors or warnings related to AD integration, e.g., credential issues or network connectivity problems.
    — LDAP query execution details.
  2. “ems-addaemonworker”: Associated with the daemon worker processes responsible for background tasks in EMS related to Active Directory and other services. Key information in “ems-addaemonworker” logs:
    — Execution of background tasks related to Active Directory.
    — Status of worker threads or processes (e.g., started, stopped, or errors).
    — Completion or failure of specific tasks.
  3. “ems-update”: Related to update processes managed by FortiEMS. Updates can include:
    — Software updates for FortiEMS itself.
    — Updates to endpoint security components (e.g., FortiClient updates).
    — Policy, signature, or configuration distribution to connected endpoints.
    These logs provide details about the EMS server’s own software update process (e.g., version, success, or failure) and about FortiClient endpoint updates (e.g., push initiation, download, installation).
  4. “ems-event”: System startup, shutdown, and restarts, and administrative actions such as configuration changes or policy updates. Also provides notifications about important system events or anomalies.
  5. “ems-error”: System crashes or failures, as well as errors in communication with endpoints, AD servers, or other integrated systems.
  6. “ems-client”: Endpoint-related activity. These logs track:
    — Endpoint connection and disconnection events.
    — Policy application and enforcement for endpoints.
    — Endpoint health status, including compliance checks and threat detection events.
  7. “ems-vpn”: If you use FortiClient to manage VPN connections, these logs record VPN-related events:
    — Connection attempts to VPN gateways.
    — Authentication success or failure.
    — VPN disconnections or drops.
  8. “ems-authentication”: Admin logins and logouts on the EMS server, as well as failed login attempts or lockouts.
  9. “ems-policy”: Policy lifecycle events, including:
    — Deployment of policies to endpoints.
    — Policy updates or modifications.
    — Success or failure of policy application.
  10. “ems-network”: Communication between FortiEMS and endpoints.
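As an added illustration (not code from the article, SOCFortress, or Fortinet), the Python below classifies a few constructed FortiEMS-style log lines by their `type`/`subtype` fields using the taxonomy above, and flags the records an analyst would triage first (failed admin logins, error-level AD connector and error-log records). The Fortinet key=value layout of the forwarded lines is an assumption.

```python
import re
from collections import Counter

# Assumption: FortiEMS forwards syslog in Fortinet-style key=value form with
# quoted values. The sample lines below are constructed, not captured output.
SAMPLE_LOGS = """\
date=2024-12-05 time=09:14:02 type="ems-authentication" subtype="admin" level="warning" user="admin" msg="Login failed" srcip=10.0.0.5
date=2024-12-05 time=09:14:10 type="ems-authentication" subtype="admin" level="info" user="admin" msg="Login succeeded" srcip=10.0.0.5
date=2024-12-05 time=09:15:00 type="ems-adconnector" subtype="sync" level="error" msg="Connection to AD server failed"
date=2024-12-05 time=09:16:00 type="ems-update" subtype="signature" level="info" msg="Vulnerability signatures updated"
date=2024-12-05 time=09:16:30 type="ems-client" subtype="endpoint" level="notice" host="LAPTOP-01" msg="Endpoint connected"
"""

# Log types listed in the article, grouped by the operational area each covers.
TYPE_AREA = {
    "ems-adconnector": "active-directory", "ems-addaemonworker": "active-directory",
    "ems-update": "updates", "ems-event": "system", "ems-error": "system",
    "ems-client": "endpoint", "ems-network": "endpoint", "ems-vpn": "vpn",
    "ems-authentication": "admin-access", "ems-policy": "policy",
}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    fields["area"] = TYPE_AREA.get(fields.get("type"), "unknown")
    return fields

def needs_triage(ev):
    """Records an analyst should look at first: failed admin logins and
    error-level entries from the AD connector or the error log."""
    if ev.get("type") == "ems-authentication" and "failed" in ev.get("msg", "").lower():
        return True
    return ev.get("type") in ("ems-adconnector", "ems-error") and ev.get("level") == "error"

def summarise(text):
    """Return (count per (type, subtype), list of events needing triage)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    counts = Counter((e.get("type"), e.get("subtype", "")) for e in events)
    return counts, [e for e in events if needs_triage(e)]

if __name__ == "__main__":
    counts, triage = summarise(SAMPLE_LOGS)
    print(dict(counts))
    print([e["msg"] for e in triage])
```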

Visualizations

In the SOCFortress landing page:

Logs by FortiEMS type and subtype

Event details (vulnerability signatures updated, in the example below):



Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
