FortiClient EMS receives predefined outbreak alert rules from FortiGuard to help protect your network from vulnerabilities. For example, consider that FortiGuard Labs discovers a zero-day vulnerability in a popular application. The Fortinet team then creates a new FortiGuard outbreak alert rule, which tags endpoints with that application installed as vulnerable. After EMS receives this new rule from FortiGuard, the EMS administrator can easily see which endpoints are vulnerable to the new outbreak.
FortiGuard outbreak alert rules are similar to Zero Trust tagging rules in that you can use the tags to dynamically group endpoints, and the FortiOS administrator can also use the dynamic endpoint groups to build dynamic policy rules. See FortiOS dynamic policies using EMS dynamic endpoint groups.
Unlike Zero Trust tagging rules, you cannot modify or delete FortiGuard outbreak alert rules. You can only enable or disable them from the FortiGuard Outbreak Alert Rules pane.
You can also view a rule to see its details. In this example, the endpoint only needs to satisfy one of the three criteria to be eligible for the rule. If EMS does not display the Rule Logic field, the default rule logic is an “or” relationship.