User Access integration
When a user access connector, such as Active Directory, is set and Playbook policies are configured, automatic incident response actions can include resetting a user's password or disabling a user account on the domain controller when a security event is triggered.
Prerequisites
Before you start User Access configuration, verify the following:
- You have installed an EDR Core and configured the Core as a Jumpbox with connectivity to the domain controller server. To request the EDR Core ISO, contact Fortinet Support.
- You have a valid API user with access to Active Directory or equivalent domain control system. See Configuring Active Directory for detailed instructions about creating an Active Directory admin user.
Follow the steps below to perform user access actions automatically upon the detection of an EDR security event.
Configuring an EDR Connector
To configure User Access integration:
- Click the Add Connector button and select User Access from the dropdown list.
The following displays:

- Fill in the following fields:
| Field | Description |
| --- | --- |
| Jumpbox | Select the EDR Jumpbox that will communicate with this User Access system. |
| Name | Specify a name of your choice to be used to identify this User Access system. |
| Type | Select the type of user access to be used in the dropdown list. For example, Active Directory. |
| Host | Specify the IP or DNS address of the external User Access system. |
| Port | Specify the port that is used for communication with the external User Access system. |
| API Key/Credentials | Specify authentication details of the external user access system. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external User Access system API username (or Bind User DN) and password. |
- In the Actions area on the right, define the action to be taken by this connector:
- To use an action provided out-of-the-box with EDR (for example, Disable user account on Active Directory), in the baseDN field of Disable user account or Reset user password, specify where EDR starts searching for the user upon which actions are performed.
- To use a custom integration action:
- Click the + Add Action button. The following popup window displays:

- In the Action dropdown menu, select one of the previously defined actions (which were defined in EDR as described in Custom integration), or define a new action that can be triggered according to the definitions in the Playbook:
- Click the Create New Action button. The following displays:

- Fill out the fields of this window as follows in order to define a new action to be triggered in response to an incident.

In order to trigger this action, a Playbook policy must be defined that triggers this action to execute the script when a security event is triggered. The definition of this new action here automatically adds this action as an option in a Playbook policy. However, this action is not selected by default in the Playbook policy. Therefore, you must go to the Playbook policy and select it in order for it to be triggered when a security event is triggered.
| Field | Definition |
| --- | --- |
| Name | Enter any name for this action. |
| Description | Enter a description of this action. |
| Upload | Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. The Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. This displays an explanation of the coding conventions and provides various links that you can click to see more detail and/or to download sample files. |
- Click Save. The new action is then listed in the Actions area.
- You can click the Test button next to an action to execute that action.
- Click Save to save the connector configuration.
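The baseDN set for Disable user account or Reset user password bounds which directory accounts an out-of-the-box action can reach. The following is an added example, not Fortinet code: it shows the standard Active Directory mechanics of a baseDN-scoped disable, and the lookup by sAMAccountName, the DNs and the accounts are assumptions constructed for illustration.

```python
# Added illustration, not Fortinet code: standard AD/LDAP mechanics behind a
# baseDN-scoped "disable user" action. The directory below is constructed.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an account disabled

def escape_filter_value(value):
    """Escape a user name for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(sam):
    """Filter a client would send; sAMAccountName lookup is an assumption."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam)

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts.append(cur.strip().lower())
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    parts.append(cur.strip().lower())
    return parts

def in_scope(entry_dn, base_dn):
    """True when entry_dn is at or below base_dn (subtree search scope)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    "CN=Alice Smith,OU=Staff,DC=example,DC=com":
        {"sAMAccountName": "asmith", "userAccountControl": 512},
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com":
        {"sAMAccountName": "svc-backup", "userAccountControl": 66048},
}

def plan_disable(sam, base_dn):
    """Return (dn, new userAccountControl) for a user under base_dn, else None."""
    for dn, attrs in DIRECTORY.items():
        if attrs["sAMAccountName"].lower() == sam.lower() and in_scope(dn, base_dn):
            return dn, attrs["userAccountControl"] | ACCOUNTDISABLE
    return None

if __name__ == "__main__":
    print(user_filter("asmith"))
    print(plan_disable("asmith", "OU=Staff,DC=example,DC=com"))
    print(plan_disable("svc-backup", "OU=Staff,DC=example,DC=com"))  # out of scope
```

A baseDN that points at a specific OU rather than the domain root keeps accounts outside that OU, such as the service account in the sample data, out of reach of an automated disable or reset.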
Configuring Playbooks
To configure an automated incident response that uses a user access connector to reset a user's password or disable a user when a security event is triggered:
- Navigate to the Profiles > Playbooks page.
- Open the Playbook policy that is applied on devices for which you want the user access response to apply.
- Place a checkmark in the relevant Classification column next to the Disable user row under the INVESTIGATION section or the Reset user password row under the REMEDIATION section.
EDR is now configured to automatically perform user access actions upon triggering of a security event.
To configure an automated incident response that uses a User Access connector to perform a custom action upon the triggering of a security event:
- Navigate to the Profiles > Playbooks page.
- Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
- In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
- In the dropdown menu next to the relevant custom action, select the relevant User Access connector with which to perform the action.
EDR is now configured to trigger this action in the third-party system upon the triggering of a security event.
Automatic incident response actions are listed in the Overview tab when you select the incident and click Investigate in the Incidents pane.