Tutorial (5.0) 04 Fortinet Cloud Services and Playbooks * FortiEDR * Fortinet Network Security Expert NSE 5

2022-06-13 09:04:00 Feita plum

In this lesson, you will learn what Fortinet Cloud Services (FCS) is, why you need it, how it works, and about playbooks.

In this lesson, you will cover the topics shown above.

By demonstrating competence in the capabilities of Fortinet Cloud Services, you will be able to handle event management tasks.

FCS is a system that centrally handles event management tasks. It evaluates each event after it occurs. The Core makes the initial decision to block or allow and classifies the event, then sends the data to FCS for further analysis. FCS verifies the classification, changes it if necessary, and then performs whatever playbook actions are assigned to that classification. FCS is responsible for managing all investigation actions in the playbook, such as putting the Collector in isolation mode, and all remediation actions, such as deleting malicious files.

The main advantage of FCS is improved accuracy of event classification. To prevent malware from doing harm, you must decide in real time whether a process should be blocked or allowed; that is the Core's role. FCS then analyzes the event in depth (which is not possible in real time) and fine-tunes the classification. The goal is ultimately to classify every event as either malicious or safe, so that you do not have to spend a lot of time on manual analysis.

Now you will see how FCS integrates with the Fortinet infrastructure. As you saw in the previous lesson, the Core receives event data from the Collector and sends back an allow or block decision. The Core also sends the event data, including its preliminary classification, through the Aggregator to Central Manager, which forwards it to FCS. FCS maintains a continuously updated database of event and malware data, which it uses to analyze the event in depth and fine-tune the classification the Core assigned. FCS also handles the investigation and remediation tasks configured in the playbook. After remediating a malicious event, FCS automatically marks it as handled. If FCS reclassifies an event as safe, it automatically creates an exception so that the same activity is not blocked if it happens again. FCS sends all of this information back to Central Manager, which displays it in the Event Viewer of the management console.

Now you will learn more about how FCS works. First, it automatically evaluates each event against a large database of previous events. All of this information is very useful for improving accuracy, but it takes a few seconds to process. That is why the initial classification happens in the Core: the Core can evaluate an event and decide almost instantly whether to block or allow it. This matters because an attacker needs no more than a few milliseconds to encrypt or steal data, so you must be able to react in real time. After the Core makes its decision, FCS fine-tunes the classification. Playbook actions are based on the FCS-approved classification. For example, in the event shown on the right, the Core classified the event as Suspicious. If you look at the triggered rules section, you can see that this event violated the Suspicious File Detected rule in the Execution Prevention policy, so FortiEDR blocked it; the red icon next to the rule shows this. FCS then analyzed the event and upgraded it to Malicious, because previous event data verified it as harmful. Based on this Malicious classification, FCS would have moved the affected Collector to the High Security Collector Group, but the playbook is in simulation mode, so the action was only simulated. You can tell this from the grey Simulation label in front of the playbook action.

Look at the timeline of a typical event. The moment the event first occurs is the starting point. In the event on the right, the event occurred on June 11 at 21:23:04. Within milliseconds, the Core evaluates it, classifies it, and assigns one of three actions according to the configured policy settings: block, allow, or log. In the example shown above, you can see the History section of the event's Classification Details pane. The initial classification at the bottom was assigned by the Core: it classified the 21:23:04 event as Inconclusive within one second of the initial event. Next, FCS receives the event data and performs additional evaluation, applying playbook actions or exceptions as needed. Looking at the history again, you can see that FCS changed the classification to Likely Safe at 21:23:13. That is still very fast, but in this case 9 seconds slower than the Core. You do not see any playbook actions listed here, because no playbook actions were selected for Likely Safe events.

FortiEDR aggregates events to make them easier to review. Raw data items are aggregated into a single event based on the process, the attempted action, and the rule violated. For example, if a file called driverupdate.exe tries to connect to the network several times, possibly violating a non-standard communication rule, each attempt is aggregated into one event.

Events are then aggregated into alerts. You can aggregate events by device or by process. For example, if you choose the Process view, all events involving the file driverupdate.exe are aggregated into one alert.
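The two aggregation levels just described, as an added example written for this page rather than code from Fortinet or the course. It assumes an event belongs to a single device (the Device view implies this) and uses constructed raw data items with the rule names the lesson mentions; the data structures and function names are this example's own, not a FortiEDR API.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RawDataItem:
    """One raw data item reported by a Collector (constructed sample, not FortiEDR output)."""
    device: str      # the Collector that reported it
    process: str     # the process that attempted the action
    action: str      # what it tried to do
    rule: str        # the FortiEDR rule the attempt violated
    target: str      # where the attempt was aimed (address or file path)
    timestamp: str


# Constructed sample data: driverupdate.exe tries the network several times on WS-01,
# once on WS-02, and also writes a file; notepad.exe trips a file rule on WS-02.
RAW_ITEMS = [
    RawDataItem("WS-01", "driverupdate.exe", "connect", "Non-standard communication",
                "203.0.113.10:4444", "2022-06-11T21:23:04"),
    RawDataItem("WS-01", "driverupdate.exe", "connect", "Non-standard communication",
                "203.0.113.10:4444", "2022-06-11T21:23:09"),
    RawDataItem("WS-01", "driverupdate.exe", "connect", "Non-standard communication",
                "203.0.113.11:4444", "2022-06-11T21:24:01"),
    RawDataItem("WS-01", "driverupdate.exe", "write", "Suspicious File Detected",
                "C:/Windows/Temp/upd.dll", "2022-06-11T21:25:00"),
    RawDataItem("WS-02", "driverupdate.exe", "connect", "Non-standard communication",
                "203.0.113.10:4444", "2022-06-11T21:30:00"),
    RawDataItem("WS-02", "notepad.exe", "write", "Suspicious File Detected",
                "C:/Users/a/note.txt", "2022-06-11T22:00:00"),
]


def aggregate_events(items):
    """Aggregate raw data items into events.

    An event is keyed by device, process, attempted action and violated rule, so
    repeated attempts by the same process against the same rule collapse into one
    event that keeps every raw item (the raw-item count shown in the console).
    """
    events = defaultdict(list)
    for item in items:
        events[(item.device, item.process, item.action, item.rule)].append(item)
    return dict(events)


def aggregate_alerts(events, view):
    """Aggregate events into alerts by 'process' or 'device', the two console views.

    Returns {alert_key: [(event_key, raw_item_count), ...]}.
    """
    if view not in ("process", "device"):
        raise ValueError("view must be 'process' or 'device'")
    alerts = defaultdict(list)
    for key, raw in events.items():
        device, process, _action, _rule = key
        alerts[process if view == "process" else device].append((key, len(raw)))
    return dict(alerts)


def raw_items_in_alert(alert):
    """Total raw data items behind one alert, to give the analyst a sense of scale."""
    return sum(count for _key, count in alert)


if __name__ == "__main__":
    events = aggregate_events(RAW_ITEMS)
    for view in ("process", "device"):
        print(f"--- {view} view ---")
        for name, alert in aggregate_alerts(events, view).items():
            print(f"{name}: {len(alert)} event(s), {raw_items_in_alert(alert)} raw item(s)")
```

In the Process view the three driverupdate.exe events (two on WS-01, one on WS-02) become one alert backed by five raw items; in the Device view each workstation gets its own alert.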

If you view events by process, you may notice that different events involving the same process have different classifications. The reason is that classification is based not only on the process itself but on what it is trying to do. For example, notepad.exe is a very common text editing application found on almost every Windows machine, and it is well known to be safe. Normally notepad.exe does not generate alerts, but if it violates a FortiEDR rule while writing to disk (perhaps because of a careless software revision), it will generate an alert. After examining the event, FCS may reclassify it as Safe: you expect notepad.exe to write to disk, so that behaviour raises no red flags. But if notepad.exe suddenly starts a service, opens a port, and begins listening, that is not how a text editor behaves, so FCS may reclassify that event as Malicious. In both cases it is the same signed executable, but in the second case its behaviour is so unusual that it may have been hijacked by a malicious process.

When does FCS update events? FCS evaluates each new event as it occurs. If the same event happens again, for example if the process tries to connect to an IP address again, FCS re-evaluates the event. If new information is available at that time, FCS updates the classification of the existing event as needed. In the example on the right of the figure above, 24 raw data items have been aggregated into the highlighted event. Each time a new raw event occurs, FCS reassesses the event. At the first event, on January 16, FCS classified it as Malicious. Five days later a new raw event occurred and FCS changed the classification to Safe based on new data. A day later the event occurred again and FCS reclassified it as Likely Safe. You can see these changes under History in the Classification Details pane.

FCS does not re-evaluate past events unless they occur again, and a recurring event is aggregated with the original event only within the same environment. This means that two companies with similar events may see different classifications if the events happened at different times.

Look at the timeline on the right of the figure above. Company A had two raw events involving GoogleUpdate.exe, on January 12 and January 18. Company B had three raw events involving the same process and the same violation, the last of them on January 22. In the meantime FCS obtained new data and revised its classification on January 21 and again on January 22. Company A had no new events after FCS revised its classification. If both companies review their events at the end of the month, Company A will find its January 18 event classified as Malicious, while Company B will find its January 22 event classified as Likely Safe.
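The re-evaluation behaviour described above (FCS only revisits an event when a raw event recurs, and creates an exception when it reclassifies to Safe, as the integration section states), replayed for the two companies as an added example. This is not Fortinet's code; the FCS verdict table, the Core's initial verdict of Inconclusive, and the dates are constructed to match the lesson's timeline, and the class and function names are this example's own.

```python
from datetime import date

# Constructed FCS knowledge for one signature (process + violated rule): the
# classification FCS assigns if it evaluates that signature on a given day.
# The real FCS database is Fortinet's; this table only models the lesson.
SIGNATURE = ("GoogleUpdate.exe", "Non-standard communication")
FCS_KNOWLEDGE = {
    SIGNATURE: [
        (date(2022, 1, 1), "Malicious"),      # what FCS knew at the start of January
        (date(2022, 1, 21), "Safe"),          # new data arrived on January 21
        (date(2022, 1, 22), "Likely Safe"),   # revised again on January 22
    ],
}

CORE_INITIAL = "Inconclusive"   # the Core's real-time verdict before FCS has looked (assumed)


def fcs_verdict(signature, on):
    """FCS's verdict for a signature if it evaluates it on the given date."""
    verdict = None
    for effective_from, classification in FCS_KNOWLEDGE[signature]:
        if effective_from <= on:
            verdict = classification
    return verdict


class AggregatedEvent:
    """One event as the console shows it: raw occurrences plus a classification history."""

    def __init__(self, signature):
        self.signature = signature
        self.raw_events = []      # dates on which a raw event was aggregated in
        self.history = []         # (date, source, classification), oldest first
        self.exceptions = []      # exceptions FCS created for this event

    @property
    def classification(self):
        return self.history[-1][2] if self.history else None

    def add_raw_event(self, on):
        """A new raw event occurs: the Core classifies first, then FCS re-evaluates.

        FCS looks at this event only because a raw event recurred; without a
        recurrence the stored classification is never touched, however stale.
        """
        self.raw_events.append(on)
        if not self.history:
            self.history.append((on, "Core", CORE_INITIAL))
        verdict = fcs_verdict(self.signature, on)
        if verdict != self.classification:
            self.history.append((on, "FCS", verdict))
            if verdict == "Safe":
                # FCS also creates an exception so the same activity is not blocked again.
                self.exceptions.append({"created_by": "FCS", "date": on,
                                        "reason": f"{self.signature[0]} reclassified as Safe"})


def run_company(raw_event_dates):
    """Replay one company's raw events for the signature and return the aggregated event."""
    event = AggregatedEvent(SIGNATURE)
    for on in raw_event_dates:
        event.add_raw_event(on)
    return event


if __name__ == "__main__":
    company_a = run_company([date(2022, 1, 12), date(2022, 1, 18)])
    company_b = run_company([date(2022, 1, 16), date(2022, 1, 21), date(2022, 1, 22)])
    for name, ev in (("Company A", company_a), ("Company B", company_b)):
        print(f"{name}: {ev.classification} at month end; history: {ev.history}")
```

The practical point for an analyst: Company A's Malicious verdict is not wrong so much as frozen at January 18, and nothing in the timeline will refresh it until GoogleUpdate.exe trips the same rule again.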

How do you know whether FCS is running in your environment? The quickest way is to check the DASHBOARD. In the lower right corner of the dashboard you will find the SYSTEM COMPONENTS health chart. FCS is the fourth bar shown; if it is green, FCS is up and running.

Now that you know about Fortinet Cloud Services, you will learn about playbooks.

By demonstrating competence in the capabilities of playbooks, you will be able to understand the FortiEDR AIR (Automated Incident Response) solution.

Fortinet uses two types of playbooks. The first is AIR. These playbooks are supported by FCS and can be configured on the SECURITY SETTINGS tab of the management console.

FCS playbooks can be enabled on request through Fortinet Support. These playbooks use Fortinet's expertise to identify safe events and create automatic exceptions.

A playbook is a set of automatic actions that FortiEDR performs when an event occurs. You can assign different actions to different classification levels. For example, you can enable notifications for events of every classification level, but terminate the process and clean up persistent data only when the classification is Malicious.

You can clone playbooks to create versions with different settings. The default playbook is in simulation mode. When a playbook is in simulation mode, you still receive the configured notifications, but no other action is taken. By looking at the Classification Details pane in the EVENT VIEWER, you can see what FortiEDR would have done in response to a particular event; you will learn more about this in another lesson. If the playbook is in prevention mode, FortiEDR performs all the actions as configured.

Each collector group is assigned to one and only one playbook. By default, all collector groups are assigned to the default playbook.

You can modify playbook actions to suit your own needs. AIR playbooks control event notification (email, syslog, or opening a ticket); they can automatically isolate the device using the Collector or FortiNAC, move it to the High Security group, and remediate it. As part of the remediation configuration, malicious IP addresses can also be added to FortiGate to block future traffic. Once you have configured custom connectors and actions, you can add custom actions to the playbook.

Isolation mode is a Collector state used to help contain an infection while it is investigated and remediated. AIR playbooks can be configured to put the Collector into isolation mode automatically when an event is triggered. For example, you can configure a playbook to put every Collector that triggers an event classified as Malicious into isolation mode.

Isolation mode is a state. It does not affect the collector group assignment: a Collector can be in isolation mode and still belong to its usual collector group. However, Collectors in isolation mode are automatically assigned the Isolation Policy under Communication Control instead of their group policy. The Isolation Policy is built in and, by default, prevents all applications from communicating. You can allow specific applications as needed, such as help desk or security software. The best practice is to allow only the applications that may be needed to remediate the device remotely. You can manually put a Collector into or take it out of isolation mode using the Isolation drop-down list on the INVENTORY tab. A Collector in isolation mode shows a red indicator icon.
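The playbook mechanics from the last few paragraphs (actions per classification level, notifications honoured even in simulation mode, one playbook per collector group, cloning a playbook, and the Isolation Policy replacing the group policy while a Collector is isolated) in one added example. This is an illustration written for this page, not FortiEDR's implementation or API: the action assignments, the constructed group deny list, and the two allow-listed application names standing in for help desk and security software are all assumptions.

```python
import dataclasses
from dataclasses import dataclass

# Playbook actions. "notify" is honoured in both modes; every other action is
# carried out only when the playbook is in prevention mode and is otherwise
# recorded as simulated (the grey "Simulation" label in the console).
NOTIFY = "notify"
ISOLATE = "isolate"
MOVE_TO_HIGH_SECURITY = "move_to_high_security_group"
TERMINATE = "terminate_process"
CLEAN_PERSISTENCE = "clean_persistent_data"

HIGH_SECURITY_GROUP = "High Security Collector Group"
DEFAULT_GROUP = "Default Collector Group"


@dataclass(frozen=True)
class Playbook:
    name: str
    mode: str        # "simulation" or "prevention"
    actions: dict    # classification -> tuple of actions


# Actions per classification level as the lesson describes them: notifications for
# every level, process termination and persistence cleanup only for Malicious.
# These assignments are this example's choice, not the product defaults.
DEFAULT_ACTIONS = {
    "Malicious":    (NOTIFY, ISOLATE, MOVE_TO_HIGH_SECURITY, TERMINATE, CLEAN_PERSISTENCE),
    "Suspicious":   (NOTIFY, ISOLATE),
    "Inconclusive": (NOTIFY,),
    "Likely Safe":  (NOTIFY,),
    "Safe":         (),
}
DEFAULT_PLAYBOOK = Playbook("Default Playbook", "simulation", DEFAULT_ACTIONS)


def clone_playbook(playbook, name, mode):
    """Clone a playbook to get a version with different settings (here, the mode)."""
    if mode not in ("simulation", "prevention"):
        raise ValueError("mode must be 'simulation' or 'prevention'")
    return dataclasses.replace(playbook, name=name, mode=mode)


@dataclass
class Collector:
    name: str
    group: str
    isolated: bool = False   # isolation is a state, independent of the group


# Built-in Isolation Policy: deny everything except an explicit allowlist.
# The two names are constructed stand-ins for help desk and security software.
ISOLATION_ALLOWLIST = frozenset({"helpdesk-remote.exe", "av-updater.exe"})
# Per-group Communication Control deny lists (constructed; empty means allow all).
GROUP_DENYLIST = {DEFAULT_GROUP: frozenset(), HIGH_SECURITY_GROUP: frozenset({"torrent.exe"})}


def run_playbook(collector, classification, group_playbooks):
    """Apply the playbook of the collector's group to an event with the FCS-approved classification.

    Returns [(action, "Executed" | "Simulation"), ...]; the collector is only
    mutated for actions that were really executed.
    """
    playbook = group_playbooks[collector.group]   # one and only one playbook per group
    outcome = []
    for action in playbook.actions.get(classification, ()):
        executed = action == NOTIFY or playbook.mode == "prevention"
        if executed and action == ISOLATE:
            collector.isolated = True
        elif executed and action == MOVE_TO_HIGH_SECURITY:
            collector.group = HIGH_SECURITY_GROUP
        outcome.append((action, "Executed" if executed else "Simulation"))
    return outcome


def may_communicate(collector, app):
    """Communication Control decision: Isolation Policy while isolated, else the group policy."""
    if collector.isolated:
        return app in ISOLATION_ALLOWLIST
    return app not in GROUP_DENYLIST.get(collector.group, frozenset())


if __name__ == "__main__":
    prevention = clone_playbook(DEFAULT_PLAYBOOK, "Default Playbook (prevention)", "prevention")
    for playbook in (DEFAULT_PLAYBOOK, prevention):
        ws = Collector("WS-01", DEFAULT_GROUP)
        print(playbook.name, run_playbook(ws, "Malicious", {DEFAULT_GROUP: playbook}))
        print("  isolated:", ws.isolated, "chrome.exe allowed:", may_communicate(ws, "chrome.exe"))
```

Run against the default (simulation) playbook a Malicious event produces a notification and four simulated actions, and the Collector keeps talking to the network; the cloned prevention playbook isolates it, moves it to the High Security group, and from then on only the allow-listed remediation tools can communicate.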

If the FCS playbook is enabled, FCS can create exceptions automatically. When FCS analyzes an event, it may find that an event the Core initially blocked is actually safe. In these cases it can change the classification to Safe; however, to ensure that the event is not blocked again, it can also create an automatic exception. You can see an example on the right side of the figure above. The exception has a description stating that it was created by FCS, and you can see the date, the time, and the reason the exception was applied.

Why enable automatic exceptions? It benefits both end users and system administrators. End users are more productive, because a safe process is not blocked again; they do not need to call technical support to get it allowed, since it is allowed automatically. For administrators there is less work: the Event Viewer is not filled with safe events that need to be investigated and have exceptions created. Note that if automatic exceptions are enabled, the system owner must track every automatic exception. Neither Fortinet nor FCS is responsible for any exception.

Congratulations! You have completed this lesson. Now you will review the objectives covered in this lesson.

By mastering the objectives covered in this lesson, you have learned how Fortinet Cloud Services work. You have also learned how they integrate with playbooks.


Original source: https://yzsam.com/2022/164/202206130852489250.html

Copyright notice: This article was written by Feita plum; please include the original link when reposting.