Which statement is true regarding a FortiClient quarantine using FortiAnalyzer playbooks?
FortiAnalyzer sends an API request to FortiClient EMS to quarantine the endpoint. This is because the FortiAnalyzer playbook is configured to act upon the detection of Indicators of Compromise (IOCs) in the logs it receives. Upon detecting a threat, FortiAnalyzer initiates a playbook that sends an API request to FortiClient EMS, instructing it to quarantine the affected endpoint. This process automates the response to detected threats, ensuring quick and effective isolation of compromised systems.
This configuration functions as follows:

1. FortiClient sends logs to FortiGate.
2. FortiGate sends logs to FortiAnalyzer. FortiAnalyzer discovers IOCs in the logs.
3. When an IOC threat type is detected on FortiAnalyzer, a playbook is triggered. As per the playbook configuration, FortiAnalyzer sends an API request to FortiClient EMS to quarantine the endpoint.
4. FortiClient EMS searches for the endpoint and sends a quarantine message to it.
5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic.