FortiSOAR Discussions
crimali
New Contributor

FortiSIEM alerts classification

Hi, how is it possible to classify alerts coming from FortiSIEM (or from other sources)? I would like to be able to decide, based on the contents of a field, which playbook to activate. I can do this in a playbook that identifies the type of alert and activates the corresponding subplaybooks. Is there a better way?

1 Solution
sioannou
Contributor

Hi,

In FortiSIEM there is the option of Tags (Admin -> Settings -> Analytics -> Tags)

You can add as many tags as you want to a Rule (Rules -> Define Action section). You can utilise the tags to steer your playbook decision making. 


Also the MITRE ATT&CK technique might be an option here as well. But tags is the easiest and most effective way. 


NOTE: The tags were removed from the API in some versions but were re-introduced in version 7.1.X I think. You can check FNDN.


Regards,


S


2 REPLIES
anarula
Staff

@crimali , you need to do two things


1) as part of Ingestion, ensure appropriate Type is mapped to corresponding SIEM Rule

2) Create an individual playbook for responding to each such type.

For this use case playbook, ensure the Trigger is per the attached image.

[attached image: trigger.png]

CTO (SOAR Business) | VP of Engineering
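Putting the two replies together (rule tags from FortiSIEM, the alert Type mapped at ingestion), the following is the decision logic such a dispatcher playbook would implement, written as plain Python as an added example; it is not code from this thread or from Fortinet, and the alert field names `tags`, `mitre_techniques` and `type`, as well as the playbook names, are assumptions.

```python
# Precedence for choosing a playbook: an explicit FortiSIEM rule tag wins,
# then the MITRE ATT&CK technique on the rule, then the alert Type mapped at
# ingestion, and finally a manual-triage fallback. Playbook names are made up.
TAG_PLAYBOOKS = {
    "ransomware": "Respond - Ransomware Containment",
    "phishing": "Respond - Phishing",
    "bruteforce": "Respond - Brute Force",
}
TECHNIQUE_PLAYBOOKS = {
    "T1486": "Respond - Ransomware Containment",  # Data Encrypted for Impact
    "T1566": "Respond - Phishing",                # Phishing
    "T1110": "Respond - Brute Force",             # Brute Force
}
TYPE_PLAYBOOKS = {"Malware": "Respond - Malware Generic"}
DEFAULT_PLAYBOOK = "Triage - Manual Review"

def _as_list(value) -> list:
    """Accept a list or a comma-separated string (both shapes occur when a
    SIEM field is copied into a SOAR record); strip, lowercase, drop blanks."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    return [str(v).strip().lower() for v in items if str(v).strip()]

def route(alert: dict) -> tuple:
    """Return (playbook name, reason) for one ingested alert record."""
    for tag in _as_list(alert.get("tags")):       # first matching tag wins
        if tag in TAG_PLAYBOOKS:
            return TAG_PLAYBOOKS[tag], "tag:" + tag
    for tech in _as_list(alert.get("mitre_techniques")):
        base = tech.split(".")[0].upper()         # t1566.001 -> T1566
        if base in TECHNIQUE_PLAYBOOKS:
            return TECHNIQUE_PLAYBOOKS[base], "technique:" + base
    alert_type = alert.get("type")
    if alert_type in TYPE_PLAYBOOKS:
        return TYPE_PLAYBOOKS[alert_type], "type:" + alert_type
    return DEFAULT_PLAYBOOK, "default"

# Constructed sample records (not real FortiSIEM output; field names assumed).
SAMPLE_ALERTS = [
    {"tags": "Ransomware, HighValueAsset", "mitre_techniques": ["T1486"], "type": "Malware"},
    {"tags": [], "mitre_techniques": ["t1566.001"]},
    {"tags": None, "type": "Malware"},
    {"type": "Other"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(route(alert))
```

The returned reason string is worth writing back to the alert record so an analyst can see why a given playbook fired.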