FortiSOAR Discussions

FortiSOAR Content Pack 7.0.1 Release

The FortiSOAR Incident Response Content Pack (fsr-ir-content-pack) 7.0.1 release splits the content pack into separate use-case files, which will allow users in future to install only the use cases they require. Other release highlights include enhanced enrichment playbooks, updated use cases and scenarios, and enhanced Pause SLA functionality. 

New features and enhancements 



Split the Content Pack 

The content of the Content Pack has been split as follows: 

  • fsr-ir-content-pack.json 
  • fsr-mitre-content-pack.json 
  • fsr-scenario-content-pack.json 
  • fsr-vm-content-pack 

Future releases of the Content Pack will use these split content files to provide users with only the content they require for their use case. 

Added the QRadar Threat Hunt workflow 

Added the 'QRadar Threat Hunt' workflow to the "Investigate Malicious Indicators" playbook in the '04-Use Cases' collection. 

Enhanced the 'Enrichment' Playbook collection  

  • Updated all enrichment playbooks to use the VirusTotal v2.0.0 connector, which supports the latest VirusTotal API (API v3). 
  • Enhanced the Indicator Description layout to include more information from VirusTotal API v3 for the following input types: IP Address, Domain, FileHash MD5, URL, and File, as shown in the following image: 
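The move from VirusTotal API v2 to v3 changes both how an indicator is addressed and how verdicts come back, which is what the enrichment playbooks above had to absorb. The following is an added example, not code from the content pack or the FortiSOAR VirusTotal connector: it maps the four lookup-style indicator types named above (IP Address, Domain, FileHash, URL) to their v3 object paths, following VirusTotal's public v3 API, and reduces a v3 response to the counts an indicator description needs. The sample response is constructed; file upload (the 'File' input type) is a separate POST and is not covered here.

```python
"""Added example: VirusTotal API v3 lookup paths and response summary for the
indicator types the enrichment playbooks handle. Not code from the content pack
or the FortiSOAR VirusTotal connector; endpoint paths follow VT's public v3 API
and the sample response is constructed."""
import base64
import json
import re

VT_V3_BASE = "https://www.virustotal.com/api/v3"
HEX_HASH = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")  # MD5 | SHA-1 | SHA-256


def vt_object_path(indicator_type: str, value: str) -> str:
    """Map an indicator type (as named in the release notes) to its VT v3 object URL.
    v3 addresses a URL by the unpadded URL-safe base64 of the URL string itself,
    so no separate scan-id lookup is needed as in v2."""
    kind = indicator_type.strip().lower()
    if kind in ("ip address", "ip"):
        return f"{VT_V3_BASE}/ip_addresses/{value}"
    if kind == "domain":
        return f"{VT_V3_BASE}/domains/{value}"
    if kind.startswith("filehash"):
        if not HEX_HASH.fullmatch(value):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        return f"{VT_V3_BASE}/files/{value.lower()}"
    if kind == "url":
        url_id = base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii").rstrip("=")
        return f"{VT_V3_BASE}/urls/{url_id}"
    raise ValueError(f"unsupported indicator type: {indicator_type!r}")


def summarize_v3_response(body: dict) -> dict:
    """Reduce a v3 object response to what an indicator description needs.
    v3 reports per-verdict counts in last_analysis_stats instead of v2's
    positives/total pair; a missing stats block yields zero counts, not an error."""
    data = body.get("data") or {}
    attrs = data.get("attributes") or {}
    stats = attrs.get("last_analysis_stats") or {}
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    total = sum(int(v) for v in stats.values())
    if malicious:
        verdict = "malicious"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean" if total else "unknown"
    return {
        "object_type": data.get("type"),
        "malicious": malicious,
        "suspicious": suspicious,
        "total_engines": total,
        "reputation": attrs.get("reputation"),
        "verdict": verdict,
    }


# Constructed sample in the shape of a v3 GET /files/{hash} response; the counts are made up.
SAMPLE_FILE_RESPONSE = json.loads("""
{
  "data": {
    "type": "file",
    "id": "d41d8cd98f00b204e9800998ecf8427e",
    "attributes": {
      "last_analysis_stats": {"harmless": 0, "malicious": 12, "suspicious": 1,
                              "undetected": 57, "timeout": 0},
      "reputation": -20
    }
  }
}
""")

if __name__ == "__main__":
    for kind, value in [("IP Address", "8.8.8.8"), ("Domain", "example.com"),
                        ("FileHash MD5", "d41d8cd98f00b204e9800998ecf8427e"),
                        ("URL", "http://example.com/")]:
        print(kind, "->", vt_object_path(kind, value))
    print(summarize_v3_response(SAMPLE_FILE_RESPONSE))
```

The hash check matters in a playbook: a v2-era step that passed a free-text field straight into the URL would now produce a 404 rather than a clean "not found" result, so validating the digest shape before the call keeps the enrichment step's failure mode predictable.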

Updated the Suspicious Email Use Case 

Updated the Suspicious Email Use Case by adding logic that introduces users to the concept of a 'Drive By Download' attack. A Drive By Download (DBD) attack refers to the unintentional download of malicious code onto a computer or mobile device, leaving it open to a cyberattack. 

Enhanced 'Pause SLA' functionality 

The Pause SLA functionality has been enhanced as follows:  

  • Added two new fields, 'Ack SLA Paused on' and 'Resp SLA paused', to the Alerts and Incidents schemas. 
  • Updated the SLA playbooks to capture the paused and resumed SLA values when the record's state is changed. 
  • Added new manual-trigger playbooks, 'Pause SLA - Alerts' and 'Pause SLA - Incidents', which pause the SLA for an alert or incident when run from the 'Execute' drop-down in the detail view of the record. 
  • Updated the SLA Count Down widget to display the paused SLA. 
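To show what the paused/resumed values captured above have to account for, here is an added example of a pausable SLA clock, written for this page and not taken from the content pack. The class, field names, the 60-minute target and the event timeline are assumptions chosen for illustration; the point is that paused time must be subtracted from the clock and that a pause left open, or a resume with no matching pause, should be rejected rather than silently producing a wrong countdown.

```python
"""Added example: a pausable SLA clock that models what the 'Pause SLA' playbooks
and the SLA Count Down widget need to track. Not code from the content pack; the
field names, timeline and targets below are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SlaClock:
    """One SLA timer (acknowledgement or response) with pause/resume bookkeeping."""
    name: str
    started_at: datetime
    target: timedelta
    paused_on: Optional[datetime] = None  # open pause, analogous to an 'SLA Paused on' field
    paused_total: timedelta = field(default_factory=timedelta)  # completed pauses, summed

    def pause(self, when: datetime) -> None:
        """Record the pause start; a second pause without a resume is a bookkeeping bug."""
        if self.paused_on is not None:
            raise ValueError(f"{self.name}: already paused since {self.paused_on.isoformat()}")
        self.paused_on = when

    def resume(self, when: datetime) -> None:
        """Close the open pause and bank its duration."""
        if self.paused_on is None:
            raise ValueError(f"{self.name}: resume without a matching pause")
        if when < self.paused_on:
            raise ValueError(f"{self.name}: resume time precedes pause time")
        self.paused_total += when - self.paused_on
        self.paused_on = None

    def elapsed(self, now: datetime) -> timedelta:
        """Wall-clock time since start minus all paused time, including an open pause."""
        paused = self.paused_total
        if self.paused_on is not None and now > self.paused_on:
            paused += now - self.paused_on
        return (now - self.started_at) - paused

    def remaining(self, now: datetime) -> timedelta:
        return self.target - self.elapsed(now)

    def status(self, now: datetime) -> str:
        """What a countdown widget would show: paused, running, or breached."""
        if self.paused_on is not None:
            return "paused"
        return "breached" if self.remaining(now) < timedelta(0) else "running"


def demo_timeline() -> dict:
    """Constructed timeline: a 60-minute Ack SLA paused for 30 minutes while the alert
    sat in a pending state, inspected mid-pause and again 70 minutes after creation."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    ack = SlaClock("Ack SLA", started_at=t0, target=timedelta(minutes=60))
    ack.pause(t0 + timedelta(minutes=20))            # state -> Pending
    mid = t0 + timedelta(minutes=35)
    status_while_paused = ack.status(mid)            # countdown frozen
    remaining_while_paused = ack.remaining(mid)      # still the 40 min left at pause time
    ack.resume(t0 + timedelta(minutes=50))           # state -> Open again
    now = t0 + timedelta(minutes=70)
    return {
        "status_while_paused": status_while_paused,
        "remaining_while_paused_min": int(remaining_while_paused / timedelta(minutes=1)),
        "status": ack.status(now),
        "elapsed_min": int(ack.elapsed(now) / timedelta(minutes=1)),
        "remaining_min": int(ack.remaining(now) / timedelta(minutes=1)),
        # A clock that ignores the pause would already report a breach here.
        "naive_breached": (now - t0) > ack.target,
    }


if __name__ == "__main__":
    print(demo_timeline())
```

Seventy minutes of wall time against a 60-minute target looks like a breach to a naive countdown; with the 30 paused minutes removed the clock shows 40 minutes elapsed and 20 remaining, which is the figure a widget that "displays paused SLA" has to derive from the stored pause and resume timestamps.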

For more information about the 'fsr-ir-content-pack', see the article.