The FortiSOARâ„¢ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) provides you with a snapshot of the configuration data and other items that can help you to optimally use and experience FortiSOAR's incident response.
This article provides a listing and brief description of the various types of playbook collections included in the Content Pack. You can use the playbooks to perform varied operations used to automate security processes across your organization. These playbooks can also be used to simulate use cases and provide training for FortiSOAR.
The playbooks are categorized as follows based on the type of function they perform such as ingestion, enrichment, triaging, etc.
You can use the playbooks in the 01-Ingest collection to ingest data from external SIEM solutions like LogRhythm. and other third-party sources like threat intelligence platforms like ThreatQ, email solutions, etc.
Following is a table that lists the playbooks that are part of the "01-Ingest" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Elastic > Create Alert |
Receives 'Login Failure Events' from Elastic using Watcher. |
> Elastic > Create Alert (Single Record) |
Creates an alert record for events created in Elastic. |
Email > Extract Indicators |
Extracts indicators from the body and header of the email. |
Email (Manual Attach) > File to Alert (Suspicious Email) |
Attaches an email to an alert of type 'Suspicious Email', which is further used for investigations. |
Email (Manual Upload) > Extract Attachments |
Extracts attachments from emails, creates indicators, and then links them to the parent alert. |
Email (Manual Upload) > Investigate |
Extracts email metadata from an email file that is uploaded, e.g. mail.eml or mail.msg. |
Indicator > Import Bulk Indicators |
Extracts indicators from the specified text. |
>> JASK > Create Alert for Insight |
Creates alerts for JASK Insight. |
>> JASK > Create or Find Indicator and Comment |
Creates or finds an indicator and associated comments from JASK Insight. |
>> JASK > Get Signal Details |
Retrieves details of JASK Signals. |
JASK > Ingest Insights |
Pulls insight data from JASK. |
LogRhythm > Fetch Alarms |
Pulls alarms created between the specified duration from LogRhythm. |
> LogRhythm > Generate LogRhythm Records |
Creates LogRhythm records. |
Phishing/Suspicious Email Alert > Extract Indicators |
Extract Indicators from the body and header of alerts that are of type "Phishing" and "Suspicious Email". |
Symantec CloudSOC > Fetch Incidents |
Retrieves incidents from Symantec CloudSOC. |
> Symantec CloudSOC > Fetch Incidents > Create Single Alert |
Creates a single alert for Symantec CloudSOC incidents. |
Symantec Email.Cloud > Fetch Alert |
Retrieves alerts from Symantec Email.Cloud. |
Tenable.io > Fetch Assets |
Retrieves assets for the specified scan from Tenable.io. |
> Tenable.io > Fetch Assets > Ingest Asset |
Creates a new asset record in Tenable.io and builds the relation between the scan and the asset. |
Tenable.io > Fetch Scan |
Retrieves scans for the specified scan from Tenable.io. |
> Tenable.io > Fetch Scan > Ingest Scan |
Creates a new scan record. |
Tenable.io > Fetch Vulnerabilities |
Retrieves vulnerabilities for the specified asset from Tenable.io. |
> Tenable.io > Fetch Vulnerabilities > Ingest Vulnerabilities |
Creates a new vulnerability record in Tenable.io and builds the relationship between the asset and the vulnerabilities. |
Tenable.io > Fetch Vulnerability Details |
Retrieves vulnerability information for the specified vulnerability from Tenable.io. |
Threat Intel > Create Indicators |
Retrieves indicators that have been created or updated in the past 24 Hours from ThreatQ. |
Note: |
You can use the playbooks in the 02-Enrich collection to perform enrichment of data, which is one of the first incident response tasks. Automating data enrichment tasks help to better manage increasing volumes of threats and provide more actionable context to the analysts. An example of an enrichment type playbook would be retrieving the reputation of a file, domain, URL, etc. from threat intelligence platforms such as Anomali ThreatStream and VirusTotal
Following is a table that lists the playbooks that are part of the "02-Enrich" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Asset > Get Running Process |
Retrieves a list of all processes that are running on the specified host. |
Attachment > Get File Reputation |
Retrieves the reputation of a file that is submitted from FortiSOAR to VirusTotal. |
>> Create Indicators (Batch) |
Creates indicator records in bulk. |
Extract Indicators |
Extracts and creates indicators from the specified data and then enriches specific fields in alerts with the indicator data. |
Extract Indicators > Manual |
Extracts and creates indicators from the specified alert records and then enriches specific fields in alerts with the indicator data. |
>> Fotinet Fortisandbox (Get Reputation) > Get Scan Results |
Retrieves the job verdict details for submitted samples based on the specified job ID. |
Get Related IOCs For An IP |
Retrieves related IOCs for a specified IP address from threat intel sources. |
Get Reputation After Specified Time |
Re-enriches indicators after a specified time. |
Indicator (Manual Trigger) > Get Latest Reputation |
Retrieves the reputation of indicators using configured threat intelligence tools. |
Indicator (Type All) > Get Latest Reputation |
Retrieves the reputation of indicators using configured threat intelligence tools. |
Indicator (Type Domain) > Get Reputation |
Retrieves the reputation of indicators of type 'Domain' using configured threat intelligence tools. |
Indicator (Type Email) > Get Reputation |
Retrieves the reputation of indicators of type 'Email Address' using configured threat intelligence tools. |
Indicator (Type File) > Get Reputation |
Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools. |
Indicator (Type File) > Get Reputation (Fortinet Sandbox) |
Submits a file to Fortinet Sandbox and then retrieves its reputation. |
Indicator (Type File - MD5) > Get Reputation |
Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools. |
Indicator (Type Host) > Get Reputation |
Retrieves the reputation of indicators of type 'Host' using configured threat intelligence tools. |
Indicator (Type IP) > Get Reputation |
Retrieves the reputation of indicators of type 'IP Address' using configured threat intelligence tools. |
Indicator (Type Port) > Get Reputation |
Retrieves the reputation of indicators of type 'Port' using configured threat intelligence tools. |
Indicator (Type Process) > Get Reputation |
Retrieves the reputation of indicators of type 'Process' using configured threat intelligence tools. |
Indicator (Type URL) > Get Reputation |
Retrieves the reputation of indicators of type 'URL' using configured threat intelligence tools. |
Indicator (Type User Account) > Get Details |
Retrieves the details of indicators of type 'User Account' using configured threat intelligence tools. |
Note: |
Following is a table that lists the playbooks that are part of the "02-Enrich (Pluggable)" collection in the Content Pack:
Name of the playbook |
AlienValut OTX - File MD5 Reputation |
AlienValut OTX - IP Reputation |
AlienValut OTX - URL Reputation |
AlienVault-OTX - Domain Reputation |
Anomali Threatstream - Email Reputation |
Anomali Threatstream - File MD5 Reputation |
Anomali Threatstream - IP Reputation |
Anomali Threatstream - URL Reputation |
Cisco Threat Grid - File Reputation |
Fortinet Web Filter Lookup - Domain Reputation |
Fortinet Web Filter Lookup - URL Reputation |
IP Stack - Domain Geo Location |
IP Stack - IP Reputation |
Indicator (Domain) > Get Latest Reputation |
Indicator (Email) > Get Latest Reputation |
Indicator (File MD5) > Get Latest Reputation |
Indicator (File) > Get Latest Reputation |
Indicator (IP Address) > Get Latest Reputation |
Indicator (Manual Trigger) > Get Latest Reputation |
Indicator (Type All) > Get Latest Reputation |
Indicator (Type File - MD5) > Get Reputation |
Indicator (Type Host) > Get Latest Reputation |
Indicator (Type Process) > Get Latest Reputation |
Indicator (URL) > Get latest Reputation |
MXToolBox - IP Reputation |
Symantec Deepsight Intelligence - File MD5 Reputation |
ThreatQ - Email Reputation |
URLVoid - Domain Reputation |
URLVoid - URL Reputation |
VirusTotal - Domain Reputation |
VirusTotal - URL Reputation |
Virustotal - File MD5 Reputation |
Virustotal - File Reputation |
Virustotal - IP Reputation |
Whois - IP Reputation |
You can use the playbooks in the 03-Triage collection to perform actions such as sorting, systematize, computing, etc. your enriched data, enabling you to quickly investigate the incident and take decisions for containment and resolution of the incident.
Following is a table that lists the playbooks that are part of the "03-Triage" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Compute Alert Priority Weight (Post Update) |
Computes and sets the priority weight for an alert, when the alert is updated. The priority weight is calculated based on indicators related to the alert. |
Compute Alert Priority Weight (Post Update - Indicator Linked) |
Computes and sets the priority weight for an alert, when an indicator related to the alert is updated. The priority weight is calculated based on indicators related to the alert. |
Compute Alert Priority Weight (Post Update - Indicator Reputation Update) |
Computes and sets the priority weight for an alert, when the reputation of an indicator is updated. The priority weight is calculated based on indicators related to the alert. |
Find and Relate Similar Alerts |
Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts. |
Find and Relate Similar Alerts - ML |
Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts using the recommendation APIs (ML). |
Flag Indicators Linked across multiple alerts |
Flags change in indicators that are linked to multiple alerts. |
Map Historical Alerts and Escalate for malicious Indicators |
Creates a mapping for historical alerts and then escalates the alerts to incidents if malicious indicators are found. If the incident already exists, then the information is updated into the incident; else a new incident is created. |
Prioritize Alerts With VIP Assets |
Raises the severity of the alert if it is associated with a supercritical asset. |
Update Alert Severity for Malicious Indicators |
Set the alert's severity to 'Critical' if its associated indicators are found to be 'malicious'. |
You can use the playbooks in the 04-Use Cases collection to understand and perform various tasks or steps needed to deal with an incident, such as a Phishing attack or a Brute Force Attempt.
Following is a table that lists the playbooks that are part of the "04-Use Cases" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Investigate and Escalate Symantec Email.Cloud Phishing Alert |
Investigates an alert ingested from Symantec Email.Cloud of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
Investigate Brute Force Attempt |
Investigates login failures and also identifies other impacted assets. |
Investigate Brute Force Attempt (FortiSIEM) |
Investigates login failures from FortiSIEM and also identifies other impacted assets. |
Investigate C2 Malware Traffic |
Investigates C2 Malware Traffic and blocks malicious content if indicators associated with the alert are found to be 'Malicious'. |
Investigate Command & Control |
Enriches alerts for C&C behavior. |
Investigate Compliance Alert |
Investigates alerts of type 'Compliance'. |
Investigate Concurrent login from different geolocation |
Investigates alerts of type 'Concurrent Login' by checking if the source IP address is in the specified CIDR range, and then performs remediation tasks based on the result. |
Investigate Data Leakage Alert (Symantec CloudSOC) |
Investigates a data leakage alert that is ingested from Symantec CloudSOC and performs containment and remediation tasks if sensitive data is leaked. |
Investigate DNS Exfiltration |
Investigates an alert ingested from Splunk using threat intelligence reports retrieved from Intel471 and by querying Splunk. Containment tasks are performed if malicious activity is found. |
Investigate Firewall Policy Violation |
Investigates policy violations and retrieves information about Destination and Source IP addresses along with the Protocol and Port used and then disables the system from the domain. |
Investigate Lateral Movement & VPN Breach Detection |
Investigates a FortiDeceptor Malicious IP Lateral Movement and performs containment and remediation tasks if a breach is detected. |
Investigate Lost / Stolen device |
Investigates lost or stolen devices using ServiceNow and Active Directory. |
> Investigate Malicious Indicator >> Hunt |
Referenced by 'Investigate Malicious Indicator' playbook. |
> Investigate Malicious Indicator >> Hunt >> QRadar Threat Hunt |
Performs QRadar Threat Hunting on last 7 days on the specified IOC. |
Investigate Malicious Indicators |
Hunts malicious indicators and provides their summary for review by analysts. |
Investigate Malware Infection |
Investigates a malware infection by querying ElasticSearch and Active Directory |
Investigate Reconnaissance |
Investigates alerts of type 'Reconnaissance'. |
Investigate S3 Bucket Permission Change |
Investigate a change in the S3 permissions, and performs containment and remediation tasks if the change is in violation of the S3 policy. |
Investigate Suspicious Email |
Investigates an alert of type 'Suspicious Email', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
Investigate Symantec EMail.Cloud Alert |
Investigates an alert ingested from Symantec EMail.Cloud of type 'Suspicious Email'. |
Investigate Windows Sysmon event |
Investigates a Windows Sysmon event, and escalates the alert to an 'Incident' if malware is detected. |
Phishing Alert > Investigate and Escalate |
Investigates an alert of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
Process CarbonBlack Bit9 Approval Requests |
Creates tasks against an incident to complete all requests listed in CarbonBlack Bit9 and sends requests for their approval process. |
> Process CarbonBlack Bit9 >> Approval Requests (Subroutine) |
The subroutine of CarbonBlack Bit9 approval process. |
Rapid7 - Fetch Scan and Deploy Patch |
Automates patch deployments by looking up Rapid7 Scan results. |
Rapid7 - Fetch Scan and Deploy Patch (Scheduled) |
Creates schedules to initiate patch deployments. |
> Rapid7 >> Patch (Subroutine) |
Deploys patches using MS SCCM. |
Remediate Malware Alert (Symantec EDR / ATP) |
Investigates an alert ingested from Symantec EDR / ATP of type 'Malware', and blocks entities that are found to be 'Malicious'. |
Note: |
You can use the playbooks in the 05-Actions collection to perform various operations or actions such as blocking or unblocking domains, URLs, hosts, etc.
Following is a table that lists the playbooks that are part of the "05-Actions" collection in the Content Pack. Note that we have not included a brief description or usage of the playbooks since the names are self-explanatory.
Name of the playbook |
Action > Asset Mitigation |
Action - Domain - Block (Indicator) |
Action - Domain - Block (Specified by User) |
Action - Domain - Unblock (Indicator) |
Action - Domain - Unblock (Specified by User) |
Action - Email Address - Block (Indicator) |
Action - Email Address - Block (Specified by User) |
Action - Email Address - Unblock (Indicator) |
Action - Email Address - Unblock (Specified by User) |
Action - File - Block (Indicator) |
Action - File - Block (Specified by User) |
Action - File MD5 - Block (Indicator) |
Action - File MD5 - Block (Specified by User) |
Action - File MD5- Unblock (Indicator) |
Action - File MD5 - Unblock (Specified by User) |
Action - File - Unblock (Indicator) |
Action - File - Unblock (Specified by User) |
Action - Host - Block (Indicator) |
Action - Host - Block (Specified by User) |
Action - Host - Isolate Host |
Action - Host - Unblock (Indicator) |
Action - Host - Unblock (Specified by User) |
Action - IP Address - Block (Forticlient EMS) |
Action - IP Address - Block (Fortigate,FortiEDR) |
Action - IP Address - Block (Indicator) |
Action - IP Address - Block (Specified by User) |
Action - IP Address - Unblock (Indicator) |
Action - IP Address - Unblock (Specified by User) |
Action (Type All) > Block Indicators |
Action - URL - Block (Indicator) |
Action - URL - Block (Specified by User) |
Action - URL - Unblock (Indicator) |
Action - URL - Unblock (Specified by User) |
Alert > Disable Specific User (FortiDeceptor) |
Asset > Deploy Patch |
Incident > Get Running Process |
You can use the playbooks in the 06-Hunt collection to automate threat hunting processes and search and identify suspicious domains, malware, and other indicators in your environment and create alerts based on them.
Following is a table that lists the playbooks that are part of the "06-Hunt" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Hunt Indicators |
Searches for specified indicators in your environment using EDR tools, and create alerts for ones that are found. |
You can use the playbooks in the 07 - ChatOps collection to perform various operations such as fetching alert and incident details, using a Bot.
Following is a table that lists the playbooks that are part of the "07-Chatops" collection in the Content Pack:
Name of the playbook |
Usage of the playbook |
Bot command > Display Options |
Displays the Bot Commands. |
Bot Command > Get Alerts |
Retrieves the details for a specific alert whose alert ID is provided. |
Bot Command > Get Incidents |
Retrieves the details for a specific incident whose incident ID is provided. |
Bot Command > GetLocation |
Retrieves the geolocation details for a specific indicator. |
Bot Command > Get Reputation |
Retrieves the reputation for a specific indicator. |
Bot Command > Get Similar Alerts |
Retrieves the alert records that are similar to a specific alert whose alert ID is provided. |
Bot > Execute commands |
Executes a specific Bot Command when fired. |
code snippet |
Executes the provided Python code. |
You can use the playbooks in the 08 – Case Management collection to automate processes related to cases, including operations such as adding a user as a record owner, checking for SLA violations, calculating queued and resolution time for alerts, etc.
Following is a table that lists the playbooks that are part of the "08-Case Management" collection in the Content Pack:
Name of the playbook |
Add a User to the Owners List |
Alert > [01] Capture All SLA (Upon Create) |
Alert > [02] Capture Ack SLA (Upon Update) |
Alert > [03] Capture Response SLA (Upon Update) |
Alert > [04] Check for SLA violations |
Alert > [05] Update Ack and Response Due dates (Post Severity Change) |
Alert > Close Corresponding SIEM Alert |
> Alert >> Periodic Update Alert SLA Status |
Alert > Set Metrics (Upon Close) |
> Alert >> Update SLA Details |
Approval > On Create |
Approval > On Email Receipt (Exchange) |
Approval > On Email Receipt (IMAP) |
Approval > On Email Receipt >> Process Email |
Assign Random User to Unassigned Alerts |
Assign Random User to Unassigned Incidents |
Escalated Alert > Copy Related Records to Incidents |
Escalated Alert > Related Asset Records to Incidents |
Export Selected Records |
>> Fetch SLA Details |
Import Data |
Incident > [01] Capture All SLA (Upon Create) |
Incident > [02] Capture Ack SLA (Upon Update) |
Incident > [03] Capture Response SLA (Upon Update) |
Incident > [04] Check for SLA violations |
Incident > [05] Update Response and Ack Due date (Post Severity Change) |
> Incident >> Periodic Update Incident SLA Status |
Incident (Post Create) Phase Change |
Incident (Post Update) Phase Change |
>> Incident - Set Phase Dates |
Incident Summary Notification |
> Incidents >> Update SLA Details |
Indicator > Check Expiry Status |
Indicator > Set Default Expiry Date |
Indicator > Set First Seen Date |
Indicator > Set Last Seen Date |
Notify Blocked Indicator Status to Linked Alerts |
Pause SLA - Alerts |
Pause SLA - Incidents |
Prompt when Indicator linked is to Campaign |
Set Prompt to an Alert |
<Temp> Create Demo Approval |
<Temp> Pull Emails - Manual (Exchange) |
<Temp> Pull Emails - Manual (IMAP) |
Following is a table that lists the playbooks that are part of the "08-Case Management (Extended)" collection in the Content Pack:
Name of the playbook |
Incident > [06] Check for Ack SLA violations |
Incident > [07] Check for Response SLA violations |
>> Notify Ack SLA Violation |
>> Notify Response SLA Violation |
You can use the playbooks in the 09 – Incident Response collection to help you plan your response to an incident such as a malware attack, etc.
Following is a table that lists the playbooks that are part of the "09- Incident Response" collection in the Content Pack:
Name of the playbook |
Incident Response Plan (Type - Malware) |
Incident Response Plan (Type - NIST 800-61 - Generic) |
NIST 800-61 - Upfront Tasks |
You can use the playbooks in the 10 – Utilities collection to perform various operations in FortiSOAR such as creating and linking assets to specified emails, alerts, or incidents, exporting all records or a specified module, or scheduling the health check of connectors and send appropriate notifications.
Following is a table that lists the playbooks that are part of the "10- Utilities" collection in the Content Pack:
Name of the playbook |
Add Attacker Tag to Indicator (FortiDeceptor) |
Create and Link Asset |
Create and Link Indicator |
Download and Create Attachment |
Export as CSV |
> Get Paginated Records |
Notify Connector Health Check Failures |
Notify Failed Playbook Executions |
You can use the playbooks in the 11 – Demo collection to create various artifacts required to demonstrate various scenarios, such as the creation of a demo incident record to demonstrate a malware incident response, creation of global various required by playbooks, creation of default SLA templates, etc.
Following is a table that lists the playbooks that are part of the "11- Demo" collection in the Content Pack:
Name of the playbook |
Add to Exclude List |
Create Default Global Variables |
Create Default SLA Templates |
Create Demo Campaigns |
Create Sample Records - IR, Threat Intelligence and Vulnerability Management |
Create Sample Records - Legal , Physical Incidents |
Demo Incident Response Records |
Demo Scenario #1 - Compromised Credential |
Download and Create Attachment |
Email Based Alert Ingestion |
>> (Email Based Ingestion) Create Alert |
Generate > Attachment Records |
Generate > Malware Incident |
Generate > Tenable Scan, Assets and Vulnerabilities |
>> Get Similar Alerts > Fetch Similar Alerts |
Reset Sample Records (Database) |
Sample > Create FortiSOAR Users |
Sample > Reset Environment |
> Sample Users |
Send Counseling Email |
Setup Connector |
Setup Connector Configurations |
Setup Default Appliance Roles |
Setup Default Configuration for Code Snippet |
Setup Default Configuration for SLA Calculator |
Setup Default Configuration for SOC Simulator |
You can use the playbooks in the 12 – Training collection to provide FortiSOAR training.
Following is a table that lists the playbooks that are part of the "12- Training" collection in the Content Pack:
Name of the playbook |
01 - Investigate Filehash (Manual) |
02 - Investigate Filehash (Semi Automated) |
03 - Investigate Filehash (Fully Automated) |
The MITRE ATT&CK Playbook Collections demonstrate various MITRE ATT&CK Techniques.
Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CKâ„¢-CREDENTIAL ACCESS" collection in the Content Pack:
Name of the playbook |
>> Create and Link Alerts from Hunt (Host-based) |
HUNTS- Credential Dumping (T1003) |
HUNTS- Credential Dumping (T1003) Part2 |
Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CKâ„¢-DEFENSE EVASION" collection in the Content Pack:
Name of the playbook |
HUNTS- Deobfuscate/Decode Files or Information (T1140 |
HUNTS-DCShadow (T1207) |
Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CKâ„¢- Modulars" collection in the Content Pack:
Name of the playbook |
Create Alert from Network Sensor and Link to Hunt |
Create and Link Alerts from Asset (Host-based) |
Create and Link Alerts from Hunt (Host-based) |
Create and Link Indicator from Alert |
Create and Link User |
Create Asset from Alert |
Create User from Alert (Host) |
Deduplicate Comments (Asset) |
Deduplicate Comments (Hunt) |
Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CKâ„¢- PERSISTENCE" collection in the Content Pack:
Name of the playbook |
HUNTS- AppInit DLLs (T1103) |
HUNTS- Hidden Files and Directories (T1158) |
HUNTS- Netsh Helper DLL (T1128) |
HUNTS- Screensaver (T1180) |
HUNTS- Winlogon Helper DLL (T1004) |
Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CKâ„¢- PRIVILEGE ESCALATION" collection in the Content Pack:
Name of the playbook |
HUNT- SID-History Injection (T1178) |
Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CKâ„¢- PROCESS EXECUTION" collection in the Content Pack:
Name of the playbook |
>ASSETS- Service Execution (Enrichment) (T1035) |
ASSETS- Service Execution (T1035) |
HUNTS- CMSTP (T1191) |
HUNTS- Compiled HTML File (T1223) |
HUNTS- Control Panel Items (T1196) |
HUNTS- Dynamic Data Exchange (T1173) |
HUNTS- InstallUtil (T1118) |
HUNTS- LSASS Driver (T1177) |
HUNTS- Mshta (T1170) |
HUNTS- Regsvcs/Regasm (T1121) |
HUNTS- Rundll32 (T1085) |
HUNTS- XSL Script Processing (T1220) |
Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CKâ„¢- Pull-Technique-Details" collection in the Content Pack:
Name of the playbook |
Link ATT&CK technique to Alert |
You can use the playbooks in the 14 – Communications collection to automate various communication-related tasks such as sending a notification email or adding a note to a communication thread.
Following is a table that lists the playbooks that are part of the "14- Communications" collection in the Content Pack:
Name of the playbook |
Add Note for Communication Linked |
Add Note for Communication Linked (Received) |
Link Communication Record |
Link Previous Communications |
Manual Send Notification |
Notify > Email |
Notify > Email Reply |
Send Notification |
You can use the playbooks in the 15 – Hunt - Sunburst to demonstrate the Sunburst Hunt techniques.
Following is a table that lists the playbooks that are part of the "15- Hunt - Sunburst" collection in the Content Pack:
Name of the playbook |
Block Sunburst Indicators |
Hunt Sunburst IOCs |
Hunt Sunburst Indicator |
You can use the Scenario Playbook Collections to set up various scenarios in FortiSOAR such as Brute Force Attempt, Comprised Credentials, etc., and demonstrate how FortiSOAR is used to respond to these scenarios.
Following is a table that lists the playbooks that are part of the "16- Scenario" collection in the Content Pack:
Name of the playbook |
Generate > Brute Force Attempt |
Generate > Compliance Alert |
Generate > Device Lost/Stolen |
Generate > DLP Alert |
Generate > FortiAnalyzer (C&C Alert) |
Generate > FortiAnalyzer (User login from SSH) |
Generate > IDS Alert |
Generate > Malware Alert (Host1) |
Generate > Malware Alert (Host2) |
Generate > Malware Alert (Host3) |
Generate > PaloAlto Blocked C2 Connection Alert |
Generate > PaloAlto Panorama Threat Alert |
Generate > S3 Bucket Alert |
Following is a table that lists the playbooks that are part of the "16- Scenario - Brute Force Attack Scenario" collection in the Content Pack:
Name of the playbook |
Generate > FortiSIEM (Brute Force Attack) |
Following is a table that lists the playbooks that are part of the "16- Scenario - Compromised Credentials Scenario" collection in the Content Pack:
Name of the playbook |
Generate > FortiSIEM (01 - Initial Access - Firewall Configuration Change - Port Forwarding) |
Generate > FortiSIEM (02 - Initial Access - Firewall Configuration Change - Policy Change) |
Generate > FortiSIEM (03 - Persistence - Domain User Created) |
Generate > FortiSIEM (04 - Persistence - User Password Reset) |
Generate > FortiSIEM (05 - Persistence - User Added to Administrator Group) |
Generate > FortiSIEM (06 - Persistence - Schedule Task) |
Generate > FortiSIEM (07 - Exfiltration - File Transfer) |
Following is a table that lists the playbooks that are part of the "16- Scenario - FortiDeceptor" collection in the Content Pack:
Name of the playbook |
Generate > FortiDeceptor Alerts |
Following is a table that lists the playbooks that are part of the "16- Scenario - FortiSIEM" collection in the Content Pack:
Name of the playbook |
Generate > FortiSIEM (Concurrent Successful Authentications To Same Account From Multiple Countries) |
Generate > FortiSIEM (Excessive Denied Connections) |
Generate > FortiSIEM (Important process down) |
Generate > FortiSIEM (Large Outbound Transfer) |
Generate > FortiSIEM (Process Stopped) |
Generate > FortiSIEM (Sudden Increase in System Memory Usage) |
Following is a table that lists the playbooks that are part of the "16- Scenario - LogRhythm" collection in the Content Pack:
Name of the playbook |
Generate > LogRhythm Alarms |
Following is a table that lists the playbooks that are part of the "16- Scenario - Phishing Scenario" collection in the Content Pack:
Name of the playbook |
Generate > Phishing Alert |
Following is a table that lists the playbooks that are part of the "16- Scenario - Sunburst" collection in the Content Pack:
Name of the playbook |
Generate > Sunburst Alert |
Following is a table that lists the playbooks that are part of the "16- Scenario - Symantec" collection in the Content Pack:
Name of the playbook |
Generate > Symantec CloudSOC (External Filesharing Alert) |
Generate > Symantec Email.Cloud |
There are also other various playbook collections, such as SLA Management Playbooks, System Notification and Escalation Playbooks, War Room Automation, etc., that are included by default as 'System Fixtures' in FortiSOAR. For more information on System Fixtures, see the FortiSOAR Administration Guide. The following tables list the various playbook collections that are part of System Fixtures.
Following is a table that lists the playbooks that are part of the "Approval/Manual Task Playbooks" collection:
Name of the playbook |
Approval > Notify Owners |
Approval > Notify Updated Owners |
Manage Approval via API |
Manual Task > Resume Playbook |
Following is a table that lists the playbooks that are part of the "Comment Notifications" collection:
Name of the playbook |
> Comment - Send Email Notification |
Comment > Notify Mentioned/Tagged People on Comment Create |
Comment > Notify Mentioned/Tagged People on Comment Update |
Following is a table that lists the playbooks that are part of the "Report Management Playbooks" collection:
Name of the playbook |
> Generate Report |
Export Report |
Generate Incident Summary Report |
Generate Report from Schedule |
Following is a table that lists the playbooks that are part of the "SLA Management Playbooks" collection:
Name of the playbook |
Alert > Set Assigned Date (upon creation) |
Alert > Set Assigned Date (upon reassignment) |
Alert > Set Resolved Date |
Incident > Set Assigned Date (upon creation) |
Incident > Set Assigned Date (upon reassignment) |
Incident > Set Resolved Date |
Following is a table that lists the playbooks that are part of the "Schedule Management Playbooks" collection:
Name of the playbook |
Agent > Check For Missed Heartbeats |
Agent > Trigger Health Check |
AuditLog Cleanup |
Playbook execution history cleanup |
Purge Integration Logs |
Following is a table that lists the playbooks that are part of the "System Notification and Escalation Playbooks" collection:
Name of the playbook |
Alert > Escalate To Incident |
Alert > Escalate To Incident (No Trigger) |
Alert > Escalate to Incident (Link Relations) |
Alert > Notify Creation (Email) |
Alert > Notify Creation (System) |
Alert > Notify Updation (System) |
Incident > Notify Creation (Email) |
Incident > Notify Creation (System) |
Incident > Notify Updation |
Resolve Alert |
Tasks > Notify Creation (Email) |
Tasks > Notify Creation (System) |
Tasks > Notify Updation |
Tasks > Post-Create: Assign user owner |
Tasks > Post-Update: Assign user owner |
Following is a table that lists the playbooks that are part of the "Utilities Playbooks" collection:
Name of the playbook |
Link Similar Alerts |
Link Similar Emails |
Link Similar Incidents |
Link Similar Indicators |
Following is a table that lists the playbooks that are part of the "War Room Automation" collection:
Name of the playbook |
Cascade Ownership for Newly Linked Records |
Generate War Room Report |
Notify New Announcement |
Notify Newly Linked Team |
Notify Newly Linked User(s) |
Send Email |
Send Email Notification |
Send War Room Summary Email |
Set War Room Live and Notify Responders |
Set up War Room from Alerts |
Set up War Room from Incidents |
Update War Room Close Date |
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
Thanks for the reply.
Can you also expand on the use of the Sensitive Files module? How should this be used?
Can you expand on the use of the Users module? Is this for storing "threat actors" or "target users"?
TIA
-=Dan=-
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
Thanks for the reply.
Can you also expand on the use of the Sensitive Files module? How should this be used?
Can you expand on the use of the Users module? Is this for storing "threat actors" or "target users"?
TIA
-=Dan=-
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
Thanks for the reply.
Can you also expand on the use of the Sensitive Files module? How should this be used?
Can you expand on the use of the Users module? Is this for storing "threat actors" or "target users"?
TIA
-=Dan=-
So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module. It would appear from your documentation that the Emails module was its intent. The description sounds like exactly what we want. What is your recommendation?
Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOARâ„¢ extracts, and stores the Email Headers for further investigation. FortiSOARâ„¢ also creates an alert with a link to the email.
How to handle False Positives
Here's the issue. If the email is a false positive, how do we send this back to Gmail for delivery? We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration. Has anyone solved this issue? Options we see are:
1. There is an Gmail API that can allow sending a message. This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To and using the "inbound gateway" function to stop breaking SPF/DMARC.
https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP. Not sure how.
Any recommendations here?
TIA
<<Dan>>
Dan Smart
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.