FortiSOAR Discussions
Namrata
Staff
Staff

FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

The FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) provides you with a snapshot of the configuration data and other items that can help you to optimally use and experience FortiSOAR's incident response.

This article provides a listing and brief description of the various types of playbook collections included in the Content Pack. You can use the playbooks to perform varied operations used to automate security processes across your organization. These playbooks can also be used to simulate use cases and provide training for FortiSOAR.

The playbooks are categorized as follows based on the type of function they perform such as ingestion, enrichment, triaging, etc.  

Ingestion Playbook Collection


You can use the playbooks in the 01-Ingest collection to ingest data from external SIEM solutions like LogRhythm. and other third-party sources like threat intelligence platforms like ThreatQ, email solutions, etc.

Following is a table that lists the playbooks that are part of the "01-Ingest" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Elastic > Create Alert

Receives 'Login Failure Events' from Elastic using Watcher.

> Elastic > Create Alert (Single Record)

Creates an alert record for events created in Elastic.

Email > Extract Indicators

Extracts indicators from the body and header of the email.

Email (Manual Attach) > File to Alert (Suspicious Email)

Attaches an email to an alert of type 'Suspicious Email', which is further used for investigations.

Email (Manual Upload) > Extract Attachments

Extracts attachments from emails, creates indicators, and then links them to the parent alert.

Email (Manual Upload) > Investigate

Extracts email metadata from an email file that is uploaded, e.g. mail.eml or mail.msg.

Indicator > Import Bulk Indicators

Extracts indicators from the specified text.

>> JASK >  Create Alert for Insight

Creates alerts for JASK Insight.

>> JASK > Create or Find Indicator and Comment

Creates or finds an indicator and associated comments from JASK Insight.

>> JASK >  Get Signal Details

Retrieves details of JASK Signals.

JASK > Ingest Insights

Pulls insight data from JASK.

LogRhythm > Fetch Alarms

Pulls alarms created between the specified duration from LogRhythm.

> LogRhythm > Generate LogRhythm Records

Creates LogRhythm records.

Phishing/Suspicious Email Alert > Extract Indicators

Extract Indicators from the body and header of alerts that are of type "Phishing" and "Suspicious Email".

Symantec CloudSOC > Fetch Incidents

Retrieves incidents from Symantec CloudSOC.

> Symantec CloudSOC > Fetch Incidents > Create Single Alert

Creates a single alert for Symantec CloudSOC incidents.

Symantec Email.Cloud > Fetch Alert

Retrieves alerts from Symantec Email.Cloud.

Tenable.io > Fetch Assets

Retrieves assets for the specified scan from Tenable.io.

> Tenable.io > Fetch Assets > Ingest Asset

Creates a new asset record in Tenable.io and builds the relation between the scan and the asset.

Tenable.io > Fetch Scan

Retrieves scans for the specified scan from Tenable.io.

> Tenable.io > Fetch Scan > Ingest Scan

Creates a new scan record.

Tenable.io > Fetch Vulnerabilities

Retrieves vulnerabilities for the specified asset from Tenable.io.

> Tenable.io > Fetch Vulnerabilities > Ingest Vulnerabilities

Creates a new vulnerability record in Tenable.io and builds the relationship between the asset and the vulnerabilities.

Tenable.io > Fetch Vulnerability Details

Retrieves vulnerability information for the specified vulnerability from Tenable.io.

Threat Intel > Create Indicators

Retrieves indicators that have been created or updated in the past 24 Hours from ThreatQ.

Note:
> sign indicates child playbooks
>> sign indicates reference playbooks

Enrichment Playbook Collection


You can use the playbooks in the 02-Enrich collection to perform enrichment of data, which is one of the first incident response tasks. Automating data enrichment tasks help to better manage increasing volumes of threats and provide more actionable context to the analysts. An example of an enrichment type playbook would be retrieving the reputation of a file, domain, URL, etc. from threat intelligence platforms such as Anomali ThreatStream and VirusTotal

Following is a table that lists the playbooks that are part of the "02-Enrich" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Asset > Get Running Process

Retrieves a list of all processes that are running on the specified host.

Attachment > Get File Reputation

Retrieves the reputation of a file that is submitted from FortiSOAR to VirusTotal.

>> Create Indicators (Batch)

Creates indicator records in bulk.

Extract Indicators

Extracts and creates indicators from the specified data and then enriches specific fields in alerts with the indicator data.

Extract Indicators > Manual

Extracts and creates indicators from the specified alert records and then enriches specific fields in alerts with the indicator data.

>> Fotinet Fortisandbox (Get Reputation) > Get Scan Results

Retrieves the job verdict details for submitted samples based on the specified job ID.

Get Related IOCs For An IP

Retrieves related IOCs for a specified IP address from threat intel sources.

Get Reputation After Specified Time

Re-enriches indicators after a specified time.

Indicator (Manual Trigger)  > Get Latest Reputation

Retrieves the reputation of indicators using configured threat intelligence tools.

Indicator (Type All) > Get Latest Reputation

Retrieves the reputation of indicators using configured threat intelligence tools.

Indicator (Type Domain) > Get Reputation

Retrieves the reputation of indicators of type 'Domain' using configured threat intelligence tools.

Indicator (Type Email) > Get Reputation

Retrieves the reputation of indicators of type 'Email Address' using configured threat intelligence tools.

Indicator (Type File) > Get Reputation

Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools.

Indicator (Type File) > Get Reputation (Fortinet Sandbox)

Submits a file to Fortinet Sandbox and then retrieves its reputation.

Indicator (Type File - MD5) > Get Reputation

Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools.

Indicator (Type Host) > Get Reputation

Retrieves the reputation of indicators of type 'Host' using configured threat intelligence tools.

Indicator (Type IP) > Get Reputation

Retrieves the reputation of indicators of type 'IP Address' using configured threat intelligence tools.

Indicator (Type Port) > Get Reputation

Retrieves the reputation of indicators of type 'Port' using configured threat intelligence tools.

Indicator (Type Process) > Get Reputation

Retrieves the reputation of indicators of type 'Process' using configured threat intelligence tools.

Indicator (Type URL) > Get Reputation

Retrieves the reputation of indicators of type 'URL' using configured threat intelligence tools.

Indicator (Type User Account) > Get Details

Retrieves the details of indicators of type 'User Account' using configured threat intelligence tools.

Note:
> sign indicates child playbooks
>> sign indicates reference playbooks

 

Following is a table that lists the playbooks that are part of the "02-Enrich (Pluggable)" collection in the Content Pack:

Name of the playbook

AlienValut OTX - File MD5 Reputation

AlienValut OTX - IP Reputation

AlienValut OTX - URL Reputation

AlienVault-OTX - Domain Reputation

Anomali Threatstream - Email Reputation

Anomali Threatstream - File MD5 Reputation

Anomali Threatstream - IP Reputation

Anomali Threatstream - URL Reputation

Cisco Threat Grid - File Reputation

Fortinet Web Filter Lookup - Domain Reputation

Fortinet Web Filter Lookup - URL Reputation

IP Stack - Domain Geo Location

IP Stack - IP Reputation

Indicator (Domain) > Get Latest Reputation

Indicator (Email) > Get Latest Reputation

Indicator (File MD5) > Get Latest Reputation

Indicator (File) > Get Latest Reputation

Indicator (IP Address) > Get Latest Reputation

Indicator (Manual Trigger)  > Get Latest Reputation

Indicator (Type All) > Get Latest Reputation

Indicator (Type File - MD5) > Get Reputation

Indicator (Type Host) > Get Latest Reputation

Indicator (Type Process) > Get Latest Reputation

Indicator (URL) > Get latest Reputation

MXToolBox - IP Reputation

Symantec Deepsight Intelligence - File MD5 Reputation

ThreatQ - Email Reputation

URLVoid - Domain Reputation

URLVoid - URL Reputation

VirusTotal - Domain Reputation

VirusTotal - URL Reputation

Virustotal - File MD5 Reputation

Virustotal - File Reputation

Virustotal - IP Reputation

Whois - IP Reputation

Triaging Playbook Collection


You can use the playbooks in the 03-Triage collection to perform actions such as sorting, systematize, computing, etc. your enriched data, enabling you to quickly investigate the incident and take decisions for containment and resolution of the incident.

Following is a table that lists the playbooks that are part of the "03-Triage" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Compute Alert Priority Weight (Post Update)

Computes and sets the priority weight for an alert, when the alert is updated. The priority weight is calculated based on indicators related to the alert.

Compute Alert Priority Weight (Post Update - Indicator Linked)

Computes and sets the priority weight for an alert, when an indicator related to the alert is updated. The priority weight is calculated based on indicators related to the alert.

Compute Alert Priority Weight (Post Update - Indicator Reputation Update)

Computes and sets the priority weight for an alert, when the reputation of an indicator is updated. The priority weight is calculated based on indicators related to the alert.

Find and Relate Similar Alerts

Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts.

Find and Relate Similar Alerts - ML

Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts using the recommendation APIs (ML).

Flag Indicators Linked across multiple alerts

Flags change in indicators that are linked to multiple alerts.

Map Historical Alerts and Escalate for malicious Indicators

Creates a mapping for historical alerts and then escalates the alerts to incidents if malicious indicators are found. If the incident already exists, then the information is updated into the incident; else a new incident is created.

Prioritize Alerts With VIP Assets

Raises the severity of the alert if it is associated with a supercritical asset.

Update Alert Severity for Malicious Indicators

Set the alert's severity to 'Critical' if its associated indicators are found to be 'malicious'.

Use Cases Playbook Collection


You can use the playbooks in the 04-Use Cases collection to understand and perform various tasks or steps needed to deal with an incident, such as a Phishing attack or a Brute Force Attempt.

Following is a table that lists the playbooks that are part of the "04-Use Cases" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Investigate and Escalate Symantec Email.Cloud Phishing Alert

Investigates an alert ingested from Symantec Email.Cloud of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'.

Investigate Brute Force Attempt

Investigates login failures and also identifies other impacted assets.

Investigate Brute Force Attempt (FortiSIEM)

Investigates login failures from FortiSIEM and also identifies other impacted assets.

Investigate C2 Malware Traffic

Investigates C2 Malware Traffic and blocks malicious content if indicators associated with the alert are found to be 'Malicious'.

Investigate Command & Control

Enriches alerts for C&C behavior.

Investigate Compliance Alert

Investigates alerts of type 'Compliance'.

Investigate Concurrent login from different geolocation

Investigates alerts of type 'Concurrent Login' by checking if the source IP address is in the specified CIDR range, and then performs remediation tasks based on the result.

Investigate Data Leakage Alert (Symantec CloudSOC)

Investigates a data leakage alert that is ingested from Symantec CloudSOC and performs containment and remediation tasks if sensitive data is leaked.

Investigate DNS Exfiltration

Investigates an alert ingested from Splunk using threat intelligence reports retrieved from Intel471 and by querying Splunk. Containment tasks are performed if malicious activity is found.

Investigate Firewall Policy Violation

Investigates policy violations and retrieves information about Destination and Source IP addresses along with the Protocol and Port used and then disables the system from the domain.

Investigate Lateral Movement & VPN Breach Detection

Investigates a FortiDeceptor Malicious IP Lateral Movement and performs containment and remediation tasks if a breach is detected.

Investigate Lost / Stolen device

Investigates lost or stolen devices using ServiceNow and Active Directory.

> Investigate Malicious Indicator >> Hunt

Referenced by 'Investigate Malicious Indicator' playbook.

> Investigate Malicious Indicator >> Hunt >> QRadar Threat Hunt

Performs QRadar Threat Hunting on last 7 days on the specified IOC.

Investigate Malicious Indicators

Hunts malicious indicators and provides their summary for review by analysts.

Investigate Malware Infection

Investigates a malware infection by querying ElasticSearch and Active Directory

Investigate Reconnaissance

Investigates alerts of type 'Reconnaissance'.

Investigate S3 Bucket Permission Change

Investigate a change in the S3 permissions, and performs containment and remediation tasks if the change is in violation of the S3 policy.

Investigate Suspicious Email

Investigates an alert of type 'Suspicious Email', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'.

Investigate Symantec EMail.Cloud Alert

Investigates an alert ingested from Symantec EMail.Cloud of type 'Suspicious Email'.

Investigate Windows Sysmon event

Investigates a Windows Sysmon event, and escalates the alert to an 'Incident' if malware is detected.

Phishing Alert > Investigate and Escalate

Investigates an alert of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'.

Process CarbonBlack Bit9 Approval Requests

Creates tasks against an incident to complete all requests listed in CarbonBlack Bit9 and sends requests for their approval process.

> Process CarbonBlack Bit9 >> Approval  Requests (Subroutine)

The subroutine of CarbonBlack Bit9 approval process.

Rapid7 - Fetch Scan and Deploy Patch

Automates patch deployments by looking up Rapid7 Scan results.

Rapid7 - Fetch Scan and Deploy Patch (Scheduled)

Creates schedules to initiate patch deployments.

> Rapid7 >>  Patch (Subroutine)

Deploys patches using MS SCCM.

Remediate Malware Alert (Symantec EDR / ATP)

Investigates an alert ingested from Symantec EDR / ATP of type 'Malware', and blocks entities that are found to be 'Malicious'.

Note:
> sign indicates child playbooks
>> sign indicates reference playbooks

Actions Playbook Collection


You can use the playbooks in the 05-Actions collection to perform various operations or actions such as blocking or unblocking domains, URLs, hosts, etc.

Following is a table that lists the playbooks that are part of the "05-Actions" collection in the Content Pack. Note that we have not included a brief description or usage of the playbooks since the names are self-explanatory.

Name of the playbook

Action > Asset Mitigation

Action - Domain - Block (Indicator)

Action - Domain - Block (Specified by User)

Action - Domain - Unblock (Indicator)

Action - Domain - Unblock (Specified by User)

Action - Email Address - Block (Indicator)

Action - Email Address - Block (Specified by User)

Action - Email Address - Unblock (Indicator)

Action - Email Address - Unblock (Specified by User)

Action - File - Block (Indicator)

Action - File - Block (Specified by User)

Action - File MD5 - Block (Indicator)

Action - File MD5 - Block (Specified by User)

Action - File MD5- Unblock (Indicator)

Action - File MD5 - Unblock (Specified by User)

Action - File - Unblock (Indicator)

Action - File - Unblock (Specified by User)

Action - Host - Block (Indicator)

Action - Host - Block (Specified by User)

Action - Host - Isolate Host

Action - Host - Unblock (Indicator)

Action - Host - Unblock (Specified by User)

Action - IP Address - Block (Forticlient EMS)

Action - IP Address - Block (Fortigate,FortiEDR)

Action - IP Address - Block (Indicator)

Action - IP Address - Block (Specified by User)

Action - IP Address - Unblock (Indicator)

Action - IP Address - Unblock (Specified by User)

Action (Type All) > Block Indicators

Action - URL - Block (Indicator)

Action - URL - Block (Specified by User)

Action - URL - Unblock (Indicator)

Action - URL - Unblock (Specified by User)

Alert > Disable Specific User (FortiDeceptor)

Asset > Deploy Patch

Incident > Get Running Process

Hunt Playbook Collection


You can use the playbooks in the 06-Hunt collection to automate threat hunting processes and search and identify suspicious domains, malware, and other indicators in your environment and create alerts based on them.

Following is a table that lists the playbooks that are part of the "06-Hunt" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Hunt Indicators

Searches for specified indicators in your environment using EDR tools, and create alerts for ones that are found.

ChatOps Playbook Collection


You can use the playbooks in the 07 - ChatOps collection to perform various operations such as fetching alert and incident details, using a Bot.

Following is a table that lists the playbooks that are part of the "07-Chatops" collection in the Content Pack:

Name of the playbook

Usage of the playbook

Bot command > Display Options

Displays the Bot Commands.

Bot Command > Get Alerts

Retrieves the details for a specific alert whose alert ID is provided.

Bot Command > Get Incidents

Retrieves the details for a specific incident whose incident ID is provided.

Bot Command > GetLocation

Retrieves the geolocation details for a specific indicator.

Bot Command > Get Reputation

Retrieves the reputation for a specific indicator.

Bot Command > Get Similar Alerts

Retrieves the alert records that are similar to a specific alert whose alert ID is provided.

Bot > Execute commands

Executes a specific Bot Command when fired.

code snippet

Executes the provided Python code.

Case Management Playbook Collection


You can use the playbooks in the 08 – Case Management collection to automate processes related to cases, including operations such as adding a user as a record owner, checking for SLA violations, calculating queued and resolution time for alerts, etc.

Following is a table that lists the playbooks that are part of the "08-Case Management" collection in the Content Pack:

Name of the playbook

Add a User to the Owners List

Alert > [01] Capture All SLA (Upon Create)

Alert > [02] Capture Ack SLA (Upon Update)

Alert > [03] Capture Response SLA (Upon Update)

Alert > [04] Check for SLA violations

Alert > [05] Update Ack and Response Due dates (Post Severity Change)

Alert > Close Corresponding SIEM Alert

> Alert >> Periodic Update Alert SLA Status

Alert > Set Metrics (Upon Close)

> Alert >> Update SLA Details

Approval > On Create

Approval > On Email Receipt (Exchange)

Approval > On Email Receipt (IMAP)

Approval > On Email Receipt >> Process Email

Assign Random User to Unassigned Alerts

Assign Random User to Unassigned Incidents

Escalated Alert > Copy Related Records to Incidents

Escalated Alert > Related Asset Records to Incidents

Export Selected Records

>> Fetch SLA Details

Import Data

Incident > [01] Capture All SLA (Upon Create)

Incident > [02] Capture Ack SLA (Upon Update)

Incident > [03] Capture Response SLA (Upon Update)

Incident > [04] Check for SLA violations

Incident > [05] Update Response and Ack Due date (Post Severity Change)

> Incident >> Periodic Update Incident SLA Status

Incident (Post Create) Phase Change

Incident (Post Update) Phase Change

>> Incident - Set Phase Dates

Incident Summary Notification

> Incidents >> Update SLA Details

Indicator > Check Expiry Status

Indicator > Set Default Expiry Date

Indicator > Set First Seen Date

Indicator > Set Last Seen Date

Notify Blocked Indicator Status to Linked Alerts

Pause SLA - Alerts

Pause SLA - Incidents

Prompt when Indicator  linked is to Campaign

Set Prompt to an Alert

<Temp> Create Demo Approval

<Temp> Pull Emails - Manual (Exchange)

<Temp> Pull Emails - Manual (IMAP)

 

Following is a table that lists the playbooks that are part of the "08-Case Management (Extended)" collection in the Content Pack:

Name of the playbook

Incident > [06] Check for Ack SLA violations

Incident > [07] Check for Response SLA violations

>> Notify Ack SLA Violation

>> Notify Response SLA Violation

Incident Response Playbook Collection


You can use the playbooks in the 09 – Incident Response collection to help you plan your response to an incident such as a malware attack, etc.

Following is a table that lists the playbooks that are part of the "09- Incident Response" collection in the Content Pack:

Name of the playbook

Incident Response Plan (Type - Malware)

Incident Response Plan (Type - NIST 800-61 - Generic)

NIST 800-61 - Upfront Tasks

Utilities Playbook Collection


You can use the playbooks in the 10 – Utilities collection to perform various operations in FortiSOAR such as creating and linking assets to specified emails, alerts, or incidents, exporting all records or a specified module, or scheduling the health check of connectors and send appropriate notifications.

Following is a table that lists the playbooks that are part of the "10- Utilities" collection in the Content Pack:

Name of the playbook

Add Attacker Tag to Indicator (FortiDeceptor)

Create and Link Asset

Create and Link Indicator

Download and Create Attachment

Export as CSV

> Get Paginated Records

Notify Connector Health Check Failures

Notify Failed Playbook Executions

Demo Playbook Collection


You can use the playbooks in the 11 – Demo collection to create various artifacts required to demonstrate various scenarios, such as the creation of a demo incident record to demonstrate a malware incident response, creation of global various required by playbooks, creation of default SLA templates, etc.

Following is a table that lists the playbooks that are part of the "11- Demo" collection in the Content Pack:

Name of the playbook

Add to Exclude List

Create Default Global Variables

Create Default SLA Templates

Create Demo Campaigns

Create Sample Records - IR, Threat Intelligence and Vulnerability Management

Create Sample Records - Legal , Physical Incidents

Demo Incident Response Records

Demo Scenario #1 - Compromised Credential

Download and Create Attachment

Email Based Alert Ingestion

>> (Email Based Ingestion) Create Alert

Generate > Attachment Records

Generate > Malware Incident

Generate > Tenable Scan, Assets and Vulnerabilities

>> Get Similar Alerts > Fetch Similar Alerts

Reset Sample Records (Database)

Sample > Create FortiSOAR Users

Sample > Reset Environment

> Sample Users

Send Counseling Email

Setup Connector

Setup Connector Configurations

Setup Default Appliance Roles

Setup Default Configuration for Code Snippet

Setup Default Configuration for SLA Calculator

Setup Default Configuration for SOC  Simulator

Training Playbook Collection


You can use the playbooks in the 12 – Training collection to provide FortiSOAR training.

Following is a table that lists the playbooks that are part of the "12- Training" collection in the Content Pack:

Name of the playbook

01 - Investigate Filehash (Manual)

02 - Investigate Filehash (Semi Automated)

03 - Investigate Filehash (Fully Automated)

MITRE ATT&CK™ Playbook Collections


The MITRE ATT&CK Playbook Collections demonstrate various MITRE ATT&CK Techniques.

Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™-CREDENTIAL ACCESS" collection in the Content Pack:

Name of the playbook

>> Create and Link Alerts from Hunt (Host-based)

HUNTS- Credential Dumping (T1003)

HUNTS- Credential Dumping (T1003) Part2

 

Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CK™-DEFENSE EVASION" collection in the Content Pack:

Name of the playbook

HUNTS- Deobfuscate/Decode Files or Information (T1140

HUNTS-DCShadow (T1207)

 

Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CK™- Modulars" collection in the Content Pack:

Name of the playbook

Create Alert from Network Sensor and Link to Hunt

Create and Link Alerts from Asset (Host-based)

Create and Link Alerts from Hunt (Host-based)

Create and Link Indicator from Alert

Create and Link User

Create Asset from Alert

Create User from Alert (Host)

Deduplicate Comments (Asset)

Deduplicate Comments (Hunt)

 

Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PERSISTENCE" collection in the Content Pack:

Name of the playbook

HUNTS- AppInit DLLs (T1103)

HUNTS- Hidden Files and Directories (T1158)

HUNTS- Netsh Helper DLL (T1128)

HUNTS- Screensaver (T1180)

HUNTS- Winlogon Helper DLL (T1004)

 

Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PRIVILEGE ESCALATION" collection in the Content Pack:

Name of the playbook

HUNT- SID-History Injection (T1178)

 

Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PROCESS EXECUTION" collection in the Content Pack:

Name of the playbook

>ASSETS- Service Execution (Enrichment) (T1035)

ASSETS- Service Execution (T1035)

HUNTS- CMSTP (T1191)

HUNTS- Compiled HTML File (T1223)

HUNTS- Control Panel Items (T1196)

HUNTS- Dynamic Data Exchange (T1173)

HUNTS- InstallUtil (T1118)

HUNTS- LSASS Driver (T1177)

HUNTS- Mshta (T1170)

HUNTS- Regsvcs/Regasm (T1121)

HUNTS- Rundll32 (T1085)

HUNTS- XSL Script Processing (T1220)

 

Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- Pull-Technique-Details" collection in the Content Pack:

Name of the playbook

Link ATT&CK technique to Alert

Communication Playbook Collection


You can use the playbooks in the 14 – Communications collection to automate various communication-related tasks such as sending a notification email or adding a note to a communication thread.

Following is a table that lists the playbooks that are part of the "14- Communications" collection in the Content Pack:

Name of the playbook

Add Note for Communication Linked

Add Note for Communication Linked (Received)

Link Communication Record

Link Previous Communications

Manual Send Notification

Notify > Email

Notify > Email Reply

Send Notification

Hunt - Sunburst Playbook Collection


You can use the playbooks in the 15 – Hunt - Sunburst to demonstrate the Sunburst Hunt techniques.

Following is a table that lists the playbooks that are part of the "15- Hunt - Sunburst" collection in the Content Pack:

Name of the playbook

Block Sunburst Indicators

Hunt Sunburst IOCs

Hunt Sunburst Indicator

Scenario Playbook Collections


You can use the Scenario Playbook Collections to set up various scenarios in FortiSOAR such as Brute Force Attempt, Comprised Credentials, etc., and demonstrate how FortiSOAR is used to respond to these scenarios.

Following is a table that lists the playbooks that are part of the "16- Scenario" collection in the Content Pack:

Name of the playbook

Generate > Brute Force Attempt

Generate > Compliance Alert

Generate > Device Lost/Stolen

Generate > DLP Alert

Generate > FortiAnalyzer (C&C Alert)

Generate > FortiAnalyzer (User login from SSH)

Generate > IDS Alert

Generate > Malware Alert (Host1)

Generate > Malware Alert (Host2)

Generate > Malware Alert (Host3)

Generate > PaloAlto Blocked C2 Connection Alert

Generate > PaloAlto Panorama Threat Alert

Generate > S3 Bucket Alert

 

Following is a table that lists the playbooks that are part of the "16- Scenario - Brute Force Attack Scenario" collection in the Content Pack:

Name of the playbook

Generate > FortiSIEM (Brute Force Attack)

 

Following is a table that lists the playbooks that are part of the "16- Scenario - Compromised Credentials Scenario" collection in the Content Pack:

Name of the playbook

Generate > FortiSIEM (01 - Initial Access - Firewall Configuration Change - Port Forwarding)

Generate > FortiSIEM (02 - Initial Access - Firewall Configuration Change - Policy Change)

Generate > FortiSIEM (03 - Persistence - Domain User Created)

Generate > FortiSIEM (04 - Persistence - User Password Reset)

Generate > FortiSIEM (05 - Persistence - User Added to Administrator Group)

Generate > FortiSIEM (06 - Persistence - Schedule Task)

Generate > FortiSIEM (07 - Exfiltration - File Transfer)

 

Following is a table that lists the playbooks that are part of the "16- Scenario - FortiDeceptor" collection in the Content Pack:

Name of the playbook

Generate > FortiDeceptor Alerts

 

Following is a table that lists the playbooks that are part of the "16- Scenario - FortiSIEM" collection in the Content Pack:

Name of the playbook

Generate > FortiSIEM (Concurrent Successful Authentications To Same Account From Multiple Countries)

Generate > FortiSIEM (Excessive Denied Connections)

Generate > FortiSIEM (Important process down)

Generate > FortiSIEM (Large Outbound Transfer)

Generate > FortiSIEM (Process Stopped)

Generate > FortiSIEM (Sudden Increase in System Memory Usage)

 

Following is a table that lists the playbooks that are part of the "16- Scenario - LogRhythm" collection in the Content Pack:

Name of the playbook

Generate > LogRhythm Alarms

 

Following is a table that lists the playbooks that are part of the "16- Scenario - Phishing Scenario" collection in the Content Pack:

Name of the playbook

Generate > Phishing Alert

 

Following is a table that lists the playbooks that are part of the "16- Scenario - Sunburst" collection in the Content Pack:

Name of the playbook

Generate > Sunburst Alert

 

Following is a table that lists the playbooks that are part of the "16- Scenario - Symantec" collection in the Content Pack:

Name of the playbook

Generate > Symantec CloudSOC (External Filesharing Alert)

Generate > Symantec Email.Cloud

System Fixtures Playbook Collections


There are also other various playbook collections, such as SLA Management Playbooks, System Notification and Escalation Playbooks, War Room Automation, etc., that are included by default as 'System Fixtures' in FortiSOAR. For more information on System Fixtures, see the FortiSOAR Administration Guide. The following tables list the various playbook collections that are part of System Fixtures.

Following is a table that lists the playbooks that are part of the "Approval/Manual Task Playbooks" collection:

Name of the playbook

Approval > Notify Owners

Approval > Notify Updated Owners

Manage Approval via API

Manual Task > Resume Playbook

 

Following is a table that lists the playbooks that are part of the "Comment Notifications" collection:

Name of the playbook

> Comment - Send Email Notification

Comment > Notify Mentioned/Tagged People on Comment Create

Comment > Notify Mentioned/Tagged People on Comment Update

 

Following is a table that lists the playbooks that are part of the "Report Management Playbooks" collection:

Name of the playbook

> Generate Report

Export Report

Generate Incident Summary Report

Generate Report from Schedule

 

Following is a table that lists the playbooks that are part of the "SLA Management Playbooks" collection:

Name of the playbook

Alert > Set Assigned Date (upon creation)

Alert > Set Assigned Date (upon reassignment)

Alert > Set Resolved Date

Incident > Set Assigned Date (upon creation)

Incident > Set Assigned Date (upon reassignment)

Incident > Set Resolved Date

 

Following is a table that lists the playbooks that are part of the "Schedule Management Playbooks" collection:

Name of the playbook

Agent > Check For Missed Heartbeats

Agent > Trigger Health Check

AuditLog Cleanup

Playbook execution history cleanup

Purge Integration Logs

 

Following is a table that lists the playbooks that are part of the "System Notification and Escalation Playbooks" collection:

Name of the playbook

Alert > Escalate To Incident

Alert > Escalate To Incident (No Trigger)

Alert > Escalate to Incident (Link Relations)

Alert > Notify Creation (Email)

Alert > Notify Creation (System)

Alert > Notify Updation (System)

Incident > Notify Creation (Email)

Incident > Notify Creation (System)

Incident > Notify Updation

Resolve Alert

Tasks > Notify Creation (Email)

Tasks > Notify Creation (System)

Tasks > Notify Updation

Tasks > Post-Create: Assign user owner

Tasks > Post-Update: Assign user owner

 

Following is a table that lists the playbooks that are part of the "Utilities Playbooks" collection:

Name of the playbook

Link Similar Alerts

Link Similar Emails

Link Similar Incidents

Link Similar Indicators

 

Following is a table that lists the playbooks that are part of the "War Room Automation" collection:

Name of the playbook

Cascade Ownership for Newly Linked Records

Generate War Room Report

Notify New Announcement

Notify Newly Linked Team

Notify Newly Linked User(s)

Send Email

Send Email Notification

Send War Room Summary Email

Set War Room Live and Notify Responders

Set up War Room from Alerts

Set up War Room from Incidents

Update War Room Close Date

 

11 REPLIES 11
Daniel_Smart

Thanks Amit.
It would appear that using the MS AD Connector to sync users to this module would give us targets.

What does "on notice" mean?  Not familiar with this term.

-=Dan=-
Dan Smart
Info Security Manager
Vulcan Materials Company


-------------------------------------------
Original Message:
Sent: 3/23/2022 1:51:00 AM
From: Amit
Subject: RE: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Dan, The need of this module was born out of various use cases, which needed an interface with HR data, of employees who were on notice period in an organisation. This was to fetch and sync on that data from HR systems, so that various use cases and alerts from DLP systems, CASBs etc., could be supplemented with more information around the user, and raise the severity if the user was found on this watchlist.

------------------------------
Amit
------------------------------
-------------------------------------------
Original Message:
Sent: Mar 22, 2022 08:57 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Correction to the second question.  What is the purpose of the Employee Watchlist module?  I see now this is for employees.  Is this for managing threat targets or for high risk users and privileged account monitoring?

-=Dan=-
Dan Smart
Info Security Manager
Vulcan Materials Company



Original Message:
Sent: 3/21/2022 6:53:00 PM
From: Daniel
Subject: RE: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Thanks for the reply.

Can you also expand on the use of the Sensitive Files module? How should this be used?
Can you expand on the use of the Users module?  Is this for storing "threat actors" or "target users"?

TIA
-=Dan=-


Original Message:
Sent: Mar 18, 2022 10:10 PM
From: Mahdi Naili
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

FortiSOAR design is meant to be flexible to reflect any customer process, so Emails module is not mandatory (nor Alerts for that matter) you have the freedom to select which modules to use or even create your own and include them in the automation workflow. This being said, typically our customers use the Email module to store a carbon copy of the suspicious emails with all its components as evidence, some added a hash code field to prevent tempering.
Original Message:
Sent: Mar 18, 2022 08:20 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Thanks for the suggestion.  Using the API was our first thought as well.  

Can you describe the workflow that was intended for using the Emails module?  Why should we use this instead of just using the Alerts module directly?  We use case does this solve?

TIA
Original Message:
Sent: Mar 17, 2022 06:27 PM
From: Mahdi Naili
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Extending the current GSuite connector is probably the best solution. Google has a pretty well documented Send Email API
-Naili
Original Message:
Sent: Mar 16, 2022 09:51 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

I'm working on a new install of FSR 7.0.2 with the Incident and MITRE feature packs.  
The main use-case is suspicious phishing email investigation.  We are a Google Workspace Gmail customer.
We currently use the Gmail "Compliance" and Quarantine functionality to hold suspicious email for investigation.  The analyst will then either deliver or reject the email for quarantine.

We want to replace this process with FortiSOAR.  Or current thought is to use GMail Compliance to "modify" the message instead of sending to quarantine. We would then make the following modifications to the incoming email:
  1. Modify Message Headers
    1. Add X-Gm-Original-To header to capture the original envelope recipient.  This functionality is native to Gmail Compliance / Modify.
    2. Add X-Gm-Spam and X-Gm-Phishy headers - to record the reputation that Gmail  safety determined.  This functionality is native to Gmail Compliance / Modify
    3. Add X-VMC-Compliance custom header to the name of the compliance rule that was triggered.
  2. Change Envelope Recipient
    1. Change to suspicious@ vmcmail.com
  3. Suspicious@ vmcmail.com is an IMAP mailbox, so FSR will pull emails from this box

So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module.  It would appear from your documentation that the Emails module was its intent.  The description sounds like exactly what we want.  What is your recommendation?

Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOAR™ extracts, and stores the Email Headers for further investigation. FortiSOAR™ also creates an alert with a link to the email.

How to handle False Positives

Here's the issue.  If the email is a false positive, how do we send this back to Gmail for delivery?  We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration.  Has anyone solved this issue?  Options we see are:

1. There is an Gmail API that can allow sending a message.  This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To  and using the "inbound gateway" function to stop breaking SPF/DMARC.

https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP.  Not sure how.

Any recommendations here?
TIA
<<Dan>>
Dan Smart

Daniel_Smart

I reviewed the IR functionality, and it does include a module called "Users".  This doesn't appear to be a list of "Threat Actors" as is described in the IR addon documentation:

  • Vulnerability Management: The Vulnerability Management section is a collection of all modules typically related to vulnerabilities that exist in your system. It contains the following modules:
    • Users: Users represent a list of users who could potentially cause harm to your systems.


However, this doesn't appear to be either Targets or Threat Actors.  It looks like a way to manage FortiSOAR access maybe?  Can you shed light on the Users module?

uM6cAXyTSMmEy44RRB77_2022-03-23 11_35_24-User-M.pnguM6cAXyTSMmEy44RRB77_2022-03-23 11_35_24-User-M.png
-------------------------------------------
Original Message:
Sent: Mar 23, 2022 08:31 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Thanks Amit.
It would appear that using the MS AD Connector to sync users to this module would give us targets.

What does "on notice" mean?  Not familiar with this term.

-=Dan=-
Dan Smart
Info Security Manager
Vulcan Materials Company



Original Message:
Sent: 3/23/2022 1:51:00 AM
From: Amit
Subject: RE: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Dan, The need of this module was born out of various use cases, which needed an interface with HR data, of employees who were on notice period in an organisation. This was to fetch and sync on that data from HR systems, so that various use cases and alerts from DLP systems, CASBs etc., could be supplemented with more information around the user, and raise the severity if the user was found on this watchlist.

------------------------------
Amit
------------------------------

Original Message:
Sent: Mar 22, 2022 08:57 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Correction to the second question.  What is the purpose of the Employee Watchlist module?  I see now this is for employees.  Is this for managing threat targets or for high risk users and privileged account monitoring?

-=Dan=-
Dan Smart
Info Security Manager
Vulcan Materials Company



Original Message:
Sent: 3/21/2022 6:53:00 PM
From: Daniel
Subject: RE: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Thanks for the reply.

Can you also expand on the use of the Sensitive Files module? How should this be used?
Can you expand on the use of the Users module?  Is this for storing "threat actors" or "target users"?

TIA
-=Dan=-


Original Message:
Sent: Mar 18, 2022 10:10 PM
From: Mahdi Naili
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

FortiSOAR design is meant to be flexible to reflect any customer process, so Emails module is not mandatory (nor Alerts for that matter) you have the freedom to select which modules to use or even create your own and include them in the automation workflow. This being said, typically our customers use the Email module to store a carbon copy of the suspicious emails with all its components as evidence, some added a hash code field to prevent tempering.
Original Message:
Sent: Mar 18, 2022 08:20 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Thanks for the suggestion.  Using the API was our first thought as well.  

Can you describe the workflow that was intended for using the Emails module?  Why should we use this instead of just using the Alerts module directly?  We use case does this solve?

TIA
Original Message:
Sent: Mar 17, 2022 06:27 PM
From: Mahdi Naili
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

Extending the current GSuite connector is probably the best solution. Google has a pretty well documented Send Email API
-Naili
Original Message:
Sent: Mar 16, 2022 09:51 AM
From: Daniel Smart
Subject: FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections

I'm working on a new install of FSR 7.0.2 with the Incident and MITRE feature packs.  
The main use-case is suspicious phishing email investigation.  We are a Google Workspace Gmail customer.
We currently use the Gmail "Compliance" and Quarantine functionality to hold suspicious email for investigation.  The analyst will then either deliver or reject the email for quarantine.

We want to replace this process with FortiSOAR.  Or current thought is to use GMail Compliance to "modify" the message instead of sending to quarantine. We would then make the following modifications to the incoming email:
  1. Modify Message Headers
    1. Add X-Gm-Original-To header to capture the original envelope recipient.  This functionality is native to Gmail Compliance / Modify.
    2. Add X-Gm-Spam and X-Gm-Phishy headers - to record the reputation that Gmail  safety determined.  This functionality is native to Gmail Compliance / Modify
    3. Add X-VMC-Compliance custom header to the name of the compliance rule that was triggered.
  2. Change Envelope Recipient
    1. Change to suspicious@ vmcmail.com
  3. Suspicious@ vmcmail.com is an IMAP mailbox, so FSR will pull emails from this box

So my first question is whether to send these to the Alert module or the send them to the new IR" Emails" module.  It would appear from your documentation that the Emails module was its intent.  The description sounds like exactly what we want.  What is your recommendation?

Emails: Stores emails, which can contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOAR™ extracts, and stores the Email Headers for further investigation. FortiSOAR™ also creates an alert with a link to the email.

How to handle False Positives

Here's the issue.  If the email is a false positive, how do we send this back to Gmail for delivery?  We have the original envelope recipient stored in X-Gm-Original-To, and the old message is actually still stored in the suspicious@ vmcmail.com in the processed folder based on the current connector configuration.  Has anyone solved this issue?  Options we see are:

1. There is an Gmail API that can allow sending a message.  This may allow us to send the message without changing the FROM address.
2. Use SMTP to send the message, setting the envelope recipient to the X-GM-Original-To  and using the "inbound gateway" function to stop breaking SPF/DMARC.

https://support.google.com/a/answer/60730?product_name=UnuFlow&hl=en&visit_id=637830460580148425-414...
3. Somehow deliver the message using IMAP.  Not sure how.

Any recommendations here?
TIA
<<Dan>>
Dan Smart