Help
FortiSOAR Discussions
mohamed44
New Contributor

Created on ‎06-12-2024 04:51 AM

FortiSOAR Update Record Step in Correlation

Hi Team

I have an alert and I have investigated the destination Ip of that alert and I want to update the record correlations to change the indicator description

thanks, on advance

FortiSOAR 

#Update Record Correlations

Muhammed
Muhammed
252
0 Kudos
1 Solution
Jtamboli
Staff
Staff

Created on ‎06-12-2024 07:07 AM Edited on ‎06-12-2024 07:11 AM

Hi Muhammed,

As per your question, I assume you have an alert with a destination IP, and the indicators are already extracted and linked to this alert. In this case, there will be an indicator linked to the alert.

Based on your investigation of that IP, you can update the correlated indicator's description in the following way:

  1. Create a Manual Trigger Step: Add a manual trigger step on the alert record (as shown in screenshot 1).
  2. Get IP Reputation: Use a VirusTotal Premium connector to get the IP reputation.(as shown in screenshot 2)
  3. Find the Linked Indicator: Use the 'Find Record' step to locate the indicator linked to the alert record.(as shown in screenshot 3)
  4. Update the Indicator Description: Use the 'Update Record' step to update the description of the indicator with the new information from your investigation.(as shown in screenshot 4 and screenshot 5)
  5. ( Screenshot 6 ) shows the indicator record got updated.

     

    Thanks :)

Junaid

View solution in original post

Preview file
355 KB
Preview file
496 KB
Preview file
632 KB
Preview file
798 KB
Preview file
942 KB
231
3 REPLIES 3
Jtamboli
Staff
Staff

Created on ‎06-12-2024 07:07 AM Edited on ‎06-12-2024 07:11 AM

Hi Muhammed,

As per your question, I assume you have an alert with a destination IP, and the indicators are already extracted and linked to this alert. In this case, there will be an indicator linked to the alert.

Based on your investigation of that IP, you can update the correlated indicator's description in the following way:

  1. Create a Manual Trigger Step: Add a manual trigger step on the alert record (as shown in screenshot 1).
  2. Get IP Reputation: Use a VirusTotal Premium connector to get the IP reputation.(as shown in screenshot 2)
  3. Find the Linked Indicator: Use the 'Find Record' step to locate the indicator linked to the alert record.(as shown in screenshot 3)
  4. Update the Indicator Description: Use the 'Update Record' step to update the description of the indicator with the new information from your investigation.(as shown in screenshot 4 and screenshot 5)
  5. ( Screenshot 6 ) shows the indicator record got updated.

     

    Thanks :)

Junaid
Preview file
355 KB
Preview file
496 KB
Preview file
632 KB
Preview file
798 KB
Preview file
942 KB
232
Jtamboli
Staff
Staff
In response to Jtamboli

Created on ‎06-12-2024 07:08 AM

.

Junaid
Preview file
464 KB
229
0 Kudos
Ravi01
New Contributor

Created on ‎06-12-2024 08:08 AM

thanks

220
0 Kudos
Announcements

Welcome to your new FortiSOAR Community!

View More

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.