FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Amit1
Staff
Article Id 220039

Introduction

This content pack enables users to integrate with FortiDeceptor by providing a sensible default mapping for SysLog ingestion of FortiDeceptor alerts, changes to the default modules to accommodate event information, use case playbooks, and more.

Based on deception technology, FortiDeceptor complements an organization's existing breach protection strategy. It is designed to deceive, expose and eliminate external and internal threats early in the attack kill chain, before any significant damage occurs. Integration with FortiSOAR allows the response to alerts received from FortiDeceptor to be automated, ensuring a quick, coordinated response action across various protection tools like FortiEDR, FortiNAC, FortiGate and FortiEMS, while gathering information from users, Active Directory, the FSR Asset inventory and other sources.

 

Inside The Content Pack

1. Ingestion Playbooks for fetching alerts from FortiDeceptor, via SysLog
2. Default mapping within FortiDeceptor alert meta data and FortiSOAR alert fields
3. Use Case Playbook - Lateral Movement Investigation and Response 
4. Use Case Playbook - VPN Breach Detection and Response

Required

- Base IR Content Pack - https://community.fortinet.com/t5/FortiSOAR/Incident-Response-Content-Pack-7-0-1/ta-p/220150
- Configuring FortiSOAR SysLog Connector with FortiDeceptor instance's SysLog configurations

Integrations Used

FortiEDR, FortiNAC, FortiGate, FortiEMS, Active Directory, SysLog

Solution Summary

Upon installation of this content pack and activation of the playbooks, you will start receiving alerts from your FortiDeceptor via syslog. Once alerts are ingested, the FortiSOAR indicator extraction and enrichment workflows auto-trigger and extract and enrich all the relevant observables from the FDC alert data, such as Source IP, Destination IP and User Details. All the necessary correlations with existing indicators, assets and user data are also made, presenting an informative alert for the analyst to investigate. The alert is also tagged with #FortiDeceptor tags, and its severity is raised depending on the results of the enrichment workflow.

Two very common FortiDeceptor use cases are Lateral Movement detection and VPN Breach detection, using deception lures to catch attackers. This content pack provides out-of-the-box use case playbooks to investigate and respond to these types of alert detections from FortiDeceptor.


Lateral Movement Use Case Workflow 

  1. Ingest Demo Alert (SysLog)
  2. Auto Extract Decoy Details (under Destination IP)
  3. Auto Extract Attacker IP Details (under SourceIP or AttackerIP) - tag it as Malicious
  4. Auto Extract User Information (the username on the FDC alert can come from a deception lure that does not exist in AD; if the username in the alert is not found in AD, the playbook instead gets the username from the endpoint that attacked the decoy. For example, the credentials of a deception SSH lure used to access a decoy will not be in AD, so the playbook gets the logon username on the infected endpoint and disables that account in AD.)
  5. Auto Extract Details of Decoy Asset - Pull details from FSR Asset DB (e.g. HostName)
  6. Initiate Block of AttackerIP in FortiEDR, FortiNAC, FortiGate
  7. Search User In Active Directory (AD)
  8. If User found, Disable in AD 
  9. If User Not Found, then Notify IT teams about the same

VPN Breach Use Case Workflow 

  1. Ingest Demo Alert (SysLog)
  2. Auto Extract Decoy Details (under Destination IP)
  3. Auto Extract Attacker IP Details (Under SourceIP or AttackerIP) - tag it as Malicious
  4. Auto Extract User Information
  5. Playbook has a list of VPN Pool IPs available (configurable)
  6. Search for the AttackerIP in the VPN Pool. If found, block it in FortiEMS (asset details can be extracted from the FSR Asset DB, where records for each VPN Pool IP are present)
  7. Most of the time, the username for the VPN access is the AD username, so besides blocking on FortiEMS, the playbook also blocks the compromised username in AD to prevent the attacker from accessing more resources.
  8. If not found in VPN Pool, ask the User if they want to block the AttackerIP in FortiNAC, FortiEDR and FortiGates
  9. If Yes, block the same.
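The decision logic of the two workflows above (user lookup with endpoint fallback for Lateral Movement, VPN pool check for VPN Breach), as an added example that is not part of the content pack or of FortiSOAR's own playbook code. The alert line, the key=value format, the VPN pool and the AD/endpoint lookups are all constructed for illustration; the product names are the response targets the article lists.

```python
import ipaddress

# Constructed FortiDeceptor-style syslog line; the key names are an assumption
# standing in for the article's Source IP / Destination IP / User fields.
SAMPLE_ALERT = "devid=FDC-EXAMPLE type=alert attacker_ip=10.8.0.23 decoy_ip=10.1.5.40 user=svc_lure"

# Hypothetical configurable VPN pool (the playbook's "list of VPN Pool IPs").
VPN_POOL = ["10.8.0.0/24"]

def parse_alert(line):
    """Split a key=value syslog line into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def in_vpn_pool(ip, pool=VPN_POOL):
    """True when the attacker IP belongs to any configured VPN pool range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in pool)

def lateral_movement_actions(alert, ad_users, endpoint_logon):
    """Steps 3-9 of the Lateral Movement workflow as an ordered action list.
    ad_users: set of AD usernames; endpoint_logon: attacker_ip -> logon user
    (both hypothetical lookups standing in for AD and endpoint queries)."""
    ip = alert["attacker_ip"]
    actions = [f"tag {ip} malicious"]
    actions += [f"block {ip} in {t}" for t in ("FortiEDR", "FortiNAC", "FortiGate")]
    user = alert.get("user")
    if user not in ad_users:            # lure credential, not a real AD account
        user = endpoint_logon.get(ip)   # fall back to the logon user on the endpoint
    if user in ad_users:
        actions.append(f"disable {user} in AD")
    else:
        actions.append("notify IT: user not found in AD")
    return actions

def vpn_breach_actions(alert, ad_users, approve_block):
    """Steps 3-9 of the VPN Breach workflow; approve_block is the analyst's
    answer to the 'block the AttackerIP?' prompt when the IP is not in the pool."""
    ip = alert["attacker_ip"]
    actions = [f"tag {ip} malicious"]
    if in_vpn_pool(ip):
        actions.append(f"block {ip} in FortiEMS")
        user = alert.get("user")
        if user in ad_users:            # VPN username is usually the AD username
            actions.append(f"disable {user} in AD")
    elif approve_block:
        actions += [f"block {ip} in {t}" for t in ("FortiNAC", "FortiEDR", "FortiGate")]
    return actions
```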

 

Playbook Screenshots

[Screenshot: FDC_Playbook]

[Screenshot: playbook view, 2021-08-16 6.35 PM]

[Screenshot: playbook view, 2021-08-16 6.37 PM]

How To Install Content Pack

1. Ensure you have the base IR Content Pack installed.
2. To install this add-on content pack, go to Settings > Configuration Import
3. Unzip the attached file, upload (JSON) and initiate the guided Import Process
4. Review import artifacts and import the pack


Video Demonstration


#FortiSOAR
#FortiDeceptor
