FortiSOAR Knowledge Base
Anonymous
Article Id 220039

Description

This article describes the FortiDeceptor Content Pack for FortiSOAR.

 

Scope

FortiDeceptor.

 

Solution

This content pack enables users to integrate with FortiDeceptor by providing a good default mapping for SysLog ingestion of FortiDeceptor alerts, changes to the default modules to accommodate event information, use case playbooks and more.

Based on deception technology, FortiDeceptor complements an organization's existing breach protection strategy. It is designed to deceive, expose and eliminate external and internal threats early in the attack kill chain, before any significant damage occurs. Integration with FortiSOAR allows the response to alerts received from FortiDeceptor to be automated, ensuring a quick, coordinated response action across protection tools such as FortiEDR, FortiNAC, FortiGate and FortiClient EMS, while gathering information from users, Active Directory, the FSR (FortiSOAR) asset inventory and other sources.


Inside the content pack:

  1. Ingestion Playbooks for fetching alerts from FortiDeceptor, via SysLog
  2. Default mapping within FortiDeceptor alert meta data and FortiSOAR alert fields
  3. Use Case Playbook - Lateral Movement Investigation and Response
  4. Use Case Playbook - VPN Breach Detection and Response

Required integrations:

FortiEDR, FortiNAC, FortiGate, FortiClient EMS, Active Directory, SysLog


Solution summary:

Upon installation of this content pack and activation of the playbooks, alerts from FortiDeceptor will start arriving via SysLog. Once alerts are ingested, the FortiSOAR indicator extraction and enrichment workflows auto-trigger and extract and enrich all the relevant observables from the FortiDeceptor (FDC) alert data, such as Source IP, Destination IP and User Details. All the necessary correlations with existing indicators, assets and user data are also made, to present an informative alert for the analyst to investigate. The alert is also tagged with the #FortiDeceptor tag, and its severity is raised depending on the results of the enrichment workflow.

A very common use case for FortiDeceptor is detecting lateral movement and VPN breaches using deception lures placed for attackers. This content pack provides out-of-the-box use case playbooks to investigate and respond to these types of alert detections from FortiDeceptor.


Lateral movement use case workflow:

  1. Ingest Demo Alert (SysLog)
  2. Auto Extract Decoy Details (under Destination IP)
  3. Auto Extract Attacker IP Details (Under SourceIP or AttackerIP) - tag it as Malicious 
  4. Auto-Extract User Information (the username on the FDC alert can originate from a deception lure that does not exist in AD; if the username in the alert does not exist in AD, obtain the username from the endpoint that attacks the decoy. For example, a deception SSH lure to access a decoy will not be in AD; therefore, obtain the logon username on the infected endpoint and disable the corresponding account in AD.)
  5. Auto Extract Details of Decoy Asset - Pull details from FSR Asset DB (e.g. HostName)
  6. Initiate Block of AttackerIP in FortiEDR, FortiNAC, FortiGate
  7. Search User In Active Directory (AD)
  8. If User found, Disable in AD 
  9. If User Not Found, then Notify IT teams about the same

VPN Breach Use Case Workflow:

  1. Ingest Demo Alert (SysLog)
  2. Auto Extract Decoy Details (under Destination IP)
  3. Auto Extract Attacker IP Details (Under SourceIP or AttackerIP) - tag it as Malicious
  4. Auto Extract User Information
  5. Playbook has a list of VPN Pool IPs available (configurable)
  6. Search for the AttackerIP in the VPN Pool. If found, block it in FortiClient EMS (asset details can be extracted from the FSR Asset DB, where a record exists for each VPN Pool IP).
  7. Most of the time, the username for VPN access is the AD username; therefore, in addition to blocking on FortiClient EMS, block the compromised username in AD to prevent the attacker from accessing additional resources.
  8. If not found in the VPN Pool, ask the user whether to block the AttackerIP in FortiNAC, FortiEDR, and FortiGate.
  9. If Yes, block it.
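As an added example, not part of the content pack or of FortiSOAR's own code, the following Python models the decision logic of both use case workflows above: the user fallback from step 4 of the lateral movement workflow and the VPN Pool check from steps 6 to 9 of the VPN breach workflow, fed by a minimal syslog-to-alert-field mapping. The syslog line layout, the key names (srcip, dstip, user, lure, severity), the VPN Pool, the AD user list and the endpoint logon table are all constructed assumptions; the real FortiDeceptor syslog schema and the FortiSOAR connector actions are not shown on this page.

```python
"""Model of the FortiDeceptor use-case playbook logic (added example, assumptions only)."""
import ipaddress
import re

# Constructed sample alerts. The key=value layout and key names are an assumption,
# not FortiDeceptor's real syslog schema.
SAMPLE_ALERTS = [
    "<134>Aug 16 18:35:12 fdc-01 fortideceptor: type=alert srcip=10.20.5.44 "
    "dstip=10.50.1.7 user=svc_backup lure=ssh_cred severity=high",
    "<134>Aug 16 18:37:16 fdc-01 fortideceptor: type=alert srcip=10.99.0.15 "
    "dstip=10.50.1.9 user=jdoe lure=vpn_profile severity=high",
]

# Constructed stand-ins for the configurable VPN Pool list, an AD user lookup and
# an endpoint logon query (FortiNAC/FortiEDR would supply the latter in practice).
VPN_POOL = [ipaddress.ip_network("10.99.0.0/24")]
AD_USERS = {"jdoe", "asmith"}
ENDPOINT_LOGONS = {"10.20.5.44": "asmith"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_alert(line):
    """Map a key=value syslog line onto FortiSOAR-style alert fields (mapping assumed)."""
    fields = dict(KV_RE.findall(line))
    return {
        "attacker_ip": fields.get("srcip"),   # SourceIP / AttackerIP
        "decoy_ip": fields.get("dstip"),      # Destination IP (the decoy)
        "username": fields.get("user"),
        "lure": fields.get("lure"),
        "severity": fields.get("severity", "medium"),
        "tags": ["FortiDeceptor"],
    }


def in_vpn_pool(ip):
    """True when the attacker IP falls inside any configured VPN Pool range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_POOL)


def resolve_user(alert):
    """Step 4 of the lateral movement workflow: the lure username may not exist in AD,
    so fall back to the logon user on the endpoint that touched the decoy."""
    if alert["username"] in AD_USERS:
        return alert["username"], "alert"
    endpoint_user = ENDPOINT_LOGONS.get(alert["attacker_ip"])
    if endpoint_user in AD_USERS:
        return endpoint_user, "endpoint"
    return None, "not_found"


def lateral_movement_actions(alert):
    """Return the ordered response actions the lateral movement playbook would take."""
    ip = alert["attacker_ip"]
    actions = [f"tag indicator {ip} Malicious",
               f"block {ip} in FortiEDR, FortiNAC, FortiGate"]
    user, source = resolve_user(alert)
    if user:
        actions.append(f"disable AD account {user} (from {source})")
    else:
        actions.append("notify IT: no matching AD account")
    return actions


def vpn_breach_actions(alert, approve_block=False):
    """Return the VPN breach playbook actions; approve_block stands in for the
    analyst's answer when the attacker IP is outside the VPN Pool."""
    ip = alert["attacker_ip"]
    actions = [f"tag indicator {ip} Malicious"]
    if in_vpn_pool(ip):
        actions.append(f"block {ip} in FortiClient EMS")
        if alert["username"] in AD_USERS:
            actions.append(f"disable AD account {alert['username']}")
    elif approve_block:
        actions.append(f"block {ip} in FortiNAC, FortiEDR, FortiGate")
    else:
        actions.append("await analyst decision on blocking")
    return actions


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        print(alert["attacker_ip"], "->", alert["decoy_ip"], f"(lure={alert['lure']})")
        print("  lateral movement:", lateral_movement_actions(alert))
        print("  vpn breach:      ", vpn_breach_actions(alert))
```

The first constructed alert carries a lure username (svc_backup) that is absent from the directory, so the lateral movement path falls back to the endpoint logon user before disabling an account; the second comes from inside the VPN Pool, so the VPN breach path blocks it in FortiClient EMS and disables the matching AD user without waiting for the analyst.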

Playbook Screenshots:

[Screenshot: FDC_Playbook]
[Screenshot 2021-08-16 at 6.35.12 PM]
[Screenshot 2021-08-16 at 6.37.16 PM]

How to install the content pack:

  1. Ensure the base IR Content Pack is installed.
  2. To install this add-on content pack, go to Settings -> Configuration Import.
  3. Unzip the attached file, upload the JSON file and initiate the guided import process.
  4. Review import artifacts and import the pack.

Video demonstration: