Created on 08-16-2021 06:30 AM, edited on 08-06-2022 10:42 PM by apiMigrationUse
Introduction
This content pack enables users to integrate with FortiDeceptor by providing a sensible default mapping for syslog ingestion of FortiDeceptor alerts, changes to default modules to accommodate event information, use case playbooks and more.
Based on deception technology, FortiDeceptor complements an organization's existing breach protection strategy. It is designed to deceive, expose and eliminate external and internal threats early in the attack kill chain, before any significant damage occurs. Integration with FortiSOAR makes it possible to automate the response to alerts received from FortiDeceptor, ensuring a quick, coordinated response across protection tools such as FortiEDR, FortiNAC, FortiGate and FortiEMS, while pulling in context from users, Active Directory, the FortiSOAR asset inventory and other sources.
Inside The Content Pack
1. Ingestion Playbooks for fetching alerts from FortiDeceptor, via SysLog
2. Default mapping between FortiDeceptor alert metadata and FortiSOAR alert fields
3. Use Case Playbook - Lateral Movement Investigation and Response
4. Use Case Playbook - VPN Breach Detection and Response
Required
- Base IR Content Pack - https://community.fortinet.com/t5/FortiSOAR/Incident-Response-Content-Pack-7-0-1/ta-p/220150
- The FortiSOAR SysLog connector configured to receive syslog from the FortiDeceptor instance
Integrations Used
FortiEDR, FortiNAC, FortiGate, FortiEMS, Active Directory, SysLog
Solution Summary
Once this content pack is installed and its playbooks are activated, alerts from your FortiDeceptor start arriving via syslog. As each alert is ingested, the FortiSOAR indicator extraction and enrichment workflows trigger automatically, extracting and enriching the relevant observables from the FDC alert data (Source IP, Destination IP, user details and so on). The alert is also correlated against existing indicators, assets and user data so that the analyst receives a well-contextualised alert to investigate. The alert is tagged with #FortiDeceptor, and its severity is raised depending on the results of the enrichment workflow.
Two very common use cases for FortiDeceptor are Lateral Movement detection and VPN Breach detection, using deception lures placed for attackers. This content pack ships out-of-the-box use case playbooks to investigate and respond to these types of alerts from FortiDeceptor.
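To make the ingestion, extraction, enrichment, tagging and severity-raising flow described above concrete, here is an added example that is not part of this content pack or of FortiSOAR. It parses two constructed syslog lines written in a Fortinet-style key=value layout (the field names such as srcip, dstip and user are assumed for illustration, not taken from FortiDeceptor documentation), extracts the IP and user observables, correlates them against a constructed asset inventory, a constructed list of previously seen indicators and a constructed VPN address pool, then applies simple tagging and severity rules for the Lateral Movement and VPN Breach use cases. The rules themselves are hypothetical; a real playbook would encode the organisation's own policy.

```python
import ipaddress
import re

# Constructed sample syslog lines (Fortinet-style key=value layout; field
# names are ASSUMED for illustration, not FortiDeceptor's documented schema).
SAMPLE_SYSLOG = [
    '<134>date=2021-08-16 time=06:30:00 devname="fdc-01" type=alert severity=medium '
    'srcip=10.0.5.23 dstip=10.0.9.10 dstport=445 user="jdoe" service=SMB '
    'msg="Connection to deception decoy"',
    '<134>date=2021-08-16 time=06:31:12 devname="fdc-01" type=alert severity=medium '
    'srcip=10.200.4.15 dstip=10.0.9.11 dstport=3389 user="vpn_svc" service=RDP '
    'msg="Credential lure used from VPN pool"',
]

# Constructed enrichment sources standing in for the FortiSOAR asset inventory,
# the existing indicator list and the VPN address pool.
ASSET_INVENTORY = {"10.0.5.23": {"hostname": "ws-finance-07", "criticality": "high"}}
EXISTING_INDICATORS = {"10.200.4.15": "seen in prior alert ALRT-0042 (constructed)"}
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog(line):
    """Return the key/value fields of one Fortinet-style syslog line."""
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def extract_indicators(fields):
    """Pull out the observables the extraction workflow would create indicators for."""
    indicators = []
    for key in ("srcip", "dstip"):
        if key in fields:
            indicators.append({"type": "ip", "value": fields[key], "field": key})
    if "user" in fields:
        indicators.append({"type": "user", "value": fields["user"], "field": "user"})
    return indicators


def bump_severity(severity, steps=1):
    """Raise severity by `steps` levels, capped at the highest level."""
    idx = SEVERITY_ORDER.index(severity) + steps
    return SEVERITY_ORDER[min(idx, len(SEVERITY_ORDER) - 1)]


def enrich_alert(fields):
    """Correlate indicators with local context, then tag and re-rate the alert."""
    alert = {
        "source": fields.get("devname"),
        "severity": fields.get("severity", "low"),
        "tags": ["FortiDeceptor"],
        "indicators": extract_indicators(fields),
    }
    # Correlation step: attach asset and prior-sighting context to IP indicators.
    for ind in alert["indicators"]:
        if ind["type"] != "ip":
            continue
        if ind["value"] in ASSET_INVENTORY:
            ind["asset"] = ASSET_INVENTORY[ind["value"]]
        if ind["value"] in EXISTING_INDICATORS:
            ind["prior_sighting"] = EXISTING_INDICATORS[ind["value"]]

    # Hypothetical use-case rules driven by the source of the decoy interaction.
    src = next((i for i in alert["indicators"] if i["field"] == "srcip"), None)
    if src is not None:
        if src.get("asset", {}).get("criticality") == "high":
            # A high-value internal host touching a decoy suggests lateral movement.
            alert["tags"].append("LateralMovement")
            alert["severity"] = bump_severity(alert["severity"])
        if ipaddress.ip_address(src["value"]) in VPN_POOL:
            # Decoy interaction from the VPN pool suggests a compromised VPN account.
            alert["tags"].append("VPNBreach")
            alert["severity"] = bump_severity(alert["severity"])
        if "prior_sighting" in src:
            # Repeat offender already present in the indicator list.
            alert["severity"] = bump_severity(alert["severity"])
    return alert


def process_syslog(lines):
    """Ingest raw syslog lines and return enriched FortiSOAR-style alert records."""
    return [enrich_alert(parse_syslog(line)) for line in lines]


if __name__ == "__main__":
    for alert in process_syslog(SAMPLE_SYSLOG):
        print(alert["severity"], alert["tags"], [i["value"] for i in alert["indicators"]])
```

Running the block prints one line per alert: the first (internal high-criticality workstation touching an SMB decoy) is raised from medium to high and tagged LateralMovement; the second (VPN-pool address already on the indicator list using an RDP credential lure) is raised to critical and tagged VPNBreach.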
Lateral Movement Use Case Workflow
VPN Breach Use Case Workflow
Playbook Screenshots
How To Install Content Pack
1. Ensure you have the base IR Content Pack installed.
2. To install this add-on content pack, go to Settings > Configuration Import
3. Unzip the attached file, upload (JSON) and initiate the guided Import Process
4. Review import artifacts and import the pack
Video Demonstration
Copyright 2024 Fortinet, Inc. All Rights Reserved.