FortiSOAR Knowledge Base
Namrata
Staff
Article Id 220037

The FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) provides you with a snapshot of the configuration data and other items that can help you to optimally use and experience FortiSOAR’s incident response.

This article provides a listing and brief description of the various types of playbook collections included in the Content Pack. You can use the playbooks to perform various operations that automate security processes across your organization. These playbooks can also be used to simulate use cases and provide training for FortiSOAR.

The playbooks are categorized based on the type of functions they perform such as ingestion, enrichment, triaging, etc.

Ingestion Playbook Collection

You can use the playbooks in the 01-Ingest collection to ingest data from external SIEM solutions such as LogRhythm and from other third-party sources such as threat intelligence platforms (for example, ThreatQ), email solutions, etc.

Following is a table that lists the playbooks that are part of the “01-Ingest” collection in the Content Pack:

Name of the playbook

Description

Elastic > Create Alert

Receives ‘Login Failure Events’ from Elastic using Watcher and creates alert records in FortiSOAR.

> Elastic > Create Alert (Single Record)

Creates an alert record for events created in Elastic.

Email > Extract Indicators

Extracts indicators from the body and header of the email.

Email (Manual Attach) > File to Alert (Suspicious Email)

Attaches an email to an alert of type ‘Suspicious Email’, which is further used for investigations.

Email (Manual Upload) > Extract Attachments

Extracts attachments from emails, creates indicators, and then links them to the parent alert.

Email (Manual Upload) > Investigate

Extracts email metadata from an email file that is uploaded, e.g. mail.eml or mail.msg.

Indicator > Import Bulk Indicators

Extracts indicators from the specified text.

>> JASK > Create Alert for Insight

Creates alerts for JASK Insight.

>> JASK > Create or Find Indicator and Comment

Creates or finds an indicator and associated comments from JASK Insight.

>> JASK > Get Signal Details

Retrieves details of JASK Signals.

JASK > Ingest Insights

Pulls insight data from JASK.

LogRhythm > Fetch Alarms

Pulls alarms created within the specified duration from LogRhythm.

> LogRhythm > Generate LogRhythm Records

Creates LogRhythm records.

Phishing/Suspicious Email Alert > Extract Indicators

Extracts indicators from the body and header of alerts that are of type "Phishing" and "Suspicious Email".

Symantec CloudSOC > Fetch Incidents

Retrieves incidents from Symantec CloudSOC.

> Symantec CloudSOC > Fetch Incidents > Create Single Alert

Creates a single alert for Symantec CloudSOC incidents.

Symantec Email.Cloud > Fetch Alert

Retrieves alerts from Symantec Email.Cloud.

Tenable.io > Fetch Assets

Retrieves assets for the specified scan from Tenable.io.

> Tenable.io > Fetch Assets > Ingest Asset

Creates a new asset record in Tenable.io and builds the relationship between the scan and the asset.

Tenable.io > Fetch Scan

Retrieves scans for the specified scan from Tenable.io.

> Tenable.io > Fetch Scan > Ingest Scan

Creates a new scan record.

Tenable.io > Fetch Vulnerabilities

Retrieves vulnerabilities for the specified asset from Tenable.io.

> Tenable.io > Fetch Vulnerabilities > Ingest Vulnerabilities

Creates a new vulnerability record in Tenable.io and builds the relationship between the asset and the vulnerabilities.

Tenable.io > Fetch Vulnerability Details

Retrieves vulnerability information for the specified vulnerability from Tenable.io.

Threat Intel > Create Indicators

Retrieves indicators that have been created or updated in the past 24 hours from ThreatQ.

Note:
The > sign indicates child playbooks.
The >> sign indicates reference playbooks.

Enrich Playbook Collection

You can use the playbooks in the 02-Enrich collection to perform enrichment of data, which is one of the first incident response tasks. Automating data enrichment tasks helps you manage increasing volumes of threats and provides more actionable context to analysts. An example of an enrichment-type playbook would be retrieving the reputation of a file, domain, URL, etc. from threat intelligence platforms such as Anomali ThreatStream and VirusTotal.

Following is a table that lists the playbooks that are part of the “02-Enrich” collection in the Content Pack:

Name of the playbook

Description

Asset > Get Running Process

Retrieves a list of all processes that are running on the specified host.

Attachment > Get File Reputation

Retrieves the reputation of a file that is submitted from FortiSOAR to VirusTotal.

>> Create Indicators (Batch)

Creates indicator records in bulk.

Extract Indicators

Extracts and creates indicators from the specified data and then enriches specific fields in alerts with the indicator data.

Extract Indicators > Manual

Extracts and creates indicators from the specified alert records and then enriches specific fields in alerts with the indicator data.

>> Fortinet FortiSandbox (Get Reputation) > Get Scan Results

Retrieves the job verdict details for submitted samples based on the specified job ID.

Get Related IOCs For An IP

Retrieves related IOCs for a specified IP address from threat intel sources.

Get Reputation After Specified Time

Re-enriches indicators after a specified time.

Indicator (Manual Trigger) > Get Latest Reputation

Retrieves the reputation of indicators using configured threat intelligence tools. You can trigger this playbook by manually selecting the indicator(s).

Indicator (Type All) > Get Latest Reputation

Based on the type of indicator, this playbook retrieves the reputation of indicators using configured threat intelligence tools.

Indicator (Type Domain) > Get Reputation

Retrieves the reputation of indicators of type ‘Domain’ using configured threat intelligence tools.

Indicator (Type Email) > Get Reputation

Retrieves the reputation of indicators of type ‘Email Address’ using configured threat intelligence tools.

Indicator (Type File) > Get Reputation

Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools.

Indicator (Type File) > Get Reputation (Fortinet Sandbox)

Submits a file to Fortinet Sandbox and then retrieves its reputation.

Indicator (Type File - MD5) > Get Reputation

Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools.

Indicator (Type Host) > Get Reputation

Retrieves the reputation of indicators of type ‘Host’ using configured threat intelligence tools.

Indicator (Type IP) > Get Reputation

Retrieves the reputation of indicators of type ‘IP Address’ using configured threat intelligence tools.

Indicator (Type Port) > Get Reputation

Retrieves the reputation of indicators of type ‘Port’ using configured threat intelligence tools.

Indicator (Type Process) > Get Reputation

Retrieves the reputation of indicators of type ‘Process’ using configured threat intelligence tools.

Indicator (Type URL) > Get Reputation

Retrieves the reputation of indicators of type ‘URL’ using configured threat intelligence tools.

Indicator (Type User Account) > Get Details

Retrieves the details of indicators of type ‘User Account’ using configured threat intelligence tools.

Note:
The > sign indicates child playbooks.
The >> sign indicates reference playbooks.

Following is a table that lists the playbooks that are a part of the “02-Enrich (Pluggable)” collection in the Content Pack.

The function of the playbooks in the Enrich and Enrich (Pluggable) collections is the same; however, the design approach is different. In a standard Enrich playbook, all the threat intelligence platforms for a particular indicator type are configured in a single playbook. In the Enrich (Pluggable) collection, every threat intelligence platform for a particular indicator type has a separate playbook, which can be plugged into, or referenced from, the enrichment playbook.

Name of the playbook

Description

AlienVault OTX - File MD5 Reputation

Retrieves the reputation of indicators of type 'FileHash-MD5' using AlienVault OTX.

AlienVault OTX - IP Reputation

Retrieves the reputation of indicators of type 'IP Address' using AlienVault OTX.

AlienVault OTX - URL Reputation

Retrieves the reputation of indicators of type 'URL' using AlienVault OTX.

AlienVault OTX - Domain Reputation

Retrieves the reputation of indicators of type 'Domain' using AlienVault OTX.

Anomali Threatstream - Email Reputation

Retrieves the reputation of indicators of type 'Email' using Anomali Threatstream.

Anomali Threatstream - File MD5 Reputation

Retrieves the reputation of indicators of type 'FileHash-MD5' using Anomali Threatstream.

Anomali Threatstream - IP Reputation

Retrieves the reputation of indicators of type 'IP Address' using Anomali Threatstream.

Anomali Threatstream - URL Reputation

Retrieves the reputation of indicators of type 'URL' using Anomali Threatstream.

Cisco Threat Grid - File Reputation

Submits a file to Cisco Threat Grid and then retrieves its reputation.

Fortinet Web Filter Lookup - Domain Reputation

Retrieves the reputation of indicators of type 'Domain' using Fortinet Web Filter Lookup.

Fortinet Web Filter Lookup - URL Reputation

Retrieves the reputation of indicators of type 'URL' using Fortinet Web Filter Lookup.

IP Stack - Domain Geo Location

Retrieves the geolocation of indicators of type 'Domain' using IP Stack.

IP Stack - IP Reputation

Retrieves the geolocation of indicators of type 'IP Address' using IP Stack.

Indicator (Domain) > Get Latest Reputation

Retrieves the reputation of indicators of type 'Domain' using configured threat intelligence playbooks.

Indicator (Email) > Get Latest Reputation

Retrieves the reputation of indicators of type 'Email' using configured threat intelligence playbooks.

Indicator (File MD5) > Get Latest Reputation

Retrieves the reputation of indicators of type 'Filehash' using configured threat intelligence playbooks.

Indicator (File) > Get Latest Reputation

Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence playbooks.

Indicator (IP Address) > Get Latest Reputation

Retrieves the reputation of indicators of type 'IP Address' using configured threat intelligence playbooks.

Indicator (Manual Trigger) > Get Latest Reputation

Retrieves the reputation of indicators using configured threat intelligence tools. You can trigger this playbook by manually selecting the indicator(s).

Indicator (Type All) > Get Latest Reputation

Based on the type of indicator, this playbook retrieves the reputation of indicators using configured threat intelligence tools.

Indicator (Type File - MD5) > Get Reputation

Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools.

Indicator (Type Host) > Get Latest Reputation

Retrieves the reputation of indicators of type 'Host' using configured threat intelligence playbooks.

Indicator (Type Process) > Get Latest Reputation

Retrieves the reputation of indicators of type 'Process' using configured threat intelligence tools.

Indicator (URL) > Get Latest Reputation

Retrieves the reputation of indicators of type 'URL' using configured threat intelligence playbooks.

MXToolBox - IP Reputation

Retrieves the reputation of indicators of type 'IP Address' using MXToolBox.

Symantec DeepSight Intelligence - File MD5 Reputation

Retrieves the reputation of a file, identified by its MD5 hash, using Symantec DeepSight Intelligence.

ThreatQ - Email Reputation

Retrieves the reputation of indicators of type 'Email' using ThreatQ.

URLVoid - Domain Reputation

Retrieves the reputation of indicators of type 'Domain' using URLVoid.

URLVoid - URL Reputation

Retrieves the reputation of indicators of type 'URL' using URLVoid.

VirusTotal - Domain Reputation

Retrieves the reputation of indicators of type 'Domain' using VirusTotal.

VirusTotal - URL Reputation

Retrieves the reputation of indicators of type 'URL' using VirusTotal.

VirusTotal - File MD5 Reputation

Retrieves the reputation of indicators of type 'File Hash MD5' using VirusTotal.

VirusTotal - File Reputation

Submits a file to VirusTotal and then retrieves its reputation.

VirusTotal - IP Reputation

Retrieves the reputation of indicators of type 'IP Address' using VirusTotal.

Whois - IP Reputation

Retrieves whois data for indicators of type 'IP Address' using Whois RDAP.

Triaging Playbook Collection

You can use the playbooks in the 03-Triage collection to perform actions such as sorting, systematizing, and computing on your enriched data, enabling you to quickly investigate an incident and make decisions about its containment and resolution.

Following is a table that lists the playbooks that are part of the “03-Triage” collection in the Content Pack:

Name of the playbook

Description

Compute Alert Priority Weight (Post Update)

Computes and sets the priority weight for an alert, when the alert is updated. The priority weight is calculated based on indicators related to the alert.

Compute Alert Priority Weight (Post Update - Indicator Linked)

Computes and sets the priority weight for an alert, when an indicator related to the alert is updated. The priority weight is calculated based on indicators related to the alert.

Compute Alert Priority Weight (Post Update - Indicator Reputation Update)

Computes and sets the priority weight for an alert, when the reputation of an indicator is updated. The priority weight is calculated based on indicators related to the alert.

Find and Relate Similar Alerts

Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts.

Find and Relate Similar Alerts - ML

Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts using the recommendation APIs (ML).

Flag Indicators Linked across multiple alerts

Flags changes made in indicators that are linked to multiple alerts.

Map Historical Alerts and Escalate for malicious Indicators

Creates a mapping for historical alerts and then escalates the alerts to incidents if malicious indicators are found in the historical alerts. If the incident already exists, then the information is updated into the incident; else a new incident is created.

Prioritize Alerts With VIP Assets

Raises the severity of the alert if it is associated with a super critical asset.

Update Alert Severity for Malicious Indicators

Sets the severity of the alert to ‘Critical’ if its associated indicators are found to be ‘malicious’.

Use Cases Playbook Collection

You can use the playbooks in the 04-Use Cases collection to understand and perform various tasks or steps needed to deal with an incident, such as a Phishing attack or a Brute Force Attempt.

Following is a table that lists the playbooks that are part of the “04-Use Cases” collection in the Content Pack:

Name of the playbook

Description

Investigate and Escalate Symantec Email.Cloud Phishing Alert

Investigates an alert ingested from Symantec Email.Cloud of type ‘Phishing’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’.

Investigate Brute Force Attempt

Investigates login failures and also identifies other impacted assets that have been victims of brute force attempts from a particular source of attack.

Investigate Brute Force Attempt (FortiSIEM)

Investigates login failures from FortiSIEM and also identifies other impacted assets that have been victims of brute force attempts from a particular source of attack.

Investigate C2 Malware Traffic

Investigates C2 Malware Traffic and blocks malicious content if indicators associated with the alert are found to be ‘Malicious’.

Investigate Command & Control

Enriches alerts for command-and-control behavior by identifying the reputation of related artifacts such as source IP addresses and file hashes. It also investigates any anomalous processes running on the host on which the attack has occurred and terminates those processes.

Investigate Compliance Alert

The security analyst manually investigates compliance alerts and provides their findings.

Investigate Concurrent login from different geo location

Investigates alerts of type ‘Concurrent Login’ by checking if the source IP address is in the specified CIDR range, and then performs remediation tasks based on the result.

Investigate Data Leakage Alert (Symantec CloudSOC)

Investigates a data leakage alert that is ingested from Symantec CloudSOC and performs containment and remediation tasks if sensitive data is leaked.

Investigate DNS Exfiltration

Investigates an alert ingested from Splunk using threat intelligence reports retrieved from Intel471 and by querying Splunk. Containment tasks are performed if malicious activity is found.

Investigate Firewall Policy Violation

Investigates policy violations and retrieves information of the destination and source IP addresses along with the protocols and ports used, and then disables the system from the domain.

Investigate Lateral Movement & VPN Breach Detection

Investigates a FortiDeceptor Malicious IP Lateral Movement and performs containment and remediation tasks if a breach is detected.

Investigate Lost / Stolen device

Investigates lost or stolen devices using ServiceNow and Active Directory.

> Investigate Malicious Indicator >> Hunt

Referenced by the 'Investigate Malicious Indicator' playbook to perform a hunt on malicious indicators using QRadar, Splunk, and FortiEDR.

> Investigate Malicious Indicator >> Hunt >> QRadar Threat Hunt

Performs QRadar Threat Hunting for the last 7 days on the specified IOC.

Investigate Malicious Indicators

Hunts malicious indicators and provides their summary for review by analysts.

Investigate Malware Infection

Investigates a malware infection by querying ElasticSearch and Active Directory.

Investigate Reconnaissance

Investigates alerts of type ‘Reconnaissance’ and blocks the source IP address on the firewall if it is found to be malicious.

Investigate S3 Bucket Permission Change

Investigates a change in the S3 permissions, and performs containment and remediation tasks if the change is in violation of the S3 policy.

Investigate Suspicious Email

Investigates an alert of type ‘Suspicious Email’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’.

Investigate Symantec Email.Cloud Alert

Investigates an alert ingested from Symantec Email.Cloud of type ‘Suspicious Email’.

Investigate Windows Sysmon event

Investigates a Windows Sysmon event, and escalates the alert to an ‘Incident’ if malware is detected.

Phishing Alert > Investigate and Escalate

Investigates an alert of type ‘Phishing’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’.

Process CarbonBlack Bit9 Approval Requests

Creates tasks against an incident to complete all requests listed in CarbonBlack Bit9 and sends requests for their approval process.

> Process CarbonBlack Bit9 >> Approval Requests (Subroutine)

Subroutine of CarbonBlack Bit9 approval process.

Rapid7 - Fetch Scan and Deploy Patch

Automates patch deployments by looking up Rapid7 Scan results.

Rapid7 - Fetch Scan and Deploy Patch (Scheduled)

Creates schedules to initiate patch deployments.

> Rapid7 >> Patch (Subroutine)

Deploys patches using MS SCCM.

Remediate Malware Alert (Symantec EDR / ATP)

Investigates an alert ingested from Symantec EDR / ATP of type ‘Malware’, and blocks entities that are found to be ‘Malicious’.

Investigate Suspicious Network Activity

Investigates suspicious network activity and blocks any malicious indicators associated with the alert on the firewall.

Get Microsoft CASB Alert Information

Fetches details related to a Microsoft cloud access security broker (CASB) alert and extracts indicators from the alert activities. This is a reference playbook used by the “Pickup and Enrich Microsoft CASB Alert” playbook.

Pickup and Enrich Microsoft CASB Alert

Picks up and enriches an alert that is generated from Microsoft CASB, and performs further investigations, if any malicious indicator is found.

Investigate Malware Alert

Investigates a malware alert by checking whether any malicious indicator is found on the endpoint, and then performs a hunt for the malicious indicator so that it can be blocked on the firewall. It also performs a full scan of the infected endpoint.

Note:
The > sign indicates child playbooks.
The >> sign indicates reference playbooks.

Actions Playbook Collection

You can use the playbooks in the 05-Actions collection to perform various operations or actions such as blocking or unblocking domains, URLs, hosts, etc.

Following is a table that lists the playbooks that are a part of the “05-Actions” collection in the Content Pack:

Name of the playbook

Description

Action > Asset Mitigation

Carries out a sequence of processes such as Clean Asset, AV scan, etc. in order to decide whether to keep an asset in isolation or remove it from isolation.

Action - Domain - Block (Indicator)

Blocks the indicators of type 'Domain' on the firewall and marks the indicator as "Blocked" based on its block status.

Action - Domain - Block (Specified by User)

Creates an indicator for the domain name specified by the user, blocks the domain on the firewall, and also marks the status of the indicator as ‘Blocked’. The indicator is also linked to the record on which the playbook is triggered.

Action - Domain - Unblock (Indicator)

Unblocks the indicators of type 'Domain' on the firewall and marks the indicator as "Unblocked" based on its block status.

Action - Domain - Unblock (Specified by User)

Creates an indicator for the domain name specified by the user, unblocks the domain on the firewall, and also marks the status of the indicator as ‘Unblocked’. The indicator is also linked to the record on which the playbook is triggered.

Action - Email Address - Block (Indicator)

Blocks the indicators of type 'Email Address' on the firewall and marks the indicator as "Blocked" based on its block status.

Action - Email Address - Block (Specified by User)

Creates an indicator for the email address specified by the user, blocks the email address on the firewall, and marks the status of the indicator as ‘Blocked’. The indicator is also linked to the record on which the playbook is triggered.

Action - Email Address - Unblock (Indicator)

Unblocks the indicators of type 'Email Address' on the firewall and marks the indicator as "Unblocked" based on its block status.

Action - Email Address - Unblock (Specified by User)

Creates an indicator for the email address specified by the user, unblocks the email address on the firewall, and also marks the status of the indicator as ‘Unblocked’. The indicator is also linked to the record on which the playbook is triggered.

Action - File - Block (Indicator)

Blocks the indicators of type 'File' on the firewall and marks the indicator as "Blocked" based on its block status.

Action - File - Block (Specified by User)

Creates indicators for the file specified by the user, blocks the file on the firewall and also marks the status of the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered.

Action - File MD5 - Block (Indicator)

Blocks the indicators of type 'Filehash' on the firewall and marks the indicator as "Blocked" based on its block status.

Action - File MD5 - Block (Specified by User)

Creates indicators for the filehash specified by the user, blocks the indicator on the firewall, and also marks the status of the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered.

Action - File MD5 - Unblock (Indicator)

Unblocks the indicators of type 'Filehash' on the firewall and marks the indicator as "Unblocked" based on its block status.

Action - File MD5 - Unblock (Specified by User)

Creates indicators for the filehash specified by the user, unblocks the indicator on the firewall, and also marks the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered.

Action - File - Unblock (Indicator)

Unblocks the indicators of type 'File' on the firewall and marks the indicator as "Unblocked" based on its block status.

Action - File - Unblock (Specified by User)

Creates indicators for the file specified by the user, unblocks the file on the firewall, and also marks the status of the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered.

Action - Host - Block (Indicator)

Blocks indicators of type 'Host' on the firewall and marks the indicator as "Blocked" based on its block status.

Action - Host - Block (Specified by User)

Creates indicators for the host specified by the user, blocks the host on the firewall, and also marks the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered.

Action - Host - Isolate Host

Isolates indicators of type 'Host' and marks the indicator as "Isolated" based on its block status.

Action - Host - Unblock (Indicator)

Unblocks indicators of type 'Host' on the firewall and marks the indicators as "Unblocked" based on their block status.

Action - Host - Unblock (Specified by User)

Creates indicators for the host specified by the user, unblocks the host on the firewall, and also marks the indicator as Unblocked. The indicator is also linked to the record on which the playbook is triggered.

Action - IP Address - Block (FortiClient EMS)

Quarantines the endpoint with the specified IP address on FortiClient EMS.

Action - IP Address - Block (FortiGate, FortiEDR)

Isolates and blocks specified IP addresses using FortiGate and FortiEDR.

Action - IP Address - Block (Indicator)

Blocks indicators of type 'IP Address' on the firewall and marks the indicators as "Blocked" based on their block status.

Action - IP Address - Block (Specified by User)

Creates indicators for the specified 'IP Address', blocks the IP address on the firewall, and marks the indicators as blocked. The indicator is also linked to the record on which the playbook is triggered.

Action - IP Address - Unblock (Indicator)

Unblocks indicators of type 'IP Address' on the firewall and marks the indicators as "Unblocked" based on their block status.

Action - IP Address - Unblock (Specified by User)

Creates indicators for the specified 'IP Address', unblocks the IP address on the firewall, and marks the indicators as unblocked. The indicator is also linked to the record on which the playbook is triggered.

Action (Type All) > Block Indicators

Blocks all types of indicators on the firewall based on their block status.

Action - URL - Block (Indicator)

Blocks indicators of type 'URL' on the firewall and marks the indicators as "Blocked" based on their block status.

Action - URL - Block (Specified by User)

Creates indicators for the specified 'URL', blocks the URL on the firewall, and marks the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered.

Action - URL - Unblock (Indicator)

Unblocks indicators of type 'URL' on the firewall and marks the indicators as "Unblocked" based on their block status.

Action - URL - Unblock (Specified by User)

Creates indicators for the specified 'URL', unblocks the URL on the firewall, and marks the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered.

Alert > Disable Specific User

Disables the specified user account in Active Directory.

Asset > Deploy Patch

Deploys the specified patch on the selected asset using 'Microsoft SCCM'.

Incident > Get Running Process

Retrieves details for all the running processes on the specified host.

Hunt Playbook Collection

You can use the playbooks in the 06-Hunt collection to automate threat hunting processes and search and identify suspicious domains, malware, and other indicators in your environment and create alerts based on them.

Following is a table that lists the playbooks that are part of the “06-Hunt” collection in the Content Pack:

Name of the playbook

Description

Hunt Indicators

Searches for the specified indicators in your environment using EDR tools, and creates alerts for the ones that are found.

ChatOps Playbook Collection

You can use the playbooks in the 07-ChatOps collection to perform various operations, such as fetching alert and incident details, using a bot.

Following is a table that lists the playbooks that are part of the “07-ChatOps” collection in the Content Pack:

Name of the playbook

Description

Bot command > Display Options

Displays a list of all the Bot commands.

Bot Command > Get Alerts

Retrieves details of a specific alert based on the provided alert ID.

Bot Command > Get Incidents

Retrieves details of a specific incident based on the provided incident ID.

Bot Command > GetLocation

Retrieves the geolocation details for the specified indicator.

Bot Command > Get Reputation

Retrieves the reputation for the specified indicator.

Bot Command > Get Similar Alerts

Retrieves the alert records that are similar to a specific alert based on the provided alert ID.

Bot > Execute commands

Executes the specified Bot Command.

code snippet

Executes the provided Python code.

Case Management Playbook Collection

You can use the playbooks in the 08-Case Management collection to automate processes related to cases, including operations such as adding a user as a record owner, checking for SLA violations, calculating queued and resolution time for alerts, etc.

Following is a table that lists the playbooks that are part of the “08-Case Management” collection in the Content Pack:

Name of the playbook

Description

Add a User to the Owners List

Checks if the specified module is user-ownable, and then adds the selected user as an owner of the selected record or records, irrespective of the team to which the user belongs.

Alert > [01] Capture All SLA (Upon Create)

Updates the alert's acknowledgement due date and response due date based on the alert’s severity.

Alert > [02] Capture Ack SLA (Upon Update)

Updates the alert's acknowledgement date and SLA Status based on when the alert status is changed.

Alert > [03] Capture Response SLA (Upon Update)

Updates the alert's response date and SLA Status based on when the alert status is changed.

Alert > [04] Check for SLA violations

Checks periodically for violations of acknowledgement SLA of the open alerts.

Alert > [05] Update Ack and Response Due dates (Post Severity Change)

Updates the alert’s acknowledgement due date and response due date following a change in the severity of the alert.

Alert > Close Corresponding SIEM Alert

Closes the alert on the corresponding SIEM when an alert is closed in FortiSOAR.

> Alert >> Periodic Update Alert SLA Status

This is a subroutine playbook to periodically check violations of acknowledgement and response SLA of the open alerts.

Alert > Set Metrics (Upon Close)

Calculates queued and resolution time for a closed alert.

> Alert >> Update SLA Details

Updates an alert's acknowledgement due date and response due date based on the severity of the alert.

Approval > On Create

This playbook is triggered whenever an approval record is created, and an email is sent out to the intended approver(s).

Approval > On Email Receipt (Exchange)

This playbook is triggered whenever an email is received via Exchange; the playbook determines whether the received email is an approval mail, and, if yes, checks its approval status.

Approval > On Email Receipt (IMAP)

This playbook is triggered whenever an email is received via IMAP and it checks whether the received email is an approval mail along with its approval status.

Approval > On Email Receipt >> Process Email

Checks if the email is an approval email and returns its approval status.

Assign Random User to Unassigned Alerts

Auto assigns alerts if their assignments were missed during alert creation.

Assign Random User to Unassigned Incidents

Auto assigns incidents if their assignments were missing during incident creation.

Escalated Alert > Copy Related Records to Incidents

Links related data from the alert to the incident, when an alert is escalated.

Escalated Alert > Related Asset Records to Incidents

Links related assets from the alert to the incident, when an alert is escalated.

Export Selected Records

Exports all selected records to a JSON file and creates an attachment record for the same.

>> Fetch SLA Details

Fetches SLA Details for incidents as per Service, that is, for MSSP or Enterprise.

Import Data

Imports a valid JSON file to a relevant module and creates subsequent records.

Incident > [01] Capture All SLA (Upon Create)

Updates an alert's acknowledgement due date and response due date based on the severity of the incident.

Incident > [02] Capture Ack SLA (Upon Update)

Updates an incident's acknowledgement date and SLA status when the status of the incident is changed.

Incident > [03] Capture Response SLA (Upon Update)

Update an incident's response date and SLA status when the status of the incident is changed.

Incident > [04] Check for SLA violations

Periodically check Acknowledgement SLA violations of the Open Incidents.

Incident > [05] Update Response and Ack Due date (Post Severity Change)

Update an incident's acknowledgement due date and response due date following a change in severity.

> Incident >> Periodic Update Incident SLA Status

This is a subroutine playbook to check and update an incident’s SLA status.

Incident (Post Create) Phase Change

Sets an incident's phase dates upon incident creation.

Incident (Post Update) Phase Change

Updates an incident's phase dates when incident phase is changed.

>> Incident - Set Phase Dates

Updates an incident's phase dates based on incident phase.

Incident Summary Notification

Sends a daily summary of incidents created and closed.

> Incidents >> Update SLA Details

Updates an alert's acknowledgement due date and response due date based on incident severity.

Indicator > Check Expiry Status

Checks periodically for the expiry date of the indicator and marks it as expired, if matched.

Indicator > Set Default Expiry Date

Sets the default expiry date when an indicator is created.

Indicator > Set First Seen Date

Sets the first seen date when an indicator is created.

Indicator > Set Last Seen Date

Tracks the occurrence of an indicator by updating the last seen date.

Notify Blocked Indicator Status to Linked Alerts

Adds a note about an indicator being blocked.

Pause SLA - Alerts

Pauses the alert's acknowledgement or response when its respective SLA status is changed to 'Awaiting Action'.

Pause SLA - Incidents

Pauses the incident's acknowledgement or response SLA when its respective SLA status is changed to 'Awaiting Action'.

Prompt when Indicator linked is to Campaign

Notifies an analyst via manual input when an indicator is linked to a campaign.

Set Prompt to an Alert

Displays a prompt on alerts when an indicator is linked to campaign.

The Case Management (Extended) collection playbooks are for special use cases and can be enabled, if required, by the SOC management. Following is a table that lists the playbooks that are part of the “08-Case Management (Extended)” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Incident > [06] Check for Ack SLA violations | Notifies users of an Acknowledgement SLA violation. |
| Incident > [07] Check for Response SLA violations | Notifies users of a Response SLA violation. |
| >> Notify Ack SLA Violation | Checks every 5 minutes for Acknowledgement SLA violations of open incidents. |
| >> Notify Response SLA Violation | Checks every 5 minutes for Response SLA violations of acknowledged incidents. |

Incident Response Playbook Collection

You can use the playbooks in the 09 – Incident Response collection to help you plan your response to an incident such as a malware attack.

Following is a table that lists the playbooks that are part of the “09- Incident Response” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Incident Response Plan (Type - Malware) | Investigates incidents of type ‘Malware’ and executes the different phases of incident response using CarbonBlack Response. |
| Incident Response Plan (Type - NIST 800-61 - Generic) | Creates tasks for incident response and handling as per the guidelines provided in NIST 800-61. |
| NIST 800-61 - Upfront Tasks | Creates tasks for incident response and handling as per the guidelines provided in NIST 800-61. |

Utilities Playbook Collection

You can use the playbooks in the 10 – Utilities collection to perform various operations in FortiSOAR, such as creating and linking assets to specified emails, alerts, or incidents, exporting all records of a specified module, or scheduling the health check of connectors and sending appropriate notifications.

Following is a table that lists the playbooks that are part of the “10- Utilities” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Add Attacker Tag to Indicator (FortiDeceptor) | Finds the attacker IP address in a FortiDeceptor alert, adds the Attacker tag to the indicator, and updates the reputation of the indicator to Malicious. |
| Create and Link Asset | Creates an asset (if it doesn't exist already) and links it to the specified email, alert, or incident record. |
| Create and Link Indicator | Creates an indicator (if it doesn't exist already) and links it to the specified email, alert, or incident record. |
| Download and Create Attachment | Downloads the file from a specified URL and creates an attachment record for it. |
| Export as CSV | Exports all records of the given module that match the specified filters in CSV format. |
| > Get Paginated Records | Gets paginated record data and appends it to a .CSV file. This is a reference playbook for 'Export as CSV'. |
| Notify Connector Health Check Failures | Scheduled to check the connectors’ health status and notify the specified recipients of any failed health check. |
| Notify Failed Playbook Executions | Notifies the specified recipients of any playbook failure. It can be scheduled to run at specific intervals. |

Demo Playbook Collection

You can use the playbooks in the 11 – Demo collection to create the various artifacts required to demonstrate different scenarios, such as a demo incident record to demonstrate a malware incident response, the global variables required by playbooks, default SLA templates, etc.

Following is a table that lists the playbooks that are part of the “11- Demo” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Add to Exclude List | Adds the specified indicators as global variables, which excludes them from being considered as IoCs. |
| Create Default Global Variables | Creates the default global variables and SLA templates required by playbooks. |
| Create Default SLA Templates | Creates default SLA templates for the different severities of alerts and incidents. |
| Create Demo Campaigns | Creates demo campaigns and correlates different observables against the campaign record. |
| Create Sample Records - IR, Threat Intelligence and Vulnerability Management | Creates sample records for Alerts, Incidents, Indicators, Campaigns, Vulnerabilities, Assets, and Scans in order to carry out mock incident response, threat intelligence, and vulnerability management. This playbook is referenced by Demo Incident Response Records. |
| Create Sample Records - Legal, Physical Incidents | Generates sample records for legal and physical incidents. |
| Demo Incident Response Records | Creates sample records for Alerts, Incidents, Indicators, Campaigns, Vulnerabilities, Assets, and Scans in order to carry out mock incident response. |
| Demo Scenario #1 - Compromised Credential | Generates an alert from a FortiSIEM incident for the ‘Compromised Credentials’ scenario. |
| Download and Create Attachment | Downloads the file from a specified URL and creates an attachment record for it. |
| Email Based Alert Ingestion | Ingests an incident from a FortiSIEM email notification and creates alerts for it. |
| >> (Email Based Ingestion) Create Alert | Generates alerts for email-based alert ingestion. |
| Generate > Attachment Records | Generates attachment records for the file downloaded from a specified URL. |
| Generate > Malware Incident | Creates a demo incident record for demonstrating malware IR. |
| Generate > Tenable Scan, Assets and Vulnerabilities | Creates sample Scan, Asset, and Vulnerability records from Tenable.io. |
| >> Get Similar Alerts > Fetch Similar Alerts | Retrieves a list of alerts related to the specified indicator. |
| Reset Sample Records (Database) | Clears all records from the different modules by connecting directly to the database using a Python script. |
| Sample > Create FortiSOAR Users | Creates FortiSOAR users for demo purposes. |
| Sample > Reset Environment | Clears all records from the different modules using FortiSOAR APIs. |
| > Sample Users | Reference playbook that creates FortiSOAR users. |
| Send Counseling Email | Sends the offending user a counseling email. |
| > Setup Connector Configurations > Setup Connector | Configures the specified connectors. This is a reference playbook for Setup Connector Configurations. |
| Setup Connector Configurations | Configures all connectors listed in the connector configuration file. |
| Setup Default Appliance Roles | Auto-configures the appliance roles for playbook execution. |
| Setup Default Configuration for Code Snippet | Creates the default configuration for the Code Snippet connector. |
| Setup Default Configuration for SLA Calculator | Creates the default configuration for the SLA Calculator connector. |
| Setup Default Configuration for SOC Simulator | Creates the default configuration for the SOC Simulator connector. |

Training Playbook Collection

You can use the playbooks in the 12 – Training collection to provide FortiSOAR training.

Following is a table that lists the playbooks that are part of the “12- Training” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| 01 - Investigate Filehash (Manual) | Manually triggered playbook that the security analyst uses to determine the filehash reputation. |
| 02 - Investigate Filehash (Semi Automated) | Manually triggered playbook that investigates filehash reputation using VirusTotal. |
| 03 - Investigate Filehash (Fully Automated) | Triggered automatically following the creation of an alert; investigates filehash reputation using VirusTotal. |

MITRE ATT&CK™ Playbook Collections

The MITRE ATT&CK Playbook Collections demonstrate various MITRE ATT&CK Techniques.

Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™-CREDENTIAL ACCESS” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| >> Create and Link Alerts from Hunt (Host-based) | Creates and links the alert from a host-based sensor to a Hunt. |
| HUNTS - Credential Dumping (T1003) | Hunts for non-Windows processes accessing the lsass.exe process, which can be indicative of credential dumping. |
| HUNTS - Credential Dumping (T1003) Part2 | Enriches LSASS.exe access information using Splunk or ElasticSearch. |

Following is a table that lists the playbooks that are part of the “13 - MITRE ATT&CK™-DEFENSE EVASION” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| HUNTS- Deobfuscate/Decode Files or Information (T1140) | Identifies the use of Certutil or copy /b to deobfuscate data or files. |
| HUNTS-DCShadow (T1207) | Hunts for execution of, and network traffic generated by, the Mimikatz ‘DCShadow’ module. The network-based portion of this playbook requires network detection signatures. |

Following is a table that lists the playbooks that are part of the “13 - MITRE ATT&CK™- Modulars” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Create Alert from Network Sensor and Link to Hunt | Creates and links an alert from a network-based sensor to a Hunt. |
| Create and Link Alerts from Asset (Host-based) | Creates and links alerts to an asset. |
| Create and Link Alerts from Hunt (Host-based) | Creates and links an alert from a host-based sensor to a Hunt. |
| Create and Link Indicator from Alert | Creates and links indicators when an alert is created. |
| Create and Link User | Creates a user (if it doesn't exist already) and links it to the specified emails, alerts, or incidents. |
| Create Asset from Alert | Links an asset to an alert if the hostname is present. |
| Create User from Alert (Host) | Retrieves incidents related to the specified alert and creates and links users to that alert. |
| Deduplicate Comments (Asset) | Deduplicates comments on asset records. |
| Deduplicate Comments (Hunt) | Deduplicates comments on Hunt records. |

Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PERSISTENCE” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| HUNTS- AppInit DLLs (T1103) | Hunts for modifications to the AppInit DLLs registry keys. |
| HUNTS- Hidden Files and Directories (T1158) | Hunts for the use of attrib.exe to hide files. |
| HUNTS- Netsh Helper DLL (T1128) | Hunts for abnormal DLL loads and processes spawned by netsh.exe. |
| HUNTS- Screensaver (T1180) | Hunts for use of the Windows screensaver to enable attacker persistence: abnormal screensaver executions, processes spawned by a screensaver, and abnormal modifications to screensaver registry keys. |
| HUNTS- Winlogon Helper DLL (T1004) | Hunts for abnormal DLL loads and processes spawned by Winlogon. |

Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PRIVILEGE ESCALATION” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| HUNT- SID-History Injection (T1178) | Hunts for SID-History injection using ‘Mimikatz’ and other tools. It also hunts for SID-History being added to accounts (success and failure). Adding SID-History might allow escalated privileges if SID filtering is not enabled. |

Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PROCESS EXECUTION” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| >ASSETS- Service Execution (Enrichment) (T1035) | Enriches service data and queries VirusTotal for filehash reputation. Queries the SIEM for all instances of any malicious hash that is observed. |
| ASSETS- Service Execution (T1035) | Identifies on-OS services on a host and passes the information to the next playbook for enrichment. |
| HUNTS- CMSTP (T1191) | Identifies processes spawned by CMSTP.exe and creates corresponding alerts. |
| HUNTS- Compiled HTML File (T1223) | Identifies processes spawned by hh.exe. |
| HUNTS- Control Panel Items (T1196) | Identifies processes spawned by Control Panel files and execution of non-standard .cpl files. |
| HUNTS- Dynamic Data Exchange (T1173) | Identifies processes spawned by a Microsoft Office product. |
| HUNTS- InstallUtil (T1118) | Identifies processes that are executed using ‘InstallUtil’ from the command line (CMD, PS, WMIC) and creates corresponding alerts. |
| HUNTS- LSASS Driver (T1177) | Identifies execution of processes by loading an illegitimate LSASS driver (DLL). This technique can be used to execute a binary whenever LSASS is executed. |
| HUNTS- Mshta (T1170) | Identifies processes spawned by Mshta.exe. |
| HUNTS- Regsvcs/Regasm (T1121) | Identifies processes spawned by Regsvcs and Regasm. |
| HUNTS- Rundll32 (T1085) | Identifies processes spawned by rundll32.exe where the loaded DLL exists outside of System32/SysWOW64 or Program Files. This playbook may require additional tuning to reduce false positives. |
| HUNTS- XSL Script Processing (T1220) | Detects execution of processes using XSL scripts. XSL scripts can allow a user to bypass application whitelisting by executing code through trusted OS binaries. |

Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- Pull-Technique-Details” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Link ATT&CK technique to Alert | Links the MITRE ATT&CK technique to alerts based on the attack technique ID. |

Communication Playbook Collection

You can use the playbooks in the 14 – Communications collection to automate various communication-related tasks such as sending a notification email or adding a note to a communication thread.

Following is a table that lists the playbooks that are part of the “14- Communications” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Add Note for Communication Linked | Adds a note stating that a new communication has been linked to the alert. |
| Add Note for Communication Linked (Received) | Adds a note stating that a newly received communication has been linked to the alert. |
| Link Communication Record | Links the communication record to the corresponding alert based on the message ID. |
| Link Previous Communications | Links existing communication records to create a conversation thread. |
| Manual Send Notification | Sends an email notification for any selected communication record that is in either the “Draft” or “Sending” state to the intended recipients. |
| Create Communication Record | Creates a record in the communications module and links it to an alert based on the information entered by the security analyst. |
| Create Communication Record (Email Reply) | Creates a record in the communications module based on a reply to a received email. |
| Send Notification | Sends an auto-notification for any new communication record that is in the “Sending” state to the intended recipients. |

Hunt - Sunburst Playbook Collection

You can use the playbooks in the 15 – Hunt - Sunburst collection to demonstrate the Sunburst hunt techniques.

Following is a table that lists the playbooks that are part of the “15- Hunt - Sunburst” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Block Sunburst Indicators | Blocks Sunburst indicators on FortiGate and FortiEDR. |
| Hunt Sunburst IOCs | Downloads IOCs from the threat intelligence feeds and hunts for them. |
| Hunt Sunburst Indicator | Performs a hunt for the specified Sunburst indicators using Splunk and FortiEDR. |

Scenario Playbook Collections

You can use the Scenario Playbook Collections to set up various scenarios in FortiSOAR, such as a brute force attempt, compromised credentials, etc., and demonstrate how FortiSOAR is used to respond to these scenarios.

Following is a table that lists the playbooks that are part of the “16- Scenario” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > Brute Force Attempt | Generates an alert and a corresponding task for a brute force attempt. |
| Generate > Compliance Alert | Generates a compliance alert. |
| Generate > Device Lost/Stolen | Generates an alert for a lost/stolen device. |
| Generate > DLP Alert | Generates a DLP alert, escalates it to an incident, and creates a task for it. |
| Generate > FortiAnalyzer (C&C Alert) | Generates a demo incident from a FortiAnalyzer incident of the 'Command and Control' type. |
| Generate > FortiAnalyzer (User login from SSH) | Generates a demo alert from a FortiAnalyzer incident for a user login from SSH. |
| Generate > IDS Alert | Generates an alert for Snort IDS. |
| Generate > Malware Alert (Host1) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 2 and Host 3). The analyst can then decide the actions that need to be carried out in relation to the alert. |
| Generate > Malware Alert (Host2) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 1 and Host 3). The analyst can then decide the actions that need to be carried out in relation to the alert. |
| Generate > Malware Alert (Host3) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 1 and Host 2). The analyst can then decide the actions that need to be carried out in relation to the alert. |
| Generate > PaloAlto Blocked C2 Connection Alert | Generates a demo alert and task for a C2 connection blocked by Palo Alto. |
| Generate > PaloAlto Panorama Threat Alert | Generates a Palo Alto Panorama threat alert. |
| Generate > S3 Bucket Alert | Generates an alert and task for an S3 bucket alert. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Brute Force Attack Scenario” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > FortiSIEM (Brute Force Attack) | Generates a demo record for a brute force attack. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Compromised Credentials Scenario” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > FortiSIEM (01 - Initial Access - Firewall Configuration Change - Port Forwarding) | Generates a demo alert from a FortiSIEM incident, which is created when there is a change in the firewall configuration related to port forwarding. |
| Generate > FortiSIEM (02 - Initial Access - Firewall Configuration Change - Policy Change) | Generates a demo alert from a FortiSIEM incident, which is created when there is a change in the firewall configuration related to policy. |
| Generate > FortiSIEM (03 - Persistence - Domain User Created) | Generates a demo alert from a FortiSIEM incident, which is created when a domain user is created and a persistence threat is detected. |
| Generate > FortiSIEM (04 - Persistence - User Password Reset) | Generates a demo alert from a FortiSIEM incident, which is created when a user password has been reset and a persistence threat is detected. |
| Generate > FortiSIEM (05 - Persistence - User Added to Administrator Group) | Generates a demo alert from a FortiSIEM incident, which is created when the user password has been reset and a persistence threat is detected. |
| Generate > FortiSIEM (06 - Persistence - Schedule Task) | Generates a demo alert from a FortiSIEM incident, which is created when the ‘Persistence - Schedule Task’ scenario is executed. |
| Generate > FortiSIEM (07 - Exfiltration - File Transfer) | Generates a demo alert from a FortiSIEM incident for the ‘Exfiltration - File Transfer’ scenario, which is created when a data exfiltration event has occurred. |

Following is a table that lists the playbooks that are part of the “16- Scenario - FortiDeceptor” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > FortiDeceptor Alerts | Generates an alert from FortiDeceptor CEF. |

Following is a table that lists the playbooks that are part of the “16- Scenario - FortiSIEM” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > FortiSIEM (Concurrent Successful Authentications To Same Account From Multiple Countries) | Generates a demo alert from a FortiSIEM incident, which is created when concurrent successful authentications to the same account have been detected from multiple countries. |
| Generate > FortiSIEM (Excessive Denied Connections) | Generates a demo alert from a FortiSIEM incident, which is created when excessive denied connection events have been detected. |
| Generate > FortiSIEM (Important process down) | Generates a demo alert from a FortiSIEM incident, which is created when an important process is not running. |
| Generate > FortiSIEM (Large Outbound Transfer) | Generates a demo alert from a FortiSIEM incident, which is created when a large outbound transfer has been detected. |
| Generate > FortiSIEM (Process Stopped) | Generates a demo alert from a FortiSIEM incident, which is created when a process has been stopped. |
| Generate > FortiSIEM (Sudden Increase in System Memory Usage) | Generates a demo alert from a FortiSIEM incident for the 'Sudden Increase in System Memory Usage' event, which is created when a sudden increase in system memory usage has been detected. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Microsoft CASB” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate Microsoft CASB (Malware Infection) Alert | Generates a demo alert from a Microsoft CASB alert, which is created when a malware infection is detected. |

Following is a table that lists the playbooks that are part of the “16- Scenario - LogRhythm” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > LogRhythm Alarms | Generates alerts for alarms pulled from LogRhythm during the specified duration. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Phishing Scenario” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > Phishing Alert | Generates an alert and a corresponding task for a phishing event. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Sunburst” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > Sunburst Alert | Generates a Sunburst alert. |

Following is a table that lists the playbooks that are part of the “16- Scenario - Symantec” collection in the Content Pack:

| Name of the playbook | Description |
|---|---|
| Generate > Symantec CloudSOC (External Filesharing Alert) | Generates an alert for Symantec CloudSOC events. |
| Generate > Symantec Email.Cloud | Generates an alert for a list of IOCs downloaded from Symantec Email.Cloud that are specific to a particular domain. |

System Fixtures Playbook Collections

There are also various other playbook collections, such as SLA Management Playbooks, System Notification and Escalation Playbooks, War Room Automation, etc., that are included by default as ‘System Fixtures’ in FortiSOAR. For more information on System Fixtures, see the FortiSOAR Administration Guide. The following tables list the playbook collections that are part of System Fixtures.

Following is a table that lists the playbooks that are part of the “Approval/Manual Task Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| Approval > Notify Owners | Sends an approval notification email to the assigned users or teams. |
| Approval > Notify Updated Owners | Sends an approval notification email to the newly assigned approver. |
| Manage Approval via API | Manages approvals by making API calls to the FortiSOAR endpoint. |
| Manual Task > Resume Playbook | Resumes a paused workflow on completion of the manual task. |

Following is a table that lists the playbooks that are part of the “Comment Notifications” collection:

| Name of the playbook | Description |
|---|---|
| > Comment - Send Email Notification | Fetches the email IDs of the people tagged in the specified comment and sends them an email notification. |
| Comment > Notify Mentioned/Tagged People on Comment Create | Triggered whenever a new comment record is created; sends an email notification to the people tagged in the comment. |
| Comment > Notify Mentioned/Tagged People on Comment Update | Triggered whenever a comment record is updated; sends an email notification to the people tagged in the comment. |

Following is a table that lists the playbooks that are part of the “Report Management Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| > Generate Incident Summary Report > Generated Report and Link to Incidents | Generates a report for the specified report ID and adds links to the related incidents as a comment. |
| Export Report | Generates a report for the specified report ID in PDF format. |
| Generate Incident Summary Report | Generates the incident summary report for the selected incident records. |
| Generate Report from Schedule | Generates a report using the FortiSOAR scheduler. |

Following is a table that lists the playbooks that are part of the “SLA Management Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| Alert > Set Assigned Date (upon creation) | Updates the assigned date of the alert when a person is assigned to the alert. |
| Alert > Set Assigned Date (upon reassignment) | Updates the assigned date of the alert when a person is reassigned to the alert. |
| Alert > Set Resolved Date | Updates the resolved date of an alert when its state is marked as "Closed". |
| Incident > Set Assigned Date (upon creation) | Updates the assigned date of an incident when a lead is assigned to the incident. |
| Incident > Set Assigned Date (upon reassignment) | Updates the assigned date of the incident when a lead is reassigned to the incident. |
| Incident > Set Resolved Date | Updates the resolved date of an incident when its state is marked as "Resolved". |

Following is a table that lists the playbooks that are part of the “Schedule Management Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| Agent > Check For Missed Heartbeats | Scheduled workflow that checks for missed agent heartbeats within the configured past time interval. If an agent is found to be unreachable, its status is marked as “Failed”. |
| Agent > Trigger Health Check | Scheduled workflow that initiates a heartbeat request from all agents on the instance. |
| AuditLog Cleanup | Scheduled workflow that cleans up audit logs. |
| Playbook execution history cleanup | Scheduled workflow that cleans up playbook execution history. |
| Purge Integration Logs | Scheduled workflow that purges integration logs. |
| Reclaim Disk Space (Playbook Logs) | Scheduled workflow that reclaims the disk space used by playbook execution logs. |

Following is a table that lists the playbooks that are part of the “System Notification and Escalation Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| Alert > Escalate To Incident | Escalates the selected alert to an incident. |
| Alert > Escalate To Incident (No Trigger) | Creates a new incident with the specified inputs and links the alert(s) to the newly created incident. |
| Alert > Escalate to Incident (Link Relations) | Extracts related records and assigns them to the created incident. |
| Alert > Notify Creation (Email) | Sends an email notification to the assignee about the assignment of the alert. |
| Alert > Notify Creation (System) | Notifies the assignee about the assignment of the alert. |
| Alert > Notify Updation (System) | Notifies the assignee when the alert is updated. |
| Incident > Notify Creation (Email) | Sends an email notification to the assignee about the assignment of a new incident. |
| Incident > Notify Creation (System) | Notifies the assignee about the assignment of a new incident. |
| Incident > Notify Updation | Notifies the assignee when the incident is updated. |
| Resolve Alert | Marks the specified security alert as closed. |
| Tasks > Notify Creation (Email) | Sends an email notification to the assignee about the assignment of a task. |
| Tasks > Notify Creation (System) | Notifies the assignee about the creation of a task. |
| Tasks > Notify Updation | Notifies the assignee when the task is updated. |
| Tasks > Post-Create: Assign user owner | Sets the assigned user as the user owner of the new task. |
| Tasks > Post-Update: Assign user owner | Sets the newly assigned user as the user owner of the task. |

Following is a table that lists the playbooks that are part of the “Utilities Playbooks” collection:

| Name of the playbook | Description |
|---|---|
| Link Similar Alerts | Links all selected similar alerts with the parent alert. |
| Link Similar Emails | Links all selected similar emails with the parent email. |
| Link Similar Incidents | Links all selected similar incidents with the parent incident. |
| Link Similar Indicators | Links all selected similar indicators with the parent indicator. |

Following is a table that lists the playbooks that are part of the “War Room Automation” collection:

| Name of the playbook | Description |
|---|---|
| Cascade Ownership for Newly Linked Records | Assigns war room responders as owners of all newly linked records, such as alerts, incidents, indicators, etc. |
| Generate War Room Report | Generates a War Room report and adds a link to the specific War Room record as a comment. |
| Notify New Announcement | Sends an email notification to the war room owner and user owners whenever a new announcement is created. |
| Notify Newly Linked Team | Sends an email notification to the new team that has been linked to the War Room record. |
| Notify Newly Linked User(s) | Sends an email notification to the new users who have been linked to the War Room record. |
| Send Email | Child playbook of Send Email Notification. Sends an email notification to war room owners and user owners about any changes to the War Room record. |
| Send Email Notification | Fetches the details of War Room owners and user owners and sends them an email notification about any changes to the War Room record. |
| Send War Room Summary Email | Generates and sends the War Room summary report to the response team or to the specified user(s). |
| Set War Room Live and Notify Responders | Updates the war room status to "Live" and sends an email notification to the responders. |
| Set up War Room from Alerts | Sets up a War Room based on the selected alert(s). |
| Set up War Room from Incidents | Sets up a War Room based on the selected incident(s). |
| Update War Room Close Date | Updates the ‘Close Date’ of the War Room record when its status is marked as "Closed". |
