Created on 08-07-2020 01:46 PM Edited on 08-06-2022 10:40 PM By shaveta
This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK), which enables users to experience the power of FortiSOAR™ incident response. FortiSOAR™ is built on a modular architecture, and the FSR IR Content Pack is an implementation of best practices for configuring and using FortiSOAR™ in an optimal manner. The content pack also contains a large amount of sample, simulation, and training data, so that you can experience FortiSOAR™ without having all the devices.
This article covers the following:
Important: Before you install the content pack, ensure that there are no records such as alerts, indicators, incidents, etc., in your FortiSOAR™ system.
Use the following procedure as a root user to deploy the content pack:
yum install fsr-ir-content-pack -y
Before you begin using the content pack, you should configure connectors such as AlienVault, VirusTotal, and IP Stack, so that you can experience the default enrichment of records using these connectors. To configure these connectors, all you need to do is create accounts for the above products; these accounts can be created for free and do not necessarily require a corporate account. Once you have created your account, enter the account details, such as the Server URL and API Key, in the respective connector’s configuration page.
You should also configure the ElasticSearch, SSH, and FortiSOAR SOC Simulator connectors.
To configure the ElasticSearch connector, open the ElasticSearch Connector and in its "Configuration Page" enter the following values for the configuration parameters:
The SSH connector is used in the enrichment playbooks to find the hostname of an asset. To configure this connector, open the SSH Connector and in its "Configuration Page" enter the following values for the configuration parameters:
The FortiSOAR SOC Simulator connector is used to create various scenarios. To configure this connector, open the FortiSOAR SOC Simulator Connector and in its "Configuration Page" enter the following values for the configuration parameters:
Once you have configured the FortiSOAR SOC Simulator connector, sample scenarios are created under Help > Scenario, and you are all set to start using the content pack and creating demo records.
The content pack consists of the following:
Once you log on to FortiSOAR™, the FortiSOAR™ UI appears as a collection of modules, as shown in the following image:
Each module, such as "Incidents", provides access to an individual data model within the FortiSOAR™ database.
A brief description of each module collection follows:
When you log on to your FortiSOAR™ instance, you will notice that it does not contain any scenarios or demo records; you create them by clicking Incident Response > Alerts in the left navigation and then clicking the Demo IR Records button.
Once you click the Demo IR Records button, the following actions are performed:
When you click an alert and view its Collaboration Panel, you will observe that the alert has been enriched: its associated indicators, such as file hashes, are extracted and their reputations are checked using the configured connectors. The severity of the alert is also changed to “Critical”, because the alert contains a malicious indicator:
You can explore further use cases based on your requirements by running the playbooks that are associated with alerts.
For example, if you click on the Repeated Login Failure alert, you will observe that the alert is of type “Brute Force Attempts”, and you can click Execute > Investigate Brute Force, to run the associated playbook and further investigate the alert:
As shown in the following image, running the playbook conducts further investigation of the alert, such as extracting the source IP address, getting the reputation of that IP address using the VirusTotal connector, and getting details of the user who attempted the brute force attack:
You can now perform additional actions on the enriched alert, for example, blocking the user who attempted the brute force, marking an indicator as malicious, or blocking the malicious indicator, i.e., the IP address. To block an IP address, go to the Indicators tab in the alert, click the indicator that you want to block, and click Execute > Block IP Address:
A dialog with a text box appears, where you can specify the reason for blocking the IP address, such as “Found malicious during investigation”; then click Block.
To complete the block operation, click the indicator to open the indicator record, then click the Pending items icon, which displays the block dialog on which you can confirm the blocking of the indicator.
Now you can see that a new task has been added, which confirms that the linked IP address has been blocked:
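The enrichment and blocking flow described above (indicator extraction, reputation check, escalation to "Critical", and the Block IP Address action with its reason) as an added Python sketch; it is not part of the content pack or of FortiSOAR's playbook engine. The Alert shape, the REPUTATION_DB lookup standing in for the VirusTotal/AlienVault connectors, and the sample event are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed stand-in for the verdicts the VirusTotal/AlienVault connectors would return.
REPUTATION_DB = {
    "0123456789abcdef0123456789abcdef": "malicious",  # constructed sample MD5
    "203.0.113.45": "malicious",                      # RFC 5737 documentation address
    "198.51.100.7": "clean",
}
IOC_PATTERNS = {
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

@dataclass
class Alert:
    name: str
    alert_type: str
    raw_event: str
    severity: str = "Medium"
    indicators: dict = field(default_factory=dict)  # value -> {"type", "reputation"}
    tasks: list = field(default_factory=list)

def extract_indicators(text):
    """Return {value: type} for every file hash or IPv4 address found in free text."""
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(text):
            found[value.lower()] = kind
    return found

def enrich_alert(alert):
    """Extract indicators, look up each reputation, and escalate on any malicious hit."""
    for value, kind in extract_indicators(alert.raw_event).items():
        verdict = REPUTATION_DB.get(value, "unknown")  # hypothetical connector call
        alert.indicators[value] = {"type": kind, "reputation": verdict}
    if any(i["reputation"] == "malicious" for i in alert.indicators.values()):
        alert.severity = "Critical"
    return alert

def block_indicator(alert, value, reason):
    """Analyst action from the Indicators tab; refuses anything that is not a malicious IP."""
    info = alert.indicators.get(value)
    if info is None or info["type"] != "ipv4" or info["reputation"] != "malicious":
        return False
    alert.tasks.append(f"Blocked IP {value}: {reason}")
    return True
# Constructed 'Repeated Login Failure' event in the shape a SIEM might forward it.
SAMPLE = Alert("Repeated Login Failure", "Brute Force Attempts",
               "12 failed logons for jdoe from 203.0.113.45 to 198.51.100.7; md5=0123456789abcdef0123456789abcdef")
```

Calling enrich_alert(SAMPLE) raises the severity to "Critical" because two of its three indicators are malicious; block_indicator then records the block task only for the malicious IP and refuses the clean host and the hash.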
Once all the tasks on this alert are completed, you can close the alert by selecting “Closed” from the Status drop-down list in the alert, providing the reason for closing it, and clicking Update. You can also choose to close the alert on the SIEM:
Now you can see that a new task has been added, which confirms that the alert on the SIEM has been closed; it also shows metrics for queue time, time to acknowledge the alert, and time to resolve the investigation:
You can also run the provided scenarios to understand how FortiSOAR™ handles them. To view scenarios, click Help > Scenario. The Scenario page lists scenarios such as Data Leakage, Phishing Emails, etc.
Some scenarios demonstrate particular features of FortiSOAR™, such as the FortiSOAR™ recommendation engine, which lists alerts containing similar hosts etc., giving you a complete picture of the incident. Other scenarios demonstrate an investigation process and therefore contain associated investigation playbooks.
For example, in the Stolen Credentials scenario, click the down-arrow on the “Stolen credential leading to data exfiltration” row to display the description of this scenario:
To run this scenario, select Stolen credential leading to data exfiltration and click Run Scenario. This creates the alerts and/or incidents that correspond to the scenario. Clicking an alert created by this scenario, for example “Windows User Created”, opens the alert; when you click the Recommendations tab, you observe that many similar alerts have been created, which indicates that related operations are taking place. The SOC analyst’s task of going through a number of alerts to figure out which ones are similar is therefore solved by the FortiSOAR™ Recommendation engine. Now you can select all the similar alerts, link them, and escalate them to create a Security Incident.
To view the source for the Stolen credential leading to data exfiltration scenario, click Help > Scenario > Stolen credential leading to data exfiltration, then click the Source tab. The “Steps” section contains the data used by playbooks to create the demo records. Once the alerts are created, their IDs are listed in the “Created Alerts” section:
If you want to delete the records created by this scenario, you can click the Reset Scenario button on the “Scenario” page.
You can also click Run Selected Scenario on the “Alerts” page to create a specific scenario.
The MITRE Attack Technique module allows you to download MITRE techniques from MITRE.org. These techniques are stored in FortiSOAR™ for reference. A default playbook to download MITRE techniques is shipped with the content pack.
Techniques are automatically related to specific alerts based on the MITRE techniques they match.
Note: For MITRE technique correlation to work, the ‘MITRE ATT&CK ID’ field in alerts must be populated by the ingestion playbooks. These IDs can then be added to the alert/event generation rules in the SIEM or other log aggregator.
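The correlation rule in the note above, as an added example that is not the content pack's own playbook: it normalises the alert's ATT&CK ID field, links each ID to a stored technique record, falls back to the parent technique for a sub-technique that is not stored, and reports IDs that match nothing (which usually means the SIEM rule populated the field wrongly). The TECHNIQUES store, the mitre_attack_id key and the sample alerts are assumptions.

```python
import re

# Constructed subset of the technique records the download playbook would store
# in the MITRE Attack Technique module; not the content pack's own data.
TECHNIQUES = {
    "T1110": "Brute Force",
    "T1110.003": "Password Spraying",
    "T1078": "Valid Accounts",
    "T1136.001": "Create Account: Local Account",
}
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def parse_attack_ids(field_value):
    """Split the alert's 'MITRE ATT&CK ID' field into unique, well-formed IDs.

    Accepts comma, semicolon or whitespace separators and mixed case, and drops
    anything that is not shaped like Txxxx or Txxxx.yyy.
    """
    ids = []
    for token in re.split(r"[,;\s]+", (field_value or "").strip()):
        token = token.upper()
        if ATTACK_ID.match(token) and token not in ids:
            ids.append(token)
    return ids

def correlate(alert):
    """Return (linked, unknown): technique records related to the alert, and IDs
    that no stored technique matches. A sub-technique that is not stored falls
    back to its parent, so the alert is still related at the technique level."""
    linked, unknown = [], []
    for tid in parse_attack_ids(alert.get("mitre_attack_id")):
        match = tid if tid in TECHNIQUES else tid.split(".")[0]
        if match in TECHNIQUES:
            record = (match, TECHNIQUES[match])
            if record not in linked:
                linked.append(record)
        else:
            unknown.append(tid)
    return linked, unknown

# Constructed alerts as an ingestion playbook might hand them over; the second
# one shows why the field must be populated for any correlation to happen.
SAMPLE_ALERTS = [
    {"name": "Repeated Login Failure", "mitre_attack_id": "T1110.003, t1078; T1110.001 T9999"},
    {"name": "Windows User Created", "mitre_attack_id": ""},
]
```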
If you have the content pack installed, the rpm is upgraded to a new version to stay in sync with the base product; however, the contents of the content pack are not changed or upgraded. To update the contents, download the latest contents from the support portal, review the changes, and then manually update the contents. This prevents overwriting changes that you might have made.
Before you proceed to upgrade the contents of the content pack manually, you must take a backup of your current configuration using the “Configuration Manager”. You can export all the modules along with their MMDs, SVTs, and all the required playbooks.
While importing MMDs/SVTs using the configuration manager, take care that you do not delete any field that belongs to an existing module.
For example, in the following image, when you import the “Alerts” module using the configuration manager, you must ensure that "Custom Field 1" is retained and not deleted:
Note: SVT changes might get lost during import; if they do, you can restore them from the configuration that you backed up.
After you have imported the MMDs and SVTs, you can import the desired playbooks.
FortiSOAR IR Content Pack: the list of out-of-the-box use cases and playbook collections can be found here