FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Parag
Staff
Article Id 220045

Summary - Most financial institutions, insurance companies, government departments, etc. receive advisories from threat intelligence platforms (TIPs) and various organisations. Most advisories contain IPs, domain names, hashes, URLs, etc. Advisories are generally delivered via email with attachments in PDF, Excel or CSV format. The indicators in these advisories are usually defanged, for example:

  • Brackets are added to domain names; for example, www.example.com is replaced with www[.]example[.]com
  • Brackets are added to the IP address; for example, 8.8.8.8 is replaced with 8[.]8[.]8[.]8


Automation Use Case

  • Monitor a dedicated mailbox for new advisories and ingest each new email into FortiSOAR (default data ingestion playbook for Exchange)
  • Extract the PDF, Excel or CSV file attached to the email
  • Identify the file type: PDF, Excel or CSV
  • Read the file (number of pages, lines, etc.)
  • Extract all the indicators within the file: IPs, hashes, domains, URLs, etc.
  • Refang the indicators, e.g. 8[.]8[.]8[.]8 --> 8.8.8.8
  • Ingest the indicators into the FortiSOAR Indicators module and run the enrichment playbook from the IR content pack
  • Send an email to the user with a compiled report of the indicators ingested
  • Optional: most clients ask to push these indicators to firewalls, EDR, etc. as part of the automation
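The extract and refang steps above, as an added example in Python that is not part of the FortiSOAR playbooks or of this article. It takes the text of a CSV attachment (the earlier step that reads the file out of the email is assumed to have run already; the sample CSV below is constructed for the example), refangs the bracket and hxxp forms, and pulls out IPs, domains, URLs and hashes. The regular expressions, the NOT_TLD list and the function names are this example's own choices, not FortiSOAR APIs.

```python
"""Extract and refang indicators from a CSV advisory attachment.

Added example, not FortiSOAR playbook code. Input is plain CSV text;
reading the attachment out of the email is assumed to happen earlier.
"""
import csv
import io
import re

# Indicator patterns (this example's own choices, not a FortiSOAR API).
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)  # SHA-256, SHA-1, MD5
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
# File extensions the domain regex would otherwise mistake for a TLD (e.g. "report.pdf").
NOT_TLD = {"pdf", "xlsx", "xls", "csv", "txt", "doc", "docx", "exe", "dll", "zip"}


def refang(text):
    """Undo common defanging so indicators match their live form.

    8[.]8[.]8[.]8 -> 8.8.8.8, www[.]example[.]com -> www.example.com,
    hxxps[:]// -> https://, user[@]host -> user@host.
    """
    text = re.sub(r"\[\s*\.\s*\]|\(\s*\.\s*\)|\{\s*\.\s*\}|\[dot\]|\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"hxxp(s?)\[?:\]?//", lambda m: "http" + m.group(1).lower() + "://", text, flags=re.I)
    text = re.sub(r"\[:\]", ":", text)
    text = re.sub(r"\[/\]", "/", text)
    text = re.sub(r"\[@\]", "@", text)
    return text


def extract_indicators(text):
    """Return {type: [unique values, in order of appearance]} for one chunk of text."""
    text = refang(text)
    # Strip trailing punctuation that prose commonly glues onto a URL.
    urls = [u.rstrip(".,;:)]'\"") for u in URL_RE.findall(text)]
    # Blank out URLs so their hosts are not reported a second time as domains/IPs.
    remainder = URL_RE.sub(" ", text)
    ips = IPV4_RE.findall(remainder)
    domains = [d for d in DOMAIN_RE.findall(remainder)
               if d.rsplit(".", 1)[-1].lower() not in NOT_TLD]
    hashes = [h.lower() for h in HASH_RE.findall(text)]
    return {
        "url": list(dict.fromkeys(urls)),
        "ip": list(dict.fromkeys(ips)),
        "domain": list(dict.fromkeys(domains)),
        "hash": list(dict.fromkeys(hashes)),
    }


def indicators_from_csv(csv_text):
    """Run extraction over every row of a CSV attachment, cells joined with spaces."""
    merged = {"url": [], "ip": [], "domain": [], "hash": []}
    for row in csv.reader(io.StringIO(csv_text)):
        for kind, values in extract_indicators(" ".join(row)).items():
            merged[kind].extend(values)
    return {kind: list(dict.fromkeys(values)) for kind, values in merged.items()}


# Constructed sample advisory (not real threat data); the MD5 is that of the empty file.
SAMPLE_ADVISORY_CSV = """\
indicator,type,note
8[.]8[.]8[.]8,ip,constructed sample
www[.]example[.]com,domain,constructed sample
hxxps://malicious[.]example[.]net/payload[.]exe,url,constructed sample
d41d8cd98f00b204e9800998ecf8427e,md5,MD5 of the empty file
"""

if __name__ == "__main__":
    for kind, values in indicators_from_csv(SAMPLE_ADVISORY_CSV).items():
        print(kind, values)
```

Two caveats matter before the optional push to firewalls or EDR: the IPv4 pattern also matches version strings such as 1.2.3.4, and the domain pattern matches any dotted token whose last label is alphabetic, so anything not caught by NOT_TLD (for example an unusual file extension) will surface as a domain. Treat the output as candidates for the enrichment playbook and analyst review rather than as a ready-made blocklist. URL hosts are deliberately not reported again as separate domain or IP indicators; drop the `URL_RE.sub` line if the Indicators module should receive them as well.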


Pre-requisite

Process Flow




Notes

  1. Download the playbooks and import them into the FortiSOAR Playbooks module
  2. Use the default data ingestion playbook for the Exchange connector (OOB)
  3. Use the default enrichment playbook from the IR content pack (OOB)
  4. The extraction playbook uses an on-create trigger and runs only when a newly ingested email has a PDF, Excel or CSV attachment
  5. Optional: you can change the playbook trigger to comments, incidents, manual triggers, etc.

Important
** Change the email address in the "Exchange" step of all the playbooks.
** Configure the Exchange connector (the SMTP or G Suite connector will work as well).

Contributors