FortiSIEM is a highly flexible solution providing a wide collection of inbuilt Remediation Scripts, integrating FortiSOAR Playbooks or giving the user the ability to create his own custom remediation scripts.

Predefined and custom FortiSIEM scripts can be invoked on-demand (manually) or automatically when the incident happens. A common situation for using remediation scripts includes blocking sources and/or destinations IP address for reported attacks or suspicious activities (ex. port scanning activities, communication with a C&C server, botnets, etc.).

These situations can also be addressed in an easy and reliable way by using a new remediation method based on a FortiSIEM publishing script leveraging Fortinet Security Fabric External Connectors and/or 3^rd party NGFW Connectors. 

Implementation:

1. Configure FortiSIEM Supervisor
   • Connect to Supervisor console (ex. using SSH)
   • Install pathlib library (this will be used by the script while automatically creating the IP lists html file):
     • # cd /usr/local
     • # pip2.7 install pathlib
   • Create a local folder by running the following commands:
     • #mkdir /script
   • Copy the src_ip.py script file to the previously created folder or build the file from scratch using vi editor, by running the following commands::
     • # > src_ip.py
     • # vi src_ip.py (insert the script code in the file and save it)
     • src_ip.py script extracts Source IP Address from Incident XML file. If Destination IP Address are needed you have to copy/create the "dst_ip.py" script file.
   • Run the sript using #python src_ip.py command. Upon running this command, HTML file lists will be automatically created, and the script will become executable with admin rights (this way the admin user will be able to trigger/run the script from the web GUI). Ignore the console messages after running the “#python src_ip.py” CLI command. If Destination IP Address are needed you have to run the "dst_ip.py" script file.
     • HTML list file will be automatically created in the /var/www/HTML folder
     • HTML list file will have a similar name as the script name (for example running script "src_ip.py" creates a "src_ip.HTML" file
2. Configure FortiGate Security Fabric External Connectors
   • Connect to FortiManager GUI and select "Security Fabric View":
   • Create a New Fabric Connector:
   • Fill in the "URI of external resources" filed with supervisor FQDN or IP address followed by the generated HTML file list name (ex.https://fortisiem.com/src_ip.html):
   • Press the "OK" button and check if the newly created Threat Feed is listed in the "Connectors" section:
   • Configure appropriate Policy Rules using the newly created Fabric Connector List:
   • Use FortiManager Install Wizard to Install the Policy(during this process, Fortinet Security Fabric Exteral Connectors will be configured on FortiGate Firewalls):

1). Ad-hoc remediation test using inbuild FortiGate demo alerts and inbuild FortiSIEM Rules

2). Automatic remediation test based on sample logs and custom Parsers, Rules and Notification Policies

1. Edit "send_syslog.py" script and replace "192.168.0.25" IP address with your Supervisor/Collector IP address
2. Create a FortiSIEM custom parser (to pars the "syslog_msg.txt" logs) using the "TestEventParser_A.xml" file as a reference. More info about working with parser in FortiSIEM is available at: https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Configuring_parsers.htm
3. Create a new FortiSIEM Rule using as a reference the "Allerting_Rule_Event_Type_A.xml" file. More info about creating a custom Rule is available at https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Rules.htm
4. Create a new FortiSIEM Notification Policy based on previously created Rule and the needed remediation script (ex. src_ip.py). More info about creating a Notification Policy is available at: https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Notification_Settings.htm. 
5.  Connect to Supervisor/Collector or 3^rd party computer (the one used in step 1) and run the "python send_syslog.py" command to generate the testing syslog messages (and corresponding Incidents):
   • Check if the generated logs (based on fake IP address written in "syslog_msg.txt" file) are being properly received and parsed by FortiSIEM. You can import the Report_Event_Type_A.xml file and run it as a built-in search, using "Table" or "Link Graph" view options (more information about using FortiSIEM Analytics and Reports as a built-in search is available at https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Running_a_built-in_search.htm:(
     
   • Check if Incidents based on Type A Events are correctly reported in "Incidents" tab:
   • Check if Fortinet Security Fabric Connectors correctly receives the same IP address lists on all existing Firewalls. Connect on protected Workstations (behind Firewalls) and test (ex. using ping/traceroute/tracepath) if policy enforcement works according to your firewall rules.
   • Check if the IP address received by HQ FortiGate firewall (ex. HQ_FGT1 listed bellow) are identical to those used in "send_syslog.txt" file
   • Check if the IP address received by branch FortiGate firewall (ex. FCT_Branch_1 listed bellow) are identical to those used in "send_syslog.txt" file:
   • Check if the IP address received by the second branch FortiGate firewall (ex. FGT_Branch_2 listed bellow) are identical to those used in "send_syslog.txt" file:
   • 

Miscellaneous:

• Delays must be taken into consideration depending on FGT External Connectors refresh rate. Delays are measured from the moment FSM publishes the IP address list until FGT fetches it.
• HTTP basic authentication should be considered when configuring FortiGate External Connectors
• IP Lists expires could be implemented using an additional scheduled script (to automate deletion of IP address from the list)
• This method might be extended to use(publish) Hash and URL lists (not just IP address lists)