
FortiSOAR IR Content Pack: Out-of-the-box Use Cases & Playbook Collections


    Posted 4 days ago

    The FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) provides you with a snapshot of the configuration data and other items that can help you to optimally use and experience FortiSOAR's incident response.

    This article provides a listing and brief description of the various types of playbook collections included in the Content Pack. You can use the playbooks to perform varied operations used to automate security processes across your organization. These playbooks can also be used to simulate use cases and provide training for FortiSOAR.

    The playbooks are categorized as follows, based on the type of function they perform, such as ingestion, enrichment, triaging, etc.

    Ingestion Playbook Collection


    You can use the playbooks in the 01-Ingest collection to ingest data from external SIEM solutions such as LogRhythm, and from other third-party sources such as threat intelligence platforms like ThreatQ, email solutions, etc.

    Following is a table that lists the playbooks that are part of the "01-Ingest" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Elastic > Create Alert | Receives 'Login Failure Events' from Elastic using Watcher. |
    | > Elastic > Create Alert (Single Record) | Creates an alert record for events created in Elastic. |
    | Email > Extract Indicators | Extracts indicators from the body and header of the email. |
    | Email (Manual Attach) > File to Alert (Suspicious Email) | Attaches an email to an alert of type 'Suspicious Email', which is further used for investigations. |
    | Email (Manual Upload) > Extract Attachments | Extracts attachments from emails, creates indicators, and then links them to the parent alert. |
    | Email (Manual Upload) > Investigate | Extracts email metadata from an uploaded email file, e.g. mail.eml or mail.msg. |
    | Indicator > Import Bulk Indicators | Extracts indicators from the specified text. |
    | >> JASK > Create Alert for Insight | Creates alerts for JASK Insight. |
    | >> JASK > Create or Find Indicator and Comment | Creates or finds an indicator and associated comments from JASK Insight. |
    | >> JASK > Get Signal Details | Retrieves details of JASK Signals. |
    | JASK > Ingest Insights | Pulls insight data from JASK. |
    | LogRhythm > Fetch Alarms | Pulls alarms created within the specified duration from LogRhythm. |
    | > LogRhythm > Generate LogRhythm Records | Creates LogRhythm records. |
    | Phishing/Suspicious Email Alert > Extract Indicators | Extracts indicators from the body and header of alerts of type "Phishing" and "Suspicious Email". |
    | Symantec CloudSOC > Fetch Incidents | Retrieves incidents from Symantec CloudSOC. |
    | > Symantec CloudSOC > Fetch Incidents > Create Single Alert | Creates a single alert for Symantec CloudSOC incidents. |
    | Symantec Email.Cloud > Fetch Alert | Retrieves alerts from Symantec Email.Cloud. |
    | Tenable.io > Fetch Assets | Retrieves assets for the specified scan from Tenable.io. |
    | > Tenable.io > Fetch Assets > Ingest Asset | Creates a new asset record in Tenable.io and builds the relation between the scan and the asset. |
    | Tenable.io > Fetch Scan | Retrieves scans for the specified scan from Tenable.io. |
    | > Tenable.io > Fetch Scan > Ingest Scan | Creates a new scan record. |
    | Tenable.io > Fetch Vulnerabilities | Retrieves vulnerabilities for the specified asset from Tenable.io. |
    | > Tenable.io > Fetch Vulnerabilities > Ingest Vulnerabilities | Creates a new vulnerability record in Tenable.io and builds the relationship between the asset and the vulnerabilities. |
    | Tenable.io > Fetch Vulnerability Details | Retrieves vulnerability information for the specified vulnerability from Tenable.io. |
    | Threat Intel > Create Indicators | Retrieves indicators that have been created or updated in the past 24 hours from ThreatQ. |

    Note: the '>' sign indicates child playbooks; the '>>' sign indicates reference playbooks.

    Enrichment Playbook Collection


    You can use the playbooks in the 02-Enrich collection to perform enrichment of data, which is one of the first incident response tasks. Automating data enrichment tasks helps to better manage increasing volumes of threats and provides more actionable context to the analysts. An example of an enrichment-type playbook would be retrieving the reputation of a file, domain, URL, etc. from threat intelligence platforms such as Anomali ThreatStream and VirusTotal.

    Following is a table that lists the playbooks that are part of the "02-Enrich" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Asset > Get Running Process | Retrieves a list of all processes that are running on the specified host. |
    | Attachment > Get File Reputation | Retrieves the reputation of a file that is submitted from FortiSOAR to VirusTotal. |
    | >> Create Indicators (Batch) | Creates indicator records in bulk. |
    | Extract Indicators | Extracts and creates indicators from the specified data and then enriches specific fields in alerts with the indicator data. |
    | Extract Indicators > Manual | Extracts and creates indicators from the specified alert records and then enriches specific fields in alerts with the indicator data. |
    | >> Fotinet Fortisandbox (Get Reputation) > Get Scan Results | Retrieves the job verdict details for submitted samples based on the specified job ID. |
    | Get Related IOCs For An IP | Retrieves related IOCs for a specified IP address from threat intel sources. |
    | Get Reputation After Specified Time | Re-enriches indicators after a specified time. |
    | Indicator (Manual Trigger) > Get Latest Reputation | Retrieves the reputation of indicators using configured threat intelligence tools. |
    | Indicator (Type All) > Get Latest Reputation | Retrieves the reputation of indicators using configured threat intelligence tools. |
    | Indicator (Type Domain) > Get Reputation | Retrieves the reputation of indicators of type 'Domain' using configured threat intelligence tools. |
    | Indicator (Type Email) > Get Reputation | Retrieves the reputation of indicators of type 'Email Address' using configured threat intelligence tools. |
    | Indicator (Type File) > Get Reputation | Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools. |
    | Indicator (Type File) > Get Reputation (Fortinet Sandbox) | Submits a file to Fortinet Sandbox and then retrieves its reputation. |
    | Indicator (Type File - MD5) > Get Reputation | Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools. |
    | Indicator (Type Host) > Get Reputation | Retrieves the reputation of indicators of type 'Host' using configured threat intelligence tools. |
    | Indicator (Type IP) > Get Reputation | Retrieves the reputation of indicators of type 'IP Address' using configured threat intelligence tools. |
    | Indicator (Type Port) > Get Reputation | Retrieves the reputation of indicators of type 'Port' using configured threat intelligence tools. |
    | Indicator (Type Process) > Get Reputation | Retrieves the reputation of indicators of type 'Process' using configured threat intelligence tools. |
    | Indicator (Type URL) > Get Reputation | Retrieves the reputation of indicators of type 'URL' using configured threat intelligence tools. |
    | Indicator (Type User Account) > Get Details | Retrieves the details of indicators of type 'User Account' using configured threat intelligence tools. |

    Note: the '>' sign indicates child playbooks; the '>>' sign indicates reference playbooks.

     

    Following is a table that lists the playbooks that are part of the "02-Enrich (Pluggable)" collection in the Content Pack:

    Name of the playbook

    AlienValut OTX - File MD5 Reputation

    AlienValut OTX - IP Reputation

    AlienValut OTX - URL Reputation

    AlienVault-OTX - Domain Reputation

    Anomali Threatstream - Email Reputation

    Anomali Threatstream - File MD5 Reputation

    Anomali Threatstream - IP Reputation

    Anomali Threatstream - URL Reputation

    Cisco Threat Grid - File Reputation

    Fortinet Web Filter Lookup - Domain Reputation

    Fortinet Web Filter Lookup - URL Reputation

    IP Stack - Domain Geo Location

    IP Stack - IP Reputation

    Indicator (Domain) > Get Latest Reputation

    Indicator (Email) > Get Latest Reputation

    Indicator (File MD5) > Get Latest Reputation

    Indicator (File) > Get Latest Reputation

    Indicator (IP Address) > Get Latest Reputation

    Indicator (Manual Trigger) > Get Latest Reputation

    Indicator (Type All) > Get Latest Reputation

    Indicator (Type File - MD5) > Get Reputation

    Indicator (Type Host) > Get Latest Reputation

    Indicator (Type Process) > Get Latest Reputation

    Indicator (URL) > Get latest Reputation

    MXToolBox - IP Reputation

    Symantec Deepsight Intelligence - File MD5 Reputation

    ThreatQ - Email Reputation

    URLVoid - Domain Reputation

    URLVoid - URL Reputation

    VirusTotal - Domain Reputation

    VirusTotal - URL Reputation

    Virustotal - File MD5 Reputation

    Virustotal - File Reputation

    Virustotal - IP Reputation

    Whois - IP Reputation

    Triaging Playbook Collection


    You can use the playbooks in the 03-Triage collection to perform actions such as sorting, systematizing, and computing on your enriched data, enabling you to quickly investigate the incident and take decisions for its containment and resolution.

    Following is a table that lists the playbooks that are part of the "03-Triage" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Compute Alert Priority Weight (Post Update) | Computes and sets the priority weight for an alert when the alert is updated. The priority weight is calculated based on indicators related to the alert. |
    | Compute Alert Priority Weight (Post Update - Indicator Linked) | Computes and sets the priority weight for an alert when an indicator related to the alert is updated. The priority weight is calculated based on indicators related to the alert. |
    | Compute Alert Priority Weight (Post Update - Indicator Reputation Update) | Computes and sets the priority weight for an alert when the reputation of an indicator is updated. The priority weight is calculated based on indicators related to the alert. |
    | Find and Relate Similar Alerts | Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts. |
    | Find and Relate Similar Alerts - ML | Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts using the recommendation APIs (ML). |
    | Flag Indicators Linked across multiple alerts | Flags changes in indicators that are linked to multiple alerts. |
    | Map Historical Alerts and Escalate for malicious Indicators | Creates a mapping for historical alerts and then escalates the alerts to incidents if malicious indicators are found. If the incident already exists, the information is updated in the existing incident; otherwise a new incident is created. |
    | Prioritize Alerts With VIP Assets | Raises the severity of the alert if it is associated with a supercritical asset. |
    | Update Alert Severity for Malicious Indicators | Sets the alert's severity to 'Critical' if its associated indicators are found to be 'malicious'. |

    Use Cases Playbook Collection


    You can use the playbooks in the 04-Use Cases collection to understand and perform various tasks or steps needed to deal with an incident, such as a Phishing attack or a Brute Force Attempt.

    Following is a table that lists the playbooks that are part of the "04-Use Cases" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Investigate and Escalate Symantec Email.Cloud Phishing Alert | Investigates an alert ingested from Symantec Email.Cloud of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
    | Investigate Brute Force Attempt | Investigates login failures and also identifies other impacted assets. |
    | Investigate Brute Force Attempt (FortiSIEM) | Investigates login failures from FortiSIEM and also identifies other impacted assets. |
    | Investigate C2 Malware Traffic | Investigates C2 malware traffic and blocks malicious content if indicators associated with the alert are found to be 'Malicious'. |
    | Investigate Command & Control | Enriches alerts for C&C behavior. |
    | Investigate Compliance Alert | Investigates alerts of type 'Compliance'. |
    | Investigate Concurrent login from different geolocation | Investigates alerts of type 'Concurrent Login' by checking whether the source IP address is in the specified CIDR range, and then performs remediation tasks based on the result. |
    | Investigate Data Leakage Alert (Symantec CloudSOC) | Investigates a data leakage alert that is ingested from Symantec CloudSOC and performs containment and remediation tasks if sensitive data is leaked. |
    | Investigate DNS Exfiltration | Investigates an alert ingested from Splunk using threat intelligence reports retrieved from Intel471 and by querying Splunk. Containment tasks are performed if malicious activity is found. |
    | Investigate Firewall Policy Violation | Investigates policy violations, retrieves information about the destination and source IP addresses along with the protocol and port used, and then disables the system from the domain. |
    | Investigate Lateral Movement & VPN Breach Detection | Investigates a FortiDeceptor Malicious IP Lateral Movement and performs containment and remediation tasks if a breach is detected. |
    | Investigate Lost / Stolen device | Investigates lost or stolen devices using ServiceNow and Active Directory. |
    | > Investigate Malicious Indicator >> Hunt | Referenced by the 'Investigate Malicious Indicator' playbook. |
    | > Investigate Malicious Indicator >> Hunt >> QRadar Threat Hunt | Performs QRadar threat hunting over the last 7 days on the specified IOC. |
    | Investigate Malicious Indicators | Hunts malicious indicators and provides their summary for review by analysts. |
    | Investigate Malware Infection | Investigates a malware infection by querying ElasticSearch and Active Directory. |
    | Investigate Reconnaissance | Investigates alerts of type 'Reconnaissance'. |
    | Investigate S3 Bucket Permission Change | Investigates a change in the S3 permissions, and performs containment and remediation tasks if the change is in violation of the S3 policy. |
    | Investigate Suspicious Email | Investigates an alert of type 'Suspicious Email', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
    | Investigate Symantec EMail.Cloud Alert | Investigates an alert ingested from Symantec EMail.Cloud of type 'Suspicious Email'. |
    | Investigate Windows Sysmon event | Investigates a Windows Sysmon event, and escalates the alert to an 'Incident' if malware is detected. |
    | Phishing Alert > Investigate and Escalate | Investigates an alert of type 'Phishing', and escalates the alert to an 'Incident' if indicators associated with the alert are found to be 'Malicious'. |
    | Process CarbonBlack Bit9 Approval Requests | Creates tasks against an incident to complete all requests listed in CarbonBlack Bit9 and sends requests for their approval process. |
    | > Process CarbonBlack Bit9 >> Approval Requests (Subroutine) | The subroutine of the CarbonBlack Bit9 approval process. |
    | Rapid7 - Fetch Scan and Deploy Patch | Automates patch deployments by looking up Rapid7 scan results. |
    | Rapid7 - Fetch Scan and Deploy Patch (Scheduled) | Creates schedules to initiate patch deployments. |
    | > Rapid7 >> Patch (Subroutine) | Deploys patches using MS SCCM. |
    | Remediate Malware Alert (Symantec EDR / ATP) | Investigates an alert ingested from Symantec EDR / ATP of type 'Malware', and blocks entities that are found to be 'Malicious'. |

    Note: the '>' sign indicates child playbooks; the '>>' sign indicates reference playbooks.

    Actions Playbook Collection


    You can use the playbooks in the 05-Actions collection to perform various operations or actions such as blocking or unblocking domains, URLs, hosts, etc.

    Following is a table that lists the playbooks that are part of the "05-Actions" collection in the Content Pack. Note that we have not included a brief description or usage of the playbooks since the names are self-explanatory.

    Name of the playbook

    Action > Asset Mitigation

    Action - Domain - Block (Indicator)

    Action - Domain - Block (Specified by User)

    Action - Domain - Unblock (Indicator)

    Action - Domain - Unblock (Specified by User)

    Action - Email Address - Block (Indicator)

    Action - Email Address - Block (Specified by User)

    Action - Email Address - Unblock (Indicator)

    Action - Email Address - Unblock (Specified by User)

    Action - File - Block (Indicator)

    Action - File - Block (Specified by User)

    Action - File MD5 - Block (Indicator)

    Action - File MD5 - Block (Specified by User)

    Action - File MD5- Unblock (Indicator)

    Action - File MD5 - Unblock (Specified by User)

    Action - File - Unblock (Indicator)

    Action - File - Unblock (Specified by User)

    Action - Host - Block (Indicator)

    Action - Host - Block (Specified by User)

    Action - Host - Isolate Host

    Action - Host - Unblock (Indicator)

    Action - Host - Unblock (Specified by User)

    Action - IP Address - Block (Forticlient EMS)

    Action - IP Address - Block (Fortigate,FortiEDR)

    Action - IP Address - Block (Indicator)

    Action - IP Address - Block (Specified by User)

    Action - IP Address - Unblock (Indicator)

    Action - IP Address - Unblock (Specified by User)

    Action (Type All) > Block Indicators

    Action - URL - Block (Indicator)

    Action - URL - Block (Specified by User)

    Action - URL - Unblock (Indicator)

    Action - URL - Unblock (Specified by User)

    Alert > Disable Specific User (FortiDeceptor)

    Asset > Deploy Patch

    Incident > Get Running Process

    Hunt Playbook Collection


    You can use the playbooks in the 06-Hunt collection to automate threat hunting processes and search and identify suspicious domains, malware, and other indicators in your environment and create alerts based on them.

    Following is a table that lists the playbooks that are part of the "06-Hunt" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Hunt Indicators | Searches for the specified indicators in your environment using EDR tools, and creates alerts for the ones that are found. |

    ChatOps Playbook Collection


    You can use the playbooks in the 07 - ChatOps collection to perform various operations such as fetching alert and incident details, using a Bot.

    Following is a table that lists the playbooks that are part of the "07-Chatops" collection in the Content Pack:

    | Name of the playbook | Usage of the playbook |
    | --- | --- |
    | Bot command > Display Options | Displays the Bot Commands. |
    | Bot Command > Get Alerts | Retrieves the details for a specific alert whose alert ID is provided. |
    | Bot Command > Get Incidents | Retrieves the details for a specific incident whose incident ID is provided. |
    | Bot Command > GetLocation | Retrieves the geolocation details for a specific indicator. |
    | Bot Command > Get Reputation | Retrieves the reputation for a specific indicator. |
    | Bot Command > Get Similar Alerts | Retrieves the alert records that are similar to a specific alert whose alert ID is provided. |
    | Bot > Execute commands | Executes a specific Bot Command when fired. |
    | code snippet | Executes the provided Python code. |

    Case Management Playbook Collection


    You can use the playbooks in the 08 – Case Management collection to automate processes related to cases, including operations such as adding a user as a record owner, checking for SLA violations, calculating queued and resolution time for alerts, etc.

    Following is a table that lists the playbooks that are part of the "08-Case Management" collection in the Content Pack:

    Name of the playbook

    Add a User to the Owners List

    Alert > [01] Capture All SLA (Upon Create)

    Alert > [02] Capture Ack SLA (Upon Update)

    Alert > [03] Capture Response SLA (Upon Update)

    Alert > [04] Check for SLA violations

    Alert > [05] Update Ack and Response Due dates (Post Severity Change)

    Alert > Close Corresponding SIEM Alert

    > Alert >> Periodic Update Alert SLA Status

    Alert > Set Metrics (Upon Close)

    > Alert >> Update SLA Details

    Approval > On Create

    Approval > On Email Receipt (Exchange)

    Approval > On Email Receipt (IMAP)

    Approval > On Email Receipt >> Process Email

    Assign Random User to Unassigned Alerts

    Assign Random User to Unassigned Incidents

    Escalated Alert > Copy Related Records to Incidents

    Escalated Alert > Related Asset Records to Incidents

    Export Selected Records

    >> Fetch SLA Details

    Import Data

    Incident > [01] Capture All SLA (Upon Create)

    Incident > [02] Capture Ack SLA (Upon Update)

    Incident > [03] Capture Response SLA (Upon Update)

    Incident > [04] Check for SLA violations

    Incident > [05] Update Response and Ack Due date (Post Severity Change)

    > Incident >> Periodic Update Incident SLA Status

    Incident (Post Create) Phase Change

    Incident (Post Update) Phase Change

    >> Incident - Set Phase Dates

    Incident Summary Notification

    > Incidents >> Update SLA Details

    Indicator > Check Expiry Status

    Indicator > Set Default Expiry Date

    Indicator > Set First Seen Date

    Indicator > Set Last Seen Date

    Notify Blocked Indicator Status to Linked Alerts

    Pause SLA - Alerts

    Pause SLA - Incidents

    Prompt when Indicator  linked is to Campaign

    Set Prompt to an Alert

    <Temp> Create Demo Approval

    <Temp> Pull Emails - Manual (Exchange)

    <Temp> Pull Emails - Manual (IMAP)

     

    Following is a table that lists the playbooks that are part of the "08-Case Management (Extended)" collection in the Content Pack:

    Name of the playbook

    Incident > [06] Check for Ack SLA violations

    Incident > [07] Check for Response SLA violations

    >> Notify Ack SLA Violation

    >> Notify Response SLA Violation

    Incident Response Playbook Collection


    You can use the playbooks in the 09 – Incident Response collection to help you plan your response to an incident, such as a malware attack.

    Following is a table that lists the playbooks that are part of the "09- Incident Response" collection in the Content Pack:

    Name of the playbook

    Incident Response Plan (Type - Malware)

    Incident Response Plan (Type - NIST 800-61 - Generic)

    NIST 800-61 - Upfront Tasks

    Utilities Playbook Collection


    You can use the playbooks in the 10 – Utilities collection to perform various operations in FortiSOAR, such as creating and linking assets to specified emails, alerts, or incidents, exporting all records of a specified module, or scheduling the health check of connectors and sending appropriate notifications.

    Following is a table that lists the playbooks that are part of the "10- Utilities" collection in the Content Pack:

    Name of the playbook

    Add Attacker Tag to Indicator (FortiDeceptor)

    Create and Link Asset

    Create and Link Indicator

    Download and Create Attachment

    Export as CSV

    > Get Paginated Records

    Notify Connector Health Check Failures

    Notify Failed Playbook Executions

    Demo Playbook Collection


    You can use the playbooks in the 11 – Demo collection to create the various artifacts required to demonstrate different scenarios, such as the creation of a demo incident record to demonstrate a malware incident response, creation of the various global variables required by playbooks, creation of default SLA templates, etc.

    Following is a table that lists the playbooks that are part of the "11- Demo" collection in the Content Pack:

    Name of the playbook

    Add to Exclude List

    Create Default Global Variables

    Create Default SLA Templates

    Create Demo Campaigns

    Create Sample Records - IR, Threat Intelligence and Vulnerability Management

    Create Sample Records - Legal , Physical Incidents

    Demo Incident Response Records

    Demo Scenario #1 - Compromised Credential

    Download and Create Attachment

    Email Based Alert Ingestion

    >> (Email Based Ingestion) Create Alert

    Generate > Attachment Records

    Generate > Malware Incident

    Generate > Tenable Scan, Assets and Vulnerabilities

    >> Get Similar Alerts > Fetch Similar Alerts

    Reset Sample Records (Database)

    Sample > Create FortiSOAR Users

    Sample > Reset Environment

    > Sample Users

    Send Counseling Email

    Setup Connector

    Setup Connector Configurations

    Setup Default Appliance Roles

    Setup Default Configuration for Code Snippet

    Setup Default Configuration for SLA Calculator

    Setup Default Configuration for SOC  Simulator

    Training Playbook Collection


    You can use the playbooks in the 12 – Training collection to provide FortiSOAR training.

    Following is a table that lists the playbooks that are part of the "12- Training" collection in the Content Pack:

    Name of the playbook

    01 - Investigate Filehash (Manual)

    02 - Investigate Filehash (Semi Automated)

    03 - Investigate Filehash (Fully Automated)

    MITRE ATT&CK™ Playbook Collections


    The MITRE ATT&CK Playbook Collections demonstrate various MITRE ATT&CK Techniques.

    Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™-CREDENTIAL ACCESS" collection in the Content Pack:

    Name of the playbook

    >> Create and Link Alerts from Hunt (Host-based)

    HUNTS- Credential Dumping (T1003)

    HUNTS- Credential Dumping (T1003) Part2

     

    Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CK™-DEFENSE EVASION" collection in the Content Pack:

    Name of the playbook

    HUNTS- Deobfuscate/Decode Files or Information (T1140)

    HUNTS-DCShadow (T1207)

     

    Following is a table that lists the playbooks that are part of the "13 - MITRE ATT&CK™- Modulars" collection in the Content Pack:

    Name of the playbook

    Create Alert from Network Sensor and Link to Hunt

    Create and Link Alerts from Asset (Host-based)

    Create and Link Alerts from Hunt (Host-based)

    Create and Link Indicator from Alert

    Create and Link User

    Create Asset from Alert

    Create User from Alert (Host)

    Deduplicate Comments (Asset)

    Deduplicate Comments (Hunt)

     

    Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PERSISTENCE" collection in the Content Pack:

    Name of the playbook

    HUNTS- AppInit DLLs (T1103)

    HUNTS- Hidden Files and Directories (T1158)

    HUNTS- Netsh Helper DLL (T1128)

    HUNTS- Screensaver (T1180)

    HUNTS- Winlogon Helper DLL (T1004)

     

    Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PRIVILEGE ESCALATION" collection in the Content Pack:

    Name of the playbook

    HUNT- SID-History Injection (T1178)

     

    Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- PROCESS EXECUTION" collection in the Content Pack:

    Name of the playbook

    >ASSETS- Service Execution (Enrichment) (T1035)

    ASSETS- Service Execution (T1035)

    HUNTS- CMSTP (T1191)

    HUNTS- Compiled HTML File (T1223)

    HUNTS- Control Panel Items (T1196)

    HUNTS- Dynamic Data Exchange (T1173)

    HUNTS- InstallUtil (T1118)

    HUNTS- LSASS Driver (T1177)

    HUNTS- Mshta (T1170)

    HUNTS- Regsvcs/Regasm (T1121)

    HUNTS- Rundll32 (T1085)

    HUNTS- XSL Script Processing (T1220)

     

    Following is a table that lists the playbooks that are part of the "13- MITRE ATT&CK™- Pull-Technique-Details" collection in the Content Pack:

    Name of the playbook

    Link ATT&CK technique to Alert

    Communication Playbook Collection


    You can use the playbooks in the 14 – Communications collection to automate various communication-related tasks such as sending a notification email or adding a note to a communication thread.

    Following is a table that lists the playbooks that are part of the "14- Communications" collection in the Content Pack:

    Name of the playbook

    Add Note for Communication Linked

    Add Note for Communication Linked (Received)

    Link Communication Record

    Link Previous Communications

    Manual Send Notification

    Notify > Email

    Notify > Email Reply

    Send Notification

    Hunt - Sunburst Playbook Collection


    You can use the playbooks in the 15 – Hunt - Sunburst collection to demonstrate the Sunburst hunt techniques.

    Following is a table that lists the playbooks that are part of the "15- Hunt - Sunburst" collection in the Content Pack:

    Name of the playbook

    Block Sunburst Indicators

    Hunt Sunburst IOCs

    Hunt Sunburst Indicator

    Scenario Playbook Collections


    You can use the Scenario Playbook Collections to set up various scenarios in FortiSOAR, such as Brute Force Attempt, Compromised Credentials, etc., and demonstrate how FortiSOAR is used to respond to these scenarios.

    Following is a table that lists the playbooks that are part of the "16- Scenario" collection in the Content Pack:

    Name of the playbook

    Generate > Brute Force Attempt

    Generate > Compliance Alert

    Generate > Device Lost/Stolen

    Generate > DLP Alert

    Generate > FortiAnalyzer (C&C Alert)

    Generate > FortiAnalyzer (User login from SSH)

    Generate > IDS Alert

    Generate > Malware Alert (Host1)

    Generate > Malware Alert (Host2)

    Generate > Malware Alert (Host3)

    Generate > PaloAlto Blocked C2 Connection Alert

    Generate > PaloAlto Panorama Threat Alert

    Generate > S3 Bucket Alert

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - Brute Force Attack Scenario" collection in the Content Pack:

    Name of the playbook

    Generate > FortiSIEM (Brute Force Attack)

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - Compromised Credentials Scenario" collection in the Content Pack:

    Name of the playbook

    Generate > FortiSIEM (01 - Initial Access - Firewall Configuration Change - Port Forwarding)

    Generate > FortiSIEM (02 - Initial Access - Firewall Configuration Change - Policy Change)

    Generate > FortiSIEM (03 - Persistence - Domain User Created)

    Generate > FortiSIEM (04 - Persistence - User Password Reset)

    Generate > FortiSIEM (05 - Persistence - User Added to Administrator Group)

    Generate > FortiSIEM (06 - Persistence - Schedule Task)

    Generate > FortiSIEM (07 - Exfiltration - File Transfer)

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - FortiDeceptor" collection in the Content Pack:

    Name of the playbook

    Generate > FortiDeceptor Alerts

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - FortiSIEM" collection in the Content Pack:

    Name of the playbook

    Generate > FortiSIEM (Concurrent Successful Authentications To Same Account From Multiple Countries)

    Generate > FortiSIEM (Excessive Denied Connections)

    Generate > FortiSIEM (Important process down)

    Generate > FortiSIEM (Large Outbound Transfer)

    Generate > FortiSIEM (Process Stopped)

    Generate > FortiSIEM (Sudden Increase in System Memory Usage)

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - LogRhythm" collection in the Content Pack:

    Name of the playbook

    Generate > LogRhythm Alarms

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - Phishing Scenario" collection in the Content Pack:

    Name of the playbook

    Generate > Phishing Alert

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - Sunburst" collection in the Content Pack:

    Name of the playbook

    Generate > Sunburst Alert

     

    Following is a table that lists the playbooks that are part of the "16- Scenario - Symantec" collection in the Content Pack:

    Name of the playbook

    Generate > Symantec CloudSOC (External Filesharing Alert)

    Generate > Symantec Email.Cloud

    System Fixtures Playbook Collections


    Several other playbook collections, such as SLA Management Playbooks, System Notification and Escalation Playbooks, and War Room Automation, are included by default as 'System Fixtures' in FortiSOAR. For more information on System Fixtures, see the FortiSOAR Administration Guide. The following tables list the playbook collections that are part of System Fixtures.

    Following is a table that lists the playbooks that are part of the "Approval/Manual Task Playbooks" collection:

    Name of the playbook

    Approval > Notify Owners

    Approval > Notify Updated Owners

    Manage Approval via API

    Manual Task > Resume Playbook

     

    Following is a table that lists the playbooks that are part of the "Comment Notifications" collection:

    Name of the playbook

    > Comment - Send Email Notification

    Comment > Notify Mentioned/Tagged People on Comment Create

    Comment > Notify Mentioned/Tagged People on Comment Update

     

    Following is a table that lists the playbooks that are part of the "Report Management Playbooks" collection:

    Name of the playbook

    > Generate Report

    Export Report

    Generate Incident Summary Report

    Generate Report from Schedule

     

    Following is a table that lists the playbooks that are part of the "SLA Management Playbooks" collection:

    Name of the playbook

    Alert > Set Assigned Date (upon creation)

    Alert > Set Assigned Date (upon reassignment)

    Alert > Set Resolved Date

    Incident > Set Assigned Date (upon creation)

    Incident > Set Assigned Date (upon reassignment)

    Incident > Set Resolved Date

     

    Following is a table that lists the playbooks that are part of the "Schedule Management Playbooks" collection:

    Name of the playbook

    Agent > Check For Missed Heartbeats

    Agent > Trigger Health Check

    AuditLog Cleanup

    Playbook execution history cleanup

    Purge Integration Logs

     

    Following is a table that lists the playbooks that are part of the "System Notification and Escalation Playbooks" collection:

    Name of the playbook

    Alert > Escalate To Incident

    Alert > Escalate To Incident (No Trigger)

    Alert > Escalate to Incident (Link Relations)

    Alert > Notify Creation (Email)

    Alert > Notify Creation (System)

    Alert > Notify Updation (System)

    Incident > Notify Creation (Email)

    Incident > Notify Creation (System)

    Incident > Notify Updation

    Resolve Alert

    Tasks > Notify Creation (Email)

    Tasks > Notify Creation (System)

    Tasks > Notify Updation

    Tasks > Post-Create: Assign user owner

    Tasks > Post-Update: Assign user owner

     

    Following is a table that lists the playbooks that are part of the "Utilities Playbooks" collection:

    Name of the playbook

    Link Similar Alerts

    Link Similar Emails

    Link Similar Incidents

    Link Similar Indicators

     

    Following is a table that lists the playbooks that are part of the "War Room Automation" collection:

    Name of the playbook

    Cascade Ownership for Newly Linked Records

    Generate War Room Report

    Notify New Announcement

    Notify Newly Linked Team

    Notify Newly Linked User(s)

    Send Email

    Send Email Notification

    Send War Room Summary Email

    Set War Room Live and Notify Responders

    Set up War Room from Alerts

    Set up War Room from Incidents

    Update War Room Close Date