FortiSOAR

FortiSOAR Content Pack 7.0.1 Release

  • 1.  FortiSOAR Content Pack 7.0.1 Release

    Posted Jul 22, 2021 03:52 AM

    The FortiSOAR Incident Response Content Pack (fsr-ir-content-pack) 7.0.1 Release splits the content pack into various use cases, which will enable users in the future to take only the use cases they requireImportant release highlights include enhancing the enrichment playbooks, updating use cases and scenarios, and enhancing the Pause SLA functionality. 

    New features and enhancements 

    Feature 

    Details 

    Split the Content Pack 

    The content of the Content Pack has been split as follows: 

    • fsr-ir-content-pack.json 
    • fsr-mitre-content-pack.json 
    • fsr-scenario-content-pack.json 
    • fsr-vm-content-pack 

    Future releases of CP will use the split content files to provide users with only the content that they require for their use case. 

    Added the QRadar Threat Hunt workflow 

    Added the 'QRadar Threat Hunt' workflow to the "Investigate Malicious Indicators" playbook in the '04-Use Cases' collection. 

    Enhanced the 'Enrichment' Playbook collection  

    • Updated all enrichment playbooks to use the VirusTotal v2.0.0 connector. VirusTotal 2.0.0 connector supports the latest API i.e, API v3. 
    • Enhanced the layout for the Indicator Description to include more information from VirusTotal API v3 for the following input types: IP Address, Domain, FileHash MD5, URL, and File, as shown in the following image: 
       

    Updated the Suspicious Email Use Case 

    Updated the Suspicious Email Use Case by adding logic that introduces uses to the concept of a 'Drive By Download' attack. A Drive By Download (DBD) attack refers to the unintentional download of malicious code to your computer or mobile device leaving you open to a cyberattack. 

    Enhanced 'Pause SLA' functionality 

    The Pause SLA functionality has been enhanced as follows:  

    • Added two new fields: Ack SLA Paused on and Resp SLA paused to the Alerts and Incident schemas. 
    • Updated SLA Playbooks to capture paused and resume SLA values when the state is changed. 
    • Added new manual trigger playbooks to "Pause SLA - Alerts" and "Pause SLA - Incidents" to pause the SLA for alerts and incidents by triggering these playbooks using the 'Execute' drop-down in the detail view of an alert or incident record. 
    • Updated the SLA Count Down Widget to display paused SLA. 

    For more information about the 'fsr-ir-content-pack', see the Incident Response Content Pack article.