
Administration Guide

Playbook examples

This topic includes the following playbook examples:

Example: Using a FortiGuard connector

The FortiGuard connector is automatically configured when a valid Indicators of Compromise Service license has been applied to FortiAnalyzer. For more information about this license, see Viewing Indicators of Compromise.

The FortiGuard connector can be used to perform an indicator lookup, which returns the threat-related information FortiGuard holds for an indicator value of type IP, URL, domain, or other supported types.

For example, an admin investigating an incident in FortiAnalyzer notices traffic to unknown URLs. Using the FortiGuard real-time threat intelligence service, the admin can retrieve the enrichment information for each URL and decide whether it is suspicious.

In the following example, a playbook is created that performs the indicator lookup on demand and attaches the returned data to an existing incident.

  1. In Fabric View > Automation > Playbook, create a new playbook from scratch.

  2. For Triggers, select ON_DEMAND.

  3. Create a task using the FortiGuard connector with the following configuration:

    Name: Enter a name for the task.
    Description: Optionally, enter a description for the task.
    Connector: Select FortiGuard Connector.
    Action: Select Lookup Indicator. The Indicator Value field displays.
    Indicator Value: Select Playbook Starter and then indicator_value, so the task receives the value entered when the playbook is run.

  4. Create a task using the FortiAnalyzer (local) connector with the following configuration:

    Name: Enter a name for the task.
    Description: Optionally, enter a description for the task.
    Connector: Select Local Connector.
    Action: Select Attach Data to Incident. The Incident ID and Attachment fields display.
    Incident ID: Toggle to text mode and enter the ID of the existing incident to attach the results to.
    Attachment: Select the FortiGuard lookup task created in step 3 (Indicator_Lookup in this example) and its indicators output.

  5. Save the playbook.

  6. When you run the playbook, you must enter an indicator_value.

    The indicator_value is the IP, URL, or domain under investigation. The FortiGuard connector checks the FortiGuard threat database for information related to the indicator. If there is a match for the entered IP, URL, or domain, the threat information from FortiGuard is attached to the incident. If there is no match, nothing is attached; the absence of a match is not by itself evidence that the indicator is benign.

  7. In Incidents & Events > Incidents, open the Incident Analysis pane for the incident.

  8. To view the attached results from the playbook, go to the Indicators tab.

  9. For the threat details pulled from FortiGuard, click Detail.
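The playbook above submits indicator_value exactly as the analyst typed it, and indicators pasted from tickets or reports are often defanged (hxxp://, evil[.]example), which will never match the threat database. The following added example, which is not FortiAnalyzer or FortiGuard code, shows the normalization a practitioner would run on the value before the lookup: it refangs the string, classifies it as one of the three value types the procedure names (IP, URL, domain), and flags private or reserved IPs that carry no threat intelligence. The helper names (refang, normalize_indicator, Indicator) and the sample inputs are assumptions constructed for the example.

```python
"""Normalize an analyst-supplied indicator_value before an indicator lookup.

Added example; not FortiAnalyzer or FortiGuard code. It assumes the playbook
starter hands the lookup the raw string an analyst typed, so a defanged IOC
would miss in the threat database. refang, normalize_indicator and Indicator
are hypothetical helper names.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ip", "url" or "domain": the value types the lookup accepts
    value: str           # refanged, normalized value to submit as indicator_value
    should_lookup: bool  # False for private/reserved IPs, which carry no threat intel


# Hostname labels per RFC 1123, at least one dot, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(raw: str) -> str:
    """Undo the defanging conventions analysts use when pasting IOCs into tickets."""
    v = raw.strip()
    # hxxp:// and hxxps:// back to the real scheme, whatever the letter case.
    v = re.sub(r"^hxxps?://",
               lambda m: m.group(0).lower().replace("hxxp", "http"),
               v, flags=re.IGNORECASE)
    for defanged in ("[.]", "(.)", "{.}", "[dot]", " dot "):
        v = v.replace(defanged, ".")
    return v.replace("[://]", "://").replace("[:]", ":")


def normalize_indicator(raw: str) -> Indicator:
    """Classify raw as ip, url or domain, or raise ValueError if it is none of them."""
    v = refang(raw)

    # IPv4 or IPv6 literal.
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        pass
    else:
        # RFC 1918, loopback, link-local and documentation ranges will not be in
        # a threat feed, so flag them to skip the lookup and avoid noise.
        return Indicator("ip", str(ip), ip.is_global)

    # Full URL: require an http(s) scheme and a host so the lookup gets a real URL.
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return Indicator("url", v, True)
        raise ValueError(f"malformed URL: {raw!r}")

    # Bare hostname: lowercase and drop a trailing dot so one host is one key.
    host = v.rstrip(".").lower()
    if _DOMAIN_RE.match(host):
        return Indicator("domain", host, True)

    raise ValueError(f"not an IP, URL, or domain: {raw!r}")


if __name__ == "__main__":
    # Constructed sample inputs, as an analyst might paste them into the starter.
    samples = ("hxxp://evil[.]example/payload.exe", "198[.]51[.]100[.]23",
               "10.0.0.5", "Evil.Example.", "not an ioc!!")
    for sample in samples:
        try:
            print(sample, "->", normalize_indicator(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Run this on the value before it reaches the Lookup Indicator task (for instance in a preceding task, or in whatever tooling builds the playbook's input): pass Indicator.value as indicator_value, skip the lookup when should_lookup is False, and treat a ValueError as an input the analyst needs to correct rather than something to submit to the threat database.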

Example: Using generic connectors in a playbook

The following playbook is configured to get the channel ID from one task and then use it in another task to send the alerts to a protected server.

This example uses generic webhook connectors. For information about configuring generic connectors, see Creating or editing ITSM connectors.

Note

While the URL is included when configuring a generic connector, you will be required to enter the URL again when using the generic webhook connector in the playbook. See the url field in the example below.
