Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 25.3.a
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiRecon 25.3.a User Guide
    25.3.a
    26.1.a
    26.1.0
    25.4.a
    25.4.0
    25.3.a
    25.3.0
    25.2.a
    25.2.0
    25.1.a
    25.1.0
    24.4.b
    24.4.a
    24.4.0
    24.3.a
    24.3.0
    24.2.b
    24.2.a
    24.2.0
    24.1.b
    24.1.a
    24.1.0
    23.4.a
    23.4.0
    23.3.a
    23.3.0
    23.2.b
    23.2.a
    23.2.0
    23.1.b
    23.1.a
    23.1.0
    22.4.a
    22.4.0
    22.3.0
    22.2.0

    Configuring and Running a Standalone Playbook

    Configuring and Running a Standalone Playbook

    Follow these steps to configure and run a standalone playbook:

    1. Navigate to Security Orchestration > Home tab. You can also run predefined playbooks or create and run new playbooks from Security Orchestration > Playbooks. See Playbooks.

    2. Select a desired collection in the Playbook Collections section.

      For example, select the Ransomware Group Profile playbook under the Ransomware Intelligence collection.

    3. Click Configure.

    4. In the Configure Playbook window, perform the following steps.

      1. Click Start.

      2. Configure the required connectors. For example, the Ransomware Group Profile playbook requires Fortinet FortiRecon ACI and SMTP connectors.

        1. The SMTP connector comes preconfigured. If you require a different server, update its configuration.

        2. For the Fortinet FortiRecon ACI connector, provide the following details:

          • Configuration Name: Enter a descriptive name.

          • Server URL: The URL https://api.fortirecon.forticloud.com/.

          • API Key and Organization ID: Fetch both details from Profile Settings > Profile page.

          • Verify SSL: Enable this toggle if required.

          • Tags: Add tags if required.

        3. Click Save.

      For detailed information on configuring connectors, see Connectors.

    5. The Configuring Connector status dialog displays information about the configuration process. Ensure the Health Check Status is Available to confirm the connector is configured properly. If the status shows Disconnected, reconfigure the connector.

    6. Click Close.

    7. Click Next and then Close.

      Note

      If you configure a connector in one playbook, its configuration becomes available in all other playbooks that use the same connector. You can also configure connectors directly from Security Orchestration > Content Hub > Installed tab.

    8. Once successfully configured, you can run the automation. Click Run Automation.

      The playbook designer window opens, displaying the configured steps. For this example, the playbook begins by prompting you to enter a ransomware group name, then uses the Fortinet FortiRecon ACI connector to fetch relevant data. It then sets a variable with this data and proceeds to send an email notification.

      The Email Notification is a referenced playbook. This referenced playbook starts by using a Utilities connector to convert JSON data to CSV format, then prompts you to enter an email ID, and finally uses an SMTP connector to send the email.

    9. Click Run.

    10. Select Provide sample input, leave it blank, and click Trigger Playbook. See Playbook Designer.

      Note

      You can also execute standalone playbooks from the Action menu in supported FortiRecon pages. Remove any applied filters to view all available playbooks.

    11. For the example, after you click Trigger Playbook, an Enter Ransomware Name dialog opens. This is a step in the playbook. Enter a ransomware group name (e.g., "Black Byte").

    12. A success message displays if the step executes completely. Next, provide an email address in the subsequent step, which is part of the referenced playbook. This step takes your email ID as input, converts the output JSON to CSV, and then sends an email with the CSV attachment to the provided email ID.

    13. You can view the details of each step in the execution history, including environment data in the INPUT and OUTPUT sections. Toggle to the canvas view for a visual representation. See Execution Logs.

    Previous
    Next

    Configuring and Running a Standalone Playbook

    Configuring and Running a Standalone Playbook

    Follow these steps to configure and run a standalone playbook:

    1. Navigate to Security Orchestration > Home tab. You can also run predefined playbooks or create and run new playbooks from Security Orchestration > Playbooks. See Playbooks.

    2. Select a desired collection in the Playbook Collections section.

      For example, select the Ransomware Group Profile playbook under the Ransomware Intelligence collection.

    3. Click Configure.

    4. In the Configure Playbook window, perform the following steps.

      1. Click Start.

      2. Configure the required connectors. For example, the Ransomware Group Profile playbook requires Fortinet FortiRecon ACI and SMTP connectors.

        1. The SMTP connector comes preconfigured. If you require a different server, update its configuration.

        2. For the Fortinet FortiRecon ACI connector, provide the following details:

          • Configuration Name: Enter a descriptive name.

          • Server URL: The URL https://api.fortirecon.forticloud.com/.

          • API Key and Organization ID: Fetch both details from Profile Settings > Profile page.

          • Verify SSL: Enable this toggle if required.

          • Tags: Add tags if required.

        3. Click Save.

      For detailed information on configuring connectors, see Connectors.

    5. The Configuring Connector status dialog displays information about the configuration process. Ensure the Health Check Status is Available to confirm the connector is configured properly. If the status shows Disconnected, reconfigure the connector.

    6. Click Close.

    7. Click Next and then Close.

      Note

      If you configure a connector in one playbook, its configuration becomes available in all other playbooks that use the same connector. You can also configure connectors directly from Security Orchestration > Content Hub > Installed tab.

    8. Once successfully configured, you can run the automation. Click Run Automation.

      The playbook designer window opens, displaying the configured steps. For this example, the playbook begins by prompting you to enter a ransomware group name, then uses the Fortinet FortiRecon ACI connector to fetch relevant data. It then sets a variable with this data and proceeds to send an email notification.

      The Email Notification is a referenced playbook. This referenced playbook starts by using a Utilities connector to convert JSON data to CSV format, then prompts you to enter an email ID, and finally uses an SMTP connector to send the email.

    9. Click Run.

    10. Select Provide sample input, leave it blank, and click Trigger Playbook. See Playbook Designer.

      Note

      You can also execute standalone playbooks from the Action menu in supported FortiRecon pages. Remove any applied filters to view all available playbooks.

    11. For the example, after you click Trigger Playbook, an Enter Ransomware Name dialog opens. This is a step in the playbook. Enter a ransomware group name (e.g., "Black Byte").

    12. A success message displays if the step executes completely. Next, provide an email address in the subsequent step, which is part of the referenced playbook. This step takes your email ID as input, converts the output JSON to CSV, and then sends an email with the CSV attachment to the provided email ID.

    13. You can view the details of each step in the execution history, including environment data in the INPUT and OUTPUT sections. Toggle to the canvas view for a visual representation. See Execution Logs.

    Previous
    Next