The FortiSOAR SOC Simulator connector is a special type of connector that is used to simulate a SOC environment. It creates scenario-based artifacts such as alerts and incidents in FortiSOAR™. You can use this connector to learn how FortiSOAR™ works and how it handles various types of attacks on your environment, using both automated and manual methods.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 7.2.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the FortiSOAR SOC Simulator connector in version 2.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortisoar-soc-simulator
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the FortiSOAR SOC Simulator connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Load Threat Intelligence | (Optional) Select this option to dynamically generate the artifact files malicious_ips.txt, malicious_urls.txt, malicious_domains.txt, and malware_hashes.txt. |
The following automated operations can be included in playbooks; you can also use the annotations to access the operations:
Function | Description | Annotation and Category |
---|---|---|
Fetch Malicious IP | Fetches a known malicious IP from the file generated at the time of configuring the connector. | bad_ip Investigation |
Fetch Malicious URL | Fetches a known malicious URL from the file generated at the time of configuring the connector. | bad_url Investigation |
Fetch Malicious Filehash | Fetches a known malicious file hash from the file generated at the time of configuring the connector. | bad_filehash Investigation |
Fetch Malicious Domain | Fetches a known malicious domain from the file generated at the time of configuring the connector. | bad_domain Investigation |
Replace Variables | Replaces variables such as <<TR_MALICIOUS_IP>> with their actual values. | |
Create Malicious File Indicator | Creates a new malicious file indicator to be used within a scenario. | malicious_file_indicator |
Create Simulated Alert | Creates a new simulated alert based on the alert JSON data, which supports dynamic lookup values. | create_simulated_alert |
Note: These operations are used internally by the SOC Simulator Solution Pack.
Input parameters for the Fetch Malicious IP operation:
Parameter | Description |
---|---|
Random | Select this checkbox if you want to generate a random malicious IP. |
The output contains a non-dictionary value.
Input parameters for the Fetch Malicious URL operation:
Parameter | Description |
---|---|
Random | Select this checkbox if you want to generate a random malicious URL. |
The output contains a non-dictionary value.
Input parameters for the Fetch Malicious Filehash operation:
Parameter | Description |
---|---|
Random | Select this checkbox if you want to generate a random malicious file hash. |
The output contains a non-dictionary value.
Input parameters for the Fetch Malicious Domain operation:
Parameter | Description |
---|---|
Random | Select this checkbox if you want to generate a random malicious domain. |
The output contains a non-dictionary value.
Input parameters for the Replace Variables operation:
Parameter | Description |
---|---|
Variable String | A string containing the variables (for example, <<TR_MALICIOUS_IP>>) that you want to replace with their actual values. |
The output contains a non-dictionary value.
Input parameters for the Create Malicious File Indicator operation:
Parameter | Description |
---|---|
File Name | The file name to assign to the malicious file indicator that you want to create. |
Embedded Malicious URL | A malicious URL to be embedded within the docx file, to be extracted later as an indicator. |
Embedded Malicious Email | A malicious email address to be embedded within the docx file, to be extracted later as an indicator. |
Custom Indicator Parameters | A JSON dictionary with the parameters you want to set on the newly created file indicator. |
Also Create Attachment | Select this option to also create an attachment record while creating the indicator file. |
The output contains a non-dictionary value.
Input parameters for the Create Simulated Alert operation:
Parameter | Description |
---|---|
Alert Data | The JSON data of the alert on which the simulated alert is based. You can copy the JSON data of any FortiSOAR alert using your browser's developer tools. |
Fields To Ignore | A comma-separated list of fields to drop from the alert data when the simulated alert is created (for example, record IDs and timestamps that the copied JSON carries). |
The output contains a non-dictionary value.
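The Replace Variables and Create Simulated Alert operations described above, as an added Python example that is not the connector's own code: it resolves <<TR_...>> placeholders against constructed stand-ins for the generated artifact files and strips a comma-separated list of fields before the simulated alert is assembled. The ARTIFACTS table, the placeholder regex, the sample alert JSON and all function names are assumptions for illustration, not connector internals.

```python
import hashlib
import json
import random
import re
from typing import Any

# Constructed stand-ins for the artifact files the connector writes at configuration
# time (malicious_ips.txt, malicious_domains.txt, ...). Documentation-range values only.
ARTIFACTS = {
    "TR_MALICIOUS_IP": ["203.0.113.10", "198.51.100.7"],
    "TR_MALICIOUS_DOMAIN": ["bad.example", "worse.example"],
    "TR_MALICIOUS_URL": ["http://bad.example/invoice.php"],
    "TR_MALICIOUS_FILEHASH": [hashlib.sha256(b"soc-simulator-sample").hexdigest()],
}
VAR_RE = re.compile(r"<<(TR_[A-Z_]+)>>")  # assumed placeholder syntax, as in <<TR_MALICIOUS_IP>>
# Constructed alert JSON in the shape you would copy from a FortiSOAR alert record.
SAMPLE_ALERT_JSON = json.dumps({
    "@id": "/api/3/alerts/00000000-0000-0000-0000-000000000000",
    "createDate": 1700000000,
    "name": "Beaconing to <<TR_MALICIOUS_DOMAIN>>",
    "sourceIp": "<<TR_MALICIOUS_IP>>",
    "indicators": [{"value": "<<TR_MALICIOUS_FILEHASH>>", "type": "FileHash"}],
})

def fetch_artifact(kind: str, random_pick: bool = False, rng=random) -> str:
    """Fetch Malicious IP/URL/Domain/Filehash: first entry, or a random one if Random is set."""
    values = ARTIFACTS[kind]
    return rng.choice(values) if random_pick else values[0]

def replace_variables(text: str, random_pick: bool = False, rng=random) -> str:
    """Replace Variables: swap every <<TR_...>> token for an artifact; unknown tokens stay as-is."""
    def _sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        return fetch_artifact(name, random_pick, rng) if name in ARTIFACTS else m.group(0)
    return VAR_RE.sub(_sub, text)

def _resolve(obj: Any, random_pick: bool, rng) -> Any:
    """Walk nested dicts/lists and resolve placeholders in every string value."""
    if isinstance(obj, dict):
        return {k: _resolve(v, random_pick, rng) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_resolve(v, random_pick, rng) for v in obj]
    return replace_variables(obj, random_pick, rng) if isinstance(obj, str) else obj

def create_simulated_alert(alert_json: str, fields_to_ignore: str = "", random_pick: bool = False, rng=random) -> dict:
    """Create Simulated Alert: drop the CSV-listed fields (ids, timestamps), then resolve lookups."""
    ignore = {f.strip() for f in fields_to_ignore.split(",") if f.strip()}
    alert = {k: v for k, v in json.loads(alert_json).items() if k not in ignore}
    return _resolve(alert, random_pick, rng)
```

Dropping "@id" and "createDate" matters because a copied record carries the original alert's identity; without the Fields To Ignore step the simulated alert would collide with or overwrite the source record.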