
FortiSOAR SOC Simulator

FortiSOAR SOC Simulator v2.0.0


About the connector

The FortiSOAR SOC Simulator connector is a special type of connector that is used to simulate a SOC environment. It creates scenario-based artifacts such as alerts, incidents, and indicators in FortiSOAR™. You can use this connector to learn how FortiSOAR™ works and how it handles various types of attacks on your environment using both automated and manual methods.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 7.2.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the FortiSOAR SOC Simulator connector in version 2.0.0:

  • Code Optimizations.
  • Enhanced the connector to support Content Hub and Solution Packs deployments. Note: Removed the import scenario. Now, scenarios are deployed using the respective Solution Packs.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-fortisoar-soc-simulator

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the FortiSOAR SOC Simulator connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter | Description
Load Threat Intelligence (Optional) | Select this option to dynamically generate the artifact files malicious_ips.txt, malicious_urls.txt, malicious_domains.txt, and malware_hashes.txt, from which the Fetch operations below read their values.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function | Description | Annotation and Category
Fetch Malicious IP | Fetches a known malicious IP from the file generated at the time of configuring the connector. | bad_ip / Investigation
Fetch Malicious URL | Fetches a known malicious URL from the file generated at the time of configuring the connector. | bad_url / Investigation
Fetch Malicious Filehash | Fetches a known malicious file hash from the file generated at the time of configuring the connector. | bad_filehash / Investigation
Fetch Malicious Domain | Fetches a known malicious domain from the file generated at the time of configuring the connector. | bad_domain / Investigation
Replace Variables | Replaces variables such as <<TR_MALICIOUS_IP>> with their actual values. |
Create Malicious File Indicator | Creates a new malicious file indicator to be used within a scenario. | malicious_file_indicator
Create Simulated Alert | Creates a new simulated alert based on the alert JSON data, which supports dynamic lookup values. | create_simulated_alert

Note: These operations are used internally by the SOC Simulator Solution Pack.

operation: Fetch Malicious IP

Input parameters

Parameter | Description
Random | Select this checkbox if you want to generate a random malicious IP.

Output

The output contains a non-dictionary value.

operation: Fetch Malicious URL

Input parameters

Parameter | Description
Random | Select this checkbox if you want to generate a random malicious URL.

Output

The output contains a non-dictionary value.

operation: Fetch Malicious Filehash

Input parameters

Parameter | Description
Random | Select this checkbox if you want to generate a random malicious file hash.

Output

The output contains a non-dictionary value.

operation: Fetch Malicious Domain

Input parameters

Parameter | Description
Random | Select this checkbox if you want to generate a random malicious domain.

Output

The output contains a non-dictionary value.

operation: Replace Variables

Input parameters

Parameter | Description
Variable String | The string containing the variables (for example, <<TR_MALICIOUS_IP>>) that you want to replace with their actual values.

Output

The output contains a non-dictionary value.

operation: Create Malicious File Indicator

Input parameters

Parameter | Description
File Name | The file name that you want to assign to the malicious file indicator that you want to create.
Embedded Malicious URL | A malicious URL to embed in the generated .docx file so that it can be extracted as an indicator.
Embedded Malicious Email | A malicious email address to embed in the generated .docx file so that it can be extracted as an indicator.
Custom Indicator Parameters | A JSON dictionary of the parameters you want to set on the newly created file indicator.
Also Create Attachment | Select this option to also create an attachment record while creating the indicator file.

Output

The output contains a non-dictionary value.

operation: Create Simulated Alert

Input parameters

Parameter | Description
Alert Data | The JSON data of an alert on which you want to base the simulated alert. You can copy the JSON data of any FortiSOAR alert using your browser's developer tools.
Fields To Ignore | A comma-separated list of fields to drop from the alert data when the simulated alert is created (for example, record-specific fields copied along with the alert).

Output

The output contains a non-dictionary value.
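The following is an added illustration of the two building blocks described above, Replace Variables and Create Simulated Alert, as a playbook author might reimplement them; it is not the connector's own code. It assumes a hypothetical lookup table standing in for the generated artifact files, and the sample alert JSON is constructed for this example.

```python
import json
import re
from typing import Any

# Constructed lookup table standing in for the artifact files the connector
# generates (malicious_ips.txt etc.). All values are documentation placeholders
# (RFC 5737 test address, .example domain, MD5 of empty input).
THREAT_INTEL = {
    "TR_MALICIOUS_IP": "203.0.113.42",
    "TR_MALICIOUS_URL": "http://malicious.example/payload",
    "TR_MALICIOUS_DOMAIN": "malicious.example",
    "TR_MALICIOUS_FILEHASH": "d41d8cd98f00b204e9800998ecf8427e",
}

# Placeholders look like <<TR_MALICIOUS_IP>>, as in the connector documentation.
VAR_PATTERN = re.compile(r"<<([A-Z0-9_]+)>>")


def replace_variables(text: str, lookup: dict = THREAT_INTEL) -> str:
    """Replace every <<TR_*>> placeholder with its lookup value.
    Unknown placeholders are left untouched so a typo is visible, not silently blanked."""
    return VAR_PATTERN.sub(lambda m: lookup.get(m.group(1), m.group(0)), text)


def _resolve(value: Any, lookup: dict) -> Any:
    """Recursively apply replace_variables to every string in nested alert data."""
    if isinstance(value, str):
        return replace_variables(value, lookup)
    if isinstance(value, list):
        return [_resolve(v, lookup) for v in value]
    if isinstance(value, dict):
        return {k: _resolve(v, lookup) for k, v in value.items()}
    return value


def create_simulated_alert(alert_data: str, fields_to_ignore: str = "", lookup: dict = THREAT_INTEL) -> dict:
    """Parse copied alert JSON, drop the comma-separated ignored fields, resolve placeholders."""
    alert = json.loads(alert_data)
    ignored = {f.strip() for f in fields_to_ignore.split(",") if f.strip()}
    return _resolve({k: v for k, v in alert.items() if k not in ignored}, lookup)


# Constructed sample: an alert copied from the UI, with record-specific fields that
# must not be carried over and with placeholders where live intel should be inserted.
SAMPLE_ALERT_JSON = json.dumps({
    "@id": "/api/3/alerts/constructed-record-id",
    "createDate": 1650000000,
    "name": "Suspicious outbound connection to <<TR_MALICIOUS_IP>>",
    "sourceIp": "10.0.0.25",
    "destinationIp": "<<TR_MALICIOUS_IP>>",
    "fileHash": "<<TR_MALICIOUS_FILEHASH>>",
    "tags": ["simulated", "<<TR_UNKNOWN>>"],
})
```

Calling `create_simulated_alert(SAMPLE_ALERT_JSON, "@id, createDate")` yields alert data with those two fields removed and every known placeholder resolved, ready to be posted as a new record.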
