Tutorial: Creating a Sample Playbook to determine maliciousness of an indicator in FortiSOAR
Purpose
This tutorial walks you through the steps required to create a simple playbook in FortiSOAR. The playbook determines whether a specific indicator (of type “Domain”) is malicious or not.
This tutorial aims to provide you with examples of how to use Playbook Triggers and Steps, Connectors, and Dynamic Values that have been explained previously in this guide.
Steps to create the sample playbook
- Log on to FortiSOAR using your credentials.
- Click Automation > Playbooks.
- On the Playbook Collections tab, click + New Collection and in the Add New Playbook Collection dialog, add a name for the new playbook collection. For our example, type the name of the playbook collection as Test.
- In the Test playbook collection, click Add Playbook to add a new playbook and in the Add New Playbook dialog, add a name for the new playbook. For our example, type the name of the playbook as Determine whether Domain is Malicious and click Create.
This displays the Playbook Designer.
- In the Playbook Designer, select the On Create Trigger as the Trigger step, since we want to run this playbook once an Indicator of type Domain is added in FortiSOAR. The Step Name can be retained as Start. From the Resource drop-down list, select Indicators. In the Trigger Condition section, click Add Condition. In the Condition Builder add Type Equals Domain, as shown in the following image:
Click Save to save the Start step.
- The next step in this playbook is to check the reputation of the domain once an Indicator record of type "Domain" is added in FortiSOAR.
For this, you can use any third-party service that analyzes suspicious domains. FortiSOAR supports a number of such services and tools in the form of connectors that you can quickly configure and use directly as a step in playbooks to check the reputation of domains, files, IP addresses, URLs, etc. Add another step, i.e., the Connectors step, and join the Connectors step to the Start step. For our sample, we are using the VirusTotal connector (this assumes that the VirusTotal connector is configured in your system).
On the Connectors page, in the Search Connectors text box, type VirusTotal:
Click the VirusTotal row to add the connector step.
In the Step Name, type Get Domain Reputation.
From the Configuration drop-down list, select the configuration you have created for VirusTotal. From the Action drop-down list, select Get Domain Reputation, since in our example we want to retrieve the reputation for a domain.
In the Inputs section, in Domain, use Dynamic Values to populate the value of the domain from the record you have added:
Dynamic Values will populate {{vars.input.records[0].value}} in the Domain field, as shown in the following image:
Click Save to save the Connectors step.
- Add a Decision step to determine whether the domain is malicious or not. For now, choose the Decision step and set the step name to Is Malicious. We will add the conditions after we add the other steps. Click Save to save the Decision step.
- Update the record if the domain is determined to be malicious. Add the Update Record step.
In the Step Name, type Set as Malicious.
From the Model drop-down list, select Indicators.
In Record IRI, use Dynamic Values to select the ID of the newly added record:
Dynamic Values will populate {{vars.input.records[0]['@id']}} in the Record IRI field, as shown in the following image:
In the Description field, add the description that you want to see in the Indicator record. You can use formatting and Dynamic Values in the Description field.
For our example, we have added the Aggregate information gathered from VirusTotal about the domain and the Verbose message:
You should also select Malicious in the Reputation field, so that the reputation of the indicator in the record is updated to Malicious.
Click Save to save the Update Record step.
- Similarly, update the record if the domain is determined not to be malicious. Add the Update Record step.
In the Step Name, type Set as Good.
From the Model drop-down list, select Indicators.
In Record IRI, use Dynamic Values to select the ID of the newly added record, or add {{vars.input.records[0]['@id']}}.
In the Description field, add the description that you want to see in the Indicator record, similar to what you added in the Set as Malicious step.
You should also select Good in the Reputation field, so that the reputation of the indicator in the record is updated to Good.
Click Save to save the Update Record step.
- Add conditions to the Is Malicious decision step:
To add conditions, click Add Condition.
To add the condition for updating the record if the domain is Malicious:
In the Condition 1 section, click the Show Advanced link.
In the Condition box, use Dynamic Values to select the domain reputation value retrieved from VirusTotal:
This adds the expression vars.steps.Get_Domain_Reputation.data.aggregate.
For our example, we will set a domain to Malicious if its aggregate value is greater than or equal to 5. Therefore, the condition must appear as vars.steps.Get_Domain_Reputation.data.aggregate >= 5.
Then, from the Select A Step To Execute box, select the Set As Malicious step. You can also provide a tooltip for the branch in the Branch Tooltip field; in this case, we added Yes:
Similarly, click Add Condition again to add the condition for updating the record if the domain is Good:
In the Condition box, add the condition vars.steps.Get_Domain_Reputation.data.aggregate < 5, since for our example we will set a domain to Good if its aggregate value is less than 5.
Then, from the Select A Step To Execute box, select Set As Good, and provide the tooltip No for the branch in the Branch Tooltip field.
Click Save to save the Decision step.
- Click Save to save the playbook and ensure that the playbook is active:
If the playbook is not active, click the Inactive button to activate the playbook.
- To check that the playbook is working as expected, click Incident Response > Indicators and on the Indicators page, click + Add Indicator.
- In the Create New Indicator dialog, from the Type drop-down list, select Domain and in the Value field, type SPIT.COM (whose domain reputation is Good) and click Save.
This triggers the playbook, and the domain reputation retrieved from VirusTotal is shown in the detailed view of the record:
Similarly, if you add a domain whose reputation is malicious, for example gumblar.cn, the playbook is triggered again, and the domain reputation retrieved from VirusTotal is shown in the detailed view of the record:
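The following Python model of the playbook built in the steps above is an added example, not FortiSOAR code: it evaluates the same dynamic-value paths and decision conditions the tutorial uses against constructed indicator records and a constructed stand-in for the VirusTotal output (the record IRIs and the aggregate scores are invented), and shows what happens at the threshold and when the connector returns no aggregate, a case neither condition covers.

```python
import re

MALICIOUS_THRESHOLD = 5  # the tutorial's 'aggregate >= 5' cut-off


def resolve(playbook_vars, path):
    """Resolve a dynamic-value path used in the tutorial, such as
    "vars.input.records[0]['@id']" or 'vars.steps.Get_Domain_Reputation.data.aggregate'."""
    tokens = re.findall(r"[A-Za-z_@][\w@]*|\[(?:\d+|'[^']*')\]", path)
    cur = {"vars": playbook_vars}
    for tok in tokens:
        if tok.startswith("["):
            key = tok[1:-1]
            cur = cur[int(key)] if key.isdigit() else cur[key.strip("'")]
        else:
            cur = cur[tok]
    return cur


# Constructed stand-in for the VirusTotal 'Get Domain Reputation' output;
# only the 'aggregate' field the decision step reads is modelled.
FAKE_VT = {
    "spit.com": {"aggregate": 0},      # the tutorial's 'Good' example
    "gumblar.cn": {"aggregate": 42},   # the tutorial's malicious example
    "edge.example": {"aggregate": 5},  # constructed: exactly on the threshold
    "unknown.example": {},             # constructed: no 'aggregate' returned
}


def fake_lookup(domain):
    return FAKE_VT.get(domain.lower(), {})


def run_playbook(record, lookup=fake_lookup):
    """Start -> Get Domain Reputation -> Is Malicious -> Set as Malicious/Good.
    Returns the reputation written, or None if the trigger or both branches fail."""
    if record.get("type") != "Domain":  # Trigger Condition: Type Equals Domain
        return None
    pb_vars = {"input": {"records": [record]}, "steps": {}}
    domain = resolve(pb_vars, "vars.input.records[0].value")
    pb_vars["steps"]["Get_Domain_Reputation"] = {"data": lookup(domain)}
    try:
        aggregate = resolve(pb_vars, "vars.steps.Get_Domain_Reputation.data.aggregate")
    except KeyError:
        aggregate = None  # connector output lacks 'aggregate'
    if aggregate is not None and aggregate >= MALICIOUS_THRESHOLD:
        reputation = "Malicious"  # decision branch 'Yes'
    elif aggregate is not None and aggregate < MALICIOUS_THRESHOLD:
        reputation = "Good"  # decision branch 'No'
    else:
        return None  # neither '>= 5' nor '< 5' holds: record is left untouched
    record_iri = resolve(pb_vars, "vars.input.records[0]['@id']")
    record["reputation"] = reputation  # Update Record step on record_iri
    return reputation
```

When the connector step yields no aggregate, the decision step falls through both branches and the indicator keeps its original reputation, so a production playbook should add a third branch or a default for that case.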
Conclusion
This tutorial demonstrates how you can create a very simple playbook to determine the reputation of a domain.
Using this as a base, you can create far more complex playbooks to automate your security investigation workflows. For example, you can take the alert data received from your SIEM, check the reputation of the IP address or domain contained in that alert data, and, if it is determined to be malicious, block that IP address or domain directly, without intervention from analysts, so that analysts can focus on more critical aspects of the investigation.