Playbooks Guide

Tutorial: Creating a Sample Playbook to determine maliciousness of an indicator in FortiSOAR

Purpose

This tutorial walks you through the steps required to create a simple playbook in FortiSOAR. The playbook determines whether a specific indicator (of type "Domain") is malicious.

It also provides examples of how to use the Playbook Triggers and Steps, Connectors, and Dynamic Values explained earlier in this guide.

Steps to create the sample playbook

  1. Log on to FortiSOAR using your credentials.
  2. Click Automation > Playbooks.
  3. On the Playbook Collections tab, click + New Collection and, in the Add New Playbook Collection dialog, enter a name for the new playbook collection. For our example, name the playbook collection Test.
  4. In the Test playbook collection, click Add Playbook to add a new playbook and, in the Add New Playbook dialog, enter a name for the new playbook. For our example, name the playbook Determine whether Domain is Malicious and click Create.
    This displays the Playbook Designer.
  5. In the Playbook Designer, select the On Create Trigger as the Trigger step, since we want to run this playbook once an Indicator of type Domain is added in FortiSOAR. The Step Name can be retained as Start. From the Resource drop-down list, select Indicators. In the Trigger Condition section, click Add Condition. In the Condition Builder add Type Equals Domain, as shown in the following image:
    Setting Trigger Condition: Type Equals Domain
    Click Save to save the Start step.
  6. The next step in this playbook is to check the reputation of the domain once an Indicator record of type "Domain" is added in FortiSOAR.
    For this, you can use any third-party service that analyzes suspicious domains. FortiSOAR supports a number of such services and tools in the form of connectors that you can quickly configure and use directly as a step in playbooks to check the reputation of domains, files, IP addresses, URLs, etc. Add another step, i.e., the Connectors step, and join it to the Start step. For our sample, we are using the VirusTotal connector (this assumes that the VirusTotal connector is already configured in your system).
    On the Connectors page, in the Search Connectors text box, type VirusTotal:
    Connector Step - Search Connectors
    Click the VirusTotal row to add the connector step.
    In the Step Name, type Get Domain Reputation.
    From the Configuration drop-down list, select the configuration you have created for VirusTotal. From the Action drop-down list, select Get Domain Reputation since in our example we want to retrieve the reputation for a domain.
    In the Inputs section, in the Domain field, use Dynamic Values to populate the domain value from the newly added record:
    Inputs section - Using Dynamic Values for populating Domain field
    Dynamic Values will populate {{vars.input.records[0].value}} in the Domain field as shown in the following image:
    Value of the Domain field
    Click Save to save the Connectors step.
  7. Add a Decision step to determine whether the domain is malicious or not. For now, add the Decision step with the step name Is Malicious; we will add its conditions after the other steps are in place. Click Save to save the Decision step.
  8. Update the record if the domain is determined to be malicious: add an Update Record step and, in the Step Name, type Set as Malicious.
    From the Model drop-down list, select Indicators.
    In the Record IRI field, use Dynamic Values to select the ID of the newly added record:
    Inputs section - Using Dynamic Values for populating Record IRI field
    Dynamic Values will populate {{vars.input.records[0]['@id']}} in the Record IRI field as shown in the following image:
    Value of the Record IRI field
    In the Description field, add the description that you want to see in the Indicator record. You can use formatting and Dynamic Values in the Description field.
    For our example, we have added the Aggregate Information gathered from VirusTotal about the domain and the Verbose message:
    Setting up the Description field
    You should also select Malicious in the Reputation field, so that the reputation of the indicator in the record will be updated to Malicious.
    Click Save to save the Update Record step.
  9. Similarly, update the record if the domain is determined not to be malicious: add another Update Record step.
    In the Step Name, type Set as Good.
    From the Model drop-down list, select Indicators.
    In the Record IRI field, use Dynamic Values to select the ID of the newly added record, or type {{vars.input.records[0]['@id']}} directly.
    In the Description field, add the description that you want to see in the Indicator record, similar to what you have added in the Set as Malicious step.
    You should also select Good in the Reputation field, so that the reputation of the indicator in the record will be updated to Good.
    Click Save to save the Update Record step.
  10. Add conditions to the Is Malicious decision step:
    To add conditions, click Add Condition.
    To add conditions for updating the record if the domain is Malicious:
    In the Condition 1 section, click the Show Advanced link.
    In the Condition box, use Dynamic Values to determine the domain reputation value retrieved from VirusTotal:
    Setting up the conditions for the Decision step for Set as Malicious option
    This adds the expression vars.steps.Get_Domain_Reputation.data.aggregate to the Condition box.
    For our example, we will set a domain to Malicious if its aggregate value is greater than or equal to 5. Therefore, the condition must read vars.steps.Get_Domain_Reputation.data.aggregate >= 5.
    Then, from the Select A Step To Execute box, select the Set As Malicious step. You can also provide a tooltip for the branch in the Branch Tooltip field; in this case, we added Yes:
    Selecting the Set as Malicious to be executed
    Similarly, click Add Condition again to add the condition for updating the record if the domain is Good. In the Condition box, add vars.steps.Get_Domain_Reputation.data.aggregate < 5, since for our example we set a domain to Good if its aggregate value is less than 5.
    Then, from the Select A Step To Execute box, select Set As Good, and provide the tooltip No for the branch in the Branch Tooltip field.
    Click Save to save the Decision step.
  11. Click Save to save the playbook and ensure that the playbook is active:
    Saving the completed sample playbook
    If the playbook is not active, click the Inactive button to activate it.
  12. To check if the playbook is working as expected, click Incident Response > Indicators and on the Indicators page, click + Add Indicator.
  13. In the Create New Indicator dialog, from the Type drop-down list, select Domain and in the Value field, type SPIT.COM (whose domain reputation is Good) and click Save.
    Creating an Indicator with Good reputation
    This will trigger the playbook, and the domain reputation will be retrieved from VirusTotal as shown in the detailed view of the record:
    Detailed view of indicator with Good reputation
    Similarly, if you add a domain whose reputation is malicious, for example, gumblar.cn, the playbook will again be triggered, and the domain reputation will be retrieved from VirusTotal as shown in the detailed view of the record:
    Detailed view of indicator with Malicious reputation
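The following is an added example, not FortiSOAR code: it re-implements the logic of the playbook built above (the Type Equals Domain trigger condition, the Dynamic Values lookups, the Is Malicious decision with its aggregate >= 5 cut-off, and the fields the Update Record steps write) in plain Python so the branching can be exercised offline. The indicator records and the connector output are constructed sample data; the `/api/3/indicators/...` IRIs are placeholders, and VirusTotal is not contacted. It also covers a case the two conditions do not: a connector result with no aggregate value matches neither branch.

```python
"""Offline model of the tutorial's 'Determine whether Domain is Malicious' playbook.
Added example, not FortiSOAR code. Trigger condition, Dynamic Values lookups,
Is Malicious decision and Update Record fields re-implemented in plain Python.
Records and connector output are constructed; VirusTotal is not contacted."""
import re

AGGREGATE_THRESHOLD = 5  # the tutorial's cut-off: aggregate >= 5 means Malicious


def resolve(path, ctx):
    """Resolve a Dynamic Values path, e.g. vars.input.records[0]['@id'] or
    vars.steps.Get_Domain_Reputation.data.aggregate, against the playbook
    context. Returns None when any segment is missing instead of raising."""
    node = {"vars": ctx}
    for name, idx, key in re.findall(r"\.?(\w+)|\[(\d+)\]|\['([^']+)'\]", path):
        try:
            node = node[int(idx)] if idx else node[name or key]
        except (KeyError, IndexError, TypeError):
            return None
    return node


def trigger_matches(record):
    """Start step: On Create trigger on Indicators with Type Equals Domain."""
    return record.get("type") == "Domain"


def decide(ctx):
    """Is Malicious decision step: returns the name of the branch to execute.
    A missing or non-numeric aggregate (failed or empty connector step) matches
    neither '>= 5' nor '< 5', so no branch is taken and None is returned."""
    aggregate = resolve("vars.steps.Get_Domain_Reputation.data.aggregate", ctx)
    if not isinstance(aggregate, (int, float)):
        return None
    return "Set as Malicious" if aggregate >= AGGREGATE_THRESHOLD else "Set as Good"


def run_playbook(record, connector_output):
    """Run the playbook for one newly created indicator record. connector_output
    stands in for the VirusTotal 'Get Domain Reputation' step result (constructed)."""
    if not trigger_matches(record):
        return None  # trigger condition not met; playbook does not start
    ctx = {"input": {"records": [record]},
           "steps": {"Get_Domain_Reputation": connector_output}}
    domain = resolve("vars.input.records[0].value", ctx)      # Domain input
    record_iri = resolve("vars.input.records[0]['@id']", ctx)  # Record IRI input
    branch = decide(ctx)
    if branch is None:
        return {"@id": record_iri, "error": f"no aggregate reputation for {domain}"}
    aggregate = resolve("vars.steps.Get_Domain_Reputation.data.aggregate", ctx)
    return {"@id": record_iri,  # fields the Update Record step writes
            "reputation": "Malicious" if branch == "Set as Malicious" else "Good",
            "description": f"VirusTotal aggregate for {domain}: {aggregate}"}
```

Running it with a record whose connector output lacks `data.aggregate` returns the error dictionary rather than a reputation, which mirrors a real playbook stopping at the decision step with no matching branch.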

Conclusion

This tutorial demonstrates how you can create a very simple playbook to determine the reputation of a domain.

Using this as a base, you can create far more complex playbooks to automate your security investigation workflows. For example, you can take the IP address or domain from the alert data received from your SIEM, check its reputation directly, and, if it is determined to be malicious, block that IP address or domain without analyst intervention, so that analysts can focus on more critical aspects of the investigation.
