Fortinet-FortiGate-IPEnrichment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This playbook enriches the incident with address object and address group.

Attribute	Value
Type	Playbook
Solution	Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
azuresentinel	Managed	1	2
function	Built-in	0	2

Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	/Incidents/Comment	—
Entities_-_Get_IPs	post	/entities/ip	—

function (Built-in)

Action	Method	Endpoint	Other
Fetch_the_details_of_the_address_object	GET	—	functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')]
Get_address_group_details	GET	—	functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')]

Additional Documentation

📄 Source: Fortinet_IncidentEnrichment/readme.md

Fortinet-Incident enrichment

Summary

This playbook enriches the incident with address object and address group.

When a new Microsoft Sentinel is created, this playbook gets triggered and performs below actions:

• It fetches details of the address object.
• It retrieve the details of address groups which address object is belongs to.
• Add the Summary of address object and its groups details to an incident.

Prerequisites

• Sentinel IP block group should create in the VM
• Function App needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the Function doc page

Deployment instructions

• Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.

• Fill the required parameters:
  • Playbook Name: Enter the playbook name here (ex:Fortinet_EnrichmentwithIP)
  • Function app Name: Enter Function app name which is created as Prerequisite
  • Address Group: Pre-defined address group name which is created in VM
  • Managed Identities Name: Enter the managed identity name (ex: managed identities name)Create user assigned manage identity.

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

1. Click the Microsoft Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save

b. Configurations in Sentinel

• In Microsoft sentinel analytical rules should be configured to trigger an incident with IP Entity.
• Configure the automation rules to trigger this playbook

Playbook steps explained

When Microsoft Sentinel incident creation rule is triggered

• Capture IP and check for existence and if IP does not exist, create an address object for IP's

For each-malicious IP received from the incident

Iterates on the IPs found in this incident (probably one) and performs the following:

• Fetches the address object details
• Retrieve the address groups details
• construct HTML Table with details of address object and address groups
• Add comment for an incident with summary of the address object and address groups.

Enrich Incident with address object and address groups details look as follows

Known Issues and Limitations

• When pre-defined group reaches the max limit user must create the new pre-defined group and change in the play book

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel