Fortinet-FortiGate-ResponseOnBlockIP
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes IPs, by adding/removing the IPs to the Microsoft Sentinel IP blocked group.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
fortinetconnector |
Managed | 0 | 2 |
teams |
Managed | 1 | 0 |
FortinetCustomConnector |
Custom | 1 | 0 |
function |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3)_3 | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
fortinetconnector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_an_address_object | post | /api/v2/cmdb/firewall/address |
— |
| Update_address_group | put | /api/v2/cmdb/firewall/addrgrp/@{encodeURIComponent(variables('Pre-definedGroupName'))} |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Address_group_details | GET | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')] |
| Check_address_object_is_already_exist_in_firewall | GET | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')] |
Additional Documentation
📄 Source: Fortinet_ResponseOnIP/readme.md
Fortinet - ResponseOnIP
Summary
This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes IPs, by adding/removing the IPs to the Microsoft Sentinel IP blocked group. Learn more about Threat Intelligence in Fortinet policy
This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:
This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:
Prerequisites
- Sentinel IP block group should create in the VM
- FortinetConnector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
- Function App needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the Function doc page.
- FortinetConnector need to be authenticated with an API key. Relevant instructions can be found in the connector doc page.
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill the required parameters:
- Playbook Name: Enter the playbook name here (ex:Fortinet_ResponseOnIP)
- Team Channel ID: Enter the teams channel id
- Teams group ID: Enter the teams channel id
- Pre-defined Group Name: Group name which is created in firewall
- Function app Name: Enter Function app name which is created as Prerequisites
- Managed Identities Name: Enter the managed identity name (ex: managed identities name) Create user assigned manage identity
Post-Deployment instructions
- Go to logic app designer.
- Look for the function call actions. You can find them by the titles:
- Fetch the details of the address object.
- Get address group details.
- For each one of the above function call actions and perform the below mentioned steps:
- Go to "Managed identity" dropdown and select user identity.
- Save playbook.
- Go to Microsoft Sentinel, hook playbook to Microsoft Sentinel rules.
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource.
- Click edit API connection.
- Click Authorize
- Sign in.
- Click Save
- Repeat steps for other connection such as Team's connection
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with IP Entity.
- Configure the automation rules to trigger this playbook
Playbook steps explained
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with IP Entity.
- Configure the automation rules to trigger this playbook.
When Microsoft Sentinel incident creation rule is triggered
- Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Get Entities as IP's
- Get the list of risky/malicious IPs as entities from the Incident.
Initialize variables
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel