Fortinet-FortiGate-ResponseOnBlockURL
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes URL's, by adding the URLs to the Microsoft Sentinel URL blocked group.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
fortinetconnector |
Managed | 0 | 2 |
teams |
Managed | 1 | 0 |
FortinetCustomConnector |
Custom | 1 | 0 |
function |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3)_3 | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
fortinetconnector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_an_address_object | post | /api/v2/cmdb/firewall/address |
— |
| Update_pre-defined_address_group | put | /api/v2/cmdb/firewall/addrgrp/@{encodeURIComponent(variables('Pre-definedGroupName'))} |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Address_group_details | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')] |
| Check_address_object_is_already_exist_in_firewall | GET | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/Fortinet-GetEntityDetails')] |
Additional Documentation
📄 Source: Fortinet_ResponseOnURL/readme.md
Fortinet - ResponseOnURL
Summary
This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes URL's, by adding the URLs to the Sentinel URL blocked group. Learn more about Threat Intelligence in Fortinet policy
This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore ::
This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration ::
Prerequisites
- Sentinel URL block group should create in the VM
- FortinetConnector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
- Fortinet-GetRestAPIFunctionAPP needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the Function doc page.
- FortinetConnector need to be authenticated with an API key. Relevant instructions can be found in the connector doc page.
- This playbook will add new address object to existing VM.
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill the required parameteres:
- Playbook Name: Enter the playbook name here (ex:Fortinet_ResponseOnURL)
- Team Channel ID: Enter the teams channel id
- Teams group ID: Enter the teams channel id
- Pre-defined Group Name: Group name which is created in firewall
- Function app Name: Enter Function app name which is created as Prerequisite
- Managed Identities Name: Enter the managed identity name (ex: managed identities name)
Post-Deployment instructions
- Go to logic app designer.
- Look for the function call actions. You can find them by the titles:
- Fetch the details of the address object.
- Get address group details.
- For each one of the above function call actions and perform the below mentioned steps:
- Go to "Managed identity" dropdown and select user identity.
- Save playbook.
- Go to Microsoft Sentinel, hook playbook to Microsoft Sentinel rules.
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource.
- Click edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat steps for other connection such as Team's connection
##Playbook steps explained
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with URL Entity.
- Configure the automation rules to trigger this playbook.
When Microsoft Sentinel incident creation rule is triggered
- Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Get Entities as URLs
- Get the list of risky/malicious URLs as entities from the Incident.
Initialize variables
Action Name (type-String) - To determine the action name to be displayed in the adaptive card such as Block or Unblock URL from predefined address group.
Adaptive card body(type-Array) - To determine the dynamic adaptive card body
Address group Members(type-Array) - To determine the body of predefined address group
URL Address Action(type-Array) - Consolidated actions summary on each URL to display in adaptive card
Predefined group name(type-String)- You can change the pre-defined address group name here
Post an adaptive card to the SOC channel
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel