Fetch Threat Intel from fortiwebcloud




This playbook adds (or updates) threat intelligence and the essential attack details in the comments section of the triggered incident, so that SOC analysts can take corrective measures directly to stop the attack.

Attribute Value
Type Playbook
Solution Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
Source View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 1
fortiweb Managed 0 2
FortiWebCloud Custom 1 0
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3) post /Incidents/Comment

fortiweb (Managed)

Action Method Endpoint Other
Get_Attack_Log_Detail get /v1/application/@{encodeURIComponent(parameters('ep_id'))}/attack_logs/@{encodeURIComponent(items('For_each_2')?['msg_id'])}
Get_Attack_Logs_List get /v1/application/@{encodeURIComponent(parameters('ep_id'))}/attack_logs

Additional Documentation

📄 Source: FortiWebPlaybooks/FortiWeb-enrichment/readme.md

FortiWeb-enrichment Info Playbook

Summary

When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions:

  1. Fetches the list of IPs from the incident entities.
  2. Makes the API call to get the latest threat information/details from the FortiWeb Cloud console and updates the same incident's comments with the result.
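The enrichment flow above, as an added illustration that is not part of the playbook or the FortiWeb connector: it builds the two attack-log paths exactly as the Logic App actions do (mirroring `encodeURIComponent` for `ep_id` and `msg_id`), filters attack logs against the incident's IP entities, and composes the comment text. The entity shape, the attack-log field names (`src_ip`, `msg_id`, `main_type`, `action`) and the sample records are constructed assumptions, not the real API schema.

```python
from urllib.parse import quote

# JavaScript's encodeURIComponent() leaves these characters unescaped (assumption: Logic App
# expressions behave the same), so quote() is given the same safe set.
_URI_SAFE = "-_.!~*'()"


def encode_uri_component(value: str) -> str:
    return quote(value, safe=_URI_SAFE)


def attack_logs_list_path(ep_id: str) -> str:
    """Path used by the Get_Attack_Logs_List action."""
    return f"/v1/application/{encode_uri_component(ep_id)}/attack_logs"


def attack_log_detail_path(ep_id: str, msg_id: str) -> str:
    """Path used by the Get_Attack_Log_Detail action, one call per msg_id from the list."""
    return f"/v1/application/{encode_uri_component(ep_id)}/attack_logs/{encode_uri_component(msg_id)}"


def incident_ips(entities: list[dict]) -> set[str]:
    """Collect the addresses of the 'Ip' entities of an incident (simplified entity shape)."""
    return {e["properties"]["address"] for e in entities if e.get("kind") == "Ip"}


def build_comment(entities: list[dict], attack_logs: list[dict]) -> str:
    """Return the comment text the playbook would post to the incident."""
    ips = incident_ips(entities)
    hits = [log for log in attack_logs if log["src_ip"] in ips]
    if not hits:
        return "FortiWeb Cloud: no attack logs matched the incident's IP entities."
    lines = ["FortiWeb Cloud attack logs matching incident IP entities:"]
    for log in hits:
        lines.append(f"- {log['src_ip']} msg_id={log['msg_id']} {log['main_type']} ({log['action']})")
    return "\n".join(lines)


# Constructed sample data: one incident with two IP entities and one URL entity,
# and three attack-log records as the list call might return them (assumed fields).
SAMPLE_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "198.51.100.23"}},
    {"kind": "Url", "properties": {"url": "http://example.test/login"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.9"}},
]
SAMPLE_ATTACK_LOGS = [
    {"src_ip": "198.51.100.23", "msg_id": "1001", "main_type": "SQL Injection", "action": "Alert_Deny"},
    {"src_ip": "192.0.2.77", "msg_id": "1002", "main_type": "XSS", "action": "Alert"},
    {"src_ip": "203.0.113.9", "msg_id": "1003", "main_type": "Bot Detection", "action": "Block"},
]


def enrich_sample() -> str:
    return build_comment(SAMPLE_ENTITIES, SAMPLE_ATTACK_LOGS)
```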

Prerequisites

  1. FortiWeb Cloud Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
  2. API key. To get the API key, log in to your FortiWeb Cloud instance dashboard and navigate to Global --> System Settings --> API Key.

Deployment instructions

  1. Deploy the playbook by clicking the "Deploy to Azure" button. This takes you to the ARM template deployment wizard. Buttons: Deploy to Azure, Deploy to Azure Gov.

  2. Fill in the required parameters:

    • Playbook Name: Enter the playbook name here (Ex: FortiWeb-BlockIP-URL)
    • Custom Connector Name: Enter the FortiWeb custom connector name here (Ex: FortiWebCloud)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat the steps for the FortiWeb API connection (authorizing the FortiWeb API connection requires the API key)

b. Configurations in Sentinel

  1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident containing a risky URL or IP address.
  2. Configure the automation rules to trigger this playbook; mapping of IP and URL entities is necessary.

