The FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) provides you with a snapshot of the configuration data and other items that can help you to optimally use and experience FortiSOAR’s incident response.
This article provides a listing and brief description of the various types of playbook collections included in the Content Pack. You can use the playbooks to perform various operations used to automate security processes across your organization. These playbooks can also be used to simulate use cases and provide training for FortiSOAR.
The playbooks are categorized based on the type of functions they perform such as ingestion, enrichment, triaging, etc.
You can use the playbooks in the 01-Ingest collection to ingest data from external SIEM solutions like LogRhythm. and other third-party sources like threat intelligence platforms like ThreatQ, email solutions, etc.
Following is a table that lists the playbooks that are part of the “01-Ingest” collection in the Content Pack:
Name of the playbook | Description |
Elastic > Create Alert | Receives ‘Login Failure Events’ from Elastic using Watcher and creates alert records in FortiSOAR. |
> Elastic > Create Alert (Single Record) | Creates an alert record for events created in Elastic. |
Email > Extract Indicators | Extracts indicators from the body and header of the email. |
Email (Manual Attach) > File to Alert (Suspicious Email) | Attaches an email to an alert of type ‘Suspicious Email’, which is further used for investigations. |
Email (Manual Upload) > Extract Attachments | Extract attachments from emails, creates indicators, and then links them to the parent alert. |
Email (Manual Upload) > Investigate | Extracts email metadata from an email file that is uploaded, e.g. mail.eml or mail.msg. |
Indicator > Import Bulk Indicators | Extracts indicators from the specified text. |
>> JASK > Create Alert for Insight | Creates alerts for JASK Insight. |
>> JASK > Create or Find Indicator and Comment | Creates or finds an indicator and associated comments from JASK Insight. |
>> JASK > Get Signal Details | Retrieves details of JASK Signals. |
JASK > Ingest Insights | Pulls insight data from JASK. |
LogRhythm > Fetch Alarms | Pulls alarms created between the specified duration from LogRhythm. |
> LogRhythm > Generate LogRhythm Records | Creates LogRhythm records. |
Phishing/Suspicious Email Alert > Extract Indicators | Extract Indicators from the body and header of alerts that are of type "Phishing" and "Suspicious Email". |
Symantec CloudSOC > Fetch Incidents | Retrieves incidents from Symantec CloudSOC. |
> Symantec CloudSOC > Fetch Incidents > Create Single Alert | Creates a single alert for Symantec CloudSOC incidents. |
Symantec Email.Cloud > Fetch Alert | Retrieves alerts from Symantec Email.Cloud. |
Tenable.io > Fetch Assets | Retrieves assets for the specified scan from Tenable.io. |
> Tenable.io > Fetch Assets > Ingest Asset | Creates a new asset record in Tenable.io and builds the relationship between the scan and the asset. |
Tenable.io > Fetch Scan | Retrieves scans for the specified scan from Tenable.io. |
> Tenable.io > Fetch Scan > Ingest Scan | Creates a new scan record. |
Tenable.io > Fetch Vulnerabilities | Retrieves vulnerabilities for the specified asset from Tenable.io. |
> Tenable.io > Fetch Vulnerabilities > Ingest Vulnerabilities | Creates a new vulnerability record in Tenable.io and builds the relation between the asset and the vulnerabilities. |
Tenable.io > Fetch Vulnerability Details | Retrieves vulnerability information for the specified vulnerability from Tenable.io. |
Threat Intel > Create Indicators | Retrieves indicators that have been created or updated in the past 24 Hours from ThreatQ. |
Note: | |
You can use the playbooks in the 02-Enrich collection to perform enrichment of data, which is one of the first incident response tasks. Automating data enrichment tasks help to better manage increasing volumes of threats and provide more actionable context to the analysts. An example of an enrichment type playbook would be retrieving the reputation of a file, domain, URL, etc. from threat intelligence platforms such as Anomali ThreatStream and VirusTotal.
Following is a table that lists the playbooks that are part of the “02-Enrich” collection in the Content Pack:
Name of the playbook | Description |
Asset > Get Running Process | Retrieves a list of all processes that are running on the specified host. |
Attachment > Get File Reputation | Retrieves the reputation of a file that is submitted from FortiSOAR to VirusTotal. |
>> Create Indicators (Batch) | Creates indicator records in bulk. |
Extract Indicators | Extracts and creates indicators from the specified data and then enriches specific fields in alerts with the indicator data. |
Extract Indicators > Manual | Extracts and creates indicators from the specified alert records and then enriches specific fields in alerts with the indicator data. |
>> Fotinet Fortisandbox (Get Reputation) > Get Scan Results | Retrieves the job verdict details for submitted samples based on the specified job ID. |
Get Related IOCs For An IP | Retrieves related IOCs for a specified IP address from threat intel sources. |
Get Reputation After Specified Time | Re-enriches indicators after a specified time. |
Indicator (Manual Trigger) > Get Latest Reputation | Retrieves the reputation of indicators using configured threat intelligence tools. You can trigger this playbook by manually selecting the indicator(s). |
Indicator (Type All) > Get Latest Reputation | Based on the type of indicator, this playbook retrieves the reputation of indicators using configured threat intelligence tools. |
Indicator (Type Domain) > Get Reputation | Retrieves the reputation of indicators of type ‘Domain’ using configured threat intelligence tools. |
Indicator (Type Email) > Get Reputation | Retrieves the reputation of indicators of type ‘Email Address’ using configured threat intelligence tools. |
Indicator (Type File) > Get Reputation | Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools. |
Indicator (Type File) > Get Reputation (Fortinet Sandbox) | Submits a file to Fortinet Sandbox and then retrieves its reputation. |
Indicator (Type File - MD5) > Get Reputation | Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools. |
Indicator (Type Host) > Get Reputation | Retrieves the reputation of indicators of type ‘Host’ using configured threat intelligence tools. |
Indicator (Type IP) > Get Reputation | Retrieves the reputation of indicators of type ‘IP Address’ using configured threat intelligence tools. |
Indicator (Type Port) > Get Reputation | Retrieves the reputation of indicators of type ‘Port’ using configured threat intelligence tools. |
Indicator (Type Process) > Get Reputation | Retrieves the reputation of indicators of type ‘Process’ using configured threat intelligence tools. |
Indicator (Type URL) > Get Reputation | Retrieves the reputation of indicators of type ‘URL’ using configured threat intelligence tools. |
Indicator (Type User Account) > Get Details | Retrieves the details of indicators of type ‘User Account’ using configured threat intelligence tools. |
Note: | |
Following is a table that lists the playbooks that are a part of the “02-Enrich (Pluggable)” collection in the Content Pack.
The function of the playbooks in both Enrich and Enrich (Pluggable) collection is the same; however, the design approach is different. In the standard Enrich playbook, all the threat intelligence platforms for a particular indicator type are configured in a single playbook. In Enrich (Pluggable) collection, every threat intelligence platform for a particular indicator type has a separate playbook, which can be plugged/referenced in the Enrichment playbook.
Name of the playbook | Description |
AlienValut OTX - File MD5 Reputation | Retrieves the reputation of indicators of type 'FileHash-MD5' using AlienValut OTX. |
AlienValut OTX - IP Reputation | Retrieves the reputation of indicators of type 'IP Address' using AlienValut OTX. |
AlienValut OTX - URL Reputation | Retrieves the reputation of indicators of type 'URL' using AlienValut OTX. |
AlienVault-OTX - Domain Reputation | Retrieves the reputation of indicators of type 'Domain' using AlienValut OTX. |
Anomali Threatstream - Email Reputation | Retrieves the reputation of indicators of type 'Email' using Anomali Threatstream. |
Anomali Threatstream - File MD5 Reputation | Retrieves the reputation of indicators of type 'FileHash-MD5' using Anomali Threatstream. |
Anomali Threatstream - IP Reputation | Retrieves the reputation of indicators of type 'IP Address' using Anomali Threatstream. |
Anomali Threatstream - URL Reputation | Retrieves the reputation of indicators of type 'URL' using Anomali Threatstream. |
Cisco Threat Grid - File Reputation | Submits a file to Cisco Threat Grid and then retrieves its reputation. |
Fortinet Web Filter Lookup - Domain Reputation | Retrieves the reputation of indicators of type 'Domain' using Fortinet Web Filter Lookup. |
Fortinet Web Filter Lookup - URL Reputation | Retrieves the reputation of indicators of type 'URL' using Fortinet Web Filter Lookup. |
IP Stack - Domain Geo Location | Retrieves the geolocation of indicators of type 'Domain' using IP Stack. |
IP Stack - IP Reputation | Retrieves the geolocation of indicators of type 'IP Address' using IP Stack. |
Indicator (Domain) > Get Latest Reputation | Retrieves the reputation of indicators of type 'Domain' using configured threat intelligence playbooks. |
Indicator (Email) > Get Latest Reputation | Retrieves the reputation of indicators of type 'Email' using configured threat intelligence playbooks. |
Indicator (File MD5) > Get Latest Reputation | Retrieves the reputation of indicators of type 'Filehash' using configured threat intelligence playbooks. |
Indicator (File) > Get Latest Reputation | Uploads a file to a sandbox and then retrieves its reputation using configured threat intelligence tools playbooks. |
Indicator (IP Address) > Get Latest Reputation | Retrieves the reputation of indicators of type 'IP Address' using configured threat intelligence playbooks. |
Indicator (Manual Trigger) > Get Latest Reputation | Retrieves the reputation of indicators using configured threat intelligence tools. You can trigger this playbook by manually selecting the indicator(s). |
Indicator (Type All) > Get Latest Reputation | Based on the type of indicator, this playbook retrieves the reputation of indicators using configured threat intelligence tools. |
Indicator (Type File - MD5) > Get Reputation | Retrieves the reputation of a file, identified by its MD5 hash, using configured threat intelligence tools. |
Indicator (Type Host) > Get Latest Reputation | Retrieves the reputation of indicators of type 'Host' using configured threat intelligence playbooks. |
Indicator (Type Process) > Get Latest Reputation | Retrieves the reputation of indicators of type 'Process' using configured threat intelligence tools. |
Indicator (URL) > Get latest Reputation | Retrieves the reputation of indicators of type 'URL' using configured threat intelligence playbooks. |
MXToolBox - IP Reputation | Retrieves the reputation of indicators of type 'IP Address' using MXToolBox. |
Symantec Deepsight Intelligence - File MD5 Reputation | Retrieves the reputation of a file, identified by its MD5 hash, using Symantec DeepSight Intelligence. |
ThreatQ - Email Reputation | Retrieves the reputation of indicators of type 'Email' using ThreatQ. |
URLVoid - Domain Reputation | Retrieves the reputation of indicators of type 'Domain' using URLVoid. |
URLVoid - URL Reputation | Retrieves the reputation of indicators of type 'URL' using URLVoid. |
VirusTotal - Domain Reputation | Retrieves the reputation of indicators of type 'Domain' using VirusTotal. |
VirusTotal - URL Reputation | Retrieves the reputation of indicators of type 'URL' using VirusTotal. |
Virustotal - File MD5 Reputation | Retrieves the reputation of indicators of type 'File Hash MD5' using VirusTotal. |
Virustotal - File Reputation | Submits a file to VirusTotal and then retrieves its reputation. |
Virustotal - IP Reputation | Retrieves the reputation of indicators of type 'IP Address' using VirusTotal. |
Whois - IP Reputation | Retrieves whois data for indicators of type 'IP Address' using Whois RDAP. |
You can use the playbooks in the 03-Triage collection to perform actions such as sorting, systematize, computing, etc. your enriched data, enabling you to quickly investigate the incident and take decisions for containment and resolution of the incident.
Following is a table that lists the playbooks that are part of the “03-Triage” collection in the Content Pack:
Name of the playbook | Description |
Compute Alert Priority Weight (Post Update) | Computes and sets the priority weight for an alert, when the alert is updated. The priority weight is calculated based on indicators related to the alert. |
Compute Alert Priority Weight (Post Update - Indicator Linked) | Computes and sets the priority weight for an alert, when an indicator related to the alert is updated. The priority weight is calculated based on indicators related to the alert. |
Compute Alert Priority Weight (Post Update - Indicator Reputation Update) | Computes and sets the priority weight for an alert, when the reputation of an indicator is updated. The priority weight is calculated based on indicators related to the alert. |
Find and Relate Similar Alerts | Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts. |
Find and Relate Similar Alerts - ML | Finds similar alerts based on the filter criteria you have specified and adds correlations to similar alerts using the recommendation APIs (ML). |
Flag Indicators Linked across multiple alerts | Flags changes made in indicators that are linked to multiple alerts. |
Map Historical Alerts and Escalate for malicious Indicators | Creates a mapping for historical alerts and then escalates the alerts to incidents if malicious indicators are found in the historical alerts. If the incident already exists, then the information is updated into the incident; else a new incident is created. |
Prioritize Alerts With VIP Assets | Raises the severity of the alert if it is associated with a super critical asset. |
Update Alert Severity for Malicious Indicators | Sets the severity of the alert to ‘Critical’ if its associated indicators are found to be ‘malicious’. |
You can use the playbooks in the 04-Use Cases collection to understand and perform various tasks or steps needed to deal with an incident, such as a Phishing attack or a Brute Force Attempt.
Following is a table that lists the playbooks that are part of the “04-Use Cases” collection in the Content Pack:
Name of the playbook | Description |
Investigate and Escalate Symantec Email.Cloud Phishing Alert | Investigates an alert ingested from Symantec Email.Cloud of type ‘Phishing’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’. |
Investigate Brute Force Attempt | Investigates login failures and also identifies other impacted assets that have been victims of the brute force attempts from a particular source of attack |
Investigate Brute Force Attempt (FortiSIEM) | Investigates login failures from FortiSIEM and also identifies other impacted assets that have been victims of the brute force attempts from a particular source of attack. |
Investigate C2 Malware Traffic | Investigates C2 Malware Traffic and blocks malicious content if indicators associated with the alert are found to be ‘Malicious’. |
Investigate Command & Control | Enriches alerts for command-and-control behavior by identifying the reputation of related artifacts such as source IP addresses and file hashes. Also, investigates any anomalous processes running on the host on which the attack has occurred and terminates those processes. |
Investigate Compliance Alert | The security analyst manually investigates compliance alerts and provides their findings. |
Investigate Concurrent login from different geo location | Investigates alerts of type ‘Concurrent Login’ by checking if the source IP address is in the specified CIDR range, and then performs remediation tasks based on the result. |
Investigate Data Leakage Alert (Symantec CloudSOC) | Investigates a data leakage alert that is ingested from Symantec CloudSOC and performs containment and remediation tasks if sensitive data is leaked. |
Investigate DNS Exfiltration | Investigates an alert ingested from Splunk using threat intelligence reports retrieved from Intel471 and by querying Splunk. Containment tasks are performed if malicious activity is found. |
Investigate Firewall Policy Violation | Investigates policy violations and retrieves information of the destination and source IP addresses along with the protocols and ports used, and then disables the system from the domain. |
Investigate Lateral Movement & VPN Breach Detection | Investigates a FortiDeceptor Malicious IP Lateral Movement and performs containment and remediation tasks if a breach is detected. |
Investigate Lost / Stolen device | Investigates lost or stolen devices using ServiceNow and Active Directory. |
> Investigate Malicious Indicator >> Hunt | Referenced by 'Investigate Malicious Indicator' playbook to perform a hunt on malicious indicators using QRadar, Splunk, and FortiEDR. |
> Investigate Malicious Indicator >> Hunt >> QRadar Threat Hunt | Performs QRadar Threat Hunting for the last 7 days on the specified IOC. |
Investigate Malicious Indicators | Hunts malicious indicators and provides their summary for review by analysts. |
Investigate Malware Infection | Investigates a malware infection by querying ElasticSearch and Active Directory. |
Investigate Reconnaissance | Investigates alerts of type ‘Reconnaissance’ and blocks the source IP address on the firewall if it is found to be malicious. |
Investigate S3 Bucket Permission Change | Investigate a change in the S3 permissions, and performs containment and remediation tasks if the change is in violation of the S3 policy. |
Investigate Suspicious Email | Investigates an alert of type ‘Suspicious Email’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’. |
Investigate Symantec EMail.Cloud Alert | Investigates an alert ingested from Symantec EMail.Cloud of type ‘Suspicious Email’. |
Investigate Windows Sysmon event | Investigates a Windows Sysmon event, and escalates the alert to an ‘Incident’ if malware is detected. |
Phishing Alert > Investigate and Escalate | Investigates an alert of type ‘Phishing’, and escalates the alert to an ‘Incident’ if indicators associated with the alert are found to be ‘Malicious’. |
Process CarbonBlack Bit9 Approval Requests | Creates tasks against an incident to complete all requests listed in CarbonBlack Bit9 and sends requests for their approval process. |
> Process CarbonBlack Bit9 >> Approval Requests (Subroutine) | Subroutine of CarbonBlack Bit9 approval process. |
Rapid7 - Fetch Scan and Deploy Patch | Automates patch deployments by looking up Rapid7 Scan results. |
Rapid7 - Fetch Scan and Deploy Patch (Scheduled) | Creates schedules to initiate patch deployments. |
> Rapid7 >> Patch (Subroutine) | Deploys patches using MS SCCM. |
Remediate Malware Alert (Symantec EDR / ATP) | Investigates an alert ingested from Symantec EDR / ATP of type ‘Malware’, and blocks entities that are found to be ‘Malicious’. |
Investigate Suspicious Network Activity | Investigates suspicious network activity and blocks any malicious indicators associated with the alert on the firewall. |
Get Microsoft CASB Alert Information | Fetches details related to a Microsoft cloud access security broker (CASB) alert and extracts indicators from the alert activities. This is reference playbook to the“Pickup and Enrich Microsoft CASB Alert”playbook. |
Pickup and Enrich Microsoft CASB Alert | Picks up and enriches an alert that is generated from Microsoft CASB, and performs further investigations, if any malicious indicator is found. |
Investigate Malware Alert | Investigates a malware alert by checking if any malicious indicator found on the endpoint and then performs hunt for malicious indicator to block the same on firewall. Also performs a full scan of the infected endpoint. |
Note: | |
You can use the playbooks in the 05-Actions collection to perform various operations or actions such as blocking or unblocking domains, URLs, hosts, etc.
Following is a table that lists the playbooks that are a part of the “05-Actions” collection in the Content Pack:
Name of the playbook | Description |
Action > Asset Mitigation | Carries out a sequence of processes such as Clean Asset, AV scan, etc. in order to decide whether to keep an asset in isolation or remove it from isolation. |
Action - Domain - Block (Indicator) | Blocks the indicators of type 'Domain' on the firewall and marks the indicator as "Blocked" based on its Block status. |
Action - Domain - Block (Specified by User) | Creates an indicator for the domain name specified by the user, blocks the domain on the firewall, and also marks the status of the indicator 'Blocked’. The indicator is also linked to the record on which the playbook is triggered. |
Action - Domain - Unblock (Indicator) | Unblocks the indicators of type 'Domain' on the firewall and marks the indicator as "Unblocked" based on its block status. |
Action - Domain - Unblock (Specified by User) | Creates indicator for the domain name specified by the user, unblocks the domain on the firewall, and also marks the status of the indicator as ‘Unblocked’. The indicator is also linked to the record on which the playbook is triggered. |
Action - Email Address - Block (Indicator) | Blocks the indicators of type 'Email Address' on the firewall and marks indicator as "Blocked" based on its block status. |
Action - Email Address - Block (Specified by User) | Creates indicator for the email address specified by the user, blocks the email on the firewall, and marks the status of the indicator as ‘Blocked’. The indicator is also linked to the record on which the playbook is triggered. |
Action - Email Address - Unblock (Indicator) | Unblocks the indicators of type 'Email Address' on the firewall and mark indicator as "Unblocked" based on its block status. |
Action - Email Address - Unblock (Specified by User) | Creates indicators for the email address specified by the user, unblocks the email on the firewall, and also marks the status of the indicator as Unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - File - Block (Indicator) | Blocks the indicators of type 'File' on the firewall and marks the indicator as "Blocked" based on its block status. |
Action - File - Block (Specified by User) | Creates indicators for the file specified by the user, blocks the file on the firewall and also marks the status of the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - File MD5 - Block (Indicator) | Blocks the indicators of type 'Filehash' on the firewall and marks the indicator as "Blocked" based on its block status. |
Action - File MD5 - Block (Specified by User) | Creates indicators for the filehash specified by the user, blocks the indicator on the firewall, and also marks the status of the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - File MD5- Unblock (Indicator) | Unblocks the indicators of type 'Filehash' on the firewall and marks the indicator as "Unblocked" based on its block status. |
Action - File MD5 - Unblock (Specified by User) | Creates indicators for the filehash specified by the user, unblocks the indicator on the firewall, and also marks the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - File - Unblock (Indicator) | Unblocks the indicators of type 'File' on the firewall and marks the indicator as "Unblocked" based on its block status. |
Action - File - Unblock (Specified by User) | Creates indicators for the file specified by the user, unblocks the file on the firewall, and also mark the status of the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - Host - Block (Indicator) | Blocks indicators of type 'Host' on the firewall and marks the indicator as "Blocked" based on its block status. |
Action - Host - Block (Specified by User) | Creates indicators for the host specified by the user, blocks the host on the firewall, and also marks the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - Host - Isolate Host | Isolates indicators of type 'Host' and marks the indicator as "Isolated" based on its block status. |
Action - Host - Unblock (Indicator) | Unblocks indicators of type 'Host' on the firewall and marks the indicators as "Unblocked" based on their block status. |
Action - Host - Unblock (Specified by User) | Creates indicators for the host specified by the user, unblocks the host on the firewall, and also marks the indicator as Unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - IP Address - Block (Forticlient EMS) | Quarantines endpoint with the specified IP address on FortiClient EMS. |
Action - IP Address - Block (Fortigate,FortiEDR) | Isolates and blocks specified IP addresses using FortiGate and FortiEDR. |
Action - IP Address - Block (Indicator) | Blocks indicators of type 'IP Address' on the firewall and marks the indicators as "Blocked" based on their block status. |
Action - IP Address - Block (Specified by User) | Creates indicators for the specified IP Address', blocks the IP address on the firewall, and marks the indicators as blocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - IP Address - Unblock (Indicator) | Unblocks indicators of type 'IP Address' on the firewall and marks the indicator as "Unblocked" based on their block status. |
Action - IP Address - Unblock (Specified by User) | Creates indicators for the specified 'IP Address', unblocks the IP address on the firewall, and marks the indicators as unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Action (Type All) > Block Indicators | Blocks all types of indicators on the firewall based on their block status. |
Action - URL - Block (Indicator) | Blocks indicators of type 'URL' on the firewall and marks the indicators as "Blocked" based on their block status. |
Action - URL - Block (Specified by User) | Creates indicators for the specified 'URL', blocks the URL on the firewall, and marks the indicator as blocked. The indicator is also linked to the record on which the playbook is triggered. |
Action - URL - Unblock (Indicator) | Unblocks indicators of type 'URL' on the firewall and marks the indicators as "Unblocked" based on their block status. |
Action - URL - Unblock (Specified by User) | Creates indicators for the specified 'URL', unblocks the URL on the firewall, and marks the indicator as unblocked. The indicator is also linked to the record on which the playbook is triggered. |
Alert > Disable Specific User | Disables the specified User Account from the Active Directory. |
Asset > Deploy Patch | Deploys the specified Patch on the selected asset using 'Microsoft SCCM'. |
Incident > Get Running Process | Retrieves details for all the running processes on the specified host. |
You can use the playbooks in the 06-Hunt collection to automate threat hunting processes and search and identify suspicious domains, malware, and other indicators in your environment and create alerts based on them.
Following is a table that lists the playbooks that are part of the “06-Hunt” collection in the Content Pack:
Name of the playbook | Description |
Hunt Indicators | Searches for the specified indicators in your environment using EDR tools, and create alerts for ones that are found. |
You can use the playbooks in the 07 - ChatOps collection to perform various operations such as fetching alert and incident details, using a Bot.
Following is a table that lists the playbooks that are part of the “07-Chatops” collection in the Content Pack:
Name of the playbook | Description |
Bot command > Display Options | Displays a list of all the Bot commands. |
Bot Command > Get Alerts | Retrieves details of a specific alert based on the provided alert ID. |
Bot Command > Get Incidents | Retrieves details of a specific incident based on the provided incident ID. |
Bot Command > GetLocation | Retrieves the geolocation details for the specified indicator. |
Bot Command > Get Reputation | Retrieves the reputation for the specified indicator. |
Bot Command > Get Similar Alerts | Retrieves the alert records that are similar to a specific alert based on the provided alert ID. |
Bot > Execute commands | Executes the specified Bot Command. |
code snippet | Executes the provided Python code. |
You can use the playbooks in the 08 – Case Management collection to automate processes related to cases, including operations such as adding a user as a record owner, checking for SLA violations, calculating queued and resolution time for alerts, etc.
Following is a table that lists the playbooks that are part of the “08-Case Management” collection in the Content Pack:
Name of the playbook | Description |
Add a User to the Owners List | Checks if the specified module is user ownable, and then adds the selected user as an owner of the record / records irrespective of which team the user belongs. |
Alert > [01] Capture All SLA (Upon Create) | Updates the alert's acknowledgement due date and response due date based on the alert’s severity. |
Alert > [02] Capture Ack SLA (Upon Update) | Updates the alert's acknowledgement date and SLA Status based on when the alert status is changed. |
Alert > [03] Capture Response SLA (Upon Update) | Updates the alert's response date and SLA Status based on when the alert status is changed. |
Alert > [04] Check for SLA violations | Checks periodically for violations of acknowledgement SLA of the open alerts. |
Alert > [05] Update Ack and Response Due dates (Post Severity Change) | Updates the alert’s acknowledge due date and response due date for change in the severity of alerts |
Alert > Close Corresponding SIEM Alert | Closes the alert on the corresponding SIEM when an alert is closed in FortiSOAR. |
> Alert >> Periodic Update Alert SLA Status | This is a subroutine playbook to periodically check violations of acknowledgement and response SLA of the open alerts. |
Alert > Set Metrics (Upon Close) | Calculates queued and resolution time for a closed alert. |
> Alert >> Update SLA Details | Updates an alert's acknowledgement due date and response due date based on the severity of the alert. |
Approval > On Create | This playbook is triggered whenever an approval record is created, and an email is sent out to the intended approver(s). |
Approval > On Email Receipt (Exchange) | This playbook is triggered whenever an email is received via Exchange; the playbook determines whether the received email is an approval mail, and, if yes, checks its approval status. |
Approval > On Email Receipt (IMAP) | This playbook is triggered whenever an email is received via IMAP and it checks whether the received email is an approval mail along with its approval status. |
Approval > On Email Receipt >> Process Email | Checks if the email is an approval email and returns its approval status. |
Assign Random User to Unassigned Alerts | Auto assigns alerts if their assignments were missed during alert creation. |
Assign Random User to Unassigned Incidents | Auto assigns incidents if their assignments were missing during incident creation. |
Escalated Alert > Copy Related Records to Incidents | Links related data from the alert to the incident, when an alert is escalated. |
Escalated Alert > Related Asset Records to Incidents | Links related assets from the alert to the incident, when an alert is escalated. |
Export Selected Records | Exports all selected records to a JSON file and creates an attachment record for the same. |
>> Fetch SLA Details | Fetches SLA Details for incidents as per Service, that is, for MSSP or Enterprise. |
Import Data | Imports a valid JSON file to a relevant module and creates subsequent records. |
Incident > [01] Capture All SLA (Upon Create) | Updates an alert's acknowledgement due date and response due date based on the severity of the incident. |
Incident > [02] Capture Ack SLA (Upon Update) | Updates an incident's acknowledgement date and SLA status when the status of the incident is changed. |
Incident > [03] Capture Response SLA (Upon Update) | Update an incident's response date and SLA status when the status of the incident is changed. |
Incident > [04] Check for SLA violations | Periodically check Acknowledgement SLA violations of the Open Incidents. |
Incident > [05] Update Response and Ack Due date (Post Severity Change) | Update an incident's acknowledgement due date and response due date following a change in severity. |
> Incident >> Periodic Update Incident SLA Status | This is a subroutine playbook to check and update an incident’s SLA status. |
Incident (Post Create) Phase Change | Sets an incident's phase dates upon incident creation. |
Incident (Post Update) Phase Change | Updates an incident's phase dates when incident phase is changed. |
>> Incident - Set Phase Dates | Updates an incident's phase dates based on incident phase. |
Incident Summary Notification | Sends a daily summary of incidents created and closed. |
> Incidents >> Update SLA Details | Updates an alert's acknowledgement due date and response due date based on incident severity. |
Indicator > Check Expiry Status | Checks periodically for the expiry date of the indicator and marks it as expired, if matched. |
Indicator > Set Default Expiry Date | Sets the default expiry date when an indicator is created. |
Indicator > Set First Seen Date | Sets the first seen date when an indicator is created. |
Indicator > Set Last Seen Date | Tracks the occurrence of an indicator by updating the last seen date. |
Notify Blocked Indicator Status to Linked Alerts | Adds a note about an indicator being blocked. |
Pause SLA - Alerts | Pauses the alert's acknowledgement or response when its respective SLA status is changed to 'Awaiting Action'. |
Pause SLA - Incidents | Pauses the incident's acknowledgement or response SLA when its respective SLA status is changed to 'Awaiting Action'. |
Prompt when Indicator linked is to Campaign | Notifies an analyst via manual input when an indicator is linked to a campaign. |
Set Prompt to an Alert | Displays a prompt on alerts when an indicator is linked to campaign. |
The Case Management (Extended) collection playbooks are for special use cases and can be enabled, if required, by the SOC management. Following is a table that lists the playbooks that are part of the “08-Case Management (Extended)” collection in the Content Pack:
Name of the playbook | Description |
Incident > [06] Check for Ack SLA violations | Notifies users of violation of Acknowledgement SLA. |
Incident > [07] Check for Response SLA violations | Notifies users of violation of Response SLA. |
>> Notify Ack SLA Violation | Checks every 5 minutes, for Acknowledgement SLA violations of open incidents. |
>> Notify Response SLA Violation | Checks every 5 minutes for Response SLA violations of acknowledged incidents. |
You can use the playbooks in the 09 – Incident Response collection to help you plan your response to an incident such as a malware attack.
Following is a table that lists the playbooks that are part of the “09- Incident Response” collection in the Content Pack:
Name of the playbook | Description |
Incident Response Plan (Type - Malware) | Investigates incidents of type ‘Malware’ and executes the different phases of incident response using CarbonBlack Response. |
Incident Response Plan (Type - NIST 800-61 - Generic) | Creates tasks for incident response and handling as per the guidelines provided in NIST 800-61. |
NIST 800-61 - Upfront Tasks | Creates tasks for incident response and handling as per the guidelines provided in NIST 800-61. |
You can use the playbooks in the 10 – Utilities collection to perform various operations in FortiSOAR such as creating and linking assets to specified emails, alerts, or incidents, exporting all records or a specified module, or scheduling the health check of connectors and send appropriate notifications.
Following is a table that lists the playbooks that are part of the “10- Utilities” collection in the Content Pack:
Name of the playbook | Description |
Add Attacker Tag to Indicator (FortiDeceptor) | Finds the Attacker IP Address in a FortiDeceptor alert and adds the Attacker Tag to the indicator as well as updates the reputation of the indicator to Malicious. |
Create and Link Asset | Creates an asset (if it doesn't exist already), and links it to the specified email, alert, or incident record. |
Create and Link Indicator | Create an indicator (if it doesn't exist already), and links it to the specified email, alert, or incident record. |
Download and Create Attachment | Downloads the file from a specified URL and creates an attachment record for the same. |
Export as CSV | Export all records of the given module with specified filters in the CSV format. |
> Get Paginated Records | Gets paginated records data and appends them in a .CSV file. This playbook is a reference playbook for 'Export as CSV'. |
Notify Connector Health Check Failures | Scheduled to check connectors’ health status and notify the specified recipients of any failed health check. |
Notify Failed Playbook Executions | Notifies specified recipients of any playbook failure. It can be scheduled to run at specific intervals. |
You can use the playbooks in the 11 – Demo collection to create various artifacts required to demonstrate various scenarios, such as the creation of a demo incident record to demonstrate a malware incident response, creation of global various required by playbooks, creation of default SLA templates, etc.
Following is a table that lists the playbooks that are part of the “11- Demo” collection in the Content Pack:
Name of the playbook | Description |
Add to Exclude List | Adds specified indicators as global variables, which excludes them from being considered as IoCs. |
Create Default Global Variables | Creates default global variables and SLA templates required for playbooks. |
Create Default SLA Templates | Creates default SLA templates for varying severity of alerts and incidents. |
Create Demo Campaigns | Creates demo campaigns and corelates different observables against the campaign record. |
Create Sample Records - IR, Threat Intelligence and Vulnerability Management | Creates sample records for Alerts, Incidents, Indicators, Campaigns, Vulnerabilities, Assets, and Scans in order to carry out mock incident response, threat intelligence, and vulnerability management. This playbook is referenced in Demo Incident Response Records. |
Create Sample Records - Legal, Physical Incidents | Generates sample records for legal and physical incidents. |
Demo Incident Response Records | Creates sample records for Alerts, Incidents, Indicators, Campaigns, Vulnerabilities, Assets, and Scans in order to carry out mock incident response. |
Demo Scenario #1 - Compromised Credential | Generates alert from a FortiSIEM incident for the ‘Compromised Credentials’ Scenario. |
Download and Create Attachment | Downloads the file from a specified URL and creates an attachment record for the same. |
Email Based Alert Ingestion | Ingests an incident from a FortiSIEM email notification and creates alerts for the same. |
>> (Email Based Ingestion) Create Alert | Generates alerts for email-based alert ingestion. |
Generate > Attachment Records | Generates attachment records for the file downloaded from a specified URL. |
Generate > Malware Incident | Creates a demo incident record for demonstration of Malware IR. |
Generate > Tenable Scan, Assets and Vulnerabilities | Creates sample Scan, Assets, Vulnerabilities records from Tenable.io. |
>> Get Similar Alerts > Fetch Similar Alerts | Retrieves a list of alerts related to the specified indicator. |
Reset Sample Records (Database) | Clears all records from different modules by directly connecting to the database using a Python script. |
Sample > Create FortiSOAR Users | Creates FortiSOAR users for demo purposes. |
Sample > Reset Environment | Clears all records from different modules using FortiSOAR APIs. |
> Sample Users | This is a reference playbook that creates FortiSOAR users. |
Send Counseling Email | Sends the offending user a counseling email. |
> Setup Connector Configurations > Setup Connector | Configures the specified connectors. This is a reference playbook for Setup Connector Configurations. |
Setup Connector Configurations | Configures all connectors that are listed in the connector configuration file. |
Setup Default Appliance Roles | Auto Configures the appliance roles for playbook execution. |
Setup Default Configuration for Code Snippet | Creates default configuration for the Code Snippet connector. |
Setup Default Configuration for SLA Calculator | Creates default configuration for the SLA Calculator connector. |
Setup Default Configuration for SOC Simulator | Creates default configuration for the SOC Simulator connector. |
You can use the playbooks in the 12 – Training collection to provide FortiSOAR training.
Following is a table that lists the playbooks that are part of the “12- Training” collection in the Content Pack:
Name of the playbook | Description |
01 - Investigate Filehash (Manual) | This is a manually triggered playbook and the security analyst use to determine the filehash reputation. |
02 - Investigate Filehash (Semi Automated) | This is a manually triggered playbook that investigates filehash reputation using VirusTotal. |
03 - Investigate Filehash (Fully Automated) | This playbook is triggered automatically following the creation of an alert; it investigates filehash reputation using VirusTotal. |
The MITRE ATT&CK Playbook Collections demonstrate various MITRE ATT&CK Techniques.
Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™-CREDENTIAL ACCESS” collection in the Content Pack:
Name of the playbook | Description |
>> Create and Link Alerts from Hunt (Host-based) | Creates and links the alert from a host-based sensor to a Hunt. |
HUNTS - Credential Dumping (T1003) | Hunts for non-Windows processes accessing the lsass.exe process, which can be indicative of credential dumping. |
HUNTS - Credential Dumping (T1003) Part2 | Enriches LSASS.exe access information using Splunk or ElasticSearch. |
Following is a table that lists the playbooks that are part of the “13 - MITRE ATT&CK™-DEFENSE EVASION” collection in the Content Pack:
Name of the playbook | Description |
HUNTS- Deobfuscate/Decode Files or Information (T1140 | Identifies the use of Certutil or copy /b to deobfuscate data/files. |
HUNTS-DCShadow (T1207) | Hunts for execution of network traffic generated by Mimikatz module ‘DCShadow’. The network-based portion of this playbook requires network detection signatures. |
Following is a table that lists the playbooks that are part of the “13 - MITRE ATT&CK™- Modulars” collection in the Content Pack:
Name of the playbook | Description |
Create Alert from Network Sensor and Link to Hunt | Creates and links an alert from a network-based sensor to a Hunt. |
Create and Link Alerts from Asset (Host-based) | Creates and links alerts to an asset. |
Create and Link Alerts from Hunt (Host-based) | Creates and links an alert from a host-based sensor to a Hunt. |
Create and Link Indicator from Alert | Creates and links indicators when an alert is created. |
Create and Link User | Creates a user (if it doesn't exist already), and links to specified emails, alerts or incidents. |
Create Asset from Alert | Links an asset to an alert if the hostname is present. |
Create User from Alert (Host) | Retrieves incidents related to the specified alert and creates and links users to that alert. |
Deduplicate Comments (Asset) | Deduplicates comments on asset records. |
Deduplicate Comments (Hunt) | Deduplicates comments on Hunt records. |
Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PERSISTENCE” collection in the Content Pack:
Name of the playbook | Description |
HUNTS- AppInit DLLs (T1103) | Hunts for modification to AppInit DLLs registry keys. |
HUNTS- Hidden Files and Directories (T1158) | Hunts for the use of attrib.exe to hide files. |
HUNTS- Netsh Helper DLL (T1128) | Hunts for abnormal DLL loads and processes spawned by netsh.exe. |
HUNTS- Screensaver (T1180) | Hunts for use of Windows Screensaver to enable attacker persistence. It hunts for abnormal screensaver executions, processes spawned by a screensaver, and abnormal modifications to screensaver registry keys. |
HUNTS- Winlogon Helper DLL (T1004) | Hunts for abnormal DLL loads and processes spawned by Winlogon. |
Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PRIVILEGE ESCALATION” collection in the Content Pack:
Name of the playbook | Description |
HUNT- SID-History Injection (T1178) | Hunts for SID-History injection using ‘Mimikatz’ and other tools. It also hunts for SID-History added to accounts (success and failure). Adding SID-History might allow escalated privileges if SID filtering is not enabled. |
Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- PROCESS EXECUTION” collection in the Content Pack:
Name of the playbook | Description |
>ASSETS- Service Execution (Enrichment) (T1035) | Enriches service data and queries VirusTotal for filehash reputation. Queries the SIEM for all instances of any malicious hash that is observed. |
ASSETS- Service Execution (T1035) | Identifies on-OS services on a host and passes information to the next playbook for enrichment. |
HUNTS- CMSTP (T1191) | Identifies processes spawned by CMSTP.exe and creates corresponding alerts. |
HUNTS- Compiled HTML File (T1223) | Identifies processes spawned by hh.exe. |
HUNTS- Control Panel Items (T1196) | Identifies processes spawned by Control Panel files and execution of non-standard .cpl files. |
HUNTS- Dynamic Data Exchange (T1173) | Identifies processes spawned by a Microsoft Office product. |
HUNTS- InstallUtil (T1118) | Identifies processes that are executed using ‘InstallUtil’, which are run from the command line (CMD, PS, WMIC) and creates corresponding alerts. |
HUNTS- LSASS Driver (T1177) | Identifies execution of processes by loading an illegitimate LSASS driver (DLL). This technique can be used to execute a binary whenever LSASS gets executed. |
HUNTS- Mshta (T1170) | Identifies processes spawned by Mshta.exe. |
HUNTS- Regsvcs/Regasm (T1121) | Identifies processes spawned by Regsvcs and Regasm. |
HUNTS- Rundll32 (T1085) | Identifies processes spawned by rundll32.exe where the DLL that is loaded exists outside of System32/SysWOW64 or Program Files. This playbook may require additional tuning to reduce false positives. |
HUNTS- XSL Script Processing (T1220) | Detects execution of processes using XSL scripts. XSL scripts can allow a user to bypass application whitelisting by executing code through trusted OS binaries. |
Following is a table that lists the playbooks that are part of the “13- MITRE ATT&CK™- Pull-Technique-Details” collection in the Content Pack:
Name of the playbook | Description |
Link ATT&CK technique to Alert | Links MITRE ATT&CK technique to alerts based on the attack technique ID. |
You can use the playbooks in the 14 – Communications collection to automate various communication-related tasks such as sending a notification email or adding a note to a communication thread.
Following is a table that lists the playbooks that are part of the “14- Communications” collection in the Content Pack:
Name of the playbook | Description |
Add Note for Communication Linked | Adds a note stating a new communication has been linked to alert. |
Add Note for Communication Linked (Received) | Adds a note stating a new communication that was received has been linked to alert. |
Link Communication Record | Links the communication record to the corresponding alert based on the message ID. |
Link Previous Communications | Links existing communications records to create a conversation thread. |
Manual Send Notification | Sends email notification for any selected communication record that is in either “Draft” or “Sending” state to the intended recipients. |
Create Communication Record | Creates a record in the communications module and links it to an alert based off the information that is entered by the security analyst. |
Create Communication Record (Email Reply) | Creates a record in the communications module based off a reply to a received email. |
Send Notification | Sends auto-notification of any new communication record that is in the “Sending” state to the intended recipients. . |
You can use the playbooks in the 15 – Hunt - Sunburst to demonstrate the Sunburst Hunt techniques.
Following is a table that lists the playbooks that are part of the “15- Hunt - Sunburst” collection in the Content Pack:
Name of the playbook | Description |
Block Sunburst Indicators | Blocks Sunburst indicators on FortiGate and FortiEDR. |
Hunt Sunburst IOCs | Download IOCs from the threat intelligence feeds and hunt them. |
Hunt Sunburst Indicator | Performs a hunt on the specified Sunburst indicators using Splunk and FortiEDR. |
You can use the Scenario Playbook Collections to set up various scenarios in FortiSOAR such as brute force attempt, comprised credentials, etc., and demonstrate how FortiSOAR is used to respond to these scenarios.
Following is a table that lists the playbooks that are part of the “16- Scenario” collection in the Content Pack:
Name of the playbook | Description |
Generate > Brute Force Attempt | Generates an alert and corresponding task for brute force attempt. |
Generate > Compliance Alert | Generates a compliance alert. |
Generate > Device Lost/Stolen | Generates an alert for lost/stolen device. |
Generate > DLP Alert | Generates a DLP Alert and escalates it to an incident and creates a task for the same. |
Generate > FortiAnalyzer (C&C Alert) | Generates a demo incident from a FortiAnalyzer incident with the 'Command and Control' type. |
Generate > FortiAnalyzer (User login from SSH) | Generates a demo alert from a FortiAnalyzer incident for User login from SSH. |
Generate > IDS Alert | Generates an alert for Snort IDS. |
Generate > Malware Alert (Host1) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 2 and Host 3). The analyst can then decide the actions that need to be carried out in relation to the alert. |
Generate > Malware Alert (Host2) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 1 and Host 3). The analyst can then decide the actions that need to be carried out in relation to the alert. |
Generate > Malware Alert (Host3) | Creates an alert for the incidents fetched from Symantec ATP with an IOC that is similar to the IOC on other hosts (Host 1 and Host 2). The analyst can then decide the actions that need to be carried out in relation to the alert. |
Generate > PaloAlto Blocked C2 Connection Alert | Generates demo alert and task for a C2 Connection blocked by Palo Alto. |
Generate > PaloAlto Panorama Threat Alert | Generates Palo Alto Panorama Threat Alert. |
Generate > S3 Bucket Alert | Generates an alert and task for S3 Bucket Alert. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Brute Force Attack Scenario” collection in the Content Pack:
Name of the playbook | Description |
Generate > FortiSIEM (Brute Force Attack) | Generates a demo record - Brute Force Attack. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Compromised Credentials Scenario” collection in the Content Pack:
Name of the playbook | Description |
Generate > FortiSIEM (01 - Initial Access - Firewall Configuration Change - Port Forwarding) | Generates a demo alert from a FortiSIEM incident, which is created when there is a change in the firewall configuration related to port forwarding. |
Generate > FortiSIEM (02 - Initial Access - Firewall Configuration Change - Policy Change) | Generates a demo alert from a FortiSIEM incident, which is created when there is a change in the firewall configuration related to policy. |
Generate > FortiSIEM (03 - Persistence - Domain User Created) | Generates a demo alert from a FortiSIEM incident, when a domain user is created and a persistence threat is detected. |
Generate > FortiSIEM (04 - Persistence - User Password Reset) | Generates a demo alert from a FortiSIEM incident, which is created when the user password has been reset and a persistence threat is detected. |
Generate > FortiSIEM (05 - Persistence - User Added to Administrator Group) | Generates a demo alert from a FortiSIEM incident, which is created when the user password has been reset and a persistence threat is detected. |
Generate > FortiSIEM (06 - Persistence - Schedule Task) | Generates an alert from a FortiSIEM incident for ‘Persistence - Schedule Task’ scenario. Generates a demo alert from a FortiSIEM incident, which is created when the ‘Schedule Task’ scenario is executed. |
Generate > FortiSIEM (07 - Exfiltration - File Transfer) | Generates an alert from a FortiSIEM incident for ‘Exfiltration - File Transfer’ scenario. Generates a demo alert from a FortiSIEM incident, which is created when a data exfiltration event has occurred. |
Following is a table that lists the playbooks that are part of the “16- Scenario - FortiDeceptor” collection in the Content Pack:
Name of the playbook | Description |
Generate > FortiDeceptor Alerts | Generates an alert from FortiDeceptor CEF. |
Following is a table that lists the playbooks that are part of the “16- Scenario - FortiSIEM” collection in the Content Pack:
Name of the playbook | Description |
Generate > FortiSIEM (Concurrent Successful Authentications To Same Account From Multiple Countries) | Generates a demo alert from a FortiSIEM incident, which is created when concurrent successful authentications to the same account have been detected from multiple countries. |
Generate > FortiSIEM (Excessive Denied Connections) | Generates a demo alert from a FortiSIEM incident, which is created when excessive denied connections events have been detected. |
Generate > FortiSIEM (Important process down) | Generates a demo alert from a FortiSIEM incident, which is created when an important process is not running. |
Generate > FortiSIEM (Large Outbound Transfer) | Generates a demo alert from a FortiSIEM incident, which is created when large outbound transfer has been detected. |
Generate > FortiSIEM (Process Stopped) | Generates a demo alert from a FortiSIEM incident, which is created when a process has been stopped. |
Generate > FortiSIEM (Sudden Increase in System Memory Usage) | Generates a demo record for the event - Sudden Increase in System Memory Usage. Generates a demo alert from a FortiSIEM incident, which is created when a sudden increase in system memory usage has been detected. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Microsoft CASB” collection in the Content Pack:
Name of the playbook | Description |
Generate Microsoft CASB (Malware Infection) Alert | Generates a demo alert from a Microsoft CASB alert, which is created when a malware infection is detected. |
Following is a table that lists the playbooks that are part of the “16- Scenario - LogRhythm” collection in the Content Pack:
Name of the playbook | Description |
Generate > LogRhythm Alarms | Generates alerts for alarms pulled from LogRhythm during the specified duration. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Phishing Scenario” collection in the Content Pack:
Name of the playbook | Description |
Generate > Phishing Alert | Generates an alert and a corresponding task for a phishing event. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Sunburst” collection in the Content Pack:
Name of the playbook | Description |
Generate > Sunburst Alert | Generates a Sunburst alert. |
Following is a table that lists the playbooks that are part of the “16- Scenario - Symantec” collection in the Content Pack:
Name of the playbook | Description |
Generate > Symantec CloudSOC (External Filesharing Alert) | Generates an alert for Symantec CloudSOC Events. |
Generate > Symantec Email.Cloud | Generates an alert for a list of IOCs downloaded from Symantec Email.Cloud specific to a particular domain. |
There are also other various playbook collections, such as SLA Management Playbooks, System Notification and Escalation Playbooks, War Room Automation, etc., that are included by default as ‘System Fixtures’ in FortiSOAR. For more information on System Fixtures, see the FortiSOAR Administration Guide. The following tables list the various playbook collections that are part of System Fixtures.
Following is a table that lists the playbooks that are part of the “Approval/Manual Task Playbooks” collection:
Name of the playbook | Description |
Approval > Notify Owners | Sends an approval notification email to its assigned users or teams. |
Approval > Notify Updated Owners | Sends an approval notification email to the newly assigned approver. |
Manage Approval via API | Manages approvals by making API calls to the FortiSOAR endpoint. |
Manual Task > Resume Playbook | Resumes a paused workflow on the completion of the manual task. |
Following is a table that lists the playbooks that are part of the “Comment Notifications” collection:
Name of the playbook | Description |
> Comment - Send Email Notification | Fetches the email IDs of people who are tagged in the specified comment and sends them an email notification. |
Comment > Notify Mentioned/Tagged People on Comment Create | This playbook is triggered whenever a new comment record is created. This playbook sends an email notification to the people tagged in the comment. |
Comment > Notify Mentioned/Tagged People on Comment Update | This playbook is triggered whenever a comment record is updated. This playbook sends an email notification to the people tagged in the comment. |
Following is a table that lists the playbooks that are part of the “Report Management Playbooks” collection:
Name of the playbook | Description |
> Generate Incident Summary Report > Generated Report and Link to Incidents | Generates a report for the specified report ID and adds links to related incidents as a comment. |
Export Report | Generates a report for the specified report ID in the PDF format. |
Generate Incident Summary Report | Generates the incident summary report for the selected incident records. |
Generate Report from Schedule | Generates a report using the scheduler in FortiSOAR. |
Following is a table that lists the playbooks that are part of the “SLA Management Playbooks” collection:
Name of the playbook | Description |
Alert > Set Assigned Date (upon creation) | Updates the assigned date of the alert when a person is assigned to the alert. |
Alert > Set Assigned Date (upon reassignment) | Updates the assigned date of the alert when a person is reassigned to the alert. |
Alert > Set Resolved Date | Updates the resolved date of an alert when its state is marked as "Closed". |
Incident > Set Assigned Date (upon creation) | Updates the assigned date of an incident when a lead is assigned to the incident. |
Incident > Set Assigned Date (upon reassignment) | Updates the assigned date of the incident when a lead is reassigned to the incident. |
Incident > Set Resolved Date | Updates the resolved date of an incident when its state is marked as "Resolved". |
Following is a table that lists the playbooks that are part of the “Schedule Management Playbooks” collection:
Name of the playbook | Description |
Agent > Check For Missed Heartbeats | Scheduled workflow to check for missing heartbeats of agents for the configured time interval in the past. If any agent is found to be unreachable, its status is marked as “Failed”. |
Agent > Trigger Health Check | Scheduled workflow that initiates a heartbeat request from all agents on the instance. |
AuditLog Cleanup | Scheduled workflow for the cleanup of audit logs. |
Playbook execution history cleanup | Scheduled workflow for the cleanup of playbook execution history. |
Purge Integration Logs | Scheduled workflow to purge integration logs. |
Reclaim Disk Space (Playbook Logs) | Scheduled workflow to reclaim disk space of playbook execution logs. |
Following is a table that lists the playbooks that are part of the “System Notification and Escalation Playbooks” collection:
Name of the playbook | Description |
Alert > Escalate To Incident | Escalates the selected alert to an incident. |
Alert > Escalate To Incident (No Trigger) | Creates a new incident with the specified inputs and links the alert(s) to the newly created incident. |
Alert > Escalate to Incident (Link Relations) | Extracts related records and assigns them to a created incident. |
Alert > Notify Creation (Email) | Sends email notifications to the assignee about the assignment of the alert. |
Alert > Notify Creation (System) | Notifies the assignee about the assignment of the alert. |
Alert > Notify Updation (System) | Notifies the assignee about the alert updation. |
Incident > Notify Creation (Email) | Sends an email notification to the assignee about the assignment of a new incident. |
Incident > Notify Creation (System) | Notifies the assignee about the assignment of a new incident. |
Incident > Notify Updation | Notifies the assignee about the incident updation. |
Resolve Alert | Marks the specified Security Alert as closed. |
Tasks > Notify Creation (Email) | Sends an email notification to the assignee about assignment of a task. |
Tasks > Notify Creation (System) | Notifies the assignee about the creation of a task. |
Tasks > Notify Updation | Notifies the assignee about the Task updation. |
Tasks > Post-Create: Assign user owner | Sets the assigned user as the user owner of the new task. |
Tasks > Post-Update: Assign user owner | Sets the newly assigned user as the user owner of the task. |
Following is a table that lists the playbooks that are part of the “Utilities Playbooks” collection:
Name of the playbook | Description |
Link Similar Alerts | Links all selected similar alerts with the parent alert. |
Link Similar Emails | Links all selected similar emails with the parent email. |
Link Similar Incidents | Links all selected similar incidents with the parent incident. |
Link Similar Indicators | Links all selected similar indicators with the parent indicator. |
Following is a table that lists the playbooks that are part of the “War Room Automation” collection:
Name of the playbook | Description |
Cascade Ownership for Newly Linked Records | Assigns war room responders as owners in all newly linked records such as alerts, incidents, indicators, etc. |
Generate War Room Report | Generates a War Room Report and adds a link to the specific War Room record as a comment. |
Notify New Announcement | Sends an email notification to the war room owner and user owners whenever a new announcement is created. |
Notify Newly Linked Team | Sends an email notification to the new team that has been linked to the War Room record. |
Notify Newly Linked User(s) | Sends an email notification to the new users that have been linked to the War Room record. |
Send Email | This a child playbook of Send Email Notification. It sends an email notification to war room owners and user owners related to any changes in the War Room record. |
Send Email Notification | Fetches details of War Room owners and user owners and sends them an email notification related to any changes in the war room record. |
Send War Room Summary Email | Generates and sends the War Room Summary report to the response team or to specified user(s). |
Set War Room Live and Notify Responders | Updates the war room status to "Live" and sends the email notification to the responders. |
Set up War Room from Alerts | Sets up a War Room based off the selected alert(s). |
Set up War Room from Incidents | Sets up a War Room based off the selected incident(s). |
Update War Room Close Date | Updates the ‘Close Date’ of the War Room record, when its status is marked as "Closed". |
