
Simplify SOC Operations with Security Fabric Analytics and Automation
Lab Guide
FFT-FAZ-r04-1744272232
Table of contents
1. Simplify SOC Operations with Security Fabric Analytics and Automation ......................... 4
1.1. Fast Track Program ........................................................................................................... 5
1.2. Topology .............................................................................................................................. 6
1.3. Agenda ................................................................................................................................ 7
1.4. Instructions ......................................................................................................................... 8
2. Analytics and Reporting .............................................................................................................. 9
2.1. Working with Fortinet Device Logs .............................................................................. 10
2.2. Working with Fabric (SIEM DB) Logs ............................................................................ 14
2.3. FortiView ........................................................................................................................... 18
2.4. Monitors ............................................................................................................................ 20
2.5. Security Reports .............................................................................................................. 23
2.6. Creating a Custom Report .............................................................................................. 25
3. Automation with Playbooks, Connectors and Event Handlers. .......................................... 31
3.1. Basic Event Handlers and FortiGate Automation Stitches ....................................... 32
3.1.1. Create a Basic Event Handler ..................................................................................... 33
3.1.2. Create an Automation Stitch ...................................................................................... 35
3.1.3. Review the Results ..................................................................................................... 38
3.2. Correlation Event Handlers using Fabric (SIEM) Logs ............................................... 40
3.2.1. Create an Event Handler Using Fabric Logs ................................................ 41
3.2.2. Perform Brute Force Attack ........................................................................................ 44
3.2.3. Review Triggered Events ........................................................................................... 46
3.2.4. Quarantine the Endpoint with EMS Connector ........................................................... 48
3.3. Automation using Playbooks and Connectors ............................................................ 50
3.3.1. Create a Playbook ...................................................................................................... 51
3.3.2. Create a FortiOS Connector ....................................................................................... 54
3.3.3. Create an On-Demand Playbook ................................................................................ 56
3.3.4. Trigger the Playbook .................................................................................................. 58
3.3.5. Review the Incident ................................................................................................... 60
4. FortiGuard Security Services ................................................................................................... 63
4.1. FortiGuard Outbreak Detection Service ...................................................................... 64
4.1.1. Outbreak Alert Features ............................................................................................. 65
4.1.2. Outbreak Alert Event Handlers .................................................................................. 66
4.1.3. Attack The Organization's GeoServer Instance ........................................... 67
4.1.4. View the Events in FortiAnalyzer ................................................................ 69
4.1.5. Indicator Enrichment .................................................................................................. 71
4.1.6. Reporting Outbreak Alerts ......................................................................................... 73
4.2. FortiGuard's IOC Service ............................................................................... 74
4.2.1. Create an Automation Stitch ...................................................................................... 75
4.2.2. Verify the Automation Stitch is Triggered .................................................................. 77
4.2.3. Disable the Automation Stitch and Release the Quarantined Hosts ........................... 79
4.2.4. FortiView - Indicators of Compromise ........................................................................ 80
5. SOAR with FortiSOAR ................................................................................................................ 82
5.1. Using the FortiAnalyzer Connector ............................................................... 83
5.2. Alerts & Enriching Indicators with FortiGuard Connector ........................................ 87
5.3. Responding to an Alert Using FortiGate Connector to Quarantine a Host ............ 90
5.4. Verify the Host has been Quarantined ......................................................................... 93

Simplify SOC Operations with Security Fabric


Analytics and Automation Lab Guide
Page 2 of 100 Fortinet Training Institute
6. Using FortiAI - Your AI Assistant .............................................................................. 94
6.1. Investigating an IP of Interest, Creating an Incident and Running a Report ........ 95
7. Conclusion ................................................................................................................................... 99
7.1. Conclusion ....................................................................................................................... 100

1. Simplify SOC Operations with Security Fabric Analytics and Automation

Security teams around the world are struggling with the complexity of operations. Common issues include:

Too many consoles
Too many alerts
Manual and slow response
Shortage of cybersecurity personnel

The Fortinet Security Fabric provides a solution to these security challenges:

Broad visibility and control of an organization’s entire digital attack surface minimizes risk.
An integrated solution reduces the complexity of supporting multiple-point products.
Automation of security workflows increases the speed of operation.

All of these features enable an organization to maximize the impact and effectiveness of a lean security team.

FortiAnalyzer, a core part of the Security Fabric, enables teams to simplify security operations, enabling enterprises at any
stage of security operations center (SOC) maturity to smoothly integrate security visibility and automation.

Click Continue to move to the next page.

(Note: When you click Continue an initialization script will run to prepare your environment.)

1.1. Fast Track Program

Fast Tracks are free instructor-led hands-on workshops that introduce Fortinet solutions for securing your digital
infrastructure. These workshops are only an introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses
at [Link]

Click Continue to move to the next page.

1.2. Topology

Click Continue to move to the next page.

1.3. Agenda

The following is the agenda for this workshop. You do not have to do these exercises in order, nor do you need to complete
all the exercises. Please select the ones of most interest to you.

LAB   TOPIC                                                       Time (minutes)   Prerequisite
2.0   Analytics & Reporting                                       20               -
3.0   Automation with Playbooks, Connectors, and Event Handlers                    -
3.1     Basic Event Handlers and FortiGate Automation Stitches    10               -
3.2     Correlation Event Handlers using Fabric (SIEM) Logs       10               -
3.3     Automation using Playbooks & Connectors                   15               -
4.0   FortiGuard Security Services                                                 -
4.1     Outbreak Detection Service                                10               -
4.2     IOC Service                                               10               -
5.0   SOAR with FortiSOAR                                         15               -
6.0   FortiAI for FortiAnalyzer – Your AI Assistant               10               -

Click Continue to move to the next page.

1.4. Instructions

Access to all of the required devices for this Fast Track is available from the sidebar menu on the left side of the Lab Activity
tab. The sidebar organizes devices based on their location within the network topology. Some devices may have several
access methods available, and the exercises will guide you on which one to use for each activity. It is recommended that
once you access a device, that you leave its browser tab open as you will usually be returning to each device several times.
You can complete the labs in any order; however, once you start a lab by clicking Continue, you must complete it before you
can start the next lab.

Unless otherwise indicated all usernames/passwords for the various web consoles are:

Username: admin
Password: Fortinet1!

Click Continue to move to the next page.

2. Analytics and Reporting
FortiAnalyzer is a powerful log management, analytics, and reporting platform.

Any organization, whether it has deployed only a few FortiGates or hundreds, needs to log network activity and generate
reports. Logging is essential to understanding what is happening and can help identify performance and security issues.
FortiAnalyzer provides a unified, centralized logging solution not only for all Fortinet devices across the enterprise but
also for third-party devices.

Organizations also require customizable reporting and tools that help demonstrate compliance to auditors. Fortinet’s
compliance reporting support via FortiAnalyzer includes prebuilt reports for standards such as the Payment Card Industry
Data Security Standard (PCI DSS), Suspicious Activity Report (SAR), Center for Internet Security (CIS), and National Institute
of Standards and Technology (NIST). FortiAnalyzer also provides audit logging and role-based access control (RBAC) to
ensure that employees can only access the information they need to perform their duties.

FortiAnalyzer enables organizations to leverage FortiGuard Labs' threat intelligence to identify anomalies in their
network—in real time. FortiAnalyzer leverages an integrated analytics engine to correlate threat data collected throughout
the Security Fabric. Risk scoring is used to prioritize the identified anomalies and share this threat intelligence across the
Security Fabric. The Security Fabric analytics engine also powers visualization of the Security Fabric in real time. These
visualizations enable members of the IT, security, and SOC teams to identify and investigate potential threats to the network
immediately.

In this section the exercises you will complete:

Working with Fortinet Device Logs: Work with the logs ingested and indexed from Fortinet devices.
Working with Fabric (SIEM DB) Logs: Work with the logs ingested and indexed from non-Fortinet devices.
FortiView: Use the FortiView pane to see real-time and historical data used to monitor the organization's network.
Monitors: Use the Monitor view to display real-time security and performance information designed for network and
security operation centers as well as create a custom monitor.
Security Reports: Generate a Threat Report to examine the current threats discovered from the analytic logs.
Create a Custom Report: Create a custom report from the analytic logs.

Estimated time to complete: 20 minutes

Click Start to start this section.

2.1. Working with Fortinet Device Logs

In this lab, you will work with Analytics logs received from FortiGate devices.

FortiAnalyzer can collect logs from the following device types: FortiADC, FortiAnalyzer, FortiAuthenticator, FortiCache,
FortiCarrier, FortiCASB, FortiClient, FortiDDoS, FortiDeceptor, FortiEDR, FortiGate, FortiIsolator, FortiMail, FortiManager,
FortiNAC, FortiNDR, FortiPAM, FortiProxy, FortiSandbox, FortiSOAR, FortiSRA, FortiWeb, and Syslog servers.

Logs collected by FortiAnalyzer are in one of the following phases:

Real-time log: Log entries that have just arrived and have not been added to the SQL database.
Analytics logs (or historical logs): Indexed in the SQL database and online.
Archive logs: Compressed on hard disks and offline.

In this objective, you will work with Analytics Logs.

Tasks

Log on to FortiAnalyzer using the HTTPS option and select the Fabric ADOM.
Go to Log View > Logs and select the All tab.

Under All, you will see parsed, normalized, and correlated logs from Fortinet and non-Fortinet products.
To view Fortinet device logs, click on the Fortinet Logs tab. Here you will see icons for all the supported Fortinet
devices.

To view the FortiGate logs click on the FortiGate icon. Here you can see 3 sections corresponding to the three log types
FortiGate sends to FortiAnalyzer: Traffic, Security, and Event.

Traffic logs: record the traffic flowing through the FortiGate unit(s).
Security Logs: record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering,
data leak prevention, vulnerability scan, DNS, and VoIP activity on the managed devices.
Event logs: record administration management and Fortinet device system activity, these logs provide valuable
information about how the device is performing.

Click on the Security drop down and select Intrusion Prevention. Here you can see all the security events discovered
by the IPS engine.

To view more details for a log message, double-click on any entry. This opens the details panel to the right of the
message list. (Note: if you have limited screen space, the details panel may open at the bottom, below the message list.
Do not click on the username in the Source column, as this displays the endpoint information rather than the details
panel.)

From the details panel locate Event Type under the Type section. In this example, it is a botnet detection, and under
Threat the Attack Name is Emotet: these hosts are communicating with a C&C server. (Note: a later exercise uses this
log information to create an Event Handler that detects this botnet and then triggers an automation on FortiGate to
quarantine hosts communicating with this C&C server.)

Close the details panel by clicking on the X in the top right corner of the details panel.

Customizing Display Columns

The Device ID column shows the serial number of the FortiGate device, which is not very user-friendly. Change the Device
ID column to the Device Name.

From the current window click on the Gear icon.

In the Search field input device, select Device Name, unselect Device ID, and click Save as Default.

The new Device Name column appears on the far right. Select the Device Name column header and drag it in front of
the Severity column.

Filtering Messages

Let us now find the users on the FGT-ISFW device connecting to a host that we have reason to believe is malicious.

Click on the Security drop-down and select Web Filter.

Click + Add Filter icon.

From the Filters window select Device Name, select FGT-ISFW under Suggestions and press Apply.

Click + Add Filter a second time and select Host Name and input [Link] and press Enter.

Here you can see all the users making connections to the host in question. In a further exercise you will see how these
filters can be used to generate custom reports.
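The filters you just stacked in the GUI (Device Name plus Host Name, within the Web Filter security logs) are easy to reproduce against raw FortiGate logs, which are lines of key=value pairs. The following Python script is an added example, not code from the lab guide or from Fortinet. Its log lines are constructed to look like FortiGate UTM and traffic logs; the device names, serial numbers, users, addresses and hostnames in them are made up. It parses the lines, applies the same AND filter, counts the three log types, and groups botnet IPS detections by attack name and source address, which is the breakdown the FortiView Top Threats drill-down in section 2.3 gives you.

```python
"""Parse FortiGate key=value logs and apply the Log View filters from the lab.

Added example, not code from the lab guide or from Fortinet. All sample
log lines are constructed; device names, serial numbers, users, IP
addresses and hostnames are made up.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# A FortiGate log line is a run of key=value pairs; values containing
# spaces are double-quoted. The regex captures quoted and bare values alike.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [  # constructed, not captured from a real device
    'date=2025-04-10 time=09:12:01 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="utm" subtype="webfilter" level="warning" srcip=10.0.1.21 user="alice" '
    'hostname="bad.example.test" url="/payload.bin" action="blocked"',
    'date=2025-04-10 time=09:12:05 devname="FGT-EDGE" devid="FG100F0000000002" '
    'type="utm" subtype="webfilter" level="warning" srcip=10.0.2.40 user="bob" '
    'hostname="bad.example.test" url="/" action="blocked"',
    'date=2025-04-10 time=09:12:09 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="utm" subtype="webfilter" level="notice" srcip=10.0.1.22 user="lisa" '
    'hostname="www.example.test" url="/" action="passthrough"',
    'date=2025-04-10 time=09:13:00 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="utm" subtype="ips" eventtype="botnet" level="critical" srcip=10.0.1.21 '
    'dstip=203.0.113.7 dstport=8080 attack="Emotet" action="detected"',
    'date=2025-04-10 time=09:13:20 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="utm" subtype="ips" eventtype="botnet" level="critical" srcip=10.0.1.21 '
    'dstip=203.0.113.7 dstport=8080 attack="Emotet" action="detected"',
    'date=2025-04-10 time=09:13:41 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="utm" subtype="ips" eventtype="botnet" level="critical" srcip=10.0.1.23 '
    'dstip=203.0.113.7 dstport=8080 attack="Emotet" action="detected"',
    'date=2025-04-10 time=09:14:00 devname="FGT-ISFW" devid="FG100F0000000001" '
    'type="traffic" subtype="forward" srcip=10.0.1.22 dstip=198.51.100.9 '
    'dstport=443 action="accept"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def filter_logs(logs: Iterable[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Keep only logs where every requested field equals the given value
    (an AND filter, like stacked Log View filters)."""
    return [log for log in logs if all(log.get(k) == v for k, v in criteria.items())]


def count_by_type(logs: Iterable[Dict[str, str]]) -> Counter:
    """Count the FortiGate log types (traffic, utm, event) present in the set."""
    return Counter(log.get("type", "unknown") for log in logs)


def users_connecting_to(logs, devname: str, hostname: str) -> List[str]:
    """Users seen in web filter logs on one FortiGate contacting one hostname,
    i.e. the Device Name + Host Name filter applied in the lab."""
    hits = filter_logs(logs, devname=devname, subtype="webfilter", hostname=hostname)
    return sorted({log["user"] for log in hits if "user" in log})


def botnet_sources(logs) -> Dict[str, Dict[str, int]]:
    """Map each botnet attack name to {source IP: number of C&C connections},
    the same breakdown as the FortiView Top Threats drill-down."""
    per_attack: Dict[str, Counter] = defaultdict(Counter)
    for log in filter_logs(logs, subtype="ips", eventtype="botnet"):
        per_attack[log["attack"]][log["srcip"]] += 1
    return {attack: dict(counts) for attack, counts in per_attack.items()}


if __name__ == "__main__":
    parsed = [parse_fortigate_log(line) for line in SAMPLE_LOGS]
    print("log types:", dict(count_by_type(parsed)))
    print("FGT-ISFW users reaching bad.example.test:",
          users_connecting_to(parsed, "FGT-ISFW", "bad.example.test"))
    for attack, sources in botnet_sources(parsed).items():
        print(f"{attack} C&C sources:", sources)
```

The same parser works on lines taken from a FortiGate syslog feed, but field names such as eventtype and attack should be checked against the log reference for your FortiOS version before a detection depends on them.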

2.2. Working with Fabric (SIEM DB) Logs

FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products, Apache and Nginx web servers,
and the security event logs of Windows and Linux hosts (with Fabric Agent integration) as well as other product logs via
syslog. The SIEM logs are displayed in Log View > Logs > All and can be used when generating reports and when creating
event handlers (There is also a lab on this). Note these logs are also referred to as Fabric logs.

In this objective, you will review the log parsers and generate and review windows events in FortiAnalyzer. You will also
create a custom view for the Windows Event Logs.

Tasks

Log on to FortiAnalyzer using the HTTPS option and select the Fabric ADOM.
Go to Incidents & Events > Log Parsers and select the Assigned Parsers tab. Here you will see the parsers selected
for the Fortinet and 3rd party devices.

Note the non-Fortinet device, Windows, in the Application/Vendor column and the assigned parser, Windows Event
Log Parser Labs. This parser is used to map incoming Windows Events to FortiAnalyzer normalized fields.

View All Available Parsers

Click on the Log Parsers tab. Here you can see all available log parsers. Note that parsing is predefined by FortiAnalyzer
and does not require manual configuration by administrators. New and modified parsers are automatically updated with
the FortiAnalyzer monthly content packages. Administrators can also add custom parsers.

The Origin column indicates if the parser is predefined (Built-In), delivered in content packages (FortiGuard), or is
created by the administrator (Custom).

View the Windows Event Log Parser Labs

Locate and double-click the Windows Event Log Parser Labs parser to display the Log View for Windows Event Log
Parser Labs pane. This pane displays all related SIEM logs for the log parser in a table view. You can also see this by
going to Log View > Logs and applying the appropriate filter, which you will do next.

View the Fabric (SIEM) Logs

You will now view the Windows Event logs retrieved from Alice's machine and find those related to an RDP login and local
login.

Go to Log View > Logs and select the All tab.

Windows events have the Data Source Type of Windows XML Event. To select only the Windows events, with Filter
Mode selected click + Add Filter.

Input Data Source Type, click the corresponding entry to select it, then select Windows XML Event and click Apply.
(If Windows XML Event is not a selection, manually type it in and click Apply).

Customize Columns for Windows Event Logs

You will now create a Custom View. You use Custom Views to save the filter setting, device selection, and the time period
you have specified. In your case the custom view will be used to view Windows Events for all hosts.

Click on Create Custom View and Input Windows Event Logs.

You will now arrange the columns to better suit Windows events for the needs of this lab. Click on the gear in the top
right-hand corner to edit the Column Settings.

De-select Data Source ID, Event Severity, Source IP, select Logon Type, User Domain, and User Name and click
Save as Default.

Generate Login Events

Now you will generate some login events on Alice's machine. Open Alice's Machine and select the RDP option.
Once you have logged in, right-click the Command Prompt icon on the taskbar, then right-click Command Prompt in the
jump list and select Run as administrator.

When prompted for the username input Administrator and the password input Fortinet1! and click Yes.

Close the connection to Alice's machine by clicking on the Windows icon then the On/Off Icon and then select
Disconnect.

Return to FortiAnalyzer and go to Log View > Custom Views. From the Windows Event Logs tab, in the search field
input event_id = 4624.

Here you should see the logon events you just generated. The latest one is the Administrator's; its Logon Type 2
indicates a local (interactive) logon. For Alice you will see two logons: the first is Logon Type 3, a Network logon,
followed by Logon Type 10, a RemoteInteractive (Remote Desktop) logon.

Note: If for any reason you do not see these events, return to Alice's Machine, select the RDP option, and repeat the
steps. If you do this a second time the Administrator's Logon Type will be 11, as the logon will use cached credentials.

While Event ID 4624 indicates a successful logon for both Alice and the Administrator, the Logon Types differ,
distinguishing a local logon from a remote one.

You have just reviewed FortiAnalyzer's SIEM capabilities to parse and normalize non-Fortinet device logs. In a later section,
you will use these logs to set up a correlation event handler that looks for failed remote logins to another Windows
host and automatically generates an incident if they are followed by a successful login, indicating a successful brute
force attack.
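The logon-type interpretation above, and the failed-then-successful-login correlation the later section builds as an event handler, can be shown in a few dozen lines. The following Python script is an added example, not code from the lab guide or from Fortinet. Its events are constructed; the field names event_id, logon_type, user, src_ip and host are assumptions standing in for FortiAnalyzer's normalized Windows event fields, and the threshold and window are illustrative. It labels each 4624/4625 event with its logon type and raises an alert when a remote logon (type 3 or 10) to a host from one source address is preceded, within a short window, by at least a threshold number of 4625 failures from that same source.

```python
"""Interpret Windows logon events (4624/4625) and correlate a brute-force logon.

Added example, not code from the lab guide or from Fortinet. The events
are constructed; the field names are assumptions standing in for
FortiAnalyzer's normalized Windows event fields.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Logon types as documented by Microsoft for Security event 4624.
LOGON_TYPES = {
    2: "Interactive (console logon, including Run as administrator)",
    3: "Network (SMB access; also the NLA step that precedes an RDP session)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive (cached domain credentials)",
}
# Logon types that mean "someone came in over the network".
REMOTE_LOGON_TYPES = {3, 10}


def _ev(ts: str, event_id: int, logon_type: int, user: str, src_ip: str, host: str) -> Dict:
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user, "src_ip": src_ip, "host": host}


SAMPLE_EVENTS = [  # constructed; hosts, users and addresses are made up
    _ev("2025-04-10T09:00:00", 4624, 3, "alice", "10.0.1.50", "ALICE-PC"),   # NLA pre-auth
    _ev("2025-04-10T09:00:01", 4624, 10, "alice", "10.0.1.50", "ALICE-PC"),  # RDP session
    _ev("2025-04-10T09:02:00", 4624, 2, "Administrator", "127.0.0.1", "ALICE-PC"),
    # five failures from one source against BOB-PC, then a success from it
    *[_ev(f"2025-04-10T09:10:{s:02d}", 4625, 3, "bob", "10.0.5.5", "BOB-PC")
      for s in (0, 10, 20, 30, 40)],
    _ev("2025-04-10T09:10:50", 4624, 10, "bob", "10.0.5.5", "BOB-PC"),
    # two failures with no success afterwards: a typo, not a compromise
    _ev("2025-04-10T09:20:00", 4625, 3, "carol", "10.0.6.6", "CAROL-PC"),
    _ev("2025-04-10T09:20:05", 4625, 3, "carol", "10.0.6.6", "CAROL-PC"),
]


def describe_logon(event: Dict) -> str:
    """Human-readable line for one 4624 (success) or 4625 (failure) event."""
    outcome = "success" if event["event_id"] == 4624 else "failure"
    name = LOGON_TYPES.get(event["logon_type"], "unknown")
    return (f'{event["event_id"]} {outcome}: {event["user"]}@{event["host"]} '
            f'from {event["src_ip"]}, logon type {event["logon_type"]} = {name}')


def detect_brute_force(events: List[Dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert on a remote 4624 preceded, within `window`, by >= `threshold`
    4625 failures from the same source address against the same host.
    Correlating on host + source (not user) also catches a password spray."""
    ordered = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        failures = [f for f in ordered[:i]
                    if f["event_id"] == 4625
                    and f["host"] == ev["host"]
                    and f["src_ip"] == ev["src_ip"]
                    and ev["time"] - f["time"] <= window]
        if len(failures) >= threshold:
            alerts.append({"host": ev["host"], "src_ip": ev["src_ip"],
                           "user": ev["user"], "failures": len(failures),
                           "first_failure": failures[0]["time"],
                           "success": ev["time"]})
    return alerts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(describe_logon(event))
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print("ALERT possible brute force:", alert)
```

Threshold and window are the knobs a real event handler exposes: too small a threshold fires on a user mistyping a password twice, too large a window lets a slow, patient attacker through. Correlating on host and source address rather than on user name means a spray across several accounts is still caught, and the alert records which account finally succeeded.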

2.3. FortiView

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single
view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and
more. Using FortiView dashboards, you can view summaries of log data such as top threats to your network, top sources of
network traffic, and top destinations of network traffic.

Tasks

From the FortiAnalyzer Fabric ADOM go to FortiView > Threats and select the Top Threats tab.

Displayed are the threats detected on the organization’s network.


Double-click on the Emotet Threat.

Listed are all endpoints communicating with the C&C server.

Double-click on any entry to see the log view.

Displayed is the number of times the source has made a connection to the C&C Server over the past hour (the default
time frame).
In a future exercise, you will look at opening incidents to deal with these threats.

Question

Stop and Think:

FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by user ID or
local IP address, by application, and other criteria. You can use it to investigate traffic activity such as user
uploads/downloads or videos watched on YouTube on a network-wide user group or on an individual-user level.

Using the FortiView dashboards, did Lisa Dune access YouTube in the past hour?

Select the correct answer(s)

Yes

No

2.4. Monitors

Monitors are predefined dashboards designed for network and security operation centers where dashboards are displayed
across multiple large monitors. While the monitors are designed to be displayed on large monitors in an operations center,
they also provide detailed information to the security analyst. FortiAnalyzer comes with 5 pre-defined dashboards and these
provide a visual representation of the threats discovered, traffic, and performance in the organization's network.

In this exercise you will review the Threats & Events monitor, examine the Top Threats widget and drill down into the log
details. You will also have the option of creating a custom Monitor.

Tasks

Log on to FortiAnalyzer and from the Fabric ADOM go to FortiView > Threats & Events and select the Threats tab, if not
already selected. Here you can view the Threats & Events pre-defined dashboards.

The Threats monitor allows you to monitor the Top Threats to your network. In the Top Threats widget, hover the
cursor over data points to see the Threat, Threat Type, Threat Score, Threat Level, and the number of incidents
(blocked and allowed). The screenshot below shows the results when hovering over the Emotet threat.

Click on any data point in the Top Threats widget. This will take you to the events view corresponding to the data point,
including a graph showing the events over time.

Clicking on any entry will take you to the corresponding logs.

Clicking on any log will display detailed information about the log entry.
Monitors provide high-level information and allow security analysts to drill down to detailed information.

Create a Custom Monitor (Optional)

FortiAnalyzer allows users to create custom monitors to meet an organization's needs. In this exercise you will create a
custom dashboard to track the Top Threats and Top Applications used in the organization.

Go to FortiView > Custom Views.

For the Name input Top Threats & Applications, select Blank for Create from and Generic for Subtype, and click
OK.

Under Threats click Top Threats and under Applications & Websites click Top Applications and then click Save
Changes.

Your custom monitor is now available. You can optimize the layout by clicking on Edit Layout and repositioning and
adjusting the size of the widgets.

2.5. Security Reports

Analytics-powered log management from FortiAnalyzer delivers customizable reporting capabilities so organizations can
track user behavior online, assess potential threats, and intervene before harm occurs. FortiAnalyzer has many reports to
help an organization from a security, compliance, and network operations point of view.

Tasks

In this exercise, you run the threat report, which reports on malware, bots, and intrusion events.

From FortiAnalyzer, for the Fabric ADOM, go to Reports > Report Definitions, select the All Reports tab and expand
the SOC Reports group.

From the SOC Reports group select Threat Report and click Edit.

Click Settings and set Time Period to Today. Click Apply.

Note: If you click Advanced Settings, there are different customizations you can apply to the look of the report.

Click Generated Reports and click Run Report.

Once the report is ready, click PDF in the Format column.

The report opens in a new browser tab. Review the Report and then continue when finished.

2.6. Creating a Custom Report

There are many ways to create reports: you can customize an existing report or template or create one from scratch. In this
exercise, you create a report from the log views, in order to generate a custom report for compromised hosts in the
AcmeCorp organization due to the Emotet bot you located on the network.

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single
view. You can view summaries of log data in FortiView such as top threats to your network, top sources of network traffic,
and top destinations of network traffic. In this exercise, you focus on top threats.

Tasks

Go to FortiView > Threats and select the Top Threats tab.

Here FortiAnalyzer lists the top threats to the network. The following are considered threats:
Risky applications detected by application control
Intrusion incidents detected by IPS
Malicious websites detected by web filtering
Malware/botnets detected by antivirus

Double-click the entry for the threat Emotet.

Here you can see all the hosts connecting to the botnet.

Click the export icon and select Export to Report Chart.

When prompted, enter the Name Compromised_Host_Chart and for Export views, select Source and Destination.
(Note: If you entered a different name, remember it, as you will use this chart to build a report in the next section.)

Click OK.

When the export is finished, click Close.

Creating the Report

Go to the Reports > Report Definitions and from the Report dropdown select Create New.

For Name input Compromised_Host_Report, set Create from to Blank, and set Save to Folder to All Reports.

Click OK.

Click Settings and set the Time Period to Today and Devices to All Devices.

Click Apply.

Note: You can use the Enable Schedule setting to schedule the report to run every hour, day, week, or month. You can
also use the Enable Notification setting to send notifications and reports to recipients.

Click Editor, enter a heading, Hosts Compromised by Emotet and press return, and click Insert Chart.

Select Traffic from the first drop-down.

Click the second drop-down labeled Click to select.

Scroll down until you find the chart Compromised_Host_Chart (Destinations). (This is the name of the chart you
were asked to create in the last section; if you named it differently, search for the name you used.)

For Title, enter Emotet Threat Destinations and click OK.

Insert a second chart below the first. Set Chart to Compromised_Host_Chart (Sources) (again, if you named the
chart differently, search for the name you used) and Title to Emotet Threat Sources, and click OK.

Click Apply.

Click Generated Reports and click Run Report.

Once the report is ready, click PDF in the Format column.

You should now see your custom report displayed in a new tab. Close the tab when you are finished reviewing it.

3. Automation with Playbooks, Connectors and Event Handlers
Due to limited resources, organizations must automate security and network operations as much as possible. FortiAnalyzer
offers powerful automation capabilities through playbooks, connectors, and event handlers, enabling security teams to
streamline incident response and improve overall security posture.

Playbooks are automated workflows that define a sequence of actions to be taken in response to specific events or
incidents. They allow you to automate repetitive tasks, such as incident investigation, threat containment, and reporting.
Playbooks are triggered by events, incidents, schedules, or on-demand.

Connectors enable FortiAnalyzer to integrate with other systems and devices, allowing for the exchange of data and the
execution of remote actions.

Event handlers are rules that define how FortiAnalyzer responds to specific log events. They allow you to filter, correlate,
and prioritize events, and trigger automated actions based on predefined criteria.

How They Work Together for Automation:

Event handlers detect specific events in log data.
These events can trigger playbooks.
Playbooks use connectors to interact with other systems and devices, automating security actions.

FortiAnalyzer's playbooks, connectors, and event handlers work together to create a powerful automation framework that
enhances security operations and incident response.

In this section, you will perform the following exercises:

Automation using Basic Event Handlers and FortiGate Automation Stitches to Quarantine Endpoints
Correlation Event Handlers Using Fabric (SIEM) Logs to Detect Successful RDP Brute Force Attack
Automation using Playbooks and Connectors to Create and Enrich an Incident as well as Quarantine Endpoints

Estimated Time to Complete 35 minutes.

3.1. Basic Event Handlers and FortiGate Automation Stitches

Basic Event Handlers and FortiGate Automation Stitches

FortiAnalyzer uses event handlers to determine what events are generated from logs. There are two types of event handlers,
basic and correlation. For basic event handlers, an event is generated when one of the rules in the event handler is met. For
correlation event handlers, an event is generated when a set of rules are met in a correlation sequence.

In this exercise, you will create a custom basic event handler in FortiAnalyzer to detect hosts making connections to the
Emotet C&C server. You will then create an automation stitch on FortiGate using this event handler as a trigger. The action
that will be performed is to add the host to the user quarantine list using a CLI command.

Estimated time to complete 10 minutes.

3.1.1. Create a Basic Event Handler

You will first create the Basic Event Handler in FortiAnalyzer.

Tasks

Create a FortiGate Event Handler

Log on to FortiAnalyzer and from the Fabric ADOM go to Incidents & Events > Event Handlers. Click Create New.

Fill in the Add New Basic Event Handler window with the following information:
Status: Toggle OFF
Name: Emotet_Event_Handler
Event Handler Type: select Basic
MITRE Tech id: select T1584.005
Automation Stitch: Toggle ON

Click Add New Rule.

Fill in the Add New Rule window with the following information:

Name: Rule-1
Event Severity: select High
For Choose Your Logs:
Log Device Type: select FortiGate
Log Type: select IPS(ips) from the dropdown menu.
Log Field: select Source Endpoint (endpoint) from the dropdown menu.
For Refine Your Logs:
Log Filters:
Log Field: select Attack Name (attack)
Match Criteria: Equal To
Value: Emotet
Advanced Setting:
Tags: C&C, Botnet (input each tag and press enter)
Indicators (click on the + icon):
Log Field: select Source IP
Indicator Type: select IP
Count: Select 1

Click OK to save the new rule.

Click OK to save the Basic Event Handler.

3.1.2. Create an Automation Stitch

Now that you have created the event handler, you will logon to the root FortiGate in the Security Fabric and create an
automation stitch. The automation stitch will use the event handler you created as a trigger.

Tasks

Create an Automation Stitch

Log on to FGT-EDGE using the HTTPS option.

Go to Security Fabric > Automation.
Click Create New.
For the Name enter Emotet_Botnet_Handler.
Under Stitch, click Add Trigger and then click Create from the slide-out window.

Select FortiAnalyzer Event Handler under Security Fabric.

For the Name input Emotet_Trigger and select Emotet_Event_Handler from the drop-down menu for the Event
handler name and click OK.

Highlight the newly created trigger and click Apply.

You should now see the Emotet_Trigger trigger under Trigger.

Click Add Action and then click Create from the slide-out window.

Under General select CLI Script.

For Name enter Add-To-Compromised-Host-List.

For the Script paste in the following:


diagnose user banned-ip add src4 %%[Link]%% 300 admin

For the Administrator profile select super_admin from the drop-down menu.

Toggle On Execute on Security Fabric.

Click OK.

Highlight the newly created Action and click Apply.

Click OK.

You should see the following with the Last Trigger Time column currently empty:

3.1.3. Review the Results

Tasks

Review the Results

Return to FortiAnalyzer, go to Incidents & Events > Event Handlers, and from the Event Handlers tab
double-click Emotet_Event_Handler to edit it.

Toggle the Status ON and click OK.

Wait a few minutes and confirm that some events have been generated. Events are generated when the Events column is
populated. (Note: to refresh the page you can hit F5)

Return to FGT-EDGE, Security Fabric > Automation, and confirm that the Last Trigger Time Column is populated
indicating the stitch has been triggered (Note: It may take a few minutes for the stitch to be triggered).

Go to Dashboard > Assets and Identities.

Hover over the Quarantine widget and select Expand it to full screen.

Here you will see all the hosts quarantined by the stitch.

Disable the Stitch

Important: Please make sure to disable the automation stitch so it will not impact other labs.

Return to FGT-EDGE and Security Fabric > Automation.

Select the Emotet_Trigger automation stitch and from the Set Status drop-down select Disable.

Releasing the Quarantined IPs

The quarantined IPs will be automatically released after 5 minutes of being quarantined, so you should not need to remove
them.

3.2. Correlation Event Handlers using Fabric (SIEM) Logs

Correlation Event handlers using Fabric (SIEM) Logs

Event handlers use logic to determine what events are generated from logs. A Basic Event Handler generates an event when
one rule is triggered. A Correlated Event Handler generates an event when a set of rules are met.

In this section you will create a Correlated Event Handler to generate an event when a brute force attack against
an exposed RDP service is successful.

Estimated time to complete 10 minutes.

3.2.1. Create an Event Handler Using Fabric Logs

You will now create an event handler with two rules. The first rule looks for multiple failed network logon requests for RDP
attempts. The second rule will look for a successful login. The correlation rule will be triggered if the second rule occurs
after the first. The first rule involves looking for Windows Logs events with an Event ID 4625 and Login Type 3. The second
rule looks for Event ID 4624 indicating a successful login.

TASKS

Return to FortiAnalyzer and from the Fabric ADOM go to Incidents & Events > Event Handlers and from the Event
Handlers tab click Create New.

For the Name input Detect Successful Brute Force RDP Logon.
For the Event Handler Type select Correlation.
For the Mitre Tech ID, click Click to select and input 1110 and select T1110 Brute Force, and click OK.

Toggle ON Automatically Create Incident.


Under Correlation Sequence click + to Add New Rule.

For Name input Rule-1.


Under the Choose Your Logs section:
For Log Device Type select Fabric from the drop-down and leave the Log Type as Normalized Log.
In the Log Field select Endpoint from the drop down.

Under the Refine Your Logs section:
For Log Filters select All Filters.
For Log Field, select Event ID from the drop-down; for Match Criteria, leave Equal To; for Value, input 4625. Under
Action, click + to add a new line.
For Log Field, select Logon Type from the drop-down; for Match Criteria, leave Equal To; for Value, input 3.

Under the Define Event Conditions section, input A group contains 25 or more occurrences.

Click OK to save the rule.


Click on the + to add a second rule.

For Name input Rule-2.


Under the Choose Your Logs section:
For Log Device Type select Fabric from the drop-down and leave the Log Type as Normalized Log.
In the Log Field select Endpoint from the drop down.

Under the Refine Your Logs section:
For Log Filters select All Filters.
For Log Field, select Event ID from the drop-down; for Match Criteria, leave Equal To; for Value, input 4624.

Under the Define Event Conditions section, input A group contains 1 or more occurrences.

Click OK to save Rule-2.
You should now see the following:

Under Correlation Criteria click the + icon. The following correlation rule should automatically be configured.

Under Handler Settings:


For Event Message enter Successful login during Brute Force Attack.
For Event Severity select High.

Click OK.
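The correlation logic you just configured, as an added example that is not FortiAnalyzer's own code: a small Python model of Rule-1 (Event ID 4625, Logon Type 3, 25 or more occurrences), Rule-2 (Event ID 4624), and the sequence requirement that Rule-2 fires on the same endpoint after Rule-1 has reached its threshold. The normalized log records, the attacker IP, and all host names other than SRV-DMZ-WS-A2 are constructed; the simple "Rule-2 after Rule-1 threshold" ordering is an assumption, since the product's correlation windows are not modelled here.

```python
# Added illustration of the "Detect Successful Brute Force RDP Logon" correlation
# handler. Not FortiAnalyzer code; sample logs below are constructed.
from collections import defaultdict
from dataclasses import dataclass

FAILED_LOGON_EVENT_ID = 4625    # Rule-1: an account failed to log on
SUCCESS_LOGON_EVENT_ID = 4624   # Rule-2: an account was successfully logged on
NETWORK_LOGON_TYPE = 3          # Rule-1 also requires Logon Type 3 (network logon)
RULE1_MIN_OCCURRENCES = 25      # "A group contains 25 or more occurrences"


@dataclass(frozen=True)
class NormalizedLog:
    """Subset of a Fabric normalized Windows event (constructed fields)."""
    ts: int         # arrival order (constructed)
    endpoint: str   # Log Field chosen in both rules: events are grouped by endpoint
    event_id: int
    logon_type: int
    src_ip: str
    user: str


def rule1_matches(log: NormalizedLog) -> bool:
    """Rule-1 log filter with 'All Filters': Event ID == 4625 AND Logon Type == 3."""
    return log.event_id == FAILED_LOGON_EVENT_ID and log.logon_type == NETWORK_LOGON_TYPE


def rule2_matches(log: NormalizedLog) -> bool:
    """Rule-2 log filter: Event ID == 4624."""
    return log.event_id == SUCCESS_LOGON_EVENT_ID


def correlate(logs):
    """Correlation sequence (assumed ordering): a Rule-2 match on an endpoint
    generates one event only if that endpoint already reached the Rule-1
    threshold. One event per endpoint, mirroring the group-by-endpoint view."""
    failures = defaultdict(int)   # Rule-1 occurrences per endpoint group
    events = {}
    for log in sorted(logs, key=lambda entry: entry.ts):
        ep = log.endpoint
        if rule1_matches(log):
            failures[ep] += 1
        elif rule2_matches(log) and failures[ep] >= RULE1_MIN_OCCURRENCES and ep not in events:
            events[ep] = {
                "message": "Successful login during Brute Force Attack",  # Event Message
                "severity": "High",                                       # Event Severity
                "mitre_tech_id": "T1110",
                "endpoint": ep,
                "failed_attempts": failures[ep],
                "src_ip": log.src_ip,
                "user": log.user,
            }
    return list(events.values())


def build_sample_logs():
    """Constructed sample stream. Only SRV-DMZ-WS-A2 should generate an event:
    30 failed network logons followed by a success. The other hosts show the
    negative cases: success before the failures, too few failures, and
    interactive (Logon Type 2) failures that Rule-1 ignores."""
    attacker = "203.0.113.77"   # constructed (TEST-NET-3), not a lab address
    seq = []                    # (endpoint, event_id, logon_type, src_ip, user)
    seq += [("SRV-DMZ-WS-A2", 4625, 3, attacker, "administrator")] * 30
    seq += [("SRV-DMZ-WS-A2", 4624, 3, attacker, "administrator")]
    seq += [("SRV-DMZ-WS-B1", 4624, 3, attacker, "administrator")]   # wrong order
    seq += [("SRV-DMZ-WS-B1", 4625, 3, attacker, "administrator")] * 40
    seq += [("SRV-DMZ-WS-C3", 4625, 3, attacker, "guest")] * 10      # below threshold
    seq += [("SRV-DMZ-WS-C3", 4624, 3, attacker, "guest")]
    seq += [("SRV-DMZ-WS-D4", 4625, 2, "192.0.2.10", "bob")] * 30     # not type 3
    seq += [("SRV-DMZ-WS-D4", 4624, 2, "192.0.2.10", "bob")]
    return [NormalizedLog(t, *fields) for t, fields in enumerate(seq)]


if __name__ == "__main__":
    for event in correlate(build_sample_logs()):
        print(event)   # one event, for SRV-DMZ-WS-A2 with 30 failed attempts
```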

3.2.2. Perform Brute Force Attack

You will now perform a brute force attack against a Windows machine, on AcmeCorp's network, that has the RDP service
exposed.

As the attacker you have done a port scan and found port 3333 open on AcmeCorp's firewall with Microsoft terminal
services (RDP, remote desktop) running; this isn't the default port for RDP. Most likely this has been set up for an
administrator to remotely access some internal host.

TASKS

To perform the attack, access the Kali host and select the RDP option.
Click the Terminal Emulator to start a terminal shell.

Input the following command: crowbar -s [Link]/32 -b rdp -p 3333 -u administrator -C [Link] -v

When the command runs you should see the following, indicating that the brute force attack was successful and the
attacker was able to authenticate using the administrator's account.

View the Events in FortiAnalyzer

Return to FortiAnalyzer and from the Fabric ADOM go to the Custom View you created earlier (or if you did not create
one go to Log View > Logs and from the All tab click Add Filter and input Data Source Type and then select
Windows XML Event and click Apply).

From the Custom View, input event_id="4625" (note that event_id is case sensitive). (If you did NOT create a Custom
View earlier, then from Log View > Logs click Add Filter a second time, input Event ID, select
=, input 4625, and click Apply.)

If you did NOT create a custom view earlier, you can now arrange the columns to better suit Windows events for the
needs of this lab. Click on the gear in the top right hand corner to edit the Column Settings.

De-select Data Source ID, Event Severity, and Destination IP; select Logon Type, User Domain, and User Name; and
select Save as Default.

Here you can see the multiple failed network logon attempts.

You can also see the source IP for the attacker.


If you add an OR search with event_id="4624" (the Event ID for a successful login) you should see 1 additional log entry.

3.2.3. Review Triggered Events

You will now review the event generated by the Correlation Event Handler.

Tasks

Return to FortiAnalyzer and from the Fabric ADOM continuing from Incidents & Events > Event Handlers on the
Event Handlers tab, for the Event Handler "Detect Successful Brute Force RDP Logon" you should see the Events
column populated with 1 (you may need to refresh the page).

Click on the 1 in the Events column. This will bring you to the Event Monitor page with a filter for the current event
handler. The event is grouped by the endpoint name, [Link], which was what you configured
in the Event Handler's rules.

View the Incident

The Event Handler was configured to create an Incident. To view the Incident, go to Incidents & Events > Incidents.
Your view may be different depending on previous exercises, however, you should see a new incident with the name
starting with "Detect Successful Brute Force RDP Logon".
Double-click on the entry to open the Incident for analysis.

Here you can see all the information on the event and the host in question. The Incident Analysis page includes widgets
such as Incident Summary, Affected Endpoint/User, Incident Timeline, and more.

Notice that two playbooks were executed when this incident was created, one playbook was used to get the Vulnerabilities
for the host and the other to retrieve the Software Inventory List.

The output from these playbooks can be seen in the Software and Vulnerabilities widgets.

3.2.4. Quarantine the Endpoint with EMS Connector

Quarantine Endpoint

You have decided to isolate this host until the incident has been verified and resolved. This host currently has FortiClient
running and FortiAnalyzer has the EMS Connector installed.

The EMS Connector allows you to perform actions such as quarantining the endpoint directly from FortiAnalyzer.

TASKS

Continuing from FortiAnalyzer and the Fabric ADOM, from the Incidents & Events > Incidents page, double-click on
the event named "Detect Successful Brute Force RDP Logon: Successful Login during Brute Force Attack" if it is
not already opened from the last task.
Click on the Quarantine button.

The Endpoint and Connector fields should automatically be populated. Click OK.

You should see the green banner pop up.

Go to Incidents & Events > Automation and select the Playbook Monitor tab. Here you should see the playbook,
Quarantine Endpoint by EMS has been successfully completed.

Review Endpoint Status in FortiClient EMS

Log on to FortiClient EMS using the HTTPS option.


Go to Endpoints > All Endpoints and in the top banner, you should see the Quarantine Widget with the number 1.

Click on the Quarantined Widget. This will take you to the SRV-DMZ-WS-A2 endpoint. If you click on this entry, it will
expand the information for this endpoint. You will see the status showing it is Quarantined.

Unquarantine Host

Unquarantine the host for further labs.

Go to Endpoints > All Endpoints, select the host SRV-DMZ-WS-A2, click on the Actions drop-down, and select
Unquarantine.

You should see the Quarantine Widget update to 0.

3.3. Automation using Playbooks and Connectors

Automation using Playbooks and Connectors

FortiAnalyzer enables analysts to automate SOC tasks through Playbooks. Playbooks are made up of triggers and tasks.
Triggers determine when a playbook is to be executed and are always the first step in a playbook. Tasks are automated
actions that take place on FortiAnalyzer or devices with configured connectors.

Connectors are used by tasks to perform actions. The following connectors are available:

FortiOS, Local (FortiAnalyzer), FortiGuard, FortiClient EMS / FortiClient EMS Cloud, FortiMail, FortiCASB, FortiAuthenticator,
FortiWeb, FortiSandbox, ServiceNow, Slack, MS Teams, Generic webhook, VirusTotal

Connectors can be used for automation in playbooks, and each enabled connector displays a set of predefined actions to be
used within playbooks.

In this exercise, you will create two playbooks. The first playbook will be used to automatically create an incident based on a
trigger. As part of the playbook, tasks automatically attach relevant events and a report to the incident. The second
playbook invokes a FortiOS connector to quarantine the host.

Estimated time to complete: 15 minutes.

3.3.1. Create a Playbook

Tasks

Create a Playbook

From FortiAnalyzer, select the Fabric ADOM and go to Incidents & Events > Automation; from the Playbook tab
click Create New.

Select the Critical Intrusion Incident template. You will customize this playbook as opposed to creating one from
scratch. (note: make sure to choose the Critical Intrusion Incident playbook)

When the playbook editor opens click on the playbook’s title field and change the name to Botnet Host Incident and
press Enter.

Click on the description and edit it to read Playbook to create incident on FortiAnalyzer for detected
botnet communication and press Enter.

When a playbook template is selected, the playbook designer window is automatically populated with a trigger and one or
more tasks. In this exercise, you configure the trigger filter condition and tasks to customize the playbook.

Hover your mouse over EVENT_TRIGGER and click the Edit icon. (Note: if the edit window doesn't open, refresh your
browser by pressing F5.)

From the drop-downs, select Basic Handler Name, Equal To, and Custom_Event_Handler (this handler has
been created for you and you will enable it shortly).

Delete the second entry by clicking on the trash icon. Click Save.

Once the playbook is triggered from the event handler, 3 tasks will be started, RUN_REPORT, GET_EVENTS, and
CREATE_INCIDENT. Some of these tasks need to be configured.

Hover over the RUN_REPORT task and click the Edit icon.

For the Report select the Threat Report from the dropdown, for the Time Period select Today, for Devices select All
Devices and click OK. Click OK.

Hover over the GET_EVENTS task and click the Edit icon. For Description, remove "in IPS events". Here you can see that
FortiAnalyzer will then retrieve the events for the endpoint in question, retrieved from trigger, ${[Link]}, over the
last 7 days for Event Type equal to IPS. Delete the Event Type == IPS, by clicking on the Trash icon, to retrieve all the
Event Type logs. Click OK.

Hover over the CREATE_INCIDENT task and click the Edit icon.

For Incident Name click the A icon and input, Botnet Communication. Update the Description to Emotet botnet
communication detected, for Mitre Information select Playbook Starter and mitre_info from their respective drop-
downs. Click OK.

The next two tasks attach the events and the report to the incident and do not need to be modified.

Click Save Playbook.

3.3.2. Create a FortiOS Connector

The FortiOS connector is added after the first FortiGate has been authorized. The actions available via the FortiOS
connectors are determined by automation rules configured on each FortiGate. Automation rules using the Incoming
Webhook trigger must be created in FortiOS before they are available as connector actions.

Tasks

Viewing the FOS Connectors

From FortiAnalyzer go to Incidents & Events, select the Active Connectors tab, and click on devices connected
found on the FortiOS Connector. (Note: there is a GUI bug, which is being fixed in the next release, where the FortiOS
Connector shows as not connected when it actually is. If you toggle on/off any other connector, for example the FortiClient
EMS connector, this will update the FortiOS Connector status.)

Here you can see that no automation rules have been configured yet. Click Close.

Create an Automation Stitch

Access FGT-EDGE using the HTTPS option. Log in with: username: admin password: Fortinet1!

Go to Security Fabric > Automation. Click Create New.

For the Name enter Quarantine_Compromised_Host_2

Under Stitch, click Add Trigger and click Incoming Webhook Call from the slide-out window, and then click Apply.

Click Add Action and select IP_Ban.

Click OK to save the stitch.

You should see the following:

Review the FortiOS Connector

Return to FortiAnalyzer and from the Fabric ADOM go to Incidents & Events, select the Active Connectors tab, and
click on devices connected found on the FortiOS Connector. (Note: It may take a few minutes for it to appear, you will
have to refresh the screen by pressing F5).

Click Close.

3.3.3. Create an On-Demand Playbook

Tasks

Create a Second Playbook

From FortiAnalyzer for the Fabric ADOM, go to Incidents & Events > Automation, from the Playbook tab click
Create New.

Select Quarantine Endpoint by FortiOS template.

When the playbook editor opens, click on the playbook's title field and change the name to Quarantine Endpoint by
FortiOS.

Click on the description and edit it to read “Playbook to quarantine endpoint by FOS Connector using
Endpoint IP and Device ID”.

When this playbook template is selected, the playbook designer window is automatically populated with a trigger and one
task. In this exercise, you leave the trigger filter condition as on-demand as you will run it from the analysis window.

Hover your mouse over WebHook and click the Edit icon.

For the Device select FGVM01TM19002139; from the Automation drop-down select the Incoming Webhook Call
trigger from the stitch you created earlier; for Device ID select FGT-EDGE(FGVM01TM19002139); for the script click
the A icon and input ${[Link]}. Click OK.

Click Save Playbook.

From the Incidents & Events > Automation > Playbook, you can view the two configured playbooks.

3.3.4. Trigger the Playbook

The playbook is triggered when the Custom_Event_Handler generates an event. This handler is currently disabled; you will now
enable it.

Tasks

Turn on the Custom Event Handler

From FortiAnalyzer go to Incidents & Events > Event Handlers, select Custom_Event_Handler, and from the
More dropdown select Enable.

Verify the Event Handler has been Triggered

Refresh Incidents & Events > Event Handlers and verify that the handler has been triggered. (It is triggered if the
Events column is 1 or greater; it may take a few minutes, so click on Incidents & Events > Event Handlers every few
seconds until you see an event.)

Once you see an Event, disable the Custom_Event_Handler by selecting it and selecting Disable from the More
dropdown list.

Go to Incidents & Events > Automation and select the Playbook Monitor tab. Here you should see that the status is
running or Success. (It may take a few minutes for the playbook to appear)

Double click on any entry to see the Playbook Tasks. Here you will see the status of each task in the playbook.

Click Cancel.

3.3.5. Review the Incident

Incidents are created to track and analyze events. In this exercise, you automatically create one, but they can also be
manually created from events. Incidents contain event details, as well as information and actions helpful for administrator
analysis. From the incident's analysis page, administrators can assign incidents, view audit history, manage attached
reports, events and comments, and run playbooks.

Tasks

Reviewing the Incident

From FortiAnalyzer using the Fabric ADOM, go to Incidents & Events > Incidents, select the first incident with the
Name of Botnet Communication, and double-click it to go to Incident Analysis.

Review the incident and notice how the Events and Reports section has been populated by the playbook. (note: it may
be different in your case from the screenshot)

You can now quarantine the host with the playbook configured earlier. Click Execute Playbook.

Select Quarantine Endpoint by FortiOS and click Run.

Input the epip (the endpoint IP) associated with this event and click OK. (Note: it may be different in your case from the
screenshot.)

You should see a blue banner stating Started Playbook Quarantine Endpoint by FortiOS.

The Playbook Tasks window will open; you should shortly see a Status of Success. Click Cancel to close the task window
and click Close to close the Select Playbook to Run window.

Remaining on the Incident Analysis page, click the Refresh button in the top right hand corner. Now locate the
Executed Playbooks widget. This is where you will see the executed playbooks for this incident.

Verify the host has been quarantined

Return to FGT-EDGE.
Go to Dashboard > Assets & Identities and click on the Quarantine widget.

Here you should see the endpoint in question on the Banned IP list indicating the playbook using the FortiOS connector
has been successful.

Click Remove All to remove the host from quarantine in order not to impact other exercises.

4. FortiGuard Security Services
FortiGuard Labs offers services covering the NIST Cybersecurity Framework's 5 areas: Protect, Detect, Respond, Recover, and
Identify. The following services and subscriptions are used by FortiAnalyzer.

FortiGuard Outbreak Detection Service delivers automated content package downloads for detecting the latest
malware, including a summary of outbreaks and kill chain mapping for how the malware works. The package includes a
FortiGuard Report for the outbreak, an Event Handler, and a Report Template to detect outbreaks.

FortiGuard Indicators of Compromise Service empowers security teams with forensic data from 500 000 IOCs daily.
Used in combination with FortiAnalyzer analytics, it identifies suspicious usage and artifacts observed on the network or in an
operating system that have been determined with high confidence to be malicious infections or intrusions, and supports
historical rescans of logs for threat hunting.

OT Security Service provides security teams with advanced OT analytics, risk and compliance reports, OT event handlers,
and use-case correlation rules.

Security Rating and Compliance Service helps security teams design, implement, and maintain their security posture,
and provides actionable configuration recommendations as well as key performance and risk indicators.

Security Automation Service subscription enables further automation for incident response with enhanced monitoring
and escalation, built-in incident management workflows, connectors, playbooks, and more.

In this section, you will have a lab on the Outbreak Detection Service and the Indicators of Compromise Service.

Estimated time to complete: 20 minutes.

4.1. FortiGuard Outbreak Detection Service

Automation using Outbreak Alerts

When a cybersecurity incident/attack/event occurs that has large ramifications for the cybersecurity industry and affects
numerous organizations, FortiGuard Outbreak Alerts will be the mechanism for communicating important information to
Fortinet’s customers and partners.

These Outbreak Alerts will help the security analyst understand what happened, the technical details of the attack, and how
organizations can protect themselves from the attack and others like it.

The Alert will include:

Details of the attack, including timeline, technology affected, and where applicable patches/mitigation recommendations can be found
Recommended Fortinet products that would break the attack sequence, and threat hunting tools to help you determine if you were affected
Additional related research from FortiGuard Labs

The Fortinet FortiGuard Outbreak Alerts are organized according to the NIST Cybersecurity Framework: Identify, Protect,
Detect, Respond, and Recover.

In this exercise, you will act as a threat actor and attack the organization's Web Application, and then you will switch hats
and as the security analyst use the Outbreak Alert to understand the attack.

Estimated time to complete: 10 minutes.

4.1.1. Outbreak Alert Features

TASKS

View Outbreak Alerts

Log on to FortiAnalyzer using the HTTPS option and select the Fabric ADOM.
Go to Incidents and Events > Outbreak Alerts.

Here you will see all the Outbreak Alerts published by FortiGuard. (You can also see the Outbreak Alerts by going directly to
[Link])

In the search field input GeoServer and double-click on the GeoServer RCE Attack to review its Outbreak Alert.

Here you will see the published Outbreak Alert for the vulnerability affecting GeoServer. The Outbreak Alert is broken
down into 5 sections: Overview, Analysis, Solutions, Threat Intelligence, and References.

Click on the Solutions tab; you will see the FortiGuard Services and corresponding Fortinet products mapped to the 5 stages
of the NIST Cybersecurity Framework.

You will now exploit this vulnerability on a Web Server running in AcmeCorp's environment.

4.1.2. Outbreak Alert Event Handlers

The Outbreak Alerts Service includes Event Handlers used to identify anomalies in the logs related to the outbreak. You will
now examine the Event Handler for the GeoServer RCE Attack.

TASKS

From FortiAnalyzer, using the Fabric ADOM, go to Incidents & Events > Event Handlers and from the Event
Handlers tab search for GeoServer. Select the Outbreak Alert - GeoServer RCE Event-Handler - Labs event
handler. (This is a clone of the original event handler with some modifications for this exercise.) Click Edit.

Here you will see that:

The Event Handler is enabled.
An incident will automatically be created when this event handler is triggered.
There are 3 rules which can trigger an event.

Question

Which of the following FortiGate logs does the Event Handler monitor for events?

IPS

Antivirus

DNS

4.1.3. Attack The Organization's GeoServer Instance

You are now going to take on the role of a threat actor and launch an attack against the organization's GeoServer instance.
You will use Metasploit, a popular tool used to discover and exploit vulnerabilities. Metasploit contains an exploit for the
GeoServer vulnerability that allows an attacker to gain remote access to a server running a vulnerable instance of
GeoServer.

TASKS

Access the Kali host and select the RDP option.

Go to Applications > Exploitation Tools > Metasploit.

When prompted, input the password “Fortinet1!”

From the msf6> prompt input resource /home/kali/.msf4/[Link] and press Enter.

You should see the following output, indicating the attack has been successful; a Meterpreter session should now be
open between the attacker’s machine (Kali host) and the GeoServer host.

From the Meterpreter shell run the command sysinfo to see the host's system information, and getuid to determine
the privileges the backdoor is running under, which are now the privileges the attacker has on the system.

The attacker is now inside the organization and has control over the web server running the vulnerable GeoServer
software.

4.1.4. View the Events in FortiAnalyzer

TASKS

Return to FortiAnalyzer and go to Incidents & Events > Event Handlers and select the Event Handlers tab. Find the
event handler named _Outbreak Alert - GeoServer RCE Event-Handler - Labs and click on the 1 hyperlink under the
Events column.

You will be redirected to Incidents & Events > Event Monitor with the filter triggername="_Outbreak Alert -
GeoServer RCE Event-Handler - Labs" AND handler_type="basic" applied.

Here you can see the 1 event associated with the attack you performed from the Kali host. Click on the + icon in front of
[Link] to expand the entry.

Double-click on the event Attack [Link] detected. This will bring up the
corresponding log that triggered the event. Double-click on the log entry to access and review the log details.

Click the X in the upper right corner when you have finished reviewing the details.

4.1.5. Indicator Enrichment

Indicators are possible signs of an attack and can be used to find other threats on the network. Indicators can be extracted
from logs via Event Handlers.

In this lab, you will examine the indicator extracted by the GeoServer Event Handler and use the FortiGuard connector to
evaluate it. This operation is known as enrichment. The indicator enrichment feature empowers security analysts by
providing them with comprehensive threat intelligence on identified IP addresses, domains, and URLs. This enriched context
allows for a deeper understanding of security incidents, leading to more informed and effective response decisions.
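The two mechanisms described in 4.1.2 and here (an event handler whose rules match FortiGate logs and auto-create an incident, and the extraction and enrichment of the indicator found in the matching log) can be modelled end to end. The following is an added example, not FortiAnalyzer's own code: the log lines, the attack name, the rule definitions and the threat-intelligence table are all constructed for illustration.

```python
"""Mini model of a FortiAnalyzer-style event handler: parse FortiGate
key=value logs, apply rules, raise events, extract indicators and enrich
them against a threat-intelligence table. Added example, not Fortinet code."""
import re
from dataclasses import dataclass, field

# FortiGate log syntax is key=value with either bare or double-quoted values.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> dict:
    """Turn one FortiGate log line into a {field: value} dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


@dataclass
class Rule:
    """One event-handler rule: log type/subtype plus a regex on a field."""
    name: str
    log_type: str
    log_subtype: str
    field_name: str
    pattern: str

    def matches(self, log: dict) -> bool:
        return (log.get("type") == self.log_type
                and log.get("subtype") == self.log_subtype
                and re.search(self.pattern, log.get(self.field_name, "")) is not None)


@dataclass
class Indicator:
    kind: str                  # "ip", "domain" or "url"
    role: str                  # log field it came from, e.g. "srcip"
    value: str
    verdict: str = "unknown"   # filled in by enrichment


@dataclass
class Event:
    handler: str
    rule: str
    log: dict
    indicators: list = field(default_factory=list)
    incident_created: bool = False


@dataclass
class EventHandler:
    """Mirrors the lab handler: enabled, auto-creates an incident, several rules."""
    name: str
    rules: list
    enabled: bool = True
    auto_incident: bool = True
    indicator_fields: tuple = ("srcip",)   # the lab extracts the source IP

    def run(self, lines) -> list:
        events = []
        if not self.enabled:
            return events
        for line in lines:
            log = parse_log(line)
            for rule in self.rules:
                if rule.matches(log):
                    ev = Event(self.name, rule.name, log,
                               incident_created=self.auto_incident)
                    ev.indicators = [Indicator("ip", f, log[f])
                                     for f in self.indicator_fields if f in log]
                    events.append(ev)
                    break          # one event per matching log line
        return events


# Constructed threat-intelligence table standing in for the FortiGuard
# enrichment connector; real verdicts change over time.
THREAT_INTEL = {"203.0.113.10": "malicious"}


def enrich(indicator: Indicator, intel=THREAT_INTEL) -> Indicator:
    """Attach a verdict to an indicator; anything not listed stays 'unknown'."""
    indicator.verdict = intel.get(indicator.value, "unknown")
    return indicator


# Constructed sample logs (not captured from the lab). The attack name is a
# placeholder, not a real FortiGuard signature name.
SAMPLE_LOGS = [
    'date=2025-01-01 time=10:00:01 type="utm" subtype="ips" severity="critical" '
    'srcip=203.0.113.10 dstip=10.0.0.5 dstport=8080 action="detected" '
    'attack="GeoServer.RCE.Example.Signature" msg="remote code execution attempt"',
    'date=2025-01-01 time=10:00:02 type="utm" subtype="ips" severity="high" '
    'srcip=198.51.100.7 dstip=10.0.0.5 action="detected" attack="Other.Example.Signature"',
    'date=2025-01-01 time=10:00:03 type="traffic" subtype="forward" '
    'srcip=10.0.0.9 dstip=10.0.0.5 action="accept"',
]

GEOSERVER_HANDLER = EventHandler(
    name="_Outbreak Alert - GeoServer RCE Event-Handler - Labs",
    rules=[   # hypothetical rules, not the lab's actual rule definitions
        Rule("ips-geoserver", "utm", "ips", "attack", r"(?i)geoserver"),
        Rule("av-geoserver", "utm", "virus", "virus", r"(?i)geoserver"),
    ],
)


def investigate(lines, handler=GEOSERVER_HANDLER) -> list:
    """Run the handler over log lines and enrich every extracted indicator."""
    events = handler.run(lines)
    for ev in events:
        for ind in ev.indicators:
            enrich(ind)
    return events


if __name__ == "__main__":
    for ev in investigate(SAMPLE_LOGS):
        inds = ", ".join(f"{i.role}={i.value} ({i.verdict})" for i in ev.indicators)
        print(f"[{ev.rule}] incident={ev.incident_created} indicators: {inds}")
```

Only the IPS log whose attack name matches the rule raises an event; the other IPS signature and the plain traffic log are ignored, and the extracted source IP gets its verdict from the table in the same way the lab's Enrich button queries FortiGuard.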

Tasks

Continuing from Incidents & Events > Event Monitor and on the All Events tab, to see the Indicators column click
on the gear icon and select Indicators.

You should see 1 indicator in the indicator column.

Click on the 1 indicator hyperlink.

Here you can see that the indicator is an IP; it was a source IP with a value of [Link]

Indicators

The Indicators pane consolidates all detected indicators for centralized analysis. This streamlines threat evaluation and
enables SOC analysts to take swift action to mitigate risks.

You are going to use the Enrichment feature to find out more information on the IP indicator. There are two enrichment
connectors: FortiGuard and VirusTotal. In this lab you will use FortiGuard.
Go to Incidents & Events > Indicators.
Select the IP indicator, [Link], which was extracted by the Outbreak Alert - GeoServer RCE Event-Handler -
Labs event handler, and click Enrich.

A new window will open and shortly the following information will be displayed. (Note: IPs, URLs and domains are
constantly evaluated and re-evaluated, so it is possible that the threat intelligence on this IP has changed and the result will
be different when you do this workshop.)

Click Cancel to close the Enrich History window.

You should now see the enrichment information saved in the indicators pane for the IP address.

4.1.6. Reporting Outbreak Alerts

Outbreak Alerts also come with predefined reports, allowing the organization to quickly generate reports based on incidents
generated from the event handlers.

Tasks

From FortiAnalyzer, using the Fabric ADOM, go to Reports > Report Definitions.
Input GeoServer into the Search box.
Right-click the Outbreak Alert – GeoServer RCE Report and select Edit.

Select the Settings tab, for Time Period select Today, and click Apply.

Select the Generated Reports tab and click on Run Report.

When the report has been generated, click on PDF under Format to view the report.

The report will open in a new tab. Review the report and close the tab when done.

4.2. FortiGuard's IOC Service

FortiAnalyzer's Indicators of Compromise (IOC) Service scans the IPs, domains, and URLs in log entries it receives from devices
against its threat database to find compromised hosts. When a match is found it displays the endpoint in the Compromised
Hosts monitor. FortiGate can use this event to trigger an automation stitch and take action.

In this exercise, you will use FortiView to review compromised hosts detected by FortiAnalyzer's IOC service,
then you will create an automation stitch to quarantine these compromised hosts to mitigate the risk they pose to the
organization.

Estimated time to complete: 15 minutes

4.2.1. Create an Automation Stitch

You will first create an automation stitch that will be executed when an IOC event is triggered by FortiAnalyzer.

Tasks

Log on to FGT-EDGE using the HTTPS option.

Go to Security Fabric > Automation.
Click Create New.
For the Name enter Quarantine_Compromised_Host.
Under Stitch, click Add Trigger, select Compromised Host from the slide-out window, and click Apply.

Click Add Action, select IP Ban from the slide-out window, and click Apply.

Click OK to save the stitch.

You should see the following:

4.2.2. Verify the Automation Stitch is Triggered

There is a script running in the background which will trigger the Compromised Host event. To validate that the stitch has been
triggered you will search for the message Stitch: Quarantined_Host_Compromised is triggered. You will then go to FGT-EDGE
and validate that the host has been quarantined.

Tasks

Verify That the Automation Stitch Has Been Triggered

From FortiAnalyzer, for the Fabric ADOM, go to Log View > Logs, from the Fortinet Logs tab select FortiGate, and
from the Event drop-down select System.

Click + Add Filter and select Message, input stitch, select the ~ symbol, and click Apply.

Here you should see that the stitch has been triggered. (Note: It may take a few minutes for traffic to be generated which
will trigger the IOC).

Verify the Hosts Are Quarantined

Return to FGT-EDGE and go to Dashboard > Assets & Identities.

Click anywhere in the Quarantine widget to expand to full screen.

Here you will see all the hosts quarantined by the stitch. (Note: your view may be slightly different.)

4.2.3. Disable the Automation Stitch and Release the Quarantined Hosts

You need to turn off the stitch and release the compromised hosts from quarantine to continue with the exercises.

Tasks

From FGT-EDGE, return to Security Fabric > Automation.

Click on the Quarantine_Compromised_Host stitch to select it, and from the Set Status drop-down select Disabled.

Release Quarantined Hosts

Return to Dashboard > Assets & Identities.

Click on the Quarantine widget to expand it to full screen.

Click on the first entry under the Banned IP header and select Remove All.

Click OK to confirm.

4.2.4. FortiView - Indicators of Compromise

Review Hosts detected by Indicators of Compromise Service

The results for each affected endpoint are displayed in the Indicator of Compromise tab. You can drill down from the table to
review the details of the affected host, including the detection pattern and detection method for each indicator of
compromise. You can also drill down further from these detections to review the logs where the matches were initially found
in FortiAnalyzer.

TASKS

From FortiAnalyzer, using the Fabric ADOM, go to FortiView > Threats and select the Indicator of Compromise tab.

Here you can see the endpoints with the Infected verdict.

Double-click on any entry.

Here you can see the log entries corresponding to the IOC triggered for this host. Notice the Log Types which
FortiAnalyzer uses to locate the IOCs (traffic, webfilter and attack), as well as the type of IOC detected (infected-ip and
infected-url).
Double-click on any entry to see the log details.

You have just finished reviewing the compromised endpoints.

5. SOAR with FortiSOAR

FortiSOAR is a Security Orchestration, Automation, and Response workbench, designed for SOC teams to efficiently respond
to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. With broad integrations, rich
functions, hundreds of pre-built playbooks, and simple customization, FortiSOAR is designed to be the central hub for the
critical operations that protect and power an organization.

The two FortiSOAR components you will be looking at in this lab are Connectors and Playbooks.

Connectors are used to send and retrieve data from Fortinet devices and various third-party sources. Using connectors, you
can connect to external cyber security tools and perform various automated interactions using FortiSOAR™ playbooks.

Playbooks in FortiSOAR allow you to automate your security processes across external systems while respecting the
business process required for your organization to function. Playbook templates can be customized to follow an
organization's current procedures while leveraging the automation capabilities of FortiSOAR.

Estimated time to complete: 15 minutes

5.1. Using the FortiAnalyzer Connector

A FortiSOAR Connector is an integration module that enables FortiSOAR to interact with Fortinet devices and third-party
security tools, IT systems, and cloud services. These connectors allow FortiSOAR to automate security operations,
orchestrate incident response, and streamline workflows across different security environments.

In this lab, you will use the Fortinet FortiAnalyzer connector to ingest events. This works as follows:

1. The FortiAnalyzer connector playbook ingests the FortiAnalyzer events using the Get Events action and
creates a FortiSOAR alert.
2. As part of the alert creation, indicators are extracted from the logs and inserted into the indicators table.
3. Also, the Get Endpoint Information action is used to retrieve information on the endpoint corresponding to the event.
4. The FortiGuard connector playbook is automatically executed on creation of a new indicator to enrich the indicator.

Review the FortiAnalyzer Connector

The FortiAnalyzer Connector is used to integrate with FortiAnalyzer; it includes both Playbooks to ingest data and create
alerts from events, as well as Actions that can be used in playbooks.

Log on to FortiSOAR using the HTTPS method (user: csadmin, password: Fortinet1!).
You can expand/collapse the left navigation panel by clicking on the arrow.

Go to Automation > Connectors and in the search field input FortiAnalyzer. You may notice that you have been
redirected to the Content Hub with a Filter of Connectors applied.

Double-click on the Fortinet FortiAnalyzer Connector. This will open on the Configuration tab. This connector has
already been installed and configured to use the FortiAnalyzer device in this workshop. You should see the
CONFIGURATION field showing COMPLETED and HEALTH CHECK showing AVAILABLE, indicating FortiSOAR can
communicate with FortiAnalyzer. You will also notice a Configure Data Ingestion button; this allows the administrator
to view, and if needed override, the mappings used to normalize the FortiAnalyzer data into FortiSOAR fields.

Click on the Actions & Playbooks tab. Here you will see the Playbooks and Actions included with the connector. The
Actions that will be used for the Data Ingestion are Get Events and Get Endpoint Information. Get Events will
be used to ingest the FortiAnalyzer events and create FortiSOAR alerts, and Get Endpoint Information will import the
asset (endpoint) corresponding to the event. We will need this information for the Fortinet FortiGate
connector to quarantine the host in the following lab.

Close the connector by clicking on the X in the upper left corner of the window.

Data Ingestion

Import the FortiAnalyzer events.

Go to Automation > Data Ingestion, locate the Fortinet FortiAnalyzer connector and click on the down arrow beside
the 1 Configuration(s) Available. Wait for the status to turn to Available, then click on Trigger Ingestion Now.

Click on the Playbook icon in the upper right-hand window.

For the Playbook Name input FortiAnalyzer Ingest and click Apply.

Here you can see the playbook and its status; in the screenshot it shows ACTIVE with the execution time.

Expand the FortiAnalyzer > Ingest entry by clicking on the down arrow, and expand the corresponding FortiAnalyzer >
Fetch playbook by clicking on its down arrow.

Here you can see the 3 Playbooks involved with importing the data. Click on the executed playbook >> FortiAnalyzer >
Related Assets for Event > Create.

This playbook is responsible for creating the Alert in FortiSOAR and adding the corresponding endpoint as an Asset.

5.2. Alerts & Enriching Indicators with FortiGuard Connector

In the previous exercise, you used playbooks to ingest the FortiAnalyzer events and corresponding endpoints. You will now
review this data in FortiSOAR.

Alerts

Review the created Alerts.

Go to Incident Response > Alerts and you will see the data being pulled in in real time.

Click on any alert with source Fortinet FortiAnalyzer (select one of the first created, so that the associated playbooks
should have finished running; for example, Incident number 6).

The alert has 3 sections: Alert Details, Playbooks and Audit Logs. Alert Details has multiple sections that are updated
based on the connector mapping, as well as by playbooks that are automatically started when the alert is created. In this
alert we can see that it was generated from traffic logs from the FGT-ISFW device. (The alert you click on may show
different information.)

Scroll down to the graph element; here you can see a visual representation of the Alerts, Indicators and Assets. This is
updated as data is being ingested, so your view might not yet show the same amount of detail.

Scroll down to the next section and select the Indicators tab. Here you will see the indicators pulled from the event. The
indicator status is automatically updated using the playbook run at data ingest time.

FortiGuard Connector

The FortiGuard Connector is used to enrich extracted indicators.

Scroll back to the top and click on the Playbooks tab; here you can see the playbooks executed when the alert was
created. Extract Indicators (Alerts) is a playbook triggered when an alert is created. It extracts the indicators and
uses the FortiGuard connector to enrich any extracted indicators. Notice that it finished successfully.

Assets

Assets represent a unique piece of hardware and any information known about that hardware, such as MAC address,
hostname, or IP address. During the import of FortiAnalyzer events, the playbook also used the action Get Endpoint
Information. Asset information is useful when we want to take action, for example quarantining the endpoint (which you will
do in the next lab using the FortiGate connector).

To see the retrieved assets:

Go to Resources > Assets. Here you will see the assets imported by the playbook.

5.3. Responding to an Alert Using FortiGate Connector to Quarantine a Host

Review the Fortinet FortiGate Connector

Alerts can be reviewed and remediated by a SOC Level 1 analyst or escalated to a Level 2 analyst using Incidents.

In our example, the SOC analyst is going to respond to the event by quarantining the endpoint. To do this they will use the
Fortinet FortiGate connector.

TASKS

Go to Content Hub, select the Managed tab, and input FortiGate into the search field. Double-click on the Fortinet
FortiGate Connector to review it.

From the Configuration tab, you can see the CONFIGURATION is COMPLETED, and the HEALTH CHECK shows
AVAILABLE.

Click on the Actions & Playbooks tab to see the playbooks and available actions that the connector provides. To see
the playbooks, under Playbooks click on SAMPLE - FORTINET FORTIGATE - 5.3.0.

This will redirect you to Automation > Playbooks and bring you to the Sample - Fortinet FortiGate playbook
collection, where you can see all the playbooks this connector provides. The playbook you will be using is Host:
Quarantine Host.

Click on Host: Quarantine Host to open the playbook. Here you can see it has 3 steps. The Start step is manual,
the Find Asset step looks for the endpoint in the Asset database, and the Quarantine Host step uses the MAC address
found in the previous step to invoke the Quarantine Host action on the FortiGate configured in the connector.

Use the FortiGate Connector to remediate an Alert.

Go to Incident Response > Alerts, select an alert with Source Fortinet FortiAnalyzer, and click on the alert to open
it. (Note: Pick one of the first alerts to make sure the indicators have been extracted and enriched.)

Click on the alert to open it and from the Alert Details tab scroll down to the Indicators section and select the private IP
(in the screenshot below it is [Link]; yours may be different, but it will be from the subnet [Link]/16).

With the host's IP address selected, click on Execute and select Fortinet FortiGate: Quarantine Host from the
drop-down.

A banner will display Triggered action "Host:Quarantine Host" on 1 record(s) with a green check mark indicating
the playbook executed successfully.

5.4. Verify the Host has been Quarantined

You will now verify that the host has been quarantined on the FortiGate device.

TASKS

Go to FGT-ISFW and select the HTTPS option.

Go to Dashboard > Assets & Identities and select the Quarantine widget.

Here you should see the host has been quarantined with the description Quarantined By FortiSOAR.

Remove the Quarantined Host

Remove the quarantined host so that it will not affect any other labs.

Select the quarantined device and click Delete.

6. Using FortiAI - Your AI Assistant
FortiAI is a generative AI security assistant that uses FortiGuard Labs' high-fidelity security data and is continuously
monitored and improved by FortiGuard security experts. (Note: due to constant improvement, your results for the prompts in
this lab may be different than when it was recorded.)

Administrators can use the FortiAI Assistant to answer questions and get help with configurations using FortiAI's advanced
natural language processing capabilities.

FortiAI can be used in FortiAnalyzer for incident investigation, response, and threat hunting. The assistant can interpret
security events, generate detailed summaries, identify potential impacts, and make remediation recommendations. FortiAI
can also simplify platform usage with natural language prompts. For example, the assistant can create complex database
queries, generate reports, write event handler and correlation rules, and execute many other FortiAnalyzer functions during
typical workflow.

In this lab, you will review the Top Threats and use FortiAI to find the reputation of the destination IP of the Emotet
threat. You will then identify the endpoints communicating with this IP, create an incident, and create a report on
the incident.

Estimated time to complete: 10 minutes

6.1. Investigating an IP of Interest, Creating an Incident and Running a Report

FortiAI can automate tasks that a security analyst performs. In this exercise you will use FortiAI to find the reputation of an IP
associated with an Emotet threat, find the endpoints that are communicating with it, create an incident, and print out a
report.

Tasks

Review the Emotet top threat and find the Destination IP associated with the threat.

Log on to FortiAnalyzer and from the Fabric ADOM go to FortiView > Threats and select the Top Threats tab.

Click on Emotet and select View Related Logs.

You will be taken to Log View > Logs > Fortinet Logs, to the Traffic logs with a filter of threat='Emotet'.

Here you can see the Destination IP associated with the Emotet threat is [Link].

Reputation of the IP address

You will now use FortiAI to find the reputation of the IP address [Link].

Click on the FortiAI icon to access FortiAI.

Input the prompt Find the reputation for [Link] and click send.

You should see the following output. (Note: It is possible that this IP reputation has changed since this lab was
created, in which case your result may be different, but you should still be able to create the incident.)

Add the IP address to the Indicators Pane

You will now use FortiAI to add this IP address to the Indicators pane in order to keep track of it.

Input the prompt add IP to indicators and click send.

You should see the following result.

Without closing the FortiAI window, go to Incidents & Events > Indicators. Here you should see the IP address has been
added.

Find the Endpoints communicating with this IP

Input the prompt "List the endpoints with traffic going to the destination IP [Link]?"

If you are prompted to return to the Traffic Log View page input Yes. You should see similar output to the following:

Create An Incident

Use FortiAI to create an incident to investigate these IPs and take action.

Input the prompt Create only one incident for these endpoints and click send.

You should see a similar output to this.

Generate an Incident Report

Use FortiAI to generate an incident report.

Input the prompt Generate an incident report this incident and click send.

You should see an output similar to the following with a download icon allowing you to download the report.

Click on the download icon to download and review the report.

Review the report and close it when finished. This is a simple example of using FortiAI to help automate your workload as
a Security Analyst.

7. Conclusion

This concludes the Fast Track workshop lab activity. We hope you found the information provided useful and the user
experience compelling.

7.1. Conclusion

You have completed the Hands-On labs for the Fast Track!

To get more information on this or other Fortinet solutions, please consider looking at the NSE Training from Fortinet:
[Link]

In particular you may be interested in the FortiAnalyzer Analyst training: FortiAnalyzer Analyst

For detailed descriptions about each of these Workshops please visit the Fast Track Workshop Abstracts page.
