
Cyware Threat Intelligence eXchange

FortiSOAR

Connector Category: Security Orchestration Automation Response

About Integration

FortiSOAR is a comprehensive security orchestration, automation, and response (SOAR) platform that unifies case management, automation, real-time collaboration, and threat intel management to serve security teams across the incident lifecycle.

You can integrate Intel Exchange and FortiSOAR in the following way:

  • Trigger playbooks in the FortiSOAR application from the Intel Exchange application. This integration lets your security operations teams trigger playbooks defined in FortiSOAR, which can run multi-step workflows for incident management of your resources.

The FortiSOAR internal application in Intel Exchange supports the following action:

  • Trigger FortiSOAR Playbook V3

Perform the following to integrate FortiSOAR with Intel Exchange:

Configure FortiSOAR App in CTIX

Before you start 

  • Ensure that you have the URL, username, and API key of your FortiSOAR account.

  • Ensure that you have View Tool Integrations and Update Tool Integrations permissions.

Steps 

Use the following steps to configure the app in the Intel Exchange application and get started:

  1. Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Search FortiSOAR and click on the app.

  4. Click Add Instance.

  5. Enter a unique account name to identify the instance, such as Prod_FortiSOAR.

  6. Enter the base URL to directly connect to the application's server.

  7. Enter the API Key to authenticate the user.

  8. Enter the Collection 

  9. Select Verify SSL to verify and secure the connection between the Intel Exchange and FortiSOAR servers.

    If you disable this option, Intel Exchange may configure the instance even when the FortiSOAR server presents an expired or otherwise invalid SSL certificate. The connection may then fail to establish properly, and Intel Exchange will not be able to notify you of a broken or improper connection. It is recommended to select this option.

  10. Click Save.

Enable Trigger Playbooks

After configuring the application on Intel Exchange, enable the action to trigger playbooks in FortiSOAR. 

Steps 

  1. Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Select FortiSOAR.

  4. Click the ellipsis on the top right corner and click Manage.

  5. Click Manage Action(s) and select an action.

  6. Enable the toggle to trigger the playbooks.

  7. Click Save.

Create a Rule in CTIX to Trigger Playbooks in FortiSOAR

Create a rule in the Intel Exchange application to trigger the playbooks in FortiSOAR.

Before you start

Ensure that you have View Rules, Create Rules, and Update Rules permissions.

Steps 

  1. Navigate to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. To easily identify and categorize components in Intel Exchange, select Tags.

  5. Click Submit.

  6. Set the following optional Basic Details for a rule:

    1. Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.

    2. Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    3. Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.

    4. Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected, and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.

    5. Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected, and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  7. Define the sources and collections, and the conditions for the rule. For more information, see Automation Rules.

  8. In Actions, configure the following:

    1. Actions: Trigger FortiSOAR Playbook V3

    2. Application: FortiSOAR

    3. Account: Select a FortiSOAR account

    4. Playbook Name (Optional): Provide the playbook name along with the source path

  9. Click Save.

When you run the rule, objects are retrieved based on the configured sources and conditions. The retrieved indicators are submitted to the FortiSOAR platform for action.
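The selection behaviour described for a rule (source match, conditions, and the two Exclude options that drop objects regardless of conditions) can be modelled to see which objects would be submitted. The following is an added illustrative example, not Intel Exchange's or FortiSOAR's own code; the indicator fields, the confidence condition, the playbook name and the record shape are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Indicator:  # constructed model of a threat data object, not the CTIX schema
    value: str
    itype: str
    source: str
    confidence: int
    false_positive: bool = False
    allowed: bool = False

@dataclass
class Rule:  # only the options this page describes are modelled
    sources: frozenset
    min_confidence: int = 0          # the single condition modelled here
    exclude_false_positive: bool = True
    exclude_allowed: bool = True
    playbook_name: str = "Playbooks/Demo/Block Indicator"  # hypothetical name

def select_indicators(rule, indicators):
    """Objects the rule retrieves: Exclude options first, then source, then conditions."""
    picked = []
    for ind in indicators:
        if rule.exclude_false_positive and ind.false_positive:
            continue                      # dropped even if conditions would match
        if rule.exclude_allowed and ind.allowed:
            continue                      # allowed indicators are never actioned
        if ind.source not in rule.sources:
            continue
        if ind.confidence < rule.min_confidence:
            continue
        picked.append(ind)
    return picked

def build_trigger_records(rule, indicators):
    """One record per retrieved indicator; shape is constructed, not the real payload."""
    return [{"playbook": rule.playbook_name, "type": i.itype, "value": i.value}
            for i in select_indicators(rule, indicators)]

# Constructed sample indicators (documentation-only placeholder values).
SAMPLE = [
    Indicator("198.51.100.7", "ipv4-addr", "feed-a", 85),
    Indicator("203.0.113.9", "ipv4-addr", "feed-a", 95, false_positive=True),
    Indicator("example.org", "domain-name", "feed-a", 90, allowed=True),
    Indicator("198.51.100.8", "ipv4-addr", "feed-b", 99),   # source not selected
    Indicator("198.51.100.9", "ipv4-addr", "feed-a", 40),   # below condition threshold
]

def run_demo():
    rule = Rule(sources=frozenset({"feed-a"}), min_confidence=70)
    return build_trigger_records(rule, SAMPLE)
```

With the defaults, only the first sample indicator survives the Exclude options, the source filter and the confidence condition; clearing Exclude False Positive lets the false-positive object through again, which is the behaviour the option exists to prevent.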