Configuring FortiSOAR for FortiSIEM Integration
To set up FortiSOAR with a role that allows FortiSIEM integration, take the following steps.
Set Up Authentication
HTTP Basic Authentication is used to authenticate to the API. To create a user that FortiSIEM can use to read and execute playbooks and connectors, take the following steps.
- Click the Setting icon at the top right of the FortiSOAR GUI.
- Select Roles on the left-hand toolbar.
- Click Add.
- Give the Role a Name. For example, "FortiSIEM-Role".
- In Set Role Permissions, set the following:
  - For all modules except Users, set Read to allow.
  - Set Connectors to Read + Execute.
  - Set Playbooks to Read + Execute.
- Click Save.
- Select Users on the left-hand toolbar.
- Click Add.
- Set the following:
  - Fill out the First Name and Last Name fields, such as First Name "FortiSIEM" and Last Name "User".
  - For User Type, select Vendor.
  - Enter a valid email address, such as yourname@yourdomain.tld.
  - Select your Desired Team.
    Note: You must assign the user to a Team in addition to a Role; otherwise, authentication for executing playbooks will fail.
  - For Select Role, you can select FortiSIEM-Role for minimal access, or a desired Role.
  - Under Authentication, for User Type, select Application User.
  - Under Authentication, specify the username. Note that it can be different from the Name display value: fortisiem-user.
- Click Save. An email will be sent to the email address provided to change the password.
- Keep a record of the changed password.
At this point, you can configure FortiSIEM for FortiSOAR Playbooks and FortiSOAR Connectors.
For additional information on the FortiSOAR for FortiSIEM Integration solution, see here.
Sample playbooks are available here. They include:
- Playbook for getting IP address reputation via VirusTotal
- Playbook for getting Domain reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid, Alienvault OTX
- Playbook for getting URL reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid
- Playbook for getting file hash reputation via VirusTotal