A Playbook is a chain of actions that are taken based on logic programmed by a user. A Playbook can only be added, modified, or deleted through FortiSOAR. Playbooks can be executed on an event or incident. After creating a FortiSIEM user in FortiSOAR and configuring Playbook on FortiSIEM, playbooks can be executed through FortiSIEM. Additional information can be found in Writing FortiSIEM Compatible FortiSOAR Playbooks, available in the Appendix.

FortiSIEM provides a number of sample FortiSOAR playbooks that are compatible with FortiSIEM.

Download the sample FortiSIEM-compatible FortiSOAR playbooks here. The download contains:

  • Playbook for getting IP address reputation via VirusTotal

  • Playbook for getting Domain reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid, Alienvault OTX

  • Playbook for getting URL reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid

  • Playbook for getting file hash reputation via VirusTotal

Then import these playbooks into FortiSOAR. The playbooks are tagged with “FortiSIEM”; only playbooks tagged “FortiSIEM” are then imported into FortiSIEM.

It is necessary to configure the Connectors that these playbooks reference, for example the VirusTotal Connector with valid credentials.

The following sections provide information on Playbooks: