FortiSOAR Knowledge Base
Andy_G
Staff
Article Id 198207
Description

You can use the attached JSON files to synchronize records in bulk between master and tenant nodes when records present on the master node have not been replicated to the tenant nodes, or vice versa.

You can synchronize records with or without the corresponding correlated records.

To synchronize records without correlated records, use the Bulk Sync without correlation records.json file.

To synchronize records with correlated records, use the Bulk Sync with correlation records.json file.


Solution

Synchronizing alert records in bulk on a tenant node

If the master node's records have not been synchronized to a tenant node and you want to synchronize those records without their correlated records, perform the following steps:

  1. Download the attached Bulk Sync without correlation records.json file.
    Important: This JSON file will synchronize records only of the "Alerts" module.
  2. Log on to the tenant node as a user who is assigned a role that has Create, Read, Update, Delete and Execute privileges on the playbook module and also Create, Read, Update, Delete privileges on the module on which the playbook will be triggered.
  3. From the left navigation, click Automation > Playbooks.
  4. On the Playbooks page, click Import to import the Bulk Sync without correlation records.json file.
    This imports the "Bulk Sync" playbook collection.
  5. Navigate to the Alerts module and click Execute > Bulk Sync Batch Wise Alerts to synchronize the alert records.
     This playbook synchronizes alerts in batches of 100 on the tenant node.

Note: If you want to synchronize records between the tenant and master together with their correlated records, follow the same steps as above using the attached Bulk Sync with correlation records.json file. In this case, however, you must ensure that the records for which you are creating correlations already exist on the node where you are running the Bulk Sync playbooks. If they do not exist, the records themselves are still replicated, but the correlations are not created.


Synchronizing records other than alerts in bulk on a tenant node

The Bulk Sync without correlation records.json file synchronizes only alert records. To synchronize records of any other module, perform the following steps:

  1. Log on to the tenant node as a user who is assigned a role that has Create, Read, Update, Delete and Execute privileges on the playbook module and also Create, Read, Update, Delete privileges on the module on which the playbook will be triggered.
  2. From the left navigation, click Automation > Playbooks.
  3. On the Playbooks page, from the Bulk Sync playbook collection, open the "Bulk Sync Batch Wise Alerts" playbook.
  4. Open the Start (trigger) step and, in the Execution Behavior section, in the "Choose record modules on which the playbook would be available on" drop-down list, remove "Alerts" and add the module on which you want to trigger this playbook. For example, "Incidents".
  5. Open the Get Alert step and from the Module drop-down list choose the module whose records you want to synchronize. For example, Incidents.
    You can also change the other parameters of this step, such as the name of the step and then save the step.
  6. Open the Reference a Playbook step and open the referenced playbook, i.e., "Bulk Sync".
  7. In the "Bulk Sync" playbook, open the Utilities step, and update the IRI field to reflect the module whose records you want to synchronize.
    By default, this is set as /api/3/update/alerts.
    If you want to synchronize incident records, change this to /api/3/update/incidents and save the step and the playbook.
  8. Save the "Bulk Sync Batch Wise Alerts" playbook.
  9. Navigate to the module whose records you want to synchronize, for example, Incidents, and click Execute > Bulk Sync Batch Wise Incidents to synchronize the incident records.

Synchronizing correlations in bulk on a tenant node

The Bulk Sync with correlation records.json file adds correlations only between the "Indicators" module and the "Alerts" module. If you want to add other correlations, for example between the "Assets" module and the "Alerts" module, perform the following steps.

Important: If the records to be correlated do not already exist on the node where you run the playbook, the records themselves are still replicated, but the correlations are not created.

  1. Log on to the tenant node as a user who is assigned a role that has Create, Read, Update, Delete and Execute privileges on the playbook module and also Create, Read, Update, Delete privileges on the module on which the playbook will be triggered.
  2. From the left navigation, click Automation > Playbooks.
  3. On the Playbooks page, from the Bulk Sync playbook collection, open the "Bulk Sync Batch Wise" playbook.
  4. Open the Start (trigger) step and, in the Execution Behavior section, in the "Choose record modules on which the playbook would be available on" drop-down list, remove "Alerts" and add the module on which you want to trigger this playbook. For example, "Assets".
  5. Open the Get Alert step and from the Module drop-down list choose the module for correlations. For example, Assets.
    You can also change the other parameters of this step, such as the name of the step and then save the step.
  6. Open the Reference a Playbook step and open the referenced playbook, i.e., "Bulk Sync".
  7. In the "Bulk Sync" playbook, open the Create Request Body step and update the updateRecords variable so that its "__selectFields" array lists the fields you want to replicate from the master side, together with the mandatory fields of the module being synchronized and the correlation field.
    For example, you can change this, which defines indicators correlated with alerts:
    "__selectFields":["typeofindicator","value","file","reputation","description","sources","alerts"]
    to
    "__selectFields":["hostname","name","ip","alerts"]
    which defines assets correlated with alerts.
  8. In the "Bulk Sync" playbook, open the Utilities step, and update the IRI field to reflect that you want to update the correlated assets.
    By default, this is set as /api/3/update/indicators?$relationship=true
    If you want to synchronize asset records with existing alerts, change this to /api/3/update/assets?$relationship=true and save the step and the playbook.
  9. Save the "Bulk Sync Batch Wise" playbook.
  10. Navigate to the Assets module and execute the playbook to create correlations between existing alerts and assets.
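The following Python is an added example, not FortiSOAR's code or part of the attached playbooks. It mirrors what the two procedures above configure by hand: the per-module IRI for the Utilities step, the "__selectFields" list for the Create Request Body step, batching in groups of 100, and a pre-check for the Important caveat that correlations are silently skipped when the referenced alerts do not exist on the target node. The payload shape (records plus "__selectFields"), the record fields and the sample data are assumptions, not the documented FortiSOAR API.

```python
BATCH_SIZE = 100  # the KB playbook synchronizes alerts in batches of 100

# "__selectFields" arrays quoted from the article's Create Request Body step
SELECT_FIELDS = {
    "indicators": ["typeofindicator", "value", "file", "reputation",
                   "description", "sources", "alerts"],
    "assets": ["hostname", "name", "ip", "alerts"],
}


def update_iri(module: str, with_correlations: bool) -> str:
    """IRI for the Utilities step: /api/3/update/<module>, plus
    ?$relationship=true when correlated records are being updated."""
    iri = f"/api/3/update/{module}"
    return iri + "?$relationship=true" if with_correlations else iri


def batches(records, size=BATCH_SIZE):
    """Split records into batches of at most `size` (100 by default)."""
    records = list(records)
    return [records[i:i + size] for i in range(0, len(records), size)]


def precheck_correlations(records, existing_alert_ids, link_field="alerts"):
    """Separate records whose correlated alerts all exist on the target node
    from those referencing missing alerts; the latter would be replicated
    without their correlations, so they should be fixed (or held back) first."""
    existing = set(existing_alert_ids)
    ok, missing = [], {}
    for rec in records:
        absent = sorted(set(rec.get(link_field, [])) - existing)
        if absent:
            missing[rec["id"]] = absent
        else:
            ok.append(rec)
    return ok, missing


def build_payloads(module: str, records, with_correlations: bool):
    """One (iri, body) pair per batch. Body shape is an ASSUMPTION modelled
    on the article's updateRecords snippet, not a documented API contract."""
    fields = SELECT_FIELDS[module] if with_correlations else None
    payloads = []
    for chunk in batches(records):
        body = {"records": chunk}
        if fields:
            body["__selectFields"] = fields
        payloads.append({"iri": update_iri(module, with_correlations), "body": body})
    return payloads


# Constructed sample input (not real FortiSOAR data): three assets, one of
# which references an alert that does not exist on the tenant node.
SAMPLE_ASSETS = [
    {"id": f"asset-{i}", "hostname": f"host{i}", "name": f"Host {i}",
     "ip": f"10.0.0.{i}", "alerts": ["alert-1"]} for i in range(1, 4)
]
SAMPLE_ASSETS[2]["alerts"] = ["alert-1", "alert-99"]
EXISTING_ALERT_IDS = {"alert-1", "alert-2"}
```

Running precheck_correlations on SAMPLE_ASSETS reports asset-3 as referencing the missing alert-99, which is exactly the case in which the playbook would replicate the record but create no correlation.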
