FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
Andy_G
Staff
Article Id 190468
Description

Incident Response(IR)


 Incident Response is an organized approach to addressing and managing the aftermath of a security breach or cyber attack, also known as an IT incident. The goal of incident response is to handle the situation in a way that limits damage and reduces recovery time and costs.

 Ideally, incident response activities are conducted by a SOC analyst. If not automated, the process is time consuming and requires the analyst to work through the results of various tools by hand, which is error prone.


Challenge


 Implement the workflow that an analyst follows, as per a documented playbook, for a malware incident. Such a workflow consists of multiple steps, most of which are manual tasks performed by the analyst: analyzing the alert, extracting observables, enriching them by looking them up in threat intelligence resources, and so on. Performing each of these tasks by hand is time consuming. We need a quick way to automate some or all of the tasks in a playbook so that the response is fast and effective enough to contain the damage, after which the important work of eradicating the threat begins. The solution is a playbook that defines the IR cycle.


Solution


Playbook

 This playbook follows the incident phases and, for each phase, performs a set of actions. An action is either a manual task created for a SOC analyst or an automated step that performs the action directly. Once a manual task is completed, the next task is added to the workflow. The playbook also updates the incident with comments describing the action required or performed. Users can replace manual playbook steps with automated ones using CyOPs™ Connectors.
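As an added illustration (this is not FortiSOAR code and not the attached playbook), the Python sketch below models the same mechanics in isolation: incident phases, manual tasks that gate the workflow until an analyst completes them, automated steps that run immediately, and a comment appended to the incident for every action. The alert text, the threat-intel table, and all class and function names are constructed for this example; the in-memory dictionary lookup stands in where the real playbook would call a connector such as Joe Sandbox Cloud or CarbonBlack Response.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample alert text (not real data), standing in for the alert
# attached to an incident.
SAMPLE_ALERT = (
    "EDR alert: process winword.exe on host WS-042 dropped file payload.exe "
    "(sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef) "
    "and connected to 203.0.113.45 and update.example-cdn.test"
)

# Constructed verdict table. A real playbook would obtain these verdicts from a
# connector action (sandbox detonation, EDR reputation lookup); here it is an
# in-memory dictionary so the example runs offline.
THREAT_INTEL = {
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef": "malicious",
    "203.0.113.45": "malicious",
}

OBSERVABLE_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}
# A naive domain regex also matches file names such as winword.exe; filter them.
FILE_SUFFIXES = (".exe", ".dll", ".ps1", ".bat")


def extract_observables(text: str) -> dict[str, set[str]]:
    """Pull hashes, IPs and domains out of free-text alert content."""
    lowered = text.lower()
    found = {kind: set(pat.findall(lowered)) for kind, pat in OBSERVABLE_PATTERNS.items()}
    found["domain"] = {d for d in found["domain"] if not d.endswith(FILE_SUFFIXES)}
    return found


def enrich(observables: dict[str, set[str]]) -> dict[str, str]:
    """Look every observable up in the (constructed) threat-intel table."""
    return {v: THREAT_INTEL.get(v, "unknown") for values in observables.values() for v in values}


@dataclass
class Incident:
    id: str
    alert: str
    comments: list[str] = field(default_factory=list)
    open_task: Optional[str] = None          # pending manual task, if any
    observables: dict = field(default_factory=dict)
    verdicts: dict = field(default_factory=dict)


@dataclass
class Step:
    name: str
    action: Optional[Callable[[Incident], str]] = None  # None => manual task


def step_extract(inc: Incident) -> str:
    inc.observables = extract_observables(inc.alert)
    return f"extracted {sum(len(v) for v in inc.observables.values())} observables"


def step_enrich(inc: Incident) -> str:
    inc.verdicts = enrich(inc.observables)
    bad = sorted(v for v, verdict in inc.verdicts.items() if verdict == "malicious")
    return f"enrichment: {len(bad)} malicious observable(s): {', '.join(bad)}"


# Phases and steps are constructed for this example; manual steps are the ones
# a SOC would later swap for connector actions (e.g. host isolation via EDR).
PHASES = [
    ("Identification", [Step("Confirm the alert is a true positive"),
                        Step("Extract observables", step_extract),
                        Step("Enrich observables", step_enrich)]),
    ("Containment", [Step("Isolate the affected host")]),
    ("Eradication", [Step("Remove the malware from the host")]),
    ("Recovery", [Step("Restore the host to service and monitor")]),
]


class Playbook:
    def __init__(self, incident: Incident, phases=PHASES):
        self.incident = incident
        self._steps = [(phase, s) for phase, steps in phases for s in steps]
        self._pos = 0  # index of the next step to execute

    def run(self) -> str:
        """Advance until a manual task is pending ('waiting') or all phases are done."""
        inc = self.incident
        if inc.open_task:
            return "waiting"
        while self._pos < len(self._steps):
            phase, step = self._steps[self._pos]
            if step.action is None:
                inc.open_task = step.name
                inc.comments.append(f"[{phase}] task created: {step.name}")
                return "waiting"
            inc.comments.append(f"[{phase}] {step.action(inc)}")
            self._pos += 1
        return "done"

    def complete_task(self, task: str) -> str:
        """Analyst closes the pending task; the playbook resumes from the next step."""
        if self.incident.open_task != task:
            raise ValueError(f"{task!r} is not the pending task")
        self.incident.open_task = None
        self.incident.comments.append(f"task completed: {task}")
        self._pos += 1
        return self.run()
```

Driving it from a shell: create `Incident("INC-1", SAMPLE_ALERT)`, call `run()` (it stops at the first manual task), then `complete_task(...)` for each task in turn and read `incident.comments` to see the per-phase trail the playbook leaves on the incident. Replacing a manual `Step` with one that has an `action` is the equivalent of swapping a manual playbook step for a connector action.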


Prerequisites

 You will have to import the attached MMD of the Incident module before importing the playbook. You will also need to install the following CyOPs™ connectors:

 

  1. CarbonBlack Response
  2. Joe Sandbox Cloud


Note: These connectors are used in this example playbook but can be changed as per the integrations available in each SOC.


How to use

This sample playbook includes the following:

  1. Incident Modules MMD
  2. IR playbook to demonstrate an IR lifecycle.

  Import the Incident module's configuration and publish it.


To run the sample playbook, open an incident and, from the Execute list, click the Malware - IR Life Cycle option:


The Malware IR Life Cycle playbook:








