Fortinet FortiWeb ZTNA and FortiSOAR Workshop

Fortinet FortiWeb ZTNA and FortiSOAR Workshop on Azure

In this workshop you will learn how to configure ZTNA on FortiWeb, Fortinet’s web application and API protection firewall. In the second part of the lab you will learn how FortiSOAR can be used to quarantine a client that is sending malicious traffic.

About TEC Workshops

TEC Workshops provide the learner with the opportunity to put newly developed skills into practice in an easy-to-launch environment that can also be used for customer engagements. At a minimum, a TEC Workshop includes the following:

  • A use case description

  • An integrated lab and demo environment

    • Informational call-outs for key points to discuss or highlight to a customer
    • Questions that could be asked while giving the TEC Workshop as a demo
    • Points of value that relate the business value to the technical feature
  • A reference architecture(s)

Optional components may be included for certain use cases

A TEC Workshop is not a complete, self-contained learning experience for a single product. It covers features, and often multiple products, where they relate to the use case of interest.

Deployments are automated for the tasks that are not salient to the learning or demonstration activity in the use case. For example, a TEC Workshop focused on Indicators of Compromise may deploy a FortiGate and a FortiAnalyzer with their configurations, but the learner will still have to configure the Event Handlers for the IOC setup.

FortiWeb ZTNA TEC Workshop

Introduction:

With the increase in remote workers and devices that are off the corporate network, securing access to applications has become a challenge. ZTNA provides secure access for users who are not on the network but need to reach applications and data. FortiWeb, Fortinet’s web application and API protection firewall, offers ZTNA alongside many other capabilities and protects both north-south and east-west traffic. FortiWeb highlights include:

  • OWASP Top 10 protection signature database
  • Machine learning based Anomaly and Bot detection
  • ZTNA
  • API Schema protection
  • Machine learning based API learning

The purpose of this TEC Workshop is to familiarize the learner with FortiWeb ZTNA approach and architectural concepts specific to the Azure Cloud environment.

TEC Workshop Objectives

Lab-1:

  • Deploy FortiWeb and all required components, such as FortiClient EMS, using Terraform
  • Configure EMS
  • Configure FortiWeb to provide access from the Internet to the web application with ZTNA
  • Configure FortiWeb to control access to the web API from within the trusted network

Lab-2:

  • Access FortiSOAR from FortiAnalyzer
  • Enable the FortiAnalyzer connector on FortiSOAR
  • Create a playbook
  • Quarantine and unquarantine a client based on malicious traffic
Warning

The examples and sample code provided in this workshop are intended to be consumed as instructional content. These will help you understand how various Fortinet and Azure services can be architected to build a solution while demonstrating best practices along the way. These examples are not intended for use in production environments without full understanding of how they operate.

Version:
Last updated: Thu, May 22, 2025 21:53:35 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of Fortinet FortiWeb ZTNA and FortiSOAR Workshop

Chapter 1 - Getting Started

Provisioning the Azure environment (40min)

Provision your Azure Environment, enter your Email address and click Provision

Warning

After submitting, this page will return with a blank email address box and no other indication. Provisioning can take several minutes. *** PLEASE DO NOT SUBMIT MULTIPLE TIMES ***

When provisioning is complete, one of the following will happen.

  • You will receive an email with Azure environment credentials. Use those credentials for this environment, even if you have your own.
  • You will receive an email indicating that there are no environments available. In this case please try again at a later date.
  • You will receive an email indicating that the supplied email address is from an unsupported domain.
  • No email received due to an unexpected error. You can try again or notify the Azure CSE team.

Tasks

  • Setup Azure Cloud Shell
  • Run Terraform
  • Verify Terraform

Subsections of Chapter 1 - Getting Started

Task 1 - Setup Azure CloudShell

1. Set up your Azure Cloud Shell

  • Log in to the Azure portal at https://portal.azure.com/ with the provided login/password


  • Click the link “Skip for now (14 days until this is required)” do not click the “Next” button


  • Click the “Next” button


  • Click on Cloud Shell icon on the Top Right side of the portal


  • Select Bash


  • Click on Show advanced settings


  • Select

    • Use existing Resource Group - it should auto populate with USERXX-workshop-sdwan (USERXX is your Username)
    • Use existing Storage account - it should auto populate with USERXX########## (########## is a random string)
    • Use existing File Share - type cloudshellshare
  • Click “Attach Storage”


  • You should now have access to the Azure Cloud Shell console


Task 2 - Run Terraform

Task 2 - Launch resources using Terraform

All the components required for Lab 1 and Lab 2 are deployed through Terraform.

Here is the Architecture diagram for Lab1:

[Diagram: Lab 1 architecture]

Perform the following steps in your Cloud Shell console to create your environment.

  1. Clone the GitHub repo: git clone https://github.com/FortinetCloudCSE/FortiWeb-Azure-ZTNA-FortiSoar
  2. Change into the FortiWeb-Azure-ZTNA-FortiSoar/terraform directory
  3. Run terraform init
git clone https://github.com/FortinetCloudCSE/FortiWeb-Azure-ZTNA-FortiSoar
cd FortiWeb-Azure-ZTNA-FortiSoar/terraform
terraform init


  1. Set the Terraform environment variables (the values are in the dedicated e-mail sent to you by the organizers):

    1. export TF_VAR_fortiflex_api_user='<api_user_sent_in_email>'
    2. export TF_VAR_fortiflex_api_password='<api_password_sent_in_email>'
  2. Run terraform apply -var='username=UserXX' --auto-approve

    Your username can be found in the login email.
    If your Azure account login is fweb11@ftntxxxxx.onmicrosoft.com, your username is fweb11.

    These are FortiFlex API credentials: the export lines are recorded in your Cloud Shell history, and the state file written by terraform apply (terraform.tfstate in this directory) stores resource attributes and outputs, including passwords, in plaintext. Treat both accordingly.

export TF_VAR_fortiflex_api_user='<api_user_sent_in_email>'
export TF_VAR_fortiflex_api_password='<api_password_sent_in_email>'
terraform apply  -var='username=UserXX' --auto-approve


  1. The Terraform deployment takes at least 25-30 minutes to complete. Copy the output once the deployment has succeeded; you can print it again later with terraform output from the same directory.

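The task list for this chapter includes “Verify Terraform” but the workshop does not show how. As an added example (not part of the original workshop or its repository), the script below reads the JSON form of the Terraform output, checks that the outputs the later chapters refer to are present, and prints the connection points without echoing secrets, so you have a safe record to keep instead of a raw copy of the output. The output names (all_username, all_password, fortiweb_pip, windows_client_pip, webserver_public_ip, forticlient_ems_server_public_ip) are taken from the workshop text; whether the repository marks all_password as sensitive is an assumption, so the script also redacts by name. The sample JSON is constructed.

```python
import json
import sys

# Output names the workshop text refers to when it says "see the Terraform output".
# That the repository's outputs.tf uses exactly these names is an assumption.
REQUIRED_OUTPUTS = (
    "all_username",
    "all_password",
    "fortiweb_pip",
    "windows_client_pip",
    "webserver_public_ip",
    "forticlient_ems_server_public_ip",
)

# Constructed sample of `terraform output -json` (not a real deployment).
# forticlient_ems_server_public_ip is deliberately missing so the check fires.
SAMPLE_OUTPUT_JSON = json.dumps({
    "all_username": {"sensitive": False, "type": "string", "value": "fwebadmin"},
    "all_password": {"sensitive": True, "type": "string", "value": "Sup3rSecret!"},
    "fortiweb_pip": {"sensitive": False, "type": "string", "value": "203.0.113.10"},
    "windows_client_pip": {"sensitive": False, "type": "string", "value": "203.0.113.11"},
    "webserver_public_ip": {"sensitive": False, "type": "string", "value": "203.0.113.12"},
})


def load_outputs(text):
    """Flatten `terraform output -json` into {name: (value, sensitive_flag)}."""
    raw = json.loads(text)
    return {
        name: (entry.get("value"), bool(entry.get("sensitive", False)))
        for name, entry in raw.items()
    }


def missing_outputs(outputs, required=REQUIRED_OUTPUTS):
    """Names the later chapters need that the deployment did not produce."""
    return sorted(name for name in required if name not in outputs)


def redacted_view(outputs):
    """Values that are safe to paste into notes. Terraform's own sensitive flag is
    honoured, and any output whose name mentions a password is redacted as well,
    in case the repository did not flag it."""
    return {
        name: "<redacted>" if sensitive or "password" in name.lower() else value
        for name, (value, sensitive) in outputs.items()
    }


def access_checklist(outputs):
    """Where each lab component is reached, as the workshop text describes."""
    values = {name: value for name, (value, _) in outputs.items()}
    items = (
        ("FortiWeb GUI", "fortiweb_pip", "https://{}:8443"),
        ("Windows 10 client", "windows_client_pip", "RDP to {}"),
        ("FortiClient EMS server", "forticlient_ems_server_public_ip", "RDP to {}"),
        ("Web server", "webserver_public_ip", "SSH to {}"),
    )
    lines = []
    for label, key, fmt in items:
        target = fmt.format(values[key]) if key in values else f"output {key} missing"
        lines.append(f"{label}: {target}")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT_JSON
    outputs = load_outputs(text)
    for name, value in sorted(redacted_view(outputs).items()):
        print(f"{name} = {value}")
    print()
    for line in access_checklist(outputs):
        print(line)
    missing = missing_outputs(outputs)
    if missing:
        print("\nMISSING OUTPUTS:", ", ".join(missing))
        sys.exit(1)
```

In the terraform directory run terraform output -json > outputs.json and then python3 check_outputs.py outputs.json; with no argument the script runs against the embedded sample and exits non-zero because one output is missing.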

Chapter 2 - Basic Setup

Basic Setup

  1. Licensing EMS
  2. Licensing FortiWeb
  3. Create a Fabric Connector on FortiWeb for EMS
  4. Create ZTNA tags on EMS

Subsections of Chapter 2 - Basic Setup

Task 1 - EMS Setup

1. EMS Setup and licensing

  1. RDP to the EMS Server IP address (Terraform output) using the all_username and all_password credentials.


  2. FortiClient EMS is already installed on the Windows Server.


  3. Double-click to open FortiClient EMS. On the first login the username is admin and the password is blank. Click Sign in.


  4. Set a new password here. Note this password, as you will use it to sign in to EMS.


  5. FortiClient EMS is not yet licensed; we need to upload the BYOL license. The license is provided by email by the Cloud CSE team. If you have not received one, you can request a FortiClient EMS license through ITF with SKU FC1-10-EMS04-429-01-12.


  6. To activate the license, copy the hardware ID from EMS System » Dashboard » Status.


  7. Log in to https://support.fortinet.com and register the asset with the hardware ID, then download the license file.

    1. Paste the registration code from the license document and click Next
    2. Paste the hardware ID from EMS and click Register


  8. On EMS Dashboard » Status, log in with the FortiCloud account under which the license is registered.


2. Updating the EMS server certificate

  1. On EMS, we see “SSL Certificate is not Secure” at the top.


  2. To upload a certificate to EMS, navigate to System Settings » EMS Server Certificates » Add. On the Upload PKCS12 tab, browse to the certificate on the Desktop.


  3. On the Desktop there is a folder called ems_ssl_certificates; upload the EMS_Demo_Server certificate. The password for the certificate is password (all lower case).


  4. In System Settings » EMS Settings, select the newly uploaded certificate as the Web Server certificate, also enable “Use Web Server certificate for Endpoint Control”, and click Save.


  5. On EMS, in Endpoint Policy & Components » CA Certificates, upload the CA certificate from the ems_ssl_certificates folder on the Desktop.


  6. The banner at the top should now show that the EMS certificate is SSL secure.


Task 2 - FortiWeb Setup

Licensing FortiWeb

  1. Log in to FortiWeb at https://<fortiweb_pip>:8443. The fortiweb_pip address can be found in the Terraform output. Use all_username and all_password as the login credentials.


  1. To license FortiWeb, check your email; the license has already been provided. After the license is uploaded, FortiWeb will reboot.


It’s a good idea to get some coffee while it is rebooting ;)

  1. After FortiWeb is back up, go to System » Config » Feature Visibility and enable the ZTNA and Firewall features.


Task 3 - Connect FortiWeb to EMS

Connect FortiWeb to EMS

  1. To connect FortiWeb to EMS, go to Security Fabric » Fabric Connectors » FortiClient EMS


  2. Enter the IP and Port for FortiWeb to connect to FortiClient EMS, click OK.


  3. You will see a certificate warning for the connection to EMS. Click OK to accept it for the lab. (Outside the lab, import the CA of the EMS server certificate into FortiWeb rather than accepting an unverified certificate.)


  4. Log in to FortiClient EMS and, in Administration » Fabric Devices, authorize the FortiWeb.


  5. Once authorized, we should see that the connection is up on FortiWeb.


Task 4 - ZTNA tags creation

Creating ZTNA tags on FortiEMS

We need to create ZTNA tags to tag the endpoints that connect to EMS through FortiClient. These tags sync to FortiWeb and can be used in ZTNA rules.

  1. To create tags, on FortiClient EMS navigate to Zero Trust Tags » Zero Trust Tagging rule » Add.


  2. Enter name: windowsclient, tag endpoint as: windows (press Enter to create the new tag), and click Add Rule


  3. In the rule, select Windows as the OS type and add the Windows version as shown below.


  4. Repeat the same steps for Linux.


  5. Also create another tag for a vulnerable Windows device as shown below.


  6. By default, ZTNA tags are not shown on the endpoint when it connects to Zero Trust telemetry. For ZTNA tags to be visible in FortiClient, you need to enable this in FortiClient EMS.

On FortiClient EMS » Endpoint Profiles » System Settings » Advanced, enable “Show Zero Trust Tag on FortiClient GUI”.

Chapter 3 - ZTNA North-South

North-South ZTNA traffic

  1. Set up FortiWeb Policy
  2. Set up ZTNA policy on FortiWeb
  3. Test ZTNA North-South access.

Subsections of Chapter 3 - ZTNA North-South

Task 1 - FortiWeb Policy setup

FortiWeb Policy setup

  1. Before creating ZTNA profiles and tags, we need to create a server policy on FortiWeb. A server policy requires a server pool, so set that up first.

    In Server Objects » Server Pool » Create new » Enter as shown below » Click OK


  2. Click Create New to add a server to the server pool as shown below.


  3. Now create a Virtual Server: Server Objects » Virtual Server » Create New » click OK


Configure the virtual server to listen on the port1 IP address.

  1. Create a CA group in Server Objects » Certificates » CA Group


  2. Create a new CA group named FCTEMS and click OK.


  3. Select Type CA and select the FCTEMSXXXXXXX certificate (the EMS CA that signs the client certificates FortiClient presents for ZTNA) as the CA, then click OK.


  4. Create a Server policy , in Policy » Server Policy » Create New as shown below.


  1. For Server Pool and Virtual Server select the objects you created in steps 2 and 3. For HTTPS Service select HTTPS


  1. Click Advanced SSL Settings. For Certificate Verification for HTTPS, click Create New:


  2. In the New Certificate Verify tab, select the FCTEMS CA group you created earlier. Finally click OK on the server policy.


ZTNA Policies on FortiWeb

  1. Before setting up FortiWeb ZTNA rules, check that the ZTNA tags have synced from FortiClient EMS to FortiWeb. On FortiWeb navigate to ZTNA » ZTNA Profile » ZTNA Tags. You might have to scroll to the end to see the tags created in the earlier step.


  2. Create a ZTNA rule for access to the web server. Click OK.


  3. Click Add Condition, select Type: ZTNA Tag, select windows from the tag list, set Match condition: Any, and click OK.


  1. In ZTNA Profile, create a ZTNA profile named WebServerAccess and set the Default Action to Alert & Deny. Click OK. With this default, any client that matches no rule, including a machine with no FortiClient registered to EMS, is denied.


  2. Under ZTNA Profile Member » Create New, add the rule you created above.


  3. Now go back to Policy » Server Policy and edit the existing policy.

    Scroll down to ZTNA Profile, assign the profile created in the previous step and click Save.


Task 2 - Verify North-South Traffic

Test ZTNA North-South Inspection

  1. To test N-S access, RDP to the Windows 10 client (the windows_client_pip address is in the Terraform output)

  2. On the Windows 10 VM, FortiClient is already installed. Double-click FortiClient and click Zero Trust Telemetry.


  3. In Zero Trust Telemetry, enter the IP of your EMS server (the Windows Server) and click Connect


  4. Once FortiClient (FCT) is connected to EMS, you should see the windows tag assigned to it.


  5. Open a browser on the Windows client and go to https://10.0.0.4, or to the public IP address of FortiWeb, which is NAT’d to port1. Remember that the virtual server we created listens on port1 of FortiWeb with IP 10.0.0.4.


  1. You can also reach the API documentation at https://10.0.0.4/docs


  1. Repeat the same step from your local machine. You should not be able to reach the FastAPI web page, since your machine is not connected to FortiClient EMS: it carries no ZTNA tag, so no rule matches and the profile’s default action (Alert & Deny) applies.


Chapter 4 - Microsegmentation

East-West ZTNA microsegmentation

  1. Setup E-W ZTNA microsegmentation.

Subsections of Chapter 4 - Microsegmentation

Task 1 - East-West ZTNA traffic

East-West inspection

  1. Now that the server policy is set up, we need to edit the ZTNA profile to microsegment the trusted network using ZTNA. Also, since FortiWeb includes a firewall, we will use a firewall policy to restrict traffic between the trusted networks.

  2. Let’s create a static route to reach the internal VNet through port2, in Network » Route » Static Route.


  1. Also let’s create a firewall policy. In System » Firewall » Firewall Policy » Firewall Service:

    1. Create a service for ICMP.

    2. Create another service named all, leaving everything at its default.

  2. To create the firewall policy, set the default action to “Accept” and create policies as shown below to deny ICMP traffic and all port1-to-port2 traffic. Policies are matched top to bottom and the first match wins; anything that matches no policy falls through to the default action.


  3. SSH to the webserver_public_ip and register it to FortiClient EMS with the command below. The forticlient_ems_server_public_ip can be found in the Terraform output.

    Once registered you should see the WebServer and APIServer in the FortiClient EMS Endpoints module.

    forticlient epctrl register "<forticlient_ems_server_public_ip>"


  4. Now in the ZTNA profile, update the ZTNA rule you created earlier to add the linux tag.


  5. The Linux VM is now connected to EMS. You can check the endpoints connected to EMS.


  6. Now SSH to the other trusted Linux VM (its IP address is in the Terraform output) to reach the API server. Once logged in, run the commands below.

    curl --insecure https://10.0.0.4

    curl --insecure https://10.0.0.4/docs

You should see a hello world response from the first command and the Swagger HTML from /docs.


  1. Now try the same against the trusted server directly.

    curl --insecure https://10.0.1.5

    curl --insecure https://10.0.1.5/docs
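To make the firewall-policy step in this task concrete, here is an added example (an illustrative model, not FortiWeb’s own code) of how a first-match policy table like the one configured above behaves: the two deny policies (ICMP, then all port1-to-port2 traffic) followed by the default action Accept. It also lists the interface directions that fall through to the permissive default, so you can check whether, for instance, port2-to-port1 being allowed is what you intended. The model covers only traffic routed between port1 and port2; connections that terminate on the virtual server are governed by the server policy and ZTNA profile, not by this table. The interface names and the HTTPS service used for the probe flows are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_if: str            # ingress interface, e.g. "port1"
    dst_if: str            # egress interface, e.g. "port2"
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str    # "any" or an interface name
    dst_if: str    # "any" or an interface name
    service: str   # key into SERVICES
    action: str    # "accept" or "deny"


# Service objects: ICMP and "all" as created in the lab, plus HTTPS (assumed) for probe flows.
SERVICES = {
    "ICMP": lambda f: f.proto == "icmp",
    "all": lambda f: True,
    "HTTPS": lambda f: f.proto == "tcp" and f.dport == 443,
}

# The lab's table as described in the text: deny ICMP, then deny everything else
# from port1 to port2, with the policy default set to accept.
LAB_RULES = [
    Rule("deny-icmp", "port1", "port2", "ICMP", "deny"),
    Rule("deny-port1-to-port2", "port1", "port2", "all", "deny"),
]
DEFAULT_ACTION = "accept"


def evaluate(flow, rules=LAB_RULES, default=DEFAULT_ACTION):
    """First-match evaluation, top to bottom. Returns (action, name of the deciding rule)."""
    for rule in rules:
        if rule.src_if not in ("any", flow.src_if):
            continue
        if rule.dst_if not in ("any", flow.dst_if):
            continue
        if not SERVICES[rule.service](flow):
            continue
        return rule.action, rule.name
    return default, "default"


def uncovered_pairs(rules, interfaces, default=DEFAULT_ACTION):
    """With a permissive default, report the interface directions where a plain TCP
    flow reaches no deny rule and is therefore accepted by fall-through."""
    if default != "accept":
        return []
    pairs = []
    for src in interfaces:
        for dst in interfaces:
            if src == dst:
                continue
            action, _ = evaluate(Flow(src, dst, "tcp", 443), rules, default)
            if action == "accept":
                pairs.append((src, dst))
    return pairs


if __name__ == "__main__":
    probes = [
        Flow("port1", "port2", "icmp", None),   # ping from the untrusted side
        Flow("port1", "port2", "tcp", 443),     # HTTPS straight into the trusted VNet
        Flow("port2", "port1", "tcp", 443),     # reverse direction
    ]
    for flow in probes:
        print(flow, "->", evaluate(flow))
    print("accepted by default:", uncovered_pairs(LAB_RULES, ["port1", "port2"]))
```

Reversing the two lab rules does not change any verdict, because both deny, but the ICMP policy would then never match and its counters and logs would stay empty; in a table that mixes accept and deny policies the order decides the outcome.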

LAB - 2

Lab Architecture Diagram

This diagram provides a high-level overview of the deployed systems and their internal IP addresses. FortiSOAR is deployed as a Management Extension on the FortiAnalyzer VM.

[Diagram: Lab 2 architecture]

Chapter 5 - FortiAnalyzer and FortiSOAR

Introduction

In this lab, we will begin by providing a brief introduction to FortiSOAR. FortiSOAR is a comprehensive Security Orchestration, Automation, and Response (SOAR) platform. It offers a centralized and integrated solution for managing security incidents, automating response actions, and streamlining security operations.

After familiarizing ourselves with FortiSOAR, we will proceed with a series of initial steps to get acquainted with the platform’s interface and functionalities. This will help you gain a better understanding of how FortiSOAR operates and how it can be utilized in real-world scenarios.

Once we have covered the foundational aspects of FortiSOAR, we will move on to the core focus of this lab: developing your own playbook to respond to an incident reported by FortiClient EMS.

By combining the knowledge and skills acquired from previous labs, specifically the Zero Trust Network Access (ZTNA) lab with FortiWeb, you will create a playbook tailored to react efficiently to the incident. This will involve integrating the insights gained from the ZTNA lab, where you explored the secure access capabilities of FortiWeb.

During the playbook development process, you will leverage FortiSOAR’s capabilities to automate response actions based on predefined conditions and triggers. These actions may include gathering additional information, analyzing the incident’s severity, identifying affected endpoints, and implementing appropriate remediation measures.

By the end of this lab, you will have hands-on experience in utilizing FortiSOAR’s features to create a customized playbook that combines the knowledge obtained from previous labs, particularly the ZTNA lab with FortiWeb. This exercise will help you understand the practical application of FortiSOAR in incident response and further enhance your proficiency in leveraging security automation tools.

Overview

This lab is built as an extension of the previous lab (ZTNA with FortiWeb). FortiAnalyzer and FortiSOAR are introduced as the tools used to solve the upcoming task.

There is no need to apply any additional setup steps, as the infrastructure was already deployed at the beginning of the previous lab.

A similar scenario is shown in the following video by the Product Manager of FortiSOAR. In this video, malicious traffic is detected from a specific workstation. With the help of FortiSOAR and its ML engine, the SOC analyst is provided with quick actions and additional information that help quarantine the client and mitigate the issue within seconds.

Subsections of Chapter 5 - FortiAnalyzer and FortiSOAR

Task 1 - Preparation of FortiAnalyzer and FortiWeb

Prepare FortiAnalyzer and FortiWeb for the Lab

This chapter covers the steps needed to set up log shipping from FortiWeb to FortiAnalyzer and event monitoring in FortiAnalyzer. Make sure you have completed this section before moving on!

FortiWeb Preparations

  1. Log in to FortiWeb with the given credentials


  1. In the left-hand menu, go to Log&Report » Log Policy » FortiAnalyzer Policy


  1. Select Create New at the top left to open the configuration wizard


  1. Provide a meaningful name for the policy and click OK to save


  1. After the policy has been saved, click Create New to add a new entry to the policy
  2. Enter the IP address of FortiAnalyzer into the corresponding field, then click OK to add the entry


  1. Check that the new entry was added successfully, then click OK again to make sure everything is saved.


  1. In the left-hand menu, go to Log&Report » Log Config » Global Log Settings


  1. Enable FortiAnalyzer and select the previously configured FortiAnalyzer policy


  1. Click Apply at the bottom of the page to save the configuration.

  2. To enable traffic logging, open the built-in CLI by clicking the >_ symbol at the top right


  1. Execute the following commands
config log traffic-log
set status enable
end
  1. Logging from FortiWeb to FortiAnalyzer is now enabled. Proceed with the configuration of FortiAnalyzer

FortiAnalyzer Preparations

  1. Login to FortiAnalyzer with the given Credentials


  1. Go to Device Manager and click Add Device to add FortiWeb


  1. Provide the following information, then click Next to proceed with the configuration.

    • Name: FortiWeb
    • Serial Number: (this can be found on the FortiWeb dashboard)


    1. Wait until the device has been added successfully, then click Finish to close the wizard.


    1. To finalize the FortiWeb configuration, select the entry in the device table and click Edit


    1. Update the admin user and password with the given credentials, then click OK to save.


    1. For security events to be fed into FortiSOAR, events need to be generated in the FortiAnalyzer Event Monitor. This requires a so-called handler. The handler for FortiWeb is disabled by default and needs to be enabled: go to Incidents & Events » Handlers


    1. Select the Basic Handlers tab, then use the search field at the top right to search for FWB


    1. Right-click the search result and click Enable to activate the handler.


    1. Check that the status changes from disabled to enabled (green checkmark)


    1. As soon as FortiWeb detects an attack, a new event entry is added. See the following example:


    Make sure that a Web Protection Profile is applied in the configured FortiWeb server policy; the attack logs that feed the handler come from that profile’s protection features. The default profiles provided by FortiWeb are more than enough for this lab.


  2. Congratulations, you are done with the preparations. Continue to the next section of the lab.
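Lab 2 quarantines a client based on malicious traffic, and the preparation above makes FortiWeb attack logs the source of those events. As an added example (not part of the workshop and not FortiSOAR code), the script below shows the detection side of such a playbook as code: it parses FortiWeb-style key=value attack logs, aggregates a severity-weighted score per source IP, and returns the sources that cross a quarantine threshold. The remaining playbook step, calling the FortiClient EMS connector to quarantine the host, is not shown because the page does not detail it. The log lines are constructed, the field names follow FortiWeb’s attack-log format as assumed here, and the weights and threshold are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiWeb's key=value attack-log style. The field
# names (type, sub_type, severity_level, src, ...) follow the FortiWeb log format
# as assumed for this example; this is not a real capture.
SAMPLE_LOGS = """\
date=2025-05-22 time=10:01:02 type=attack pri=alert main_type="Signature Detection" sub_type="SQL Injection" severity_level=High action=Alert src=10.0.2.4 dst=10.0.0.4 http_method=get http_url="/docs?id=1%27%20OR%201%3D1" http_host="10.0.0.4"
date=2025-05-22 time=10:01:05 type=attack pri=alert main_type="Signature Detection" sub_type="Cross Site Scripting" severity_level=High action=Alert src=10.0.2.4 dst=10.0.0.4 http_method=get http_url="/?q=%3Cscript%3E" http_host="10.0.0.4"
date=2025-05-22 time=10:01:09 type=attack pri=alert main_type="Signature Detection" sub_type="SQL Injection" severity_level=Medium action=Alert src=10.0.2.4 dst=10.0.0.4 http_method=get http_url="/docs?id=2%20UNION%20SELECT" http_host="10.0.0.4"
date=2025-05-22 time=10:02:00 type=attack pri=alert main_type="Signature Detection" sub_type="Cross Site Scripting" severity_level=Low action=Alert src=10.0.2.9 dst=10.0.0.4 http_method=get http_url="/?q=test" http_host="10.0.0.4"
date=2025-05-22 time=10:02:30 type=traffic pri=notice action=Pass src=10.0.2.4 dst=10.0.0.4 http_method=get http_url="/" http_host="10.0.0.4"
"""

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}  # illustrative weights
QUARANTINE_THRESHOLD = 5                                # illustrative threshold


def parse_kv_line(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_attack_logs(text):
    """Keep only type=attack records; traffic and event logs are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_kv_line(line)
        if record.get("type") == "attack":
            events.append(record)
    return events


def score_sources(events):
    """Per-source aggregate: weighted score, event count and distinct attack types."""
    scores = defaultdict(lambda: {"score": 0, "count": 0, "attacks": set()})
    for event in events:
        src = event.get("src")
        if not src:
            continue
        entry = scores[src]
        entry["score"] += SEVERITY_WEIGHT.get(event.get("severity_level"), 1)
        entry["count"] += 1
        entry["attacks"].add(event.get("sub_type", "unknown"))
    return dict(scores)


def quarantine_candidates(events, threshold=QUARANTINE_THRESHOLD):
    """Source IPs whose score reaches the threshold, highest score first."""
    scores = score_sources(events)
    hits = [(src, s["score"]) for src, s in scores.items() if s["score"] >= threshold]
    return [src for src, _ in sorted(hits, key=lambda item: (-item[1], item[0]))]


if __name__ == "__main__":
    events = parse_attack_logs(SAMPLE_LOGS)
    for src, s in sorted(score_sources(events).items()):
        print(f"{src}: score={s['score']} events={s['count']} types={sorted(s['attacks'])}")
    print("quarantine:", quarantine_candidates(events))
```

The score is keyed on src because that is what the EMS side can act on: the playbook still has to map the address to an endpoint registered in FortiClient EMS before it can quarantine it, and a source behind NAT or a shared proxy will score on behalf of every host behind it, which is why the threshold should be reviewed rather than set once.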

Chapter 6 - FortiSOAR Overview

  1. Introduction to FortiSOAR
  2. FortiSOAR Content Hub & Connectors

Subsections of Chapter 6 - FortiSOAR Overview

Task 1 - Introduction to FortiSOAR

How to Connect to FortiSOAR Webinterface

  1. Open the URL of FortiAnalyzer, using the Public IP Address (e.g. https://20.234.157.6)
  2. Login into FortiAnalyzer with the provided lab credentials


  1. In the FortiAnalyzer setup wizard, click Next, then keep the default hostname and click Next again.


  1. Click on Finish to complete the Setup


  1. At the left side menu, select Management Extension


  1. If not automatically selected, click FortiSOAR to access the FortiSOAR web interface. If not already done, accept the Terms of Service by scrolling to the bottom of the embedded page and clicking Accept


  1. The FortiSOAR dashboard page should now be visible in an iframe


  1. Congratulations, you have successfully logged into FortiSOAR. Proceed with the next Chapter.

Install Licenses into FortiSOAR

By default, FortiSOAR comes with a limited perpetual license. This license does not expire, but it restricts the number of users and the number of actions that can be performed in FortiSOAR per day. By default this is an “Enterprise” type license, restricted to 2 users and a maximum of 300 actions a day.

  1. Within the FortiSOAR WebUI, select the Gear icon at the top right.


  1. In the System Configuration, goto the License manager


  1. Copy the Device UUID and enter it in the Support Portal to be able to download the license file.


  1. Upload the license file via Update License
  2. Drag’n Drop / Select the license file, then click on Install License File


  1. Confirm the Installation of the new license


If you receive an error like the one below, wait a few minutes and repeat the step


  1. Validate that the new license has been installed correctly


Incident and Alarm Handling in FortiSOAR

Incident and alarm handling are crucial components of any security operation. When security incidents occur or alarms are triggered, it is essential to have a systematic and efficient approach to address them. FortiSOAR provides a centralized platform to manage and handle incidents and alarms effectively.

With FortiSOAR, security incidents and alarms from different security devices and systems, such as FortiWeb and FortiClient EMS, can be consolidated and correlated in a single dashboard. This consolidation allows security teams to gain a comprehensive view of the security landscape, enabling faster and more accurate incident response.

FortiSOAR automates the initial triage and categorization of incidents and alarms, reducing the manual effort required. It applies predefined playbooks or workflows to incidents based on their severity, type, or other criteria. Playbooks consist of a series of automated actions, such as gathering additional information, enrichment, containment, and remediation. By automating these repetitive and time-consuming tasks, FortiSOAR enables security teams to focus on more critical and strategic activities.

More Information can be found in the FortiSOAR User Guide - Working with Modules - Alerts & Incidents

How to access the Alarms & Incident section

  1. Expand the sidebar menu by clicking the arrow at the top left


  1. Select Incident Response » Alerts to access the received alerts and events


This section is empty at the moment. The further we get in the lab, the more alerts will show up.

  1. The Incidents can be found in the same menu right after the Alerts


Incidents are usually a group of multiple events and can contain multiple Alerts and Indicators.

Task 2 - FortiSOAR Content Hub

FortiSOAR Content Hub & Connectors

Content Hub is a vital component of FortiSOAR that provides a centralized repository of pre-built playbooks, scripts, and integrations. It serves as a knowledge base and resource center for security operations, allowing teams to leverage existing content and collaborate effectively.

Content Hub offers a vast collection of pre-defined playbooks created by Fortinet’s experts and the broader cybersecurity community. These playbooks cover a wide range of use cases, including incident response, threat hunting, vulnerability management, and compliance. By utilizing these pre-built playbooks, security teams can accelerate their response times and ensure consistency in their incident handling processes.

In addition to playbooks, Content Hub provides access to a variety of integration connectors. These connectors allow FortiSOAR to connect and interact with different security tools, such as FortiWeb and FortiClient EMS, as well as third-party solutions. This seamless integration capability ensures that incidents and alarms from various sources can be ingested, analyzed, and responded to from a single platform.

Furthermore, Content Hub enables collaboration and knowledge sharing among security professionals. It allows users to contribute their playbooks, scripts, and integrations to the community, fostering a vibrant ecosystem of security automation. This collaborative approach encourages the exchange of best practices and empowers security teams to continually improve their incident response capabilities.

More Information can be found in the FortiSOAR User Guide - Content Hub

How to access the Content Hub

  1. If not already done, expand the sidebar menu by clicking on the arrow at the top left. (screenshot image-20230703165828637)

  2. Select Content Hub. (screenshot image-20230703171703304)

  3. A new view is populated. It lets you search and filter for Connectors, Solution Packs and Widgets that extend FortiSOAR. (screenshot image-20230703172016548)

The same information can also be found on the FortiSOAR Content Hub web page.

Install FortiAnalyzer Connector

  1. Search for FortiAnalyzer in the search bar. (screenshot image-20230703172215245)

  2. Select the Fortinet FortiAnalyzer Connector. A new overlay window appears which provides more details and the ability to install the connector. (screenshot image-20230703173030364)

  3. To install the selected Connector, click on Install at the bottom left of the popup.

  4. To start the installation, click on Confirm. (screenshot image-20230703173355701)

  5. Wait until the Connector installation has completed. (screenshot image-20230703173455643)

  6. After the successful installation, the view automatically returns to the Connector popup, which now provides additional configuration fields. (screenshot image-20230703174209489)

  7. Add a new configuration with the information shown on the screenshot. Adjust the values to fit the information provided for the lab.

(screenshot image-20230703175746414)

Note: Please uncheck the Verify SSL option, as the lab is using a self-signed certificate. This is a lab-only shortcut: with verification off, FortiSOAR accepts any certificate presented on the FortiAnalyzer API connection, so in a production deployment keep Verify SSL enabled and give FortiAnalyzer a certificate whose issuing CA FortiSOAR trusts.

  8. Click on Save and validate that all steps of the configuration verification, including the Health check, are successful. (screenshot image-20230703175926590)

  9. Close the configuration popup.

  10. The installed Connector can be viewed in the Manage tab. (screenshot image-20230703180909705)

Setup FortiAnalyzer Data Ingestion

Connectors in FortiSOAR can be used to take actions or to ingest data into FortiSOAR, such as Assets, Events or Indicators. Some Connectors, for example the FortiAnalyzer Connector, allow both: they can ingest data and take actions such as Run Report or List Log Fields. These actions can be used within a playbook to "do something". We will have a closer look at Playbooks and how Connectors can be used in them in the next chapter.

  • To view the predefined actions of a Connector, select the Actions & Playbooks tab after you have selected a Connector. (screenshot image-20230704123319431)

To configure the data ingestion from FortiAnalyzer, for example to feed events generated by FortiClient EMS into FortiSOAR, take the following steps:

  1. In the FortiSOAR menu sidebar, go to Content Hub and select the Manage tab. (screenshot image-20230704124704695)

  2. In the search bar, type FortiAnalyzer. (screenshot image-20230704124749201)

  3. Select the FortiAnalyzer Connector and click on Configure Data Ingestion at the right side of the window. (screenshot imagesoar4.jpg)

  4. A new overlay popup appears. Click on Let's start by fetching some data to start the configuration process. (screenshot image-20230704125148880)

  5. To configure the field mappings with example data, adjust the default value as shown below and continue by clicking on FETCH DATA at the bottom right corner. (screenshot image-20230704125516762)

  6. Keep the default field mappings and continue with the configuration by clicking on the button at the bottom right corner. (screenshot image-20230704133122563)

  7. In this lab we will trigger the ingestion manually, as the lab uses an unlicensed version of FortiSOAR. This is limited to 300 actions per day, which also includes data ingestion. In a production environment a schedule would be configured to ingest the data automatically and add the alerts to FortiSOAR. (screenshot image-20230704133312839)

  8. Finish the configuration of the data ingestion by clicking on Save Settings & Continue at the bottom right corner. (screenshot image-20230704133628624)

  9. Click OK at the bottom right of the screen to close the popup.

  10. Close the Connector configuration wizard popup.

  11. To ingest the events manually, go to Automation - Data Ingestion in the left side menu. (screenshot image-20230704133837765)

  12. An overview of all available Connectors which allow data ingestion appears. (screenshot image-20230704133915122)

  13. By selecting the Fortinet FortiAnalyzer entry, an overview of the available configurations appears. Select Trigger Ingestion Now at the right to feed in the available events and alerts. (screenshot imagesoar5.jpg)

  14. A banner at the top of the page appears which confirms that the ingestion is running.

  15. To view the results, switch to the Incident Response - Alerts section and watch the events being added to FortiSOAR. (screenshot image-20230704134318202)

(screenshot image-20230704134544254)

Install FortiClient EMS Connector

  1. In the Content Hub menu, go back to the Discover tab and search for FortiClient EMS. (screenshot image-20230703182044327)

  2. Select the Connector and install it, if not already done.

  3. Set up a new configuration as shown below. Adjust the values to fit the information provided for the lab. (screenshot image-20230703182857999)

  4. Click on Save and validate that all steps of the configuration verification, including the Health check, are successful. (screenshot image-20230703183009036)

Chapter 7 - FortiSOAR Playbooks

Introduction to FortiSOAR Playbooks

Playbooks play a pivotal role in security orchestration and automation, and FortiSOAR stands out by providing a comprehensive library of pre-built playbooks delivered by default. These playbooks, designed by Fortinet’s cybersecurity experts, offer a significant advantage compared to other competitors in the market.

The default playbooks provided by FortiSOAR serve as a robust foundation for organizations to establish efficient and effective incident response workflows. These playbooks cover a wide range of security scenarios, including malware detection and response, phishing incidents, network intrusions, and more. They encapsulate industry best practices and incorporate Fortinet’s extensive threat intelligence, ensuring that organizations have access to the latest and most effective incident response methodologies.

By leveraging these pre-built playbooks, security teams can significantly accelerate their incident response processes. Rather than starting from scratch, they can quickly customize and adapt the provided playbooks to align with their specific organizational requirements. This saves valuable time and resources, allowing security teams to respond promptly and effectively to security incidents.

More Information can be found in the FortiSOAR Playbooks Guide

Subsections of Chapter 7 - FortiSOAR Playbooks

Task 1 - Create your own Playbook

Playbook Editor

To start with the creation of a new Playbook, take the following Steps:

  1. Go to Automation - Playbooks.

(screenshot image-20230709104331292)

  2. Choose any Collection you want (for example the 01 - Drafts Collection), then click on + Add Playbook. (screenshot imagesoar6)

  3. Provide a name for the Playbook, keep the default values and then click on Create.

(screenshot image-20230709104626775)

  4. The Playbook Editor is now open and ready to use.

Every Playbook has to start with a Trigger Step. This could be Manual if you do not want it executed automatically; if, for example, the Playbook should run whenever a new Alert is created, choose the On Create trigger.

For more information about the Trigger Step, please have a look at the FortiSOAR Playbook Development Guide.

(screenshot image-20230709104917793)

After selecting a Trigger, the Name and the Execution Behaviour (Scope) need to be defined. For example, if the Playbook is used to react to an Alert, the Alerts module would be selected. Multiple selections are possible if the Playbook can also be used for other modules.

In my case, I do not require any input to run, but the Playbook should only be usable in the Alerts module. (screenshot image-20230709115825816)

When done with the configuration of the Step, select Save at the bottom left of the pop-up.

Now we have added our first Playbook Step - good job!

Before we execute our Playbook to validate its functionality, change the Mode to DEBUG. This is important: by default the INFO mode only tells us whether the Playbook run was successful or not. This saves space within the database by not filling it with unnecessary runtime details. During development, however, we want to see which value or output each variable and Step has, to make troubleshooting easier. Switch back to INFO once the Playbook is finished, as DEBUG keeps the full input and output of every Step in the database, including any alert data the Playbook handled.

Within the Playbook Editor, click on INFO at the top right corner.

(screenshot image-20230709110007812)

Select DEBUG from the dropdown menu and click on Apply.

(screenshot image-20230709110036066)

To execute a Playbook, click on the "Play" button at the top right of the Playbook Editor.

(screenshot imagesoar7)

Don't forget to press the Save Playbook button regularly so you do not lose your work. Saving is also required before a Playbook can be executed.

Let's continue adding some Steps to our Playbook in the next section.

Playbook Steps

To add a new Step, drag and drop any highlighted connector point to add a new Step.

(screenshot image-20230709113830109)

At the left side, a new pop-up appears which allows you to choose the type of the new Step.

(screenshot image-20230709113928252)

Depending on what you want to achieve, select the Step. To define a variable, use the Set Variable Step from the Core Steps. If you want to trigger an action, e.g. within FortiClient EMS, or use any available activity of our FortiSOAR Connectors, use the Connector Step from the Execute section, and so on. Find more details about the different Steps and their capabilities in the FortiSOAR Playbook Development Guide.

I will first set a variable as the next Step. After selecting the Set Variable Step, I have to choose a name for the Step and then specify the variable name and its content. As the value, FortiSOAR allows Jinja2 expressions and filters.

To see some examples, select the Functions or the Input/Output tab after you have clicked into the Value field.

(screenshot image-20230709114723285)

(screenshot image-20230709114739015)

In my case I do not have any value I want to reference, so I will just add a string as the value.

(screenshot image-20230709114841278)

Save the Step by clicking on the button at the bottom left.

Let's add another Set Variable Step which will access the previously added variable. For this, we need to provide a name for the Step and a name for the variable.

(screenshot image-20230709115034233)

After clicking into the Value field, you will notice that the previous variable appears on the right under the Input/Output tab.

(screenshot image-20230709115446301)

By selecting the custom variable example, the Jinja2 expression is automatically added as the value.

(screenshot image-20230709115532177)

As an alternative, you can also write {{ vars.example }}

In case the next Step within a Playbook needs values from a previous Step, FortiSOAR offers a very easy way to access them. Just select the corresponding Step within the pop-up menu and follow the tree structure to select the required variable name. (screenshot image-20230711132901386)

Click on Save to save our progress. Also, don't forget to save your Playbook.

The Playbook should now look similar to the following:

(screenshot image-20230709115942319)

Let's run our created Playbook. For this, click on the "Play" button as described above. As no input is required, click on Execute at the bottom left.

(screenshot image-20230709120103177)

The Execution Log appears.

(screenshot image-20230709120126657)

To debug the Playbook Steps, select the Set Variable Step. This allows a closer look at what the input and output of the Step were.

(screenshot image-20230709120258179)

Looking at the second Step, on the Input tab you will see the Jinja2 statement we used to access the variable.

(screenshot image-20230709120351889)

And the result can be viewed on the Output tab.

(screenshot image-20230709120422485)

This was a very simple Playbook, but for now this is everything you need to know to solve the Challenges.

In the next section, you will find some useful Jinja2 expression examples and links which can be very handy.

When the Playbook is done, you can use it e.g. within the Alerts section. For this, just select an existing alert and choose the Execute menu entry at the top, then select the corresponding Playbook you want to execute. (screenshot image-20230711122505908)

Jinja2 Filter and Functions

Fortinet provides a very comprehensive guide which describes all Jinja2 filters and functions in detail: FortiSOAR Jinja2 Filter & Functions

  • access the variable example
{{ vars.example }}
  • access a Step variable whose output is a list (field value1 of the first record)
{{ vars.example[0].value1 }}
  • for loop, with a condition on each item
{% for item in vars.example %}
    {% if item == 'TEST' %}
        Yes
    {% endif %}
{% endfor %}
  • if / elif condition (both numbers are epoch timestamps in milliseconds; the first comparison is true, so the elif branch is never evaluated)
{% if 1485561600000 > 1484092800000 %}
    {{ vars.input.records[0] }}
{% elif 5 == 6 %}
    {{ vars.input.records[0] }}
{% endif %}
  • ipaddr filter, which checks the entries of test_list for valid IP addresses
{{ test_list | ipaddr }}
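The following is an added example and not part of the workshop material or of FortiSOAR's code: it renders expressions of the kind listed above with the jinja2 Python library against a constructed vars context, so a snippet can be checked offline before it is pasted into a Set Variable step. The ipaddr filter is FortiSOAR's own and does not exist in stock Jinja2, so the block registers a local stand-in whose semantics are an assumption (keep the entries of a list that are valid IP addresses). The sample records, their field names (value1, ip, records, name) and the typo'd vars.exmaple reference are all made up for this example.

```python
"""Offline check of FortiSOAR-style Jinja2 expressions with the jinja2 library.

Added example, not FortiSOAR's own code or the lab's playbooks. The `vars` context is
constructed below to look like the output of earlier playbook steps, and `ipaddr_filter`
is a local stand-in for FortiSOAR's ipaddr filter (assumption: it returns the valid IP
addresses of a list). Real filter names and semantics are in the FortiSOAR Jinja2 guide.
"""
import ipaddress

from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import UndefinedError


def ipaddr_filter(values):
    """Stand-in for FortiSOAR's ipaddr filter: keep only items that parse as an IP address."""
    if isinstance(values, str):
        values = [values]
    valid = []
    for item in values:
        try:
            ipaddress.ip_address(str(item).strip())
        except ValueError:
            continue  # drop anything that is not an IPv4/IPv6 address
        valid.append(str(item).strip())
    return valid


# StrictUndefined makes a typo such as {{ vars.exmaple }} fail loudly instead of
# silently rendering an empty string, which is the failure mode that hides playbook bugs.
env = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
env.filters["ipaddr"] = ipaddr_filter

# Constructed playbook context: what `vars` might hold after earlier Set Variable and
# Connector steps. Field names are made up for this example.
SAMPLE_VARS = {
    "example": [
        {"value1": "TEST", "ip": "10.0.1.23"},
        {"value1": "other", "ip": "not-an-ip"},
    ],
    "input": {"records": [{"id": 42, "name": "alert-42"}]},
}


def render(expression, variables):
    """Render one expression the way a Set Variable value is rendered: `vars` is the context."""
    return env.from_string(expression).render(vars=variables).strip()


def render_or_error(expression, variables):
    """Return (rendered_text, None), or (None, error_message) when a reference is undefined."""
    try:
        return render(expression, variables), None
    except UndefinedError as exc:
        return None, str(exc)


if __name__ == "__main__":
    checks = [
        "{{ vars.example[0].value1 }}",
        "{% for item in vars.example %}{% if item.value1 == 'TEST' %}Yes{% endif %}{% endfor %}",
        "{% if 1485561600000 > 1484092800000 %}{{ vars.input.records[0].name }}{% elif 5 == 6 %}never{% endif %}",
        "{{ vars.example | map(attribute='ip') | list | ipaddr }}",
        "{{ vars.exmaple }}",  # typo on purpose: StrictUndefined reports it instead of rendering ''
    ]
    for expr in checks:
        print(expr, "=>", render_or_error(expr, SAMPLE_VARS))
```

Run it with python3 after pip install jinja2; the last check shows why StrictUndefined is worth using while developing: a misspelled variable name is reported as an error rather than passed on as an empty value to the next Step.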

Chapter 8 - Challenges

You will be working on two challenges in this section.

  1. Quarantine a client based on malicious activity
  2. Unquarantine the client

Subsections of Chapter 8 - Challenges

Task 1 - Quarantine Client

As the first Task in this lab, you will develop your own Playbook to quarantine a client on FortiClient EMS. Based on the information you have learned in the previous chapter, the Playbook has to accomplish the following tasks:

  • The information about the client needs to be extracted from a security event / alert retrieved from FortiAnalyzer/FortiWeb.

    • To trigger an attack alert, make sure that a Security profile is configured within the FortiWeb Policy. In addition, feel free to use the following string and just append it to the URL to trigger an attack alert:
    ?q=%27%20or%20data%20@>%20%27{"a":"b"}%27%20--
    URL-decoded this reads ?q=' or data @> '{"a":"b"}' -- : a SQL injection test string consisting of a quote that closes the original string literal, an injected OR condition that uses PostgreSQL's JSONB containment operator @>, and a trailing -- comment that discards the rest of the original query. FortiWeb's SQL injection signatures match it, which is what produces the attack log the Playbook will consume.
  • Retrieve more details about the client based on the alert information.

  • Provide an approval wizard before quarantining the client, showing the following information:

    • FortiClient EMS ID
    • Client IP
    • Reason to quarantine
    • OS version
    • FortiClient version
  • Quarantine the client on FortiClient EMS.

  • Don't forget to think about the case that the approval gets rejected.

Hint

In case you use the Get all Endpoints function of the FortiClient EMS Connector, the following values are required:

  • Value for field Verification:
{
  "saml_id": "",
  "ldap_ids": []
}
  • Value for field Filter:
<Specify your filter here - have a look into the example playbook>

Task 2 - Unquarantine client

In the last Task, you developed a Playbook which quarantines a client via FortiClient EMS. As you may have noticed, you have lost remote access to that client. Your next Task is to develop a second Playbook which unquarantines that client, based on the same input values as in Task 1.

For this, the Playbook has to accomplish the following tasks:

  • Retrieve more details about the client based on the alert information.

  • Provide an approval wizard before unquarantining the client, showing the following information:

    • FortiClient EMS ID
    • Client IP
    • Reason the client got quarantined
    • OS version
    • FortiClient version
  • Unquarantine the client on FortiClient EMS.

  • Don't forget to think about the case that the approval gets rejected.

Solution - Task 1

Challenge 1 Solution

In this section you will find a detailed solution to the previous Task. In addition, there are example Playbooks attached which you can import as a solution.

Example Playbook Overview

(screenshot image-20230711133047657)

Step Details

  1. Step name: Start

This is the initial Step. It is configured to start manually, and the scope is defined so that it is only relevant for Alerts. (screenshot image-20230711154414015)

  2. Step name: extract alert source data

FortiSOAR attaches the complete source data to every alert by default. This also includes information that is not visible in the alert view. As this Playbook extracts the client IP address, and for better readability, the source data is extracted into its own variable. (screenshot image-20230711154713835)

  3. Step name: extract client details

From the source data of the alert, the client IP address and the alert subject are relevant for further use. These are stored in their own variables. (screenshot image-20230711154824343)

  4. Step name: get all endpoints filtered

This Step uses the FortiClient EMS Connector to retrieve all endpoints, with a filter on the client IP address taken from the alert. (screenshot image-20230711155330577)

(screenshot image-20230711155401188)

  5. Step name: approve quarantine

Before quarantining the client, an approval Step based on the Manual Input Step is defined. This Step displays the details requested by the Task and proceeds depending on the button selected by the user. (screenshot image-20230711155636573)

(screenshot image-20230711155707879)

(screenshot image-20230711155727082)

(screenshot image-20230711155739757)

  6. Step name: quarantine client

This Step leverages the FortiClient EMS Connector to quarantine the client, based on the client ID extracted from the result of the get all endpoints filtered Step. (screenshot image-20230711160123665)

  7. Step name: cancel execution

This Step is just an empty Step which does nothing but end the execution of the Playbook. It is the branch taken when the approval is rejected, so no EMS action is performed in that case. (screenshot image-20230711160033685)

Solution - Task 2

Challenge 2 Solution

In this section you will find a detailed solution to the previous Task. In addition, there are example Playbooks attached which you can import as a solution.

Example Playbook Overview

(screenshot image-20230711135059383)

Step Details

  1. Step name: Start

This is the initial Step. It is configured to start manually, and the scope is defined so that it is only relevant for Alerts. (screenshot image-20230711154414015)

  2. Step name: extract alert source data

FortiSOAR attaches the complete source data to every alert by default. This also includes information that is not visible in the alert view. As this Playbook extracts the client IP address, and for better readability, the source data is extracted into its own variable. (screenshot image-20230711154713835)

  3. Step name: extract client details

From the source data of the alert, the client IP address and the alert subject are relevant for further use. These are stored in their own variables. (screenshot image-20230711154824343)

  4. Step name: get all endpoints filtered

This Step uses the FortiClient EMS Connector to retrieve all endpoints, with a filter on the client IP address taken from the alert. (screenshot image-20230711155330577)

(screenshot image-20230711155401188)

  5. Step name: approve quarantine

Before the client is released from quarantine, an approval Step based on the Manual Input Step is defined. This Step displays the details requested by the Task and proceeds depending on the button selected by the user. (screenshot image-20230711155636573)

(screenshot image-20230711155707879)

(screenshot image-20230711155727082)

(screenshot image-20230711155739757)

  6. Step name: unquarantine client

This Step leverages the FortiClient EMS Connector to unquarantine the client, based on the client ID extracted from the result of the get all endpoints filtered Step. (screenshot image-20230711160506558)

  7. Step name: cancel execution

This Step is just an empty Step which does nothing but end the execution of the Playbook. It is the branch taken when the approval is rejected, so no EMS action is performed in that case. (screenshot image-20230711160033685)
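The decision logic of both solution Playbooks (Challenge 1, quarantine, and Challenge 2, unquarantine) follows the same shape: extract the client IP and subject from the alert source data, narrow the EMS endpoint list to that IP, show the approver the requested details, and either call the EMS Connector or take the cancel branch. The block below is an added example that re-implements that flow in plain Python; it is not the lab's playbook export and not FortiSOAR or FortiClient EMS code. The alert record, the endpoint inventory, the approval callback and the ems_action stand-in for the Connector step are all constructed here so it runs offline, and the field names (srcip, msg, url, device_id, os, fct_version) are assumptions about the FortiAnalyzer and EMS payloads, not verified keys. Two checks the screenshots do not show are included because a practitioner wants them: the source IP is validated before it is used in an EMS filter, and an IP that matches zero or several endpoints is escalated rather than acted on.

```python
"""Decision logic of the quarantine (Challenge 1) and unquarantine (Challenge 2)
playbooks, re-implemented in plain Python.

Added example, not the lab's playbook export and not FortiSOAR or FortiClient EMS code.
Everything here is constructed: the alert source data, the EMS endpoint inventory, the
approval callback and `ems_action` (a stand-in for the Connector step). The field names
(srcip, msg, url, device_id, ...) are assumptions about the FortiAnalyzer/EMS payloads.
"""
import ipaddress
import json
from urllib.parse import unquote

# Constructed FortiWeb attack event as it could arrive through FortiAnalyzer ingestion,
# carrying the lab's SQL injection test string in the request URL. Field names assumed.
SAMPLE_SOURCE_DATA = json.dumps({
    "type": "attack",
    "srcip": "10.0.1.23",
    "dstip": "10.0.2.10",
    "msg": "SQL Injection",
    "url": "/?q=%27%20or%20data%20@>%20%27{\"a\":\"b\"}%27%20--",
})

# Constructed FortiClient EMS endpoint inventory (what "Get all Endpoints" would return
# before the IP filter is applied). Field names assumed.
SAMPLE_ENDPOINTS = [
    {"device_id": 1001, "ip": "10.0.1.23", "os": "Windows 11", "fct_version": "7.2.1"},
    {"device_id": 1002, "ip": "10.0.1.24", "os": "Windows 10", "fct_version": "7.0.9"},
]


def extract_client_details(source_data):
    """Steps 'extract alert source data' and 'extract client details'.

    The source IP is validated before it is used to build an EMS filter: the field comes
    from log data, and a value that is not an IP address must never be interpolated into
    a filter string."""
    record = json.loads(source_data)
    raw_ip = record.get("srcip", "")
    try:
        client_ip = ipaddress.ip_address(raw_ip)
    except ValueError as exc:
        raise ValueError(f"alert srcip is not an IP address: {raw_ip!r}") from exc
    return {
        "client_ip": str(client_ip),
        "subject": record.get("msg", "unknown"),
        "decoded_url": unquote(record.get("url", "")),  # what the WAF signature matched on
    }


def filter_endpoints(endpoints, client_ip):
    """Step 'get all endpoints filtered': exactly one EMS endpoint must match the IP.

    Zero matches means the host is not managed by EMS; more than one means the IP is
    ambiguous (for example a reused DHCP lease) and quarantining on it could hit the
    wrong machine. Both cases are escalated instead of guessed."""
    matches = [e for e in endpoints if e.get("ip") == client_ip]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one EMS endpoint for {client_ip}, found {len(matches)}")
    return matches[0]


def approval_summary(details, endpoint, action):
    """Step 'approve quarantine': the information shown to the approver."""
    return {
        "action": action,
        "ems_id": endpoint["device_id"],
        "client_ip": details["client_ip"],
        "reason": details["subject"],
        "os_version": endpoint["os"],
        "forticlient_version": endpoint["fct_version"],
    }


def ems_action(action, device_id):
    """Stand-in for the FortiClient EMS Connector step; a real playbook calls the Connector."""
    return {"action": action, "device_id": device_id, "status": "ok"}


def run_playbook(source_data, endpoints, approve, action="quarantine", ems=ems_action):
    """Whole flow for both challenges; `action` is 'quarantine' or 'unquarantine'.

    `approve` plays the Manual Input step: it receives the summary and returns True or
    False. A rejected approval takes the 'cancel execution' branch and no EMS call is made."""
    if action not in ("quarantine", "unquarantine"):
        raise ValueError(f"unsupported action {action!r}")
    details = extract_client_details(source_data)
    endpoint = filter_endpoints(endpoints, details["client_ip"])
    summary = approval_summary(details, endpoint, action)
    if not approve(summary):
        return {"status": "cancelled", "summary": summary}
    result = ems(action, endpoint["device_id"])
    return {"status": "completed", "summary": summary, "ems_result": result}


if __name__ == "__main__":
    print(run_playbook(SAMPLE_SOURCE_DATA, SAMPLE_ENDPOINTS, approve=lambda s: True))
    print(run_playbook(SAMPLE_SOURCE_DATA, SAMPLE_ENDPOINTS, approve=lambda s: False,
                       action="unquarantine"))
```

In the real Playbook the approve callback is the Manual Input Step and ems_action is the Connector Step; the validation and the exactly-one-match rule are the parts worth carrying over as an extra condition before the quarantine Step.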