Arcanna.ai and Fortinet FortiSOAR
Introduction
Arcanna.ai is a decision intelligence platform that uses NLP, deep learning and user feedback. Integrated with Fortinet FortiSOAR, it assists decision making, learns from daily incident resolutions and incorporates that knowledge to scale the team's capacity, leading toward a truly autonomous SOC. All of this happens without changing the Incident Management screen the SOC analysts work in.
FortiSOAR security orchestration, automation and response (SOAR) provides innovative case management, automation and orchestration. Arcanna.ai integrates seamlessly with Fortinet FortiSOAR, enabling users to interact with Arcanna.ai directly from their playbooks. The Arcanna.ai connector can be easily installed from the FortiSOAR Content Hub. The connector lets you ask Arcanna.ai for a decision at any point in a playbook, and automatically closes the feedback loop by sending feedback to Arcanna.ai when you close the incident with a reason.
Alerts or incidents created by Fortinet FortiSOAR are usually enriched by the automated investigation steps that are part of the SOAR playbook, resulting in rich context that Arcanna.ai can use when making its decision.
The main benefits of using Arcanna.ai in conjunction with Fortinet FortiSOAR are:
- Improve operational efficiency and response time by assisting human decisions in SOC.
- Reduce the number of false positives by making decisions on tickets with relevant context.
- Improve automated decision making by building your own deep learning model tailored to the particularities of your environment.
Prerequisites
- Arcanna.ai - Arcanna.ai can be deployed on-premise or in your Kubernetes cluster. For setup, you can follow this user guide. For flexibility, Arcanna.ai exports the AI-processed alerts to an internal Elasticsearch/OpenSearch data warehouse, which needs to be installed together with Arcanna.ai. You can use an Elasticsearch/OpenSearch instance you already have, or a new one dedicated to the Arcanna.ai backend.
- Fortinet FortiSOAR - free for testing; documentation here.
How to connect with FortiSOAR
- First you need an Arcanna.ai API token. This can be generated from the Arcanna.ai web interface. Go to the drop-down menu below your username in the top right corner and select API Keys.
On this page you can manage the API keys. Click on Add new user key and provide a relevant name for the key; the key will then be generated automatically.
Make sure you copy the generated API Key, as it will not be displayed again after you leave this section. You will also need this key to finish the integration process in FortiSOAR at a later step.
- Define the integration in Arcanna.ai. Go to Integrations and select External Data Source as the category. The subcategory is External REST API alerts. You will then be asked to provide the API Key you created in Step 1 and to give the integration a name.
- Go to your FortiSOAR instance, open the Marketplace and search for Arcanna. Select it and click the Install button.
Currently the connector is not yet published officially, but it can be easily imported. For the zip containing the connector, send us a message at contact@arcanna.ai.
In the configuration tab you need to set up the details of your Arcanna instance:
- Configuration Name - The name of your instance; it can be anything you want.
- Server Address - The IP address of the Arcanna.ai server.
- Server Port - Port 9666 is the one exposed for the REST API.
- API Key - The API Key you previously generated in Arcanna.ai.
In the Actions & Playbooks tab you can see all of the commands available for this connector. Please note that these commands come by default from Arcanna, and further commands can be added based on the user's needs.
When deployed in a VM or in AWS, the URL uses the same IP address used to access the UI. When deployed in a Kubernetes environment, the URL uses the ingress port or the node port configured at deployment.
Create an AI job
Go to the AI Jobs page and create a new job for decision making.
Use the previously defined integration and tune your input parameters. Arcanna also allows you to add a tag to offenses, which can be anything you want.
Select the Generic Model as the Processor, since we'll train a model from scratch.
Use the Arcanna.ai database to store the processed data.
The Automation step lets you define an automation, such as enriching some fields with VirusTotal or creating a ticket in a different Incident Response platform. For this use case the step is not mandatory, because FortiSOAR and Arcanna.ai already communicate with each other in a closed feedback loop.
Press Create and Start job and you are all set.
At this point, Arcanna.ai will be able to receive incidents sent to it from a FortiSOAR playbook, whether triggered automatically or manually by an analyst.
Create a FortiSOAR playbook
Below is a Playbook example we created that showcases the closed feedback loop between FortiSOAR and Arcanna.ai.
Set Job ID
Go to the Job Overview and take the job id from the URL (https://arcanna_url/jobs/overview/job_id). Save it in a variable to use later in the playbook.
Send the record info to Arcanna.ai.
Wait for inference and get the inference result.
Use the Arcanna decision in your playbook.
After the ticket is closed, the closing reason or any other decision made can be sent to Arcanna as feedback.
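The playbook steps above (capture the job id, send the record, wait for the inference, act on the decision, send the closing reason back as feedback) modelled in Python, as an added example that is not part of Arcanna.ai's connector or published API. The ArcannaStub class is a constructed in-memory stand-in for the Arcanna.ai REST service, and its method names, response fields and decision labels ("escalate"/"drop") are assumptions made for illustration only; what the example does show is the control flow a FortiSOAR playbook needs, including a bounded wait for inference and the feedback sent on close.

```python
"""Closed feedback loop between a SOAR playbook and Arcanna.ai, modelled in-process.

ArcannaStub is a constructed stand-in for the Arcanna.ai REST API; its method
names, response fields and decision labels are assumptions, not Arcanna.ai's
published API. The playbook functions show the control flow a FortiSOAR
playbook would follow around the connector calls.
"""
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse


def job_id_from_overview_url(url: str) -> str:
    """Extract the job id from the Job Overview URL (.../jobs/overview/<job_id>)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) < 3 or parts[-3:-1] != ["jobs", "overview"]:
        raise ValueError(f"not a Job Overview URL: {url}")
    return parts[-1]


@dataclass
class ArcannaStub:
    """Constructed stand-in for the Arcanna.ai service: checks the API key,
    accepts events for a job, returns a decision only after a few polls (to
    model inference latency) and records feedback per event."""
    api_key: str
    polls_until_ready: int = 2
    events: dict = field(default_factory=dict)
    feedback: dict = field(default_factory=dict)
    _counter: int = 0

    def _auth(self, key: str) -> None:
        if key != self.api_key:
            raise PermissionError("invalid API key")

    def send_event(self, key: str, job_id: str, record: dict) -> str:
        self._auth(key)
        self._counter += 1
        event_id = f"evt-{self._counter}"
        self.events[event_id] = {"job_id": job_id, "record": record, "polls": 0}
        return event_id

    def get_decision(self, key: str, event_id: str) -> dict:
        self._auth(key)
        ev = self.events[event_id]
        ev["polls"] += 1
        if ev["polls"] < self.polls_until_ready:
            return {"status": "pending"}
        # Toy rule standing in for the trained model: escalate when any earlier
        # enrichment step in the playbook produced a "malicious" verdict.
        verdicts = ev["record"].get("enrichment", {}).values()
        decision = "escalate" if "malicious" in verdicts else "drop"
        return {"status": "done", "result": decision}

    def send_feedback(self, key: str, event_id: str, label: str) -> None:
        self._auth(key)
        self.feedback[event_id] = label


def request_decision(client, api_key, job_id, record, max_polls=10, poll_interval=0.0):
    """Send the record, then poll until inference is done. The wait is bounded
    so a stalled inference cannot hang the playbook indefinitely."""
    event_id = client.send_event(api_key, job_id, record)
    for _ in range(max_polls):
        resp = client.get_decision(api_key, event_id)
        if resp["status"] == "done":
            return event_id, resp["result"]
        time.sleep(poll_interval)
    raise TimeoutError(f"no decision for {event_id} after {max_polls} polls")


# Assumed mapping from the FortiSOAR closing reason to the feedback label.
CLOSING_REASON_TO_LABEL = {"True Positive": "escalate", "False Positive": "drop"}


def close_incident(client, api_key, event_id, closing_reason):
    """On ticket close, send the analyst's closing reason back as feedback."""
    label = CLOSING_REASON_TO_LABEL.get(closing_reason)
    if label is None:
        raise ValueError(f"no feedback label for closing reason {closing_reason!r}")
    client.send_feedback(api_key, event_id, label)
    return label


if __name__ == "__main__":
    arcanna = ArcannaStub(api_key="example-key")
    job_id = job_id_from_overview_url("https://arcanna_url/jobs/overview/1234")
    # Constructed FortiSOAR alert, already enriched by earlier playbook steps.
    alert = {"title": "Suspicious outbound connection", "src_ip": "10.0.0.5",
             "enrichment": {"dest_ip": "malicious"}}
    event_id, decision = request_decision(arcanna, "example-key", job_id, alert)
    print(event_id, decision)
    # Later the analyst closes the ticket; the closing reason becomes feedback.
    print(close_incident(arcanna, "example-key", event_id, "True Positive"))
```

The two failure modes worth keeping in a real playbook are visible here: an invalid API key surfaces as an error on the first call rather than a silent empty decision, and the polling loop gives up after max_polls so the playbook can fall back to a manual decision instead of waiting forever.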