FortiSOAR
FortiSOAR is a Fortinet platform for automating and streamlining security operations, enabling faster threat detection, investigation, and response through customizable playbooks and integrations.
Arcanna - FortiSOAR integration
Arcanna integrates seamlessly with Fortinet FortiSOAR enabling users to interact with Arcanna directly from their playbooks. Arcanna connector can be easily installed in FortiSOAR Content Hub. The Arcanna connector enables you to ask Arcanna for a Decision at any point in a playbook, and to automatically close the feedback-loop by sending feedback to Arcanna when you close the incident with a reason.
Alerts or Incidents created by Fortinet FortiSOAR are usually enriched via automated investigation steps part of the SOAR playbook, resulting in a rich context that Arcanna can use to make the decision.
Main benefits on using Arcanna in conjunction with Fortinet FortiSOAR are:
- Improve operational efficiency and response time by assisting human decisions in SOC.
- Reduce the number of false positives, making decisions on tickets with relevant context.
- Improve automated decision making by building your own deep learning model tailored to the particularities of your environment.
Steps to configure FortiSOAR integration:
Prerequisites
- A valid Arcanna instance - for setup, follow this user guide.
- Fortinet FortiSOAR - free for testing documentation here
How to connect
Go to Arcanna instance:
-
Connect to FortiSOAR:
- Go to the Integrations tab
- Search for FortiSOAR integration and click on it:
- Fill in all the fields as shown below using your own API Key and Title, and then click Confirm:
-
Create an Arcanna job using FortiSOAR integration:
- Go to AI Jobs tab and click Create job
- Complete the Title and select the FortiSOAR integration just created as the input, as shown below:
- Click Save and run to save and start the job.
Go to FortiSOAR dashboard:
-
Access the FortiSOAR Dashboard
-
Open the Content Hub:
-
From the FortiSOAR dashboard, locate and click on the Content Hub tab then click on Arcanna.Ai connector:
-
Configure Arcanna integration with your Arcanna instance URL (IP:PORT or DNS) and the API Key configured above and click Save:
-
If everything went well, you will receive the health check successfully message:
-
Go to Actions & Playbooks tab to explore Arcanna actions.
-
Multiple Arcanna instances can be added if needed.
-
Configure Playbook with Arcanna Actions
Go to Automations -> Playbooks, click + Add Playbook to create a new playbook. When adding a new step in the playbook, click on Connector, then select Arcanna. Choose the desired configuration and action to use in the playbook:
Here is an example of a Playbook that uses Actions:
Get AI job by name - Used to get a specific job information (job have to use the API Key defined above)
- We will use the job defined above. Complete its exact name in Job name field:
- When running the playbook, the response should look like this:
Get jobs - Returns a list of jobs which use the defined API Key
- Simply select the Get jobs action:
- When running the playbook, the response should look like this (a list of jobs instead of one job data):
Start/Stop Job - Returns a list of jobs which use the defined API Key
- Complete the Job ID field with job id from Step Get Job By Name (or Get Jobs). Use
{{vars.steps.Get_Job_By_Name.data['job_id']}}for dynamic reference:
- When running the playbook, the response should look like this:
- If the job is already started or stopped, the response will return an error.
Get Decisions by Job ID - The same as above but using job id instead of job name
- Complete the Job ID field with job id from Step Get Job By Name (or Get Jobs). Use
{{vars.steps.Get_Job_By_Name.data['job_id']}}for dynamic reference:
- See the result is a list with three possible decisions (Escalate, Drop, Investigate):
Send Event to Arcanna
- Complete the Job ID field with job id from Step Get Job By Name (or Get Jobs). Use
{{vars.steps.Get_Job_By_Name.data['job_id']}}for dynamic reference: - Fill in the Body with the event. Here, we use the first alert from the trigger using dynamic reference
{{vars.input.records[0]}} - Fill in the Case ID to use the same ID for the document in Arcanna. Here, we retrieve the ID using dynamic reference
{{vars.input.records[0].id}}:
- When running the playbook, the response should look like this:
Send Analyst Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna
- Before this step: Go to Arcanna and select Decision Points
- Complete the Job ID field with job id from Step Send Event. Use
{{vars.steps.Send_Event.data['job_id']}}for dynamic reference - Fill in the Event ID field with event id from Step Send Event. Here, we retrieve the ID using dynamic reference
{{vars.steps.Send_Event.data['event_id']}} - Select the Feedback label from the dropdown (or manually enter another option):
- When running the playbook, the response should look like this:
Repeat the above steps with a different alert in the Send Event step and different feedback in the Send Feedback step to generate enough labeled data to trigger a retrain session in the next step.
Trigger AI Model training
- Complete the Job ID field with job id from Step Get Job By Name (or Get Jobs). Use
{{vars.steps.Get_Job_By_Name.data['job_id']}}for dynamic reference
- When running the playbook, the response should look like this:
Get Arcanna Decision - Used to obtain Arcanna's prediction for a given alert
- Send a new alert again with Send Event step
- Complete the Job ID field with job id from Step Send Event. Use
{{vars.steps.Send_Event.data['job_id']}}for dynamic reference - Fill in the Event ID field with event id from Step Send Event. Here, we retrieve the ID using dynamic reference
{{vars.steps.Send_Event.data['event_id']}}
- The response indicates that the prediction for the above unseen alert is 'Drop':
Get Event from Arcanna - Used to get a specific event from Arcanna
- Send a new alert again with Send Event step
- Complete the Job ID field with job id from Step Send Event. Use
{{vars.steps.Send_Event.data['job_id']}}for dynamic reference - Fill in the Event ID field with event id from Step Send Event. Here, we retrieve the ID using dynamic reference
{{vars.steps.Send_Event.data['event_id']}}
- The response includes the full event sent in the Send Event step:
