Azure-Sentinel/Playbooks/Fortinet-FortiGate/readme.md

Fortinet Logic Apps connector, Function app and playbook templates

Table of Contents

  1. Overview
  2. Deploy Custom Connector + Function App + 3 Playbook templates
  3. Authentication
  4. Prerequisites
  5. Deployment
  6. Post Deployment Steps
  7. Limitations

Overview

FortiGate, a next-generation firewall from IT Cyber Security leaders Fortinet, provides the ultimate threat protection for businesses of all sizes. This integration is built on the FortiOS REST API, which allows you to perform configuration and monitoring operations on a FortiGate appliance or VM.

Deploy Custom Connector + Function App + 3 Playbook templates

This package includes:

The Azure Function handles the GET calls to the FortiOS API that the playbook templates make. These calls are not part of the custom connector because of platform limitations.

You can choose to deploy the whole package (connector + Function App + all three playbook templates), or deploy each component separately from its own folder.

Fortinet connector documentation

Authentication

Authentication method this connector supports: API Key authentication. The API key is not passed to the playbooks directly; it is stored as a Key Vault secret and referenced by its secret identifier at deployment (see the Parameters section).

Prerequisites for using and deploying Custom Connector

Deployment instructions

  • Deploy the Custom Connector and playbooks by clicking the "Deploy to Azure" button. This opens the ARM template deployment wizard.
  • Fill in the required parameters for deploying the custom connector and playbooks (listed below).

Parameters

  • Endpoint URL: Enter the Fortinet endpoint (e.g. https://{FortnetTrafficManager})
  • Secret identifier: Enter the secret identifier of the Key Vault secret that holds the API key
  • Fortinet-ResponseOnIP Playbook Name: Enter the playbook name for the ResponseOnIP playbook (e.g. Fortinet-ResponseOnIP)
  • Fortinet-ResponseOnUrl Playbook Name: Enter the playbook name for the ResponseOnURL playbook (e.g. Fortinet-ResponseOnUrl)
  • Fortinet-Enrichment Playbook Name: Enter the playbook name for the Enrichment playbook (e.g. Fortinet-Enrichment)
  • Teams GroupId: Enter the Teams channel id to send the adaptive card
  • Teams ChannelId: Enter the Teams Group id to send the adaptive card. Refer to the link below to get the channel id and group id
  • Function app name: Enter the name of the Function app you created as a prerequisite
  • User identifier name: Enter the name of the user-assigned managed identity you created (see "Create user assigned managed identity")
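As an added example (not code from the Azure-Sentinel repository), the same deployment scripted with the Azure CLI instead of the "Deploy to Azure" wizard: the FortiGate API key is written to Key Vault and only its secret identifier is passed to the template, which is what the "Secret identifier" parameter expects. The template file name azuredeploy.json, the ARM parameter names, and the environment variable names are assumptions; the page only gives the parameters' display names, so check the template's "parameters" section and rename accordingly.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own deployment script.
# ASSUMED: template file ./azuredeploy.json and the parameter names below.
# deploy() expects these environment variables:
#   FORTIGATE_URL, FORTIGATE_API_KEY, TEAMS_GROUP_ID, TEAMS_CHANNEL_ID, FUNCTION_APP
set -eu

RG="${RG:-rg-sentinel-fortinet}"               # resource group with Sentinel + playbooks
VAULT="${VAULT:-kv-sentinel-fortinet}"         # Key Vault holding the FortiGate API key
IDENTITY="${IDENTITY:-id-fortinet-playbooks}"  # user-assigned identity for Function calls

# Render the ARM parameters file for the values in the readme's Parameters list.
# $1 endpoint URL  $2 Key Vault secret identifier  $3 Teams group id
# $4 Teams channel id  $5 Function app name  $6 user-assigned identity name
build_params() {
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "FortinetEndpoint": { "value": "$1" },
    "SecretIdentifier": { "value": "$2" },
    "ResponseOnIPPlaybookName": { "value": "Fortinet-ResponseOnIP" },
    "ResponseOnUrlPlaybookName": { "value": "Fortinet-ResponseOnUrl" },
    "EnrichmentPlaybookName": { "value": "Fortinet-Enrichment" },
    "TeamsGroupId": { "value": "$3" },
    "TeamsChannelId": { "value": "$4" },
    "FunctionAppName": { "value": "$5" },
    "UserIdentifierName": { "value": "$6" }
  }
}
EOF
}

deploy() {
  # Keep the API key out of the template parameters: store it in Key Vault and
  # hand the template only the secret identifier (the versioned secret URL).
  az keyvault secret set --vault-name "$VAULT" --name fortigate-api-key \
      --value "$FORTIGATE_API_KEY" --output none
  SECRET_ID=$(az keyvault secret show --vault-name "$VAULT" --name fortigate-api-key \
      --query id --output tsv)
  # The managed identity the playbooks' Function call actions will run as.
  az identity create --resource-group "$RG" --name "$IDENTITY" --output none
  build_params "$FORTIGATE_URL" "$SECRET_ID" "$TEAMS_GROUP_ID" "$TEAMS_CHANNEL_ID" \
      "$FUNCTION_APP" "$IDENTITY" > fortinet.parameters.json
  az deployment group create --resource-group "$RG" \
      --template-file azuredeploy.json --parameters @fortinet.parameters.json
}

# Only deploy when asked explicitly, e.g.: FORTIGATE_URL=... ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

After the deployment finishes, the connections still have to be authorized and the user identity selected on each Function call action, as described under Post-Deployment instructions.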

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you need to authorize each API connection.

  • Click the Azure Sentinel connection resource
  • Click edit API connection
  • Click Authorize
  • Sign in
  • Click Save
  • Repeat these steps for the other connections, such as the Teams connection, the Fortinet connector API connection (authorizing it requires the API key), and the VirusTotal API connection (URL: https://www.virustotal.com/gui/)
  • Open each playbook in the Logic App designer, click each function call action, select the user-assigned identity from the "Managed identity" dropdown, and save the playbook.
  • In Azure Sentinel, hook the playbooks to the Azure Sentinel rules.

b. Configurations in Sentinel

  • In Azure Sentinel, analytics rules should be configured to trigger an incident with a risky user account.
  • Configure automation rules to trigger the playbooks.

Known Issues and Limitations

  • When the pre-defined address group reaches its maximum size, the user must create a new pre-defined group and update the group name in the playbook.