(FCSS Sec Ops) - Security Operations Analyst FortiAnalyzer 7.4 - Study Guide


DO NOT REPRINT

© FORTINET

Security Operations Analyst


Study Guide
FortiAnalyzer 7.4
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

3/28/2024

TABLE OF CONTENTS

01 SOC Concepts and Security Frameworks 4
02 FortiAnalyzer Architecture 46
03 SOC Operations 74
04 SOC Automation 118

SOC Concepts and Security Frameworks


Security Operations Analyst


SOC Concepts and Security Frameworks

FortiAnalyzer 7.4
Last Modified: 28 March 2024

In this lesson, you will learn about the security operations center (SOC), including its importance in an
organization, the roles it contains, and how it can succeed in protecting your network.

SOCs are essential in today's cybersecurity landscape for protecting your organization’s assets. Using skilled
analysts and a tool like FortiAnalyzer, you can integrate logging, analytics, and reporting, all under a single
pane of glass, which enables SOCs to efficiently identify and respond to incidents, streamline data
management, and improve operational efficiency with automation and real-time intelligence. This setup
bolsters SOC agility and fortifies security frameworks, preparing teams to effectively combat cyber
adversaries and highlighting the strategic benefits of FortiAnalyzer in security operations.

Security Operations 7.4 Analyst Study Guide 4


Lesson Overview

SOC Main Functions and Roles

Fortinet SOC Environment Benefits

Attack Frameworks Overview

Mapping Adversary Behavior

© Fortinet Inc. All Rights Reserved. 2

In this lesson, you will learn about the topics shown on this slide.




SOC Main Functions and Roles

Objectives
• Describe the main functions and roles within a SOC
• Describe the main challenges within a SOC


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the main functions and roles within a SOC, you will be able to
recognize its operational framework and organizational dynamics.



What Is a SOC?

Security Operations Center functions:
• Threat Monitoring: Continuous monitoring for security events and compromise indicators
• Threat Detection: Analyzing data for patterns and anomalies, and identifying malicious activities
• Incident Response: Swiftly responding, investigating, containing, and restoring from security incidents
• Threat Hunting: Proactively searching for hidden threats using advanced techniques
• Vulnerability Management: Identifying and prioritizing vulnerabilities, patching, and configuration
• Threat Intelligence: Gathering, analyzing, and sharing emerging threat information
• Reporting and Documentation: Documenting incidents, preparing reports, and tracking metrics
• Compliance and Regulations: Ensuring adherence to industry-specific regulations

What are the main functions of a SOC? As this slide shows, a SOC team is responsible for numerous
complex tasks that are performed on a daily basis.

A SOC plays a pivotal role in cybersecurity by monitoring, responding, collaborating, continuously improving
security measures, and ensuring adherence to industry-specific regulations.



SOC Roles

• SOC Managers: Assign resources; create security guidelines and policies
• Security Engineers: Design, configure, and maintain security infrastructure
• Threat Hunters: Actively seek out threats or signs of threats in the network
• Incident Response & Forensic Analysts: Create, manage, and update incidents and events; collect and analyze evidence to determine impact
• SOC Analysts: Analyze data and identify deviations from normal behavior
• Vulnerability Management Specialists: Assess risk levels and identify vulnerabilities; recommend mitigations
• Threat Intelligence Analysts: Identify and analyze cyberthreats

To fulfill the numerous functions of a SOC, you will need the appropriate personnel with diverse skillsets to
handle the following roles and responsibilities:

• SOC Manager/Team Lead: Organizes the day-to-day operations within the SOC, including but not limited
to, assigning resources and creating guidelines and policies.
• SOC Analysts: Analyze logs on the network and identify any meaningful deviations from the established
baselines.
• Security Engineers: Design, maintain, and configure the security infrastructure.
• Vulnerability Management Specialists: Assess the risk level of the network and identify vulnerabilities.
• Threat Hunters: Actively look for threats or signs of threats in the network.
• Threat Intelligence Analysts: Identify and analyze cyberthreats. They may use industry-standard attack
frameworks to identify the attack vectors and provide recommendations for mitigation.
• Incident Responders: Create, manage, and update the security incidents and events on a network. They
gauge the severity of events and inform management, as required.
• Forensics Analysts: Collect evidence, analyze it, and determine the impact of a security incident.

Note that the responsibilities are not always clearly delineated. For example, a SOC manager may be
responsible for some analyst-centric tasks, such as reviewing incidents. Or a SOC analyst may also be
responsible for threat hunting tasks. In general, as an organization grows, it will have employees in more
dedicated roles within a SOC. Regardless of how big a SOC is, all personnel must work together,
communicate their findings, follow security policies, and react with precision to any threat.



Teams Within a SOC

Red Team (Vulnerability Assessment, Penetration Tests, Social Engineering, Security Research)
Red team simulates adversaries
• Attempts to exploit vulnerabilities
• Conducts penetration tests and vulnerability assessments
• Performs security research

Blue Team (Security Monitoring, Threat Hunting, Security Controls, Forensics)
Blue team defends against adversaries
• Identifies, responds to, and mitigates security incidents
• Performs security monitoring, threat hunting, and forensics
• Detects, responds to, and recovers from incidents

Purple Team (TTP creation, Security Improvements, Design Exercises)
Purple team orchestrates knowledge sharing
• Bridges the gap between red and blue teams
• Facilitates knowledge transfer
• Designs exercises
• Improves organizational security posture
• Creates TTP mapping

In the context of SOC and cybersecurity, the terms purple team, red team, and blue team refer to different
teams that work on identifying, assessing, and defending against security threats.

Red Team: the simulator

1. Purpose: Simulate adversaries and attempt to exploit vulnerabilities in an organization's systems, just
like real-world attackers would.
2. Activities: Conduct penetration tests, vulnerability assessments, and other offensive security exercises.
3. Goal: Identify vulnerabilities and weaknesses in security controls before malicious actors can exploit
them.

Blue Team: the defender

1. Purpose: Defend against adversaries and identify, respond to, and mitigate security incidents.
2. Activities: Monitor networks and systems for signs of malicious activity, conduct digital forensics, and
implement security measures.
3. Goal: Detect, respond to, and recover from security incidents.

Purple Team: the orchestrator

1. Purpose: Collaborate and share knowledge while working to bridge the gap between the red and blue
teams, ensuring that they communicate effectively and learn from each other.
2. Activities: Facilitate knowledge transfer between the red and blue teams, help implement mitigations
based on red team findings, and assist in creating more realistic defensive drills.
3. Goal: Improve the organization's overall security posture by integrating the offensive and defensive
expertise of the teams.



Reasons Why SOCs Fail or Succeed

Success
• Scope: Focused requirements and use cases; realistic expectations; appropriate application (current and future); compliant with regulations
• Technology: Strong understanding of the market and technology; meets current and future requirements, and in-scope processes understood; high-fidelity outputs
• Implementation: Resources allocated; required skills identified and planned for; impact on SOC playbooks

Failure
• Scope: Shallow and narrow coverage; unrealistic expectations; wrong focus (threat vector); non-compliance with regulations
• Technology: Lack of understanding of how tools work; too many events (poor sources or poor tech); solution didn't deliver
• Implementation: Too small (no team); lacking key skills; no playbook (no process); inconsistent responses

To succeed, a SOC requires security and risk management leaders to provide the correct methodology,
technology, and personnel to combat cybersecurity threats. To maintain cybersecurity, a SOC must continue
to evolve because threats are continuously evolving: The number of attack vectors and the methods used to
exploit weaknesses in a network grow every year.

Successful SOCs have a solid understanding of the scope of the issues, the technologies being used or
considered, and the processes being affected. As your SOC team grows, you must consider the impact that
growth has on the scope, technology, and implementation requirements.



SOC Maturity

Maturity stages, from least to most mature:
• Greenfield: Real-Time Monitoring and Operations
• Establishing: Enhanced Near-Real-Time Threat Detection
• Established: Threat Hunting and Incident Response
• Forward-Leaning: SOC Productivity Optimization

As a SOC matures and learns, it builds the processes required to treat basic incidents, and starts to
differentiate event treatments based on event impact. At this stage, additional tools might be used to expedite
the initial assessment, and alerts might be aggregated and augmented with additional context.

More mature organizations might need to strengthen their ability to perform root cause analysis of the incident
and elimination of the threat. When a SOC closes an incident, they must ensure the risk of recurrence is
correctly handled. The refinement of the end-to-end workflow will result in optimized orchestration, improved
productivity, and overall forward movement of the SOC.



Knowledge Check
1. Which SOC role is responsible for investigating logs to identify problems?
A. SOC analyst
B. Threat hunter
2. What is the role of the red team in a SOC?
A. To gather and analyze evidence, and determine scope of impact
B. To assess and exploit vulnerabilities




Lesson Progress

SOC Main Functions and Roles

Fortinet SOC Environment Benefits

Attack Frameworks Overview

Mapping Adversary Behavior


Good job! You now understand SOC main functions and roles.

Now, you will learn about the benefits of the Fortinet SOC.




Fortinet SOC Environment Benefits

Objectives
• Identify the challenges that the Fortinet SOC solves
• Describe the Fortinet SOC solution workflow


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the benefits of the Fortinet SOC, you will be able to select the
proper tools to improve your network security.



Benefits of the Fortinet SOC Environment

Benefits:
• Reduces operational cost
• Reduces time to respond
• Reduces alert fatigue
• Improves visibility
• Addresses analyst skills gap

How:
• Collect logs from multiple Fortinet device types
• Standardize incident response process
• Automate daily tasks
• Empower junior analysts

There are many benefits of leveraging the Fortinet SOC in your network.

FortiAnalyzer provides:
• Centralized logging with event correlation
• Integration with the Fortinet Security Fabric
• Integration with some third-party applications, such as Microsoft Teams and ServiceNow
• Device logging with event correlation and real-time threat detection
• Indicators of compromise (IOC) updated daily with the FortiGuard database
• Incidents and events management
• Automation with playbooks

When you use FortiAnalyzer in a SOC, you increase SOC productivity by addressing the following issues:
• Too many tools: Using a layered, multivendor approach can result in a SOC composed of multiple tools
that don't work together and require analysts with specialized skillsets, working in silos. Fortinet SOC
solves this.
• Volume of alerts: Automated false positive analysis and closure of tickets on third-party systems will
manage alert fatigue.
• Manual processes: Automated playbooks can convert most manual analyst processes.
• Ineffective collaboration: Specialization means that not all analysts are equal. Some analysts handle only
specific types of incidents, such as phishing attacks, malware outbreaks, distributed denial-of-service
(DDoS) attacks, and so on. Analysts can be assigned incidents based on their skillset.



Fortinet SOC Solution Workflow

1. Data Collection (FortiGate, FortiSwitch, FortiManager, FortiClient EMS, and more)
2. Data Aggregation and Processing
3. Threat Detection
4. Alert Generation
5. Threat Analysis
6. Incident Response (Investigation/Containment/Remediation/Recovery)
7. Reporting
8. Continuous Improvement

Note: Playbooks are running behind the scenes throughout the workflow

The flow chart on this slide shows one possible workflow of the Fortinet SOC solution. FortiAnalyzer allows
users to manage many components of the Fortinet SOC through its interface. Overall, Fortinet SOC works by
continuously collecting and processing data from various sources to detect potential security threats and
anomalies. When FortiAnalyzer detects a security threat, it generates alerts for the security team who then
investigate and take the necessary action. Playbooks execute or run behind the scenes, continuously
enriching the entire incident response flow. After the incident is handled, the SOC team can generate reports
to further analyze the incident and improve processes.

• Data Collection: The SOC solution collects data from various sources, such as FortiGate, FortiSwitch,
FortiManager, FortiSandbox, FortiClient EMS, and more.
• Data Processing: The SOC solution processes the collected data to identify potential security threats and
anomalies.
• Threat Detection: The SOC solution uses threat intelligence to detect security threats, such as malware,
phishing attempts, and suspicious network activity.
• Alerting: When the SOC solution detects a security threat, it generates alerts and notifications to the
security team.
• Incident Investigation: The security team investigates alerts to determine the severity and scope of the
security threat.
• Containment: If necessary, the security team takes action to contain the security threat and prevent it from
spreading.
• Remediation: The security team takes action to remediate the security threat, such as removing malware
or patching vulnerabilities.
• Reporting: The SOC solution generates reports to provide insights into the security posture of the
organization and to help improve future security strategies.



Integration Examples
• Connectors allow playbooks to interact with devices in the Security Fabric and standalone devices
• They determine which actions can be performed by playbook tasks
• Event handlers generate events when a rule is matched
• FortiAnalyzer contains many predefined (default) event handlers for many Fortinet devices
• You can also create your own event handlers

FortiAnalyzer can integrate with other Fortinet products and third-party applications. Connectors determine
which automated actions can be performed by playbooks. The available actions will vary depending on the
connector type used. Each connector type allows for different actions.

For FortiGate devices, you can also enable the automation stitch configuration in an event handler. When an
event is generated by an event handler with automation stitch enabled, FortiAnalyzer sends a notification to
the FortiGate automation framework. If an automation stitch is configured on the FortiGate device that
corresponds to that FortiAnalyzer event handler, the notification will trigger the related automation stitch and
activate an action in response. Some possible actions include FortiGate sending a custom email notification,
executing a CLI script, or performing a system action in response to the trigger.

Event handlers generate events when one of their configured rules matches incoming logs on FortiAnalyzer.
For example, the event handler can be configured with rules to match IP addresses, ports, or even a generic
text string. There are many predefined event handlers for Fortinet devices, such as FortiGate, FortiSandbox,
FortiMail, and FortiWeb. In addition to the predefined event handlers, you also have the option to create your
own.
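The rule matching described above, as an added example in Python (not FortiAnalyzer's own code or configuration): it parses constructed FortiGate-style key=value log lines, evaluates simplified event handler rules that match on fields such as dstport or on a generic text string, and generates an event once a rule's match count per source IP reaches its threshold. The rule schema, the threshold and group-by fields, and the sample logs are assumptions; no time window is modelled.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in FortiGate's key=value syslog format (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-03-28 time=10:01:02 devname="FGT-1" type="traffic" srcip=10.0.1.15 dstip=203.0.113.7 dstport=4444 action="accept" msg="tcp session"',
    'date=2024-03-28 time=10:01:05 devname="FGT-1" type="traffic" srcip=10.0.1.15 dstip=203.0.113.7 dstport=4444 action="accept" msg="tcp session"',
    'date=2024-03-28 time=10:01:09 devname="FGT-1" type="traffic" srcip=10.0.1.22 dstip=198.51.100.9 dstport=443 action="accept" msg="tcp session"',
    'date=2024-03-28 time=10:02:11 devname="FGT-1" type="traffic" srcip=10.0.1.15 dstip=203.0.113.7 dstport=4444 action="accept" msg="tcp session"',
    'date=2024-03-28 time=10:02:40 devname="FGT-1" type="utm" subtype="webfilter" srcip=10.0.1.22 url="http://example.invalid/login" msg="URL belongs to a denied category in policy"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Parse one key=value log line into a dict, with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


@dataclass
class Rule:
    """A simplified event handler rule (modelled on the description above, not FortiAnalyzer's schema)."""
    name: str
    severity: str
    filters: dict = field(default_factory=dict)   # log field -> exact value (for example dstport or srcip)
    text: str = ""                                 # generic text string that must appear anywhere in the raw log
    threshold: int = 1                             # matching logs needed before an event is generated
    group_by: str = "srcip"                        # matches are counted separately per value of this field

    def matches(self, raw: str, fields: dict) -> bool:
        if self.text and self.text not in raw:
            return False
        return all(fields.get(key) == value for key, value in self.filters.items())


def run_event_handler(rules: list, logs: list) -> list:
    """Evaluate every rule against every log; return one event per (rule, group) that reaches its threshold."""
    counters = defaultdict(int)
    for raw in logs:
        fields = parse_log(raw)
        for rule in rules:
            if rule.matches(raw, fields):
                counters[(rule.name, fields.get(rule.group_by, "unknown"))] += 1
    events = []
    for rule in rules:
        for (name, group_value), count in counters.items():
            if name == rule.name and count >= rule.threshold:
                events.append({"rule": name, "severity": rule.severity,
                               rule.group_by: group_value, "count": count})
    return events


RULES = [
    # Field-based rule: three or more accepted sessions from one source IP to port 4444
    Rule("Repeated outbound sessions to port 4444", "high",
         filters={"type": "traffic", "dstport": "4444", "action": "accept"}, threshold=3),
    # Generic text string rule: any log whose raw text mentions a denied web category
    Rule("Web filter denied category", "medium", text="denied category"),
]

if __name__ == "__main__":
    for event in run_event_handler(RULES, SAMPLE_LOGS):
        print(event)
```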



An Example of Automation With a Playbook

Diagram components: FortiGate, FortiSwitch, FortiAnalyzer, threat intelligence database updates, infected endpoints, protected endpoints
1. Internet traffic
2. Logs
3. Event detected
4. Playbook sends webhook call
5. Automation stitch runs

This slide shows an example of a playbook being used to automate tasks with FortiAnalyzer and other
networking devices:

1. Traffic flows through FortiGate.
2. FortiGate sends logs to FortiAnalyzer.
3. FortiAnalyzer detects some suspicious traffic from the logs and an event handler on FortiAnalyzer
generates an event.
4. The event triggers the execution of a playbook in FortiAnalyzer, which sends a webhook call to FortiGate.
5. FortiGate runs the automation stitch with the corrective or preventive actions.



Hands-On Labs–Use Cases Flow
• Lab 1: Adversary Behavior
  • Review a mock security threat report
  • Map adversary behavior (MITRE ATT&CK Navigator)
• Lab 2: FortiAnalyzer Architecture
  • Forward logs from a collector to an analyzer
  • Create a FortiAnalyzer Fabric
• Lab 3: Detection Capabilities
  • Collect log alerts and data (FortiMail and FortiSandbox)
  • Configure detection rules and capabilities (FortiAnalyzer)
• Lab 4: Adversary Emulation and Detection
  • Emulate a phishing attack (Kali Linux)
  • Contain the attack (FortiAnalyzer and FortiClient EMS)

This slide shows the various activities you will be performing in the lab exercises, and which Fortinet SOC
products you will use. You will prepare for and execute incident handling over the course of four labs.

First, you will look at the security threat report provided by your security analyst to understand what type of
attack you are dealing with and how the attackers (adversaries) executed it. You will use the MITRE ATT&CK
enterprise model to map the attack into your system to see a visual representation of the different phases of
the attack. Sometimes, a visual representation can provide new or deeper insight into the attack.

Next, you will configure a FortiAnalyzer Fabric topology that contains one supervisor, two members, and a
single downstream collector that will send logs to one of the members.

Then, you will prepare your defense by building detection capabilities and identifying the data sources coming
from your Fortinet solutions (FortiMail and FortiSandbox) security event logs. These logs are forwarded to
FortiAnalyzer for analysis. You will configure data selectors and custom event handlers on FortiAnalyzer to
detect the threat tactics that the adversaries use. You will also configure connectors and playbooks to
automatically generate incidents and perform actions on the other Fortinet products.

Next, you will emulate a phishing attack, while verifying that all the predefined detection rules are working as
designed and generating the expected incidents.

Finally, you will configure playbooks to update and identify asset information, and to quarantine the infected
host using the FortiClient EMS.



Knowledge Check
1. What determines the possible actions a playbook task can perform?
A. The event handler
B. The connector




Lesson Progress

SOC Main Functions and Roles

Fortinet SOC Environment Benefits

Attack Frameworks Overview

Mapping Adversary Behavior


Good job! You now understand the benefits of the Fortinet SOC.

Now, you will learn about two industry-standard attack frameworks.




Attack Frameworks Overview

Objectives
• Describe the MITRE ATT&CK Enterprise Matrix
• Describe the Cyber Kill Chain


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the industry-standard attack frameworks, you will be able to understand and
identify attacks on your network.



MITRE ATT&CK Overview
ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge

• Detailed mapping of adversary behavior framework
• Threat intelligence and adversary emulation use cases
• Guidelines for classifying and describing cyberattacks and intrusions
• 14 tactics categories consisting of "technical objectives" of an adversary
• Categories broken down further into specific techniques and subtechniques
• Created by the MITRE Corporation in 2013

Note: Not all tactics and techniques are shown


What is MITRE ATT&CK?

ATT&CK stands for: Adversarial Tactics, Techniques, and Common Knowledge. MITRE ATT&CK is also
referred to as the pyramid of pain.

It is a framework that provides a detailed mapping of adversary behavior. It is widely used for threat
intelligence and adversary emulation.

MITRE ATT&CK classifies and describes cyberattacks and intrusions through 14 tactics categories, each
representing a technical objective of an adversary. Not all tactics are shown on this slide. These categories
are further broken down into specific techniques and subtechniques.

The framework serves as an alternative to the Cyber Kill Chain developed by Lockheed Martin and offers
valuable insights for procedure, mitigation, and detection.

One of the main benefits of using the MITRE ATT&CK framework is that it makes SOCs more effective.
FortiAnalyzer integrates with the MITRE ATT&CK Navigator to provide a comprehensive security solution.

The MITRE ATT&CK Navigator can be used by various members of the SOC team, including security
analysts, threat hunters, incident responders, and SOC managers, as a tool for visualizing and mapping
observed or potential adversary techniques and tactics to the ATT&CK framework. Using the MITRE ATT&CK
Navigator, SOC team members can enhance their understanding of the tactics and techniques used by
adversaries, improve threat detection and response capabilities, and align their defensive strategies with
industry best practices.



MITRE ATT&CK Overview (Contd)
• Tactics
• Techniques
• Subtechniques (expand a technique to see its subtechniques)

Note: To see all 14 tactics, access the ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/


Using the matrices, you can identify a tactic, a technique, and potentially, a subtechnique. To view a
subtechnique, you must expand a technique that has one or more subtechniques. For example, the Active
Scanning technique displays a 0/3 value, which means there are three subtechniques, but currently none are
selected.

In the example shown on this slide, all three components are present:

• Tactic: Reconnaissance
• Technique: Active Scanning (T1595)
• Subtechnique: Vulnerability Scanning (T1595.002)

Tactics represent the why of a technique or subtechnique. They explain what the adversary is trying to
accomplish, such as performing reconnaissance. The tactics are not designed to be interpreted as stages or
phases, and adversaries do not need to employ all tactics in the framework.

Techniques represent how an adversary fulfills their tactical goal by performing an action. For example, they
may perform active scanning for reconnaissance. Some techniques may have subtechniques, which are more
specific actions that are used to achieve their tactical goal. Furthermore, some techniques may fall under
more than one tactic.



MITRE ATT&CK Procedure, Mitigation, and Detection
• Procedure examples include information about known bad actors who use a technique
• Mitigations represent security concepts and classes of technology that may prevent the successful execution of a technique or subtechnique
• Detection covers high-level security concepts and classes of technology that can detect the execution of a technique or subtechnique

Note: Procedure, Mitigation, and Detection examples can be found at: https://attack.mitre.org/

Procedures are specific implementations adversaries have used for techniques or subtechniques. They are
documented in the MITRE ATT&CK framework based on observation of in-the-wild usage and can span
multiple techniques and subtechniques. Procedures are very dynamic in nature and difficult to scope in
advance because variations can affect coverage capabilities, such as detection and mitigation.

Mitigations represent vendor-agnostic and implementation-agnostic security concepts and classes of
technology that can prevent the successful execution of a technique or subtechnique. A mitigation can span
several techniques and subtechniques.

Detection covers high-level security concepts and classes of technology that can detect the execution of a
technique or subtechnique. In the example on this slide, the recommendation is to use monitoring to analyze
network traffic patterns. In other techniques, there may be malicious files involved in the security threat. In
general, if the technique or subtechnique is implemented or configured in a way that allows it to remove or
quarantine a malicious attachment, it is considered a mitigation (and, most likely, also a detection). If the
technique or subtechnique is only alerting but not preventing the delivery of the malicious attachment, it is a
detection.



MITRE ATT&CK Framework Matrices in FortiAnalyzer
• Cybersecurity tactics and techniques organized into matrices

Incidents & Events > MITRE ATT&CK > Attack
• The column headers are the tactics
• The tiles under the columns are the techniques
• Click a tile to see associated incidents and events

Incidents & Events > MITRE ATT&CK > Coverage
• Click a tile to see which event handlers have coverage against the technique or subtechnique

Note: Not all tactics and techniques are shown



The MITRE ATT&CK and MITRE ATT&CK ICS pages on FortiAnalyzer are based on the MITRE ATT&CK
framework matrices.

The column headers are the tactics in the matrices. They describe the adversary’s goal or objective—such as
performing reconnaissance—when they use techniques on your network.

The tiles in the columns are the techniques in the matrices. They describe how an adversary can achieve their
objective in your network, such as using active scanning to perform reconnaissance.

You can review the incidents and events associated with a technique, such as the severity, information on the
technique and subtechnique, affected endpoints, and the total number of incidents and events. For example,
the Compromise Infrastructure tile has nine associated events.

You can review event handler coverage in the Coverage section. It shows the number of event handlers and the
percentage of coverage that FortiAnalyzer has against the attack techniques in the matrices. The number on
each tile shows how many event handlers are associated with that technique. For example, the Compromise
Infrastructure tile has eight associated event handlers. Click a tile to view the list of event handlers related to
that technique.

To leverage the MITRE ATT&CK ICS matrix, which is not depicted on this slide, the OT Security Service
license is required on FortiAnalyzer.

Cyber Kill Chain Overview
• Framework developed by Lockheed Martin
• Identifies what adversaries have to complete in order to achieve their objectives on a target
• Derived from a military concept called kill chain
• Provides visibility and understanding of sophisticated attacks and attackers’ tactics, techniques, and procedures
• Consists of seven steps that represent stages of advanced persistent threats (APT)

Reconnaissance: Gather information about the target
Weaponization: Use the gathered information to embed malware
Delivery: Transmission of the malware
Exploitation: Target system vulnerability
Installation: Malware is installed
Command & Control: Connection to an outside server is established
Actions on Objective: Attack on the network commences

The Cyber Kill Chain is frequently referenced as a standard framework that provides a high-level description
of adversary activities during advanced and persistent attacks. The Cyber Kill Chain conveys important high-
level concepts in a way that is digestible for non-technical audiences, but it lacks the level of detail required
when you need to drill down to the more technical aspects of adversary activity.

Cyber Kill Chain in FortiAnalyzer
• In FortiAnalyzer, the predefined threat report is mapped to the Cyber Kill Chain stages
for correlation and pattern identification


This slide shows part of a generated threat report, one of the predefined reports included with FortiAnalyzer.
The report maps its findings to stages of the Cyber Kill Chain. In this example, FortiAnalyzer has identified
potential security breaches and mapped suspicious network traffic to the corresponding steps in the Cyber Kill
Chain: reconnaissance activities; the use of risky, possibly weaponized applications; detected vulnerabilities
that could be exploited; and connections to command-and-control (C&C) sites.

Adversary Behavior—MITRE ATT&CK vs. Cyber Kill Chain
Scenario: Group ABC initially probes the potential target's email systems in search of valid email accounts.

MITRE ATT&CK: Tactic > Technique > Subtechnique

Cyber Kill Chain:
Reconnaissance: Gather information about the target
Weaponization: Use the gathered information to embed malware
Delivery: Transmission of the malware
Exploitation: Target system vulnerability
Installation: Malware is installed
Command & Control: Connection to an outside server is established
Actions on Objective: Attack on the network commences


The MITRE ATT&CK model offers comprehensive and detailed information about adversary behavior, enabling
organizations to improve their defenses and incident response capabilities. The Cyber Kill Chain model
provides a structured approach to identifying and disrupting attacks at different stages. Organizations often
use aspects of both models, integrating them into their cybersecurity strategies to gain a more holistic view of
threats and develop effective defensive measures.
MITRE ATT&CK model:
1. Focus: The model primarily focuses on documenting and categorizing adversary tactics, techniques, and
procedures (TTPs) observed in real-world cyber attacks.
2. Granularity: It provides a highly granular and detailed view of adversary behavior, describing specific
actions and techniques used throughout different stages of an attack.
3. Coverage: It covers a wide range of tactics and techniques across different platforms and attack vectors,
offering a comprehensive view of adversary behavior.
4. Application: It is commonly used for threat intelligence, red teaming, and blue teaming activities. It helps
organizations understand and simulate adversary behavior, assess their defenses, and improve their
incident response capabilities.
Cyber Kill Chain model:
1. Focus: Focuses on the stages or phases of a cyber attack from initial reconnaissance to post-exploitation
activities.
2. Lifecycle perspective: It provides a structured, step-by-step representation of an attacker's activities,
aiming to identify and disrupt each stage of an attack.
3. Sequential approach: It follows a linear progression, emphasizing the sequential order of an attack's
stages.
4. Application: It is commonly used for incident response, security operations, and vulnerability
management. It helps organizations detect, respond to, and prevent cyber attacks by understanding an
attacker's likely progression and targeting specific stages.

Knowledge Check
1. Which model or framework allows for a more detailed mapping of adversary
behavior?
A. MITRE ATT&CK
B. Lockheed Martin’s Cyber Kill Chain
2. Which one is a MITRE ATT&CK tactic?
A. Initial access
B. Exploitation

Lesson Progress

SOC Main Functions and Roles

Fortinet SOC Environment Benefits

Attack Frameworks Overview

Mapping Adversary Behavior


Good job! You now understand the attack frameworks.

Now, you will learn about mapping adversary behavior.


Mapping Adversary Behavior

Objectives
• Review a simulated attack
• Understand how to use the ATT&CK Navigator


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using the MITRE ATT&CK Navigator to map adversary behavior during a
simulated attack, you will acquire the knowledge and expertise necessary to map adversary behavior when
confronted with real-world cybersecurity threats.

Mapping Adversary Behavior
• Understanding adversary behavior is a crucial step in protecting your network and data

• Ask these two questions:
  • Why? What is the technical goal (tactic) of the threat actor?
  • How? What actions (technique or subtechnique) is the threat actor taking to achieve their goal?

• The more you understand the techniques and the tools bad actors use, the more
effective you will be when formulating your strategy against threats

• In this section, you will review a use case to learn how to map adversary behavior to a
mock report


Understanding adversary behavior is essential to safeguarding your organization from threat actors. It
involves trying to anticipate the why and the how of the threat actors. For example, the technical goal of an
adversary is to obtain initial access. In order to achieve their goal, they perform phishing by propagating a
malicious link to users through email. After the phishing attempt is successful, the attacker may move on to
their next goal, such as gaining privileged access on the network.

When trying to map adversary behavior, it is important that you avoid jumping to a conclusion without first
performing a thorough evaluation. For example, you may see a technique that corresponds to multiple tactics,
but you need to evaluate if all of them apply to your scenario. It is also important to not let biases impact your
mapping, such as assuming that the most well-known or commonly seen exploit is the culprit.

Sources and references:


“Best Practices for MITRE ATT&CK® Mapping”, Cybersecurity & Infrastructure Security Agency, 2023. Available online at
https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf

Use Case—Healthcare Sector

Cybercriminals are attempting to use a phishing attack to ransom private data from your organization, a
hospital.

Threat: Potential breach exposing thousands of patients’ data and putting patients at risk

Your goal: Prevent your computer systems from breaking down, prevent data from being compromised, and
avoid disaster

Domain: Enterprise

Attacker: Group ABC


In this use case, your organization, a hospital, is under threat by a fictional adversary, Group ABC. This group
seeks to infiltrate your security with the goal of stealing private patient information.

You will use this mock scenario to learn how to map adversary behavior. When you complete the associated
labs, you will have an opportunity to put what you learned in this lesson, and from this use case, into practice.

Mock Security Threat Report
This threat report describes a simulated attack by the fictional Group ABC. You will use this report to
map the behavior.

This report builds upon threat research information, gathered from our collaborators worldwide, that describes observed
tactics, techniques, and procedures associated with Group ABC activities.

“Group ABC initially probes their potential target's email systems in search of valid email accounts, most likely based on lists
of common usernames. Once they confirm valid email addresses on the target organization, Group ABC starts a
spearphishing campaign against select users. The following are some common characteristics found in similar campaigns:

a) The spearphishing emails usually contain an attached malicious Microsoft Office macro-enabled file.

b) Group ABC usually try to leverage potential hierarchy or power relationships to lure targets into downloading and
opening malicious files. They couple this with email content that conveys a sense of urgency and/or penalties to the
email recipient if they do not act immediately and as the message advises. Group ABC commonly sends the email to
accounts that potentially belong to system administrators, management, HR, and so on.

c) Group ABC generates a new version of the malicious artifact for each campaign, in order to prevent static detection
based on file hash. However, the files look the same in terms of content and they all include malware identified as
M/TrojanDropper.UR!tr.dldr.


This slide introduces a mock threat report, generated by FortiRecon, about Group ABC. As you read this
mock report, pay close attention to the italicized text, which will help you map adversary behavior later.
Observe that key verbs, such as “execute” and “probe”, have a strong correlation to the MITRE ATT&CK
framework tactics.

This report describes some key elements that you, as part of the purple team, will use to build the mapping of
their behavior using the MITRE ATT&CK Matrix for Enterprise.

Mock Security Threat Report (Contd)
After execution, the malware establishes a reverse TCP control channel with a C&C server using the maliciouswebsitetest.com
domain. The channel uses TCP port 443 in order to evade basic security controls that may block communication to nonstandard
ports on the internet.

After establishing initial access through spearphishing and malicious file execution, Group ABC uses a dropper to install a
VBScript on the target system. Then, they modify the Windows Run registry key to execute the VBScript as soon as a user logs
in to the compromised host. This process establishes persistence of the C&C channel, even when the initially compromised host
restarts.

After establishing persistence, Group ABC tries to clear the security audit log on the compromised target in order to evade
detection.

After this initial setup, Group ABC proceeds with execution of various actions on the compromised system, which are not
identifiable as a pattern at this point.”

The purple team analyzes the threat report and identifies the key elements to build a mapping of
their behavior using the MITRE ATT&CK for Enterprise matrix


This slide continues the threat report on Group ABC.

Adversary Emulation and Detection—Attack Flow
Adversary (Kali Linux) sends TTP communications to the target (FortiMail and a Windows client)

1. SMTP enumeration to confirm valid email accounts (reconnaissance tactic)
2. SMTP server response to enumeration
3. Attacker builds the Windows artifact and initiates the TCP handler
4. Spearphishing email with malicious attachment (Microsoft Office document)
5. Victim downloads and opens the malicious attachment
6. Executed artifact initiates a reverse TCP session to the handler
7. Temporary C&C channel is established
8. Persistence artifact (VBS script) transfer and Run Key creation (generates audit log)
9. VBS script executes and establishes a second reverse TCP session to the handler. Persistence is achieved.
10. Windows Event Log (Security) is cleared to remove the indicator of Run Key creation.

This slide describes the entire adversary emulation attack flow that you will execute during one of the lab
exercises in this course.

In this lab exercise, you will alternate between playing the role of the attacker and playing the role of the victim
that interacts with the malicious email and attachment.

The attacking duties are handled by the red team, which aims to use the attack simulation to find holes in the
organization’s defense. With the vulnerabilities discovered from the attack, the red team can work with the
purple team to share knowledge with the blue team and improve the organization’s security posture.

It’s important that you review this flow prior to completing the lab exercises in this course, so that you better
understand the high-level context of the steps you will execute.

In addition, understanding the flow of an attack can help you identify the techniques or subtechniques used by
a threat actor group.

Using the MITRE ATT&CK Navigator
• You can access the MITRE ATT&CK Navigator here:
https://mitre-attack.github.io/attack-navigator/
• There are three matrices:
• Enterprise, Mobile, and Industrial Control System (ICS)
• They offer different tactics, techniques, and subtechniques
• Click Create New Layer to select the matrix type


You can use the MITRE ATT&CK Navigator to map adversary behavior. It allows you to visualize the MITRE
ATT&CK matrices and select tactics, techniques, and subtechniques. You can access the MITRE ATT&CK
Navigator using the URL on this slide.

You can create a new layer, and select the Enterprise, Mobile, or ICS matrix. The enterprise option focuses
more on traditional IT environments, the mobile option focuses more on mobile devices, and the ICS option
focuses more on industrial environments and operational technologies. This course focuses on the enterprise
option.

Using the MITRE ATT&CK Navigator (Contd)
• As an example, using information from the mock report, you
can create a mapping:
• Such as selecting the Gather Victim Identity Information technique, and
the Email Addresses subtechnique

• You can also use the scoring menu in the top right-hand
corner of the navigator by providing the techniques and
subtechniques a score value
• This will highlight the entries and make your mapping easier to read


Using information from the mock report as an example, you can create a mapping. The mock report contains
information about how Group ABC probes for email addresses, and then initiates a spearphishing campaign.

In the sample mapping shown on this slide, you can observe the Gather Victim Identity Information
technique, Email Addresses subtechnique, and scoring options.

Using the MITRE ATT&CK Navigator (Contd)
• You can also add comments using the comment icon in the upper-right of the navigator
  • Use comments to detail the adversary procedures
• The example comment is listed under the Email Addresses subtechnique


An important component of the MITRE ATT&CK framework is the adversary procedure: the specific way a group
carries out a technique.

The ATT&CK Navigator does not have a specific object to map procedures, but you can use the comment field of
the subtechnique to annotate the Group ABC procedure that corresponds to each tactic and technique.

For example, you can enter a comment quoting the part of the mock report that describes how Group ABC
probed the email systems of potential targets in search of valid email accounts. In a real-world situation, you
should collect and document as many details as possible about an adversary, so adding comments about
procedures for every technique is recommended.

Example Mapping
The purple team identified the following information from the mock report:
Group ABC first performs a Reconnaissance (tactic) by using a list of common usernames to probe the
target’s email systems, in order to Gather Victim Identity Information (technique) and obtain Valid
Email Addresses (subtechnique) existing on the target.

Report phrase: “probe potential target's email systems in search of valid email accounts”
Tactic: Reconnaissance
Technique: Gather Victim Identity Information
Subtechnique: Email Addresses
Navigator interface: the result of a mapping


This slide shows an example from the mock report, to map the tactics, techniques, and procedures (TTPs) of
Group ABC’s attempt to compromise an email account.

As a member of the purple team, you will need to analyze a threat report, identify key elements, and use them
to build a mapping of adversary behavior using the MITRE ATT&CK Navigator. Use the high-level steps on
this slide to visualize the requirements you will need to complete a mapping.

You will map out numerous TTPs in the lab exercises in this course.

Saving and Exporting the Mapping
• You can rename the layer and export the mapping for future use

• You can also download the mapping and send your findings to other SOC
members as a JSON file


You can save your mapping, export it, and then send it to your entire SOC team to provide structured insight
into an adversary’s behavior.

When you save a mapping, be sure to give it a meaningful name. You can also download a mapping and save
it as a JSON file. This allows you to have a backup that you can import into the navigator later, if needed.

You also have the options to export a mapping as an Excel file or an SVG file.
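The mapping table above (report phrase, tactic, technique, subtechnique, procedure comment) and the JSON layer file the Navigator saves are two views of the same data. The following Python, added here as an editor's example and not part of the study guide or of MITRE's tooling, builds that layer file directly from a list of report-phrase mappings, so a SOC team can generate, validate and share a layer without clicking through the Navigator. The field names (name, versions, domain, techniques[].techniqueID/tactic/score/comment/showSubtechniques, gradient) are those of the Navigator layer format; the version numbers are assumptions to be matched to the Navigator build in use. Technique IDs are MITRE ATT&CK Enterprise IDs. Only the first mapping (T1589.002) is the one the guide works through; the other rows are this example's own reading of the mock report, not the lab's answer key.

```python
"""Build and export an ATT&CK Navigator layer from Group ABC TTP mappings.

Editor's example, not study-guide or MITRE code. Layer 'versions' values are
assumed; which report sentence maps to which technique (beyond T1589.002,
which the guide itself maps) is this example's reading of the mock report.
"""
import json
import re

# ATT&CK Enterprise tactic shortnames as used in the Navigator 'tactic' field.
ENTERPRISE_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1234 or T1234.001

# (report phrase, tactic, technique ID) read from the mock Group ABC report.
GROUP_ABC_MAPPINGS = [
    ("probe potential target's email systems in search of valid email accounts",
     "reconnaissance", "T1589.002"),   # Gather Victim Identity Information: Email Addresses
    ("spearphishing emails usually contain an attached malicious Microsoft Office macro-enabled file",
     "initial-access", "T1566.001"),   # Phishing: Spearphishing Attachment
    ("lure targets into downloading and opening malicious files",
     "execution", "T1204.002"),        # User Execution: Malicious File
    ("modify the Windows Run registry key to execute the VBScript as soon as a user logs in",
     "persistence", "T1547.001"),      # Boot or Logon Autostart Execution: Registry Run Keys
    ("clear the security audit log on the compromised target",
     "defense-evasion", "T1070.001"),  # Indicator Removal: Clear Windows Event Logs
]


def parent_of(technique_id: str) -> str:
    """Parent technique of a sub-technique: 'T1589.002' -> 'T1589'."""
    return technique_id.split(".")[0]


def build_layer(mappings, name="Group ABC - mock report", score=1):
    """Return a Navigator layer dict with one scored, commented tile per mapping.

    The Navigator has no procedure object, so the report phrase goes into the
    tile's comment. For each sub-technique the parent is also listed with
    showSubtechniques=True so the matrix expands to reveal the scored tile.
    Rejects tactics that are not ATT&CK tactics (e.g. Kill Chain 'exploitation').
    """
    techniques, seen_parents = [], set()
    for phrase, tactic, tid in mappings:
        if tactic not in ENTERPRISE_TACTICS:
            raise ValueError(f"not an ATT&CK Enterprise tactic: {tactic}")
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid}")
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": score,
            "comment": f'Group ABC procedure: "{phrase}"',
            "enabled": True,
            "showSubtechniques": False,
        })
        parent = parent_of(tid)
        if parent != tid and parent not in seen_parents:
            seen_parents.add(parent)
            techniques.append({"techniqueID": parent, "tactic": tactic,
                               "showSubtechniques": True})
    return {
        "name": name,
        # Assumed versions: align with the Navigator instance you import into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "TTPs of the fictional Group ABC mapped from the mock threat report",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def export_layer(layer) -> str:
    """Serialize to the JSON the Navigator's 'Open Existing Layer' accepts."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(export_layer(build_layer(GROUP_ABC_MAPPINGS)))
```

Save the printed JSON to a file and open it in the Navigator with Open Existing Layer; the five scored tiles appear highlighted under their tactics with the procedure text in the comment. The tactic check is deliberate: a Kill Chain stage name such as "exploitation" is not an ATT&CK tactic, and rejecting it at build time keeps the layer consistent with the matrix.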

Knowledge Check
1. What is reconnaissance in the MITRE ATT&CK framework?
A. It is a technique.
B. It is a subtechnique.
C. It is a tactic.

Lesson Progress

SOC Main Functions and Roles

Fortinet SOC Environment Benefits

Attack Frameworks Overview

Mapping Adversary Behavior


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

Review
 Describe the main functions and roles within a SOC
 Identify the main challenges within a SOC
 Identify what challenges can be solved with the Fortinet SOC
 Describe the MITRE ATT&CK Enterprise Matrix
 Describe the Cyber Kill Chain
 Review a simulated attack
 Use the ATT&CK Navigator


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned what a SOC is, what challenges can be
solved with the Fortinet SOC, what industry-standard attack frameworks are, and how to map adversary
behavior.



FortiAnalyzer Architecture


Security Operations Analyst


FortiAnalyzer Architecture

FortiAnalyzer 7.4
Last Modified: 28 March 2024

In this lesson, you will learn about the key features and concepts of FortiAnalyzer, including administrative
domains (ADOMs), operation modes, and the FortiAnalyzer Fabric.

FortiAnalyzer integrates logging, analytics, and reporting into one system, so you can quickly identify and
react to network security threats.

Lesson Overview

FortiAnalyzer Architecture

Operation Modes

FortiAnalyzer Fabric


In this lesson, you will learn about the topics shown on this slide.


FortiAnalyzer Architecture

Objectives
• Describe the purpose of FortiAnalyzer
• Describe administrative domains


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FortiAnalyzer key features and concepts, you will be able to
use the device effectively in your own network.

Centralized Log Repository
• FortiAnalyzer aggregates log data from one or more Fortinet devices
• Single view of security events taking place on a range of devices

Supported devices (the list is not exhaustive):
• FortiGate/FortiCarrier
• FortiAnalyzer
• FortiAuthenticator
• FortiCache
• FortiClient
• FortiDDoS
• FortiMail
• FortiManager
• FortiNAC
• FortiSandbox
• FortiWeb
• Syslog
• Chassis

FortiAnalyzer aggregates log data from one or more Fortinet devices, thereby acting as a centralized log
repository. Log aggregation provides a single channel for accessing your complete network data, so you don’t
need to access multiple devices, several times a day.

FortiAnalyzer can be integrated with many different Fortinet solutions. For a complete list, refer to the release
notes at docs.fortinet.com.

Centralized Log Repository (Contd)
Workflow:
1. Registered devices send logs to FortiAnalyzer
2. FortiAnalyzer buffers, reorganizes, and stores the logs
3. Administrators:
• View and search the logs
• Configure, request, and view reports (based on log data)

• Sample topology: FortiGate devices at headquarters, in the data center, and at branch offices, together with
FortiManager, send logs to FortiAnalyzer; the administrator retrieves logs and reports from FortiAnalyzer

The logging and reporting workflow operates as follows:


1. Registered devices send logs to FortiAnalyzer.
2. FortiAnalyzer collates and stores those logs in a way that is easy to search and run reports.
3. Administrators can connect to FortiAnalyzer using the GUI to view the logs manually or generate reports to
view the data. You can also use the CLI to perform administrative tasks.

You can easily integrate FortiAnalyzer into a network, even if there are multiple sites. A sample topology can
include multiple branches and a headquarters. Each location’s firewall is added into FortiAnalyzer, and the
administrator can view logs and generate reports for the entire network, from a single interface.

Reports, Events, and Content Archiving
• Reports
• Network-wide reporting of device events, activities, and trends
• Archived, filtered, and mined for compliance or historical analysis purposes

• Events
• Identify and react to security threats quickly when configured conditions are met
• View events through Event Monitor (on the GUI), email, SNMP, or syslog
• Events that require further investigation can be used to generate new incidents

• Content archiving
• Simultaneously logs and archives full or summary copies of content transmitted over the network (email,
FTP, NNTP, and web traffic)
• Typically used to prevent sensitive information from leaving your network


Some key features of FortiAnalyzer include reporting, alert generation, and content archiving.

FortiAnalyzer reports provide a clear picture of network events, activities, and trends occurring on supported
devices. The reports collate information in logs so that you can interpret the information and, if necessary,
take any required actions. You can archive and filter the network knowledge you glean from these reports, as
well as mine it for compliance or historical analysis purposes.

Monitoring your network around the clock is not realistic. FortiAnalyzer events provide you with a way to see
and quickly react to threats, without having to constantly keep watch on your network. FortiAnalyzer can
generate events when specific conditions in the logs are met—conditions you configure FortiAnalyzer to
monitor for registered devices. You can view these events on the GUI, and you can also send them to multiple
recipients by email, SNMP, or syslog. You can escalate events that require investigation into incidents.

Content archiving provides you with a way to simultaneously log and archive full or summary copies of the
content transmitted over the network. You can use content archiving to prevent sensitive information from
leaving your organization's network. You can also use it to record network use. The data loss prevention
(DLP) engine can examine email, File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and
web traffic, but you must configure the archive setting for each rule in a DLP sensor on FortiGate to specify
what you want to archive.

Database Language Support
• FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting
• FortiAnalyzer inserts log data into the SQL database for log view and report generation
• FortiAnalyzer uses a PostgreSQL database
• Advanced reporting capabilities require some knowledge of SQL and databases


SQL is the database language that FortiAnalyzer uses for logging and reporting.

Advanced reporting capabilities require some knowledge of SQL and databases. For example, you may need
to compose custom SQL queries, known as datasets, to extract the data you require from the database.

ADOMs
Dashboard > System Information

• ADOMs group devices for administrators to monitor and manage
  • One or more devices are assigned to ADOMs, and administrators are assigned to administer one or more ADOMs
• Purpose:
  • To divide administration of devices and restrict access
    • VDOMs, a feature of FortiGate, further restrict access
  • To more efficiently manage data policies and disk space allocation
    • Set for each ADOM (not for each device)
• ADOMs are not enabled by default:

    # config system global
        set adom-status {enable | disable}
    end

ADOMs allow you to group devices for management and monitoring. For example, administrators can
manage devices that are grouped based on their geographical location or business division.

The purpose of ADOMs is to:

• Divide the administration of devices by ADOM and to control (restrict) administrator access. If your network
uses VDOMs, ADOMs can further restrict access to data that comes from the VDOM of a specific device.

• Make the management of data policies and disk space allocation, which are set per ADOM, more efficient.

ADOMs are not enabled by default and can be configured only by the default admin administrator (or an
administrator with the Super_User profile).

All Fortinet devices included in a Security Fabric can be placed into an ADOM of the Fabric type, allowing for
fast data processing and log correlation.

Knowledge Check
1. What does FortiAnalyzer use for log viewing and report generation?
A. Queries on a database
B. Queries of plain text files

2. What is the purpose of using ADOMs?


A. To divide administration of devices, restrict access, and manage data policies
B. To reduce resource usage on FortiAnalyzer

Lesson Progress

FortiAnalyzer Architecture

Operation Modes

FortiAnalyzer Fabric


Good job! You now understand FortiAnalyzer architecture.

Now, you will learn about FortiAnalyzer operation modes.


Operation Modes

Objectives
• Describe FortiAnalyzer operation modes
• Configure FortiAnalyzer collectors
• Configure FortiAnalyzer analyzers


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the configuration of collectors and analyzers, you can set up a topology
where FortiAnalyzer devices can work together to increase the overall performance of log receiving, analysis,
and reporting.

FortiAnalyzer Operation Modes—Analyzer
Dashboard > System Information

• Analyzer is the default operation mode
• Central log aggregator for one or more logging devices, or for a FortiAnalyzer in collector mode
  • Fortinet devices send logs directly to a central log management platform
• Can still forward logs to another FortiAnalyzer (or syslog/CEF server)

FortiAnalyzer has two modes of operation: analyzer and collector. The operation mode you choose depends
on your network topology and individual requirements.

You can change the operation mode in the System Information widget on the dashboard.

When operating in analyzer mode, the device acts as a central log aggregator for one or more log collectors,
such as a FortiAnalyzer device operating in collector mode, or any other supported device sending logs.
Analyzer is the default operation mode.

FortiAnalyzer Operation Modes—Collector

• Collects logs from multiple devices and forwards them to FortiAnalyzer in analyzer mode
• Can aggregate logs to another FortiAnalyzer
• Can only forward to syslog/CEF server in real-time forwarding mode
• Not used for analytics—archiving only

Diagram labels: FortiAnalyzer in analyzer mode; FortiAnalyzer in collector mode (no event management or reporting); Fortinet devices send logs to log collector

When operating in collector mode, FortiAnalyzer collects logs from multiple devices and then forwards those
logs, in their original binary format, to another device, such as a FortiAnalyzer operating in analyzer mode. It
can also send them to a syslog server or a common event format (CEF) server, depending on the forwarding
mode. A collector does not have the same feature-rich options as an analyzer, because its only purpose is to
collect and forward logs. It cannot perform event management or reporting.

Analyzer—Collector Collaboration

• Increase FortiAnalyzer performance by using both modes
  • Offload the log receiving task to the collector
  • Analyzer focuses on data analysis and reporting
• Collector can help with slow or unreliable links by storing logs and forwarding them later
• On the collector, you should allocate most of the disk space to archive logs

Diagram labels: Analyzer; Collector; Collector; Fortinet devices send logs to log collector

By using both analyzer and collector modes, you increase FortiAnalyzer performance: Collectors offload the
task of receiving logs from multiple devices from the analyzer. This allows the analyzer to focus on data
analysis and reporting tasks.

Furthermore, because a collector is strictly dedicated to log collection, its log receiving rate and speed are
maximized. If bandwidth is an issue, like in the case of slow WAN links, you can use the store and upload
option to send logs only during low-bandwidth periods.

Because the collector does not perform any analytics tasks, you should allocate most of its disk space to
archive logs.

Collector Configuration
Dashboard > System Information; System Settings > ADOMs

• Enable collector operation mode
• Modify the data policy to focus on archiving
  • Set to 0 days for analytics
  • Set archive retention based on your organizational requirements
• Modify the disk utilization quota to focus on archiving
  • Allocate most disk space for archive log use
  • Set the analytics:archive ratio to 5%:95%

Note: You need to set the allocated disk quota to meet your requirements

You can change the operation mode to collector using the System Information dashboard widget. Once you
change the operation mode, you will be logged out of FortiAnalyzer.

The next task is to configure the collector to focus on archiving. On this slide, you can see that analytics
retention is set to 0 days, whereas archive retention is set to 365 days. Also, the analytics to archive ratio is
set to 5% and 95%, respectively.

Note that the settings shown on this slide are only suggestions. The disk space configured, for example, is
most likely insufficient for a production network.

Collector Configuration (Contd)
System Settings > Advanced > Log Forwarding

• Enable log forwarding on the collector
• Configure the required settings, including name, remote server type, server FQDN/IP, and other parameters
• Configure additional filters to forward matching logs, define fields to exclude, and mask sensitive fields

After you configure the data policy and disk utilization settings on the collector, you can configure log
forwarding.

You will need to configure the following fields:

• Name: Type in a name for the log forwarding entry.
• Remote Server Type: Type FortiAnalyzer.
• Server FQDN/IP: Type in the target FortiAnalyzer address information.
• Compression (optional): Enable log message compression when the remote FortiAnalyzer also supports this
format.
• Reliable Connection (optional): Enable this setting to use a TCP connection. Disable it to use a UDP
connection.
• Sending Frequency: Select the frequency at which log forwarding will occur: in real time, every minute, or
every 5 minutes.

You can also configure additional filters to control which types of logs are included or excluded, and whether
you want to obfuscate fields:
• Device Filters: Select which devices are included.
• Log Filters: Select which log types are forwarded.
• Enable Exclusions: Enable to select which log types are excluded.
• Enable Masking: Enable to determine which fields will be masked before logs are forwarded.
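The filter and masking stages listed above, modelled as an added Python example. This is not FortiAnalyzer code and does not reproduce its forwarding implementation; the FortiGate-style log lines, the device names and the choice of masked fields (srcip and user) are constructed for the example. It parses the key=value log format, applies the device filter, the log filter, the exclusion and the masking in that order, and returns only the lines that would leave the collector.

```python
"""Collector-side log forwarding filters: device filter, log filter,
exclusions and field masking, applied before a log leaves the collector.
Added example, not FortiAnalyzer code; the log lines, device names and
masked fields below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# FortiGate-style logs are space-separated key=value pairs; values that
# contain spaces are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def format_log(fields: Dict[str, str]) -> str:
    """Serialize a dict back to one key=value line, quoting values with spaces."""
    return " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}"
                    for k, v in fields.items())


@dataclass
class ForwardingPolicy:
    devices: Set[str]                # Device Filters: devices whose logs are forwarded
    log_types: Set[str]              # Log Filters: 'type' values that are forwarded
    exclude_subtypes: Set[str] = field(default_factory=set)  # Enable Exclusions
    mask_fields: Set[str] = field(default_factory=set)       # Enable Masking
    mask_token: str = "xxxxx"        # constructed replacement value

    def decide(self, log: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Return the fields to forward (masked), or None if the log is dropped."""
        if log.get("devname") not in self.devices:
            return None
        if log.get("type") not in self.log_types:
            return None
        if log.get("subtype") in self.exclude_subtypes:
            return None
        out = dict(log)
        for name in self.mask_fields:
            if name in out:
                out[name] = self.mask_token
        return out


def forward(policy: ForwardingPolicy, lines: List[str]) -> List[str]:
    """Apply the policy to raw lines and return the lines that would be sent."""
    sent = []
    for line in lines:
        decided = policy.decide(parse_log(line))
        if decided is not None:
            sent.append(format_log(decided))
    return sent


# Constructed sample logs (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-03-28 time=10:00:01 devname=FGT-SiteA type=traffic subtype=forward '
    'srcip=10.0.1.25 dstip=203.0.113.9 user="alice" action=accept',
    'date=2024-03-28 time=10:00:02 devname=FGT-SiteA type=utm subtype=virus '
    'srcip=10.0.1.30 dstip=198.51.100.7 user="bob" msg="File is infected."',
    'date=2024-03-28 time=10:00:03 devname=FGT-SiteA type=traffic subtype=local '
    'srcip=10.0.1.1 dstip=10.0.1.254 action=deny',
    'date=2024-03-28 time=10:00:04 devname=FGT-Lab type=utm subtype=virus '
    'srcip=10.0.9.5 dstip=198.51.100.7 user="carol"',
]

# Constructed policy: forward traffic and UTM logs from FGT-SiteA only,
# skip local traffic, and mask the source address and user name.
POLICY = ForwardingPolicy(
    devices={"FGT-SiteA"},
    log_types={"traffic", "utm"},
    exclude_subtypes={"local"},
    mask_fields={"srcip", "user"},
)

if __name__ == "__main__":
    for line in forward(POLICY, SAMPLE_LOGS):
        print(line)
```

Running the block forwards two of the four constructed lines: the local-traffic log is dropped by the exclusion, the log from the unlisted device is dropped by the device filter, and the source address and user name are replaced in the remaining lines. Masking on the collector matters because the forwarded copy is the one that reaches the analyzer and any syslog or CEF destination behind it.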

Analyzer Configuration
System Settings > ADOMs

• Modify the data policy to focus on analytics
  • Set the analytics retention based on your organizational requirements
  • Set to 0 days for archive
• Modify the disk utilization quota to focus on analytics
  • Set the analytics:archive ratio to 95%:5%

Note: Analytics logs take up significantly more space than archive logs, so adjust your settings appropriately

On the analyzer, configure the data policy and disk utilization to focus on analytics. In the example shown on
this slide, the analytics retention is set to 60 days, whereas the archive retention is set to 0 days. The collector
archive retention in the earlier example is 365 days, but the analyzer analytics retention is deliberately not set
to the same range, for the reason explained below. The analytics to archive ratio is also set to 95% and 5%,
respectively.

Remember that analytics logs take more space, so you must plan your data policy and disk utilization settings
carefully. Archive logs are compressed, but analytics logs are not (to allow quick access). As a result, you can
expect analytics logs to be roughly a few times larger.

The settings shown on this slide are only suggestions. You must consider what your organization requires in
your production network.

Knowledge Check
1. Which FortiAnalyzer operation mode do you use for analytics?
A. Analyzer
B. Collector

2. Which type of logs consume more disk space?
A. Analytics
B. Archive

Lesson Progress

• FortiAnalyzer Architecture
• Operation Modes
• FortiAnalyzer Fabric

Good job! You now understand FortiAnalyzer operation modes.

Now, you will learn about FortiAnalyzer Fabric.

FortiAnalyzer Fabric

Objectives
• Describe FortiAnalyzer Fabric
• Review FortiAnalyzer Fabric topology
• Configure the FortiAnalyzer Fabric supervisor and members
• Describe Fabric groups

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the initial configuration of FortiAnalyzer, you will be able to add FortiAnalyzer
to your network and perform basic administrative tasks.

FortiAnalyzer Fabric
• Enables centralized viewing of devices, incidents, and events across multiple FortiAnalyzer devices
• Ideal for environments with multiple FortiAnalyzers and high log volume
• Two operation modes:
  • Supervisor—one per fabric; acts as the root
  • Member—sends information to supervisor
• The supervisor includes these modules:
  • Device Manager
  • FortiView
  • Log View
  • Incidents & Events
  • Reports

The FortiAnalyzer Fabric enables centralized viewing of devices, incidents, events, and reports across
multiple FortiAnalyzers.

FortiAnalyzer Fabric includes two operation modes: supervisor and member.

Supervisors act as the root device in the FortiAnalyzer Fabric. Security operations center (SOC)
administrators can use the supervisor to view member devices and their ADOMs, authorized logging devices,
as well as incidents and events created on members. FortiAnalyzer syncs the incident and event information
from members to the supervisor using the API.

Members are devices in the FortiAnalyzer Fabric that send information to the supervisor for centralized
viewing. When configured as a member, FortiAnalyzer devices continue to have access to the FortiAnalyzer
features identified in the FortiAnalyzer Administration Guide. FortiAnalyzers configured with high availability
(HA) can become members. However, HA is not supported for FortiAnalyzers that are acting as the Fabric
Supervisor.

Sample FortiAnalyzer Fabric Topology

Diagram labels (top to bottom):
• Supervisor: The supervisor can view the information on the members using an API. Members do not forward their logs to the supervisor.
• Members: Members must be in analyzer mode.
• Collectors (optional): The collector forwards logs to the analyzer. Collectors cannot be members.
• Fortinet devices send logs (to a member directly, or to a collector).

On this slide, you can see a sample FortiAnalyzer Fabric topology comprising four FortiAnalyzer devices. The
Fabric supervisor, depicted at the top, is configured to view information on two Fabric members. Logging
devices cannot be registered to the Fabric supervisor. Instead, they are registered to one or more
FortiAnalyzers in analyzer mode, which act as Fabric members.

Note that the FortiAnalyzer Fabric can also include downstream collectors that forward logs to Fabric
members. In this sample topology, there is a single collector that forwards logs to one of the members. The
other member has no downstream collector, so devices are sending logs directly to it.

Configure FortiAnalyzer Supervisor
System Settings > Fabric Management

• Configure the supervisor using the GUI
• Alternatively, in the CLI:

# config system soc-fabric
    set status enable
    set name "MSSP-Fabric"
    set supervisor <IP/DNS Name>
end

• (CLI only) Enable the soc-fabric on the interface:

# config system interface
    edit <port #>
        set allowaccess soc-fabric <add other protocols you need>
end

Do not forget to add other administrative access protocols, such as HTTPS and SSH, as required. Existing settings will be overwritten.

To configure the Fabric supervisor, define the following fields:


• Role: Select Supervisor.
• Cluster Name: Type in a name that all FortiAnalyzer Fabric devices will use.
• Session Port: Type in a port that all FortiAnalyzer Fabric devices will use or use the default port 6443.
• Secure Connection: Enable or disable TLS.

Note that the cluster name, session port, and secure connection settings must match the Fabric members.

You will also need to enable the soc-fabric administrative access option on any interface FortiAnalyzer is
using to communicate with any Fabric member. You can perform this part of the configuration on the CLI only.

Note that you need to be careful when changing the administrative access on an interface, especially if it is
the interface you use to manage FortiAnalyzer. In the example shown on this slide, if you enable only
soc-fabric, existing administrative access protocols are overwritten. To prevent that from happening, you must
define all your required protocols, such as HTTPS or SSH, and then also enable soc-fabric.

Configure FortiAnalyzer Member
System Settings > Fabric Management

• Configure the member using the GUI
• Alternatively, in the CLI:

# config system soc-fabric
    set status enable
    set name "MSSP-Fabric"
    set supervisor <IP/DNS Name>
end

• (CLI only) Enable the soc-fabric on the interface:

# config system interface
    edit <port #>
        set allowaccess soc-fabric <add other protocols you need>
end

Do not forget to add other administrative access protocols, such as HTTPS and SSH, as required. Existing settings will be overwritten.

To configure the Fabric member, define the following fields:


• Role: Select Member.
• Cluster Name
• IP: Type in the IP address of the fabric supervisor.
• Session Port
• Secure Connection

Note that the cluster name, session port, and secure connection settings must match the Fabric supervisor.

You will also need to enable the soc-fabric administrative access option on the interface FortiAnalyzer is
using to communicate with the Fabric supervisor. You can perform this part of the configuration on the CLI
only.
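The matching requirements on these two slides (cluster name, session port and secure connection must agree; members must run in analyzer mode; HA is not supported on the supervisor) collected into an added Python consistency check. This is example code, not FortiAnalyzer's own; apart from FAZ-MSSP, FAZ-SiteB and the cluster name MSSP-Fabric, the node names, the HA flag and the port mismatch in the sample plan are constructed. The second function builds the complete allowaccess line for an interface, because the command replaces the interface's protocol list rather than adding to it.

```python
"""Consistency checks for a planned FortiAnalyzer Fabric, derived from the
requirements stated on the supervisor and member slides. Added example, not
FortiAnalyzer code; the sample plan below is constructed."""
from dataclasses import dataclass
from typing import List

DEFAULT_SESSION_PORT = 6443  # default Session Port named on the slide


@dataclass
class FazNode:
    name: str
    role: str                  # "supervisor" or "member"
    mode: str                  # operation mode: "analyzer" or "collector"
    cluster_name: str
    session_port: int = DEFAULT_SESSION_PORT
    secure_connection: bool = True   # TLS on the Fabric session
    ha_enabled: bool = False


def validate_fabric(nodes: List[FazNode]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    supervisors = [n for n in nodes if n.role == "supervisor"]
    if len(supervisors) != 1:
        problems.append(f"expected exactly one supervisor, found {len(supervisors)}")
        return problems
    sup = supervisors[0]
    if sup.ha_enabled:
        problems.append(f"{sup.name}: HA is not supported on the Fabric supervisor")
    for m in (n for n in nodes if n.role == "member"):
        if m.mode != "analyzer":
            # collectors cannot be Fabric members
            problems.append(f"{m.name}: members must be in analyzer mode (is {m.mode})")
        if m.cluster_name != sup.cluster_name:
            problems.append(f"{m.name}: cluster name {m.cluster_name!r} != {sup.cluster_name!r}")
        if m.session_port != sup.session_port:
            problems.append(f"{m.name}: session port {m.session_port} != {sup.session_port}")
        if m.secure_connection != sup.secure_connection:
            problems.append(f"{m.name}: secure connection setting differs from supervisor")
    return problems


def allowaccess_line(current: List[str], required: List[str]) -> str:
    """Build the full 'set allowaccess ...' line for an interface.

    The command replaces the interface's protocol list, so the protocols
    already enabled are merged with the new ones instead of being dropped."""
    merged = list(dict.fromkeys(current + required))  # keep order, drop duplicates
    return "set allowaccess " + " ".join(merged)


# Constructed sample plan: one port mismatch and one collector listed as a member.
SAMPLE_PLAN = [
    FazNode("FAZ-Supervisor", "supervisor", "analyzer", "MSSP-Fabric"),
    FazNode("FAZ-MSSP", "member", "analyzer", "MSSP-Fabric"),
    FazNode("FAZ-SiteB", "member", "analyzer", "MSSP-Fabric", session_port=6444),
    FazNode("FAZ-Collector", "member", "collector", "MSSP-Fabric"),
]

if __name__ == "__main__":
    for problem in validate_fabric(SAMPLE_PLAN):
        print("problem:", problem)
    # existing management access plus soc-fabric, nothing lost
    print(allowaccess_line(["https", "ssh"], ["soc-fabric"]))
```

Run against the sample plan, the check reports the session port on FAZ-SiteB and the collector mode on FAZ-Collector; the printed allowaccess line keeps HTTPS and SSH alongside soc-fabric, which is the form to paste into the interface configuration so that management access survives the change.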

Fabric Groups
System Settings > Fabric Groups
• To filter information to specific FortiAnalyzer Fabric members or ADOMs, you can create Fabric groups

Screenshot callout: The Fabric group can be used to filter devices

Depending on the number of devices added to the FortiAnalyzer Fabric, you may wish to limit the scope of
information presented by the Fabric supervisor. You can filter information based on a specific set of
FortiAnalyzer Fabric members or ADOMs by creating Fabric groups on the FortiAnalyzer Fabric supervisor.
Once created, the Fabric groups are listed under Device Manager, and can be used to filter results
in FortiView, Log View, and Reports. In the example shown on this slide, the Fabric group FAZ-MSSP-FAZ-
SiteB contains different ADOMs across two FortiAnalyzer Fabric members: FAZ-MSSP and FAZ-SiteB.

Without using Fabric groups, you can still filter information on the Fabric supervisor, but you will need to
manually select the FortiAnalyzer devices and the ADOMs required. This could be time consuming if there are
many devices in your topology. By leveraging Fabric groups, you can easily and quickly apply filters.

Knowledge Check
1. Which FortiAnalyzer operation mode must you configure Fabric members in?
A. Analyzer
B. Collector

2. Which statement about the Fabric supervisor is true?
A. All logging devices are registered to the Fabric supervisor.
B. Logging devices cannot be registered to the Fabric supervisor.

Lesson Progress

• Introduction to FortiAnalyzer Architecture
• Operation Modes
• FortiAnalyzer Fabric

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

Review
 Describe the purpose of FortiAnalyzer
 Describe ADOMs
 Describe FortiAnalyzer operation modes
 Configure FortiAnalyzer collectors
 Configure FortiAnalyzer analyzers
 Describe FortiAnalyzer Fabric
 Review FortiAnalyzer Fabric topology
 Configure the FortiAnalyzer Fabric supervisor and members
 Describe Fabric groups

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about FortiAnalyzer key features and
concepts, and how to use FortiAnalyzer effectively in your network.

SOC Operations

Security Operations Analyst
FortiAnalyzer 7.4
Last Modified: 28 March 2024

In this lesson, you will learn about the key features of FortiAnalyzer that make it essential to a SOC.

FortiAnalyzer integrates event monitors, event handlers, and incidents that can be generated from the logs it
receives, so you can quickly identify and react to network security threats.

Lesson Overview

• Concepts, Definitions, and Incident Handling
• Events, Event Handlers, and Incidents
• Threat Hunting

In this lesson, you will learn about the topics shown on this slide.

Concepts, Definitions, and Incident Handling

Objectives
• Describe FortiAnalyzer SOC features
• Describe basic concepts and definitions related to FortiAnalyzer SOC features
• Analyze NIST SP 800-61 computer security incident handling guidelines

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiAnalyzer SOC concepts and definitions, you will be able to identify and
describe the SOC-related features of FortiAnalyzer. You will also learn some guidelines for security incident
handling.

FortiAnalyzer SOC Features

Incident management
• Incident/case management
• Indicators attachment for incidents
• API to FortiSOAR for escalation

Automation
• Playbook templates and automation
• Connectors for playbooks
• Visual playbook editor
• Playbook execution
• Playbook monitor

Analytics
• SOC analytics

Legacy SOC operations had many disadvantages that are not manageable in today's dynamic environment. For
example, analysts had to handle too many alerts, often across separate interfaces, with a predictable loss of
efficiency when trying to resolve security breaches.

FortiAnalyzer provides solutions for modern SOC analysts that include:


• Complete incident lifecycle management capabilities, including alerts, monitoring, and escalation
• Automation framework using connectors and playbooks
• Centralized Security Fabric visibility throughout the network from a single web interface

Concepts and Definitions

• Security information and event management (SIEM): Fabric (SIEM) logs are a licensed feature that enables the FortiAnalyzer SIEM capabilities to parse, normalize, and correlate logs from Fortinet products, as well as security event logs of Windows and Linux hosts (with Fabric Agent integration).
• Indicators of compromise (IOC): The IOC service on FortiAnalyzer downloads the threat database from FortiGuard. The FortiGuard threat database contains the blocklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.
• Security event: A record of an observed occurrence on a monitored information system. If an event is relevant from an information security perspective, it can be considered a security event. On FortiAnalyzer, events are generated using event handlers. Also, a Windows audit log entry indicating a successful user login can be considered a security event.
• Security incident: An event that indicates a malicious or abnormal occurrence. On FortiAnalyzer, incidents are escalated from events.
• Indicator enrichment: Querying threat intelligence sources about an indicator to obtain security context information. A form of enrichment that is frequently used is checking the reputation of an indicator. For example, you can verify if a given file hash is associated with known malware.

This slide shows some of the basic concepts that you should be familiar with when working in a SOC
environment.

SIEM is a technology that supports threat detection, compliance, and security incident management through
the collection and analysis of security events, as well as a wide variety of other event and contextual data
sources. Fabric (SIEM) logs are a licensed feature that enables the FortiAnalyzer SIEM capabilities to parse,
normalize, and correlate logs from Fortinet products, as well as security event logs of Windows and Linux
hosts (with Fabric Agent integration).

IOCs are artifacts observed on a network or in an operating system where there is a high level of confidence
that the artifacts indicate a computer intrusion.

A security event is a record of an observed occurrence on a monitored information system. If an event is
relevant from an information security perspective, it can be considered a security event.

A security incident is an event that indicates a malicious or abnormal occurrence. On FortiAnalyzer, incidents
are escalated from events.

Indicator enrichment queries threat intelligence sources for an indicator to obtain security context information.
Checking the reputation of an indicator is a form of enrichment that is frequently used.

Even though these concepts and definitions may vary depending on the source (including specific vendors and
products), it is important to clarify a few definitions that are used during this training. Overall, the definitions
follow market conventions, established standards, or those of Fortinet solutions.

NIST SP 800-61 Incident Handling—Overview
• Defines incident handling as a lifecycle with four phases
• Assists in
  • Establishing computer security incident response capabilities
  • Handling incidents efficiently and effectively
• Focuses on
  • Analyzing incident-related data
  • Determining appropriate response
• Agnostic and broad approach
  • Can be followed independently of particular hardware, OS, protocols, or applications
• Recommended practices for handling any type of incident

The content of this slide is based on copyright material from the National Institute of Standards and Technology (NIST) available online at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

Incident handling is a process or life cycle, which means it is constantly in execution: even after a single
incident is resolved, the results feed back into the process for handling the next incident. The inner cycle
defined by NIST comprises two phases: Detection and Analysis, and Containment, Eradication and
Recovery.

It’s important to note that even these two phases represent a cycle, meaning two things:
• Containment, Eradication & Recovery can trigger Detection and Analysis steps
• Detection and Analysis may trigger Containment, Eradication and Recovery actions even before Detection
and Analysis is fully concluded

Example: During Detection & Analysis, a SOC analyst may confirm a user account was compromised and
immediately create a request for the IT team to temporarily disable the compromised user account
(Containment). In this case, a Containment action may be taken even before Detection and Analysis is
finished.

In mature SOC practices, a single person rarely executes all incident handling tasks, and even different teams
may be involved in the process. The incident handling process also defines that certain steps must be
executed by specific teams, or approved by a manager.

Sources and references:

(1) Paul Cichonski, Thomas Millar, Tim Grance, Karen Scarfone, "SP 800-61 Rev. 2 Computer Security Incident Handling Guide", National Institute of Standards and Technology, August, 2021. Available online at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

NIST SP 800-61 Incident Handling—Detection and Analysis
• Prepare to handle any incident but focus on those that use common attack vectors, such as external and removable media, web, and email
• Signs of an incident
  • Precursors (relatively rare) – indicate an incident may occur in the future
  • Indicators (common) – indicate an incident may have occurred or may be occurring now
• Common sources of precursors and indicators
  • Intrusion detection and prevention systems (IDPS)
  • SIEM
  • Antimalware and antispam
  • OS-level monitoring (file integrity, processes, and so on)
  • Logs (OS, services, applications, and network devices)
  • Network flows

The content of this slide is based on copyright material from NIST available online at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

The incident response process has several phases. The initial phase involves establishing and training an
incident response team, and acquiring the necessary tools and resources. During preparation, the
organization also attempts to limit the number of incidents that occur by selecting and implementing a set of
controls based on the results of risk assessments.

Incident response methodologies typically emphasize preparation—not only establishing an incident response
capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring
that systems, networks, and applications are sufficiently secure.

For many organizations, the most challenging part of the incident response process is accurately detecting
and assessing possible incidents—determining whether an incident has occurred and, if so, the type, extent,
and magnitude of the problem. What makes this so challenging is a combination of three factors:
• Incidents may be detected through many different means, with varying levels of detail and fidelity.
Automated detection capabilities include network-based and host-based IDPSs, antivirus software, and log
analyzers. Incidents may also be detected through manual means, such as problems reported by users.
Some incidents have overt signs that can be easily detected, whereas others are almost impossible to
detect.
• The volume of potential signs of incidents is typically high.
• Deep, specialized technical knowledge and extensive experience are necessary for accurate and efficient
analysis of incident-related data.

Precursors and indicators are identified using many different sources. The slide shows some of the most
common ones.

NIST SP 800-61 Computer Security Incident Handling—Containment, Eradication and Recovery
• Containment
  • Often required and should be considered early
  • Decision-making is an essential part
  • Strategies vary per incident
• Eradication and Recovery
  • Identify affected resources, attacking resources, and communication channels
  • Eliminate components of the incident (delete malware, disable compromised accounts, remove persistence, and so on)
  • Restore systems to normal operations
  • Confirm systems are working normally
  • Remediate vulnerabilities (if applicable)
• Recovery may involve actions, such as:
  • Restore systems from clean backups and snapshots
  • Rebuild systems from scratch
  • Replace compromised files with clean and reliable versions
  • Install patches
  • Change passwords

The content of this slide is based on copyright material from NIST available online at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

Containment is about stopping the adversary from progressing toward their objectives. Containment is
important before an incident overwhelms resources or increases damage. Most incidents require containment,
so that is an important consideration early in the course of handling each incident. A very straightforward
example of this is quarantining a compromised host to prevent the adversary from using it as a stepping stone
to other phases of the attack.

Eradication means eliminating the threat. Using the compromised host example, this could involve removing
malware and persistence mechanisms on the host. During eradication, it is important to identify all affected
hosts within the organization so that they can be remediated. For some incidents, eradication is either not
necessary, or is performed during recovery.

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning
normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Using the compromised host
scenario, this could involve removing the host from quarantine so it can be used normally again on the
network.

Knowledge Check
1. Which two FortiAnalyzer features automate common tasks? (Choose two.)
A. Playbooks
B. Connectors
C. Incidents
D. Indicators

2. On FortiAnalyzer, what is an incident?
A. A record of an observed occurrence on a monitored system
B. A security event that has been escalated

Lesson Overview

• Concepts, Definitions, and Incident Handling
• Events, Event Handlers, and Incidents
• Threat Hunting

Good job! You now understand FortiAnalyzer SOC concepts and definitions.

Now, you will learn about events, incidents, and event handlers on FortiAnalyzer.

Events, Incidents, and Handlers

Objectives
• Analyze and manage events and event handlers
• Customize event handlers
• Analyze and create incidents

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in events, incidents, and handlers, you can analyze and manage events and
event handlers, and analyze and create incidents.

Events and Event Handlers
• Events are generated by event handlers
  • FortiAnalyzer is preconfigured with many event handlers
  • You can create custom event handlers to generate events
• FortiAnalyzer filters all incoming logs using event handlers
  • If logs match the conditions configured in an event handler, FortiAnalyzer generates an event
• All the events that are generated can be viewed on the Events Monitor page

Event handlers generate events on FortiAnalyzer. FortiAnalyzer is preconfigured with many prebuilt event
handlers. However, FortiAnalyzer provides analysts with the ability to custom build their own event handlers to
generate events from logs that they determine are important.

FortiAnalyzer filters the logs it receives using event handlers and, if the logs received match the conditions
that are set in the event handlers, FortiAnalyzer generates an event.

You can view all generated events on the Events Monitor page.

Security Operations 7.4 Analyst Study Guide 85


SOC Operations

DO NOT REPRINT
© FORTINET
How Are Events Generated?
1. FortiAnalyzer receives logs
2. FortiAnalyzer parses logs
3. FortiAnalyzer generates an event if a rule is matched in an event handler

Incident response options: escalate to an incident, automation, analysis

After receiving logs from other devices, and based on the details included in them, FortiAnalyzer uses event
handlers to determine whether new events need to be generated. Event handlers identify whether the
information in the logs matches a series of configurable criteria, such as threat type, device type, log type, and
so on.

FortiAnalyzer comes with many predefined event handlers that you can use. You can also clone and
customize them, or create custom event handlers from scratch.

You can view generated events under Event Monitor, where you can see them combined or further divided
by endpoint, threat, and system events.

If events warrant further attention and investigation, you can escalate them to incidents. From there, you can
correlate logs with the incident, look at an incident timeline, assign a priority and an analyst to review the
incident, and more. If there is a large volume of generated events, you may leverage playbooks to create,
handle, and resolve incidents.

Managing Event Handlers
• Event handlers look for specific conditions in logs
• Enable or disable event handlers as needed
• Disabled handlers do not generate events

Incidents & Events > Handlers

Disabled handlers don't generate events
This handler has 15 rules and has generated 33 events
Enable only the event handlers you need

An event handler looks for specific conditions in logs and, if a match exists, generates an event with details
that you can configure. FortiAnalyzer includes many predefined event handlers that you can enable to
generate events. You can also disable event handlers. Disabled handlers do not generate any events.

This slide shows a predefined event handler that has 15 rules and that has generated over 33 events on the
FortiAnalyzer device.

Event Handlers—Configuration
Incidents & Events > Handlers > Basic Handlers
• The configuration for each event handler can include:
  • MITRE attributes
  • Data selectors (exclusion filters)
  • Automation stitches
  • Notifications
  • Rules
• Rules are granular conditions
• Event handler can have one or more rules
• Basic event handlers use the OR logic
• Correlation event handlers have many operator logic options

Set the MITRE ATT&CK domain and technique ID(s) the event handler provides coverage for
Get notified when an event handler is triggered

Event handlers require configuration and fine-tuning to deliver only the desired events. The main configuration
page for the event handler allows you to enable the handler, type a name, and write a description for it.

You can also choose which MITRE domain the event handler falls under, and then select from a list of technique
IDs that correspond to the handler. Many predefined event handlers already have the MITRE attributes
configured. You can view the MITRE ATT&CK framework matrices under Incidents & Events.

You can also add a data selector, which is a common filter that is applied before every rule configured in the
event handler. Because of that, they are also known as exclusion filters.

When a handler generates an event with the automation stitch option enabled, FortiAnalyzer sends a
notification to the FortiGate automation framework, which then checks if there is a corresponding automation
stitch in FortiOS. If there is one, the configured action is triggered.

The Rules section contains the fields that must be matched up against logs in order to generate events. You
can disable, edit, or delete rules for the handler. The basic handler type uses an OR logic when evaluating
multiple rules. The correlation handler type has many more operator logic choices.

You can select a notification profile to send alerts whenever an event is generated by the handler.

Event Handlers—Rule Configuration
• Rules have many customizable fields
• Not every field is required
Note: The fields available in the rules depend on the Log Device Type value
Incidents & Events > Handlers > Basic Handlers

Supports most Fortinet products, and third-party devices through syslog
Use the generic text filter to search using wildcard expressions

The screenshot on this slide shows the fields available for configuration inside a rule, including the log device
type, log type, and log subtype. Note that within rules themselves, both AND and OR logic are supported if
there are multiple conditions. The Log Field drop-down field presents common criteria you can select to
include in the filter. Alternatively, you can use generic text filters if you require precise filtering.

Event Handlers—Rule Configuration (Contd)
Incidents & Events > Handlers > Basic Handlers
• Define the condition that triggers an event
• There are three options:
  • Count: A minimum threshold count of matching logs
  • Log Field value: Within a group, the log field <log field> has <integer> or more unique values
  • Sum: Multiple options such as duration, sent/received bytes, and sent/received packets
• Additionally, configure the following in relation to your selection:
  • Time: All logs were generated within <integer> minutes

Sum is used for data exfiltration and is only for log device type Fabric


If an event handler is generating too many events in your environment, you can configure the trigger
conditions such as count or sum, and the duration settings.

The trigger condition has three options that you can choose from: count, log field value, and sum. Additionally,
you can configure a time condition. The number of matching logs must occur in the specified duration in order
to generate an event.

You can also configure the event type, message, status, and indicator.

Event Handlers—Data Selectors
Incidents & Events > Handlers > Data Selectors
• Data selectors help narrow down events generated by devices, subnets, and filters:
  • Devices (by name)
  • Subnets (created in Fabric View)
  • Filters (OR logic)
• Filters are granular conditions within data selectors:
  • Log device type
  • Log type/subtype
  • Matching logic (AND/OR logic)
  • Generic text filter (for more precise filtering)

Data selectors help narrow down the events you want to see generated in event handlers. You can specify
various criteria within the data selector, including the devices, subnets, and additional filters. You must
configure a data selector first before you can apply it to an event handler.

Filters are granular rules to filter which types of logs match the data selector. You can create multiple filters
per data selector. The data selector matches filters with an OR logic.

The bottom screenshot on this slide shows the fields available for configuration inside a filter, including the log
device type, log type, and log subtype. Note that filters support both AND and OR logic within themselves.
The Log Field drop-down field presents common criteria you can select to include in the filter. Alternatively,
you can use generic text filters if you require precise filtering.

Event Status
• Events can be set to one of four statuses

Incidents & Events > Event Monitor

Event Status   Description
Unhandled      The security event risk is not mitigated or contained, so it is considered open
Contained      The risk source is isolated
Mitigated      The security risk is mitigated by being blocked or dropped
Blank          Other scenarios

Note: You can configure the desired event status manually in the handler settings, or let FortiAnalyzer choose it automatically


Events in FortiAnalyzer can be set to one of four statuses. The status determines if more action needs to be
taken by the security team.

The Unhandled status means that the security event risk is not mitigated or contained, so it is considered
open. For example, an IPS or AV log with an action value of pass has the event status set to Unhandled.
Botnet and IOC events are also considered unhandled.

The Contained status means that the risk source is isolated. For example, an antivirus log with an action
value of quarantine has the event status set to Contained.

The Mitigated status means that the security risk is being blocked or dropped. For example, an IPS or
antivirus log with the action value of block or drop has the event status set to Mitigated.

The Event Status field is empty in other scenarios. For example, you can see both allow and block actions
in logs associated with that event.
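The Count trigger with a time window from the rule configuration slides, together with the status table above, modeled in Python. This is an added example, not FortiAnalyzer's own engine: the utm log lines are constructed, and the status mapping follows only the action values the text cites (pass, quarantine, block, drop), with mixed actions left blank.

```python
"""Model of a basic event handler's Count trigger (N matching logs within
T minutes, grouped by source) and of the event status derivation in the
status table. Added illustrative code, not FortiAnalyzer's engine; the
utm log lines below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed FortiGate-style utm logs. Action values follow the guide:
# pass -> Unhandled, quarantine -> Contained, block/drop -> Mitigated.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:05 type=utm subtype=ips srcip=10.0.1.50 action=drop
date=2024-03-01 time=09:01:10 type=utm subtype=ips srcip=10.0.1.50 action=drop
date=2024-03-01 time=09:02:40 type=utm subtype=ips srcip=10.0.1.50 action=drop
date=2024-03-01 time=09:03:15 type=utm subtype=ips srcip=10.0.1.51 action=pass
date=2024-03-01 time=09:10:00 type=utm subtype=ips srcip=10.0.1.53 action=pass
date=2024-03-01 time=09:20:00 type=utm subtype=ips srcip=10.0.1.53 action=pass
date=2024-03-01 time=09:30:00 type=utm subtype=ips srcip=10.0.1.53 action=pass
date=2024-03-01 time=09:41:00 type=utm subtype=virus srcip=10.0.1.52 action=quarantine
date=2024-03-01 time=09:41:30 type=utm subtype=virus srcip=10.0.1.52 action=quarantine
date=2024-03-01 time=09:41:50 type=utm subtype=virus srcip=10.0.1.52 action=quarantine
date=2024-03-01 time=09:50:00 type=utm subtype=ips srcip=10.0.1.54 action=pass
date=2024-03-01 time=09:50:30 type=utm subtype=ips srcip=10.0.1.54 action=block
date=2024-03-01 time=09:51:00 type=utm subtype=ips srcip=10.0.1.54 action=block
"""

# Rule as configured on the slide: Count >= 3 matching logs, all within 5 minutes.
UTM_RULE = {"match": {"type": "utm"}, "count": 3, "minutes": 5}

MITIGATED, CONTAINED, UNHANDLED = {"block", "drop"}, {"quarantine"}, {"pass"}


def parse_log(line):
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def log_time(log):
    return datetime.strptime(f"{log['date']} {log['time']}", "%Y-%m-%d %H:%M:%S")


def event_status(actions):
    """Derive the event status from the action values of the matched logs
    (simplified model of the guide's rules; mixed actions stay blank)."""
    actions = set(actions)
    if actions and actions <= MITIGATED:
        return "Mitigated"
    if actions and actions <= CONTAINED:
        return "Contained"
    if actions and actions <= UNHANDLED:
        return "Unhandled"
    return ""


def evaluate_count_trigger(logs, rule, group_by="srcip"):
    """Return one event per group whose matching logs reach rule['count']
    inside a sliding window of rule['minutes']."""
    groups = {}
    for log in logs:
        if all(log.get(k) == v for k, v in rule["match"].items()):
            groups.setdefault(log[group_by], []).append(log)
    window = timedelta(minutes=rule["minutes"])
    events = []
    for key, grp in groups.items():
        grp.sort(key=log_time)
        start = 0
        for end in range(len(grp)):
            # drop logs from the left until the window fits the time limit
            while log_time(grp[end]) - log_time(grp[start]) > window:
                start += 1
            if end - start + 1 >= rule["count"]:
                hits = grp[start:end + 1]
                events.append({group_by: key, "count": len(hits),
                               "status": event_status(h["action"] for h in hits)})
                break  # one event per group is enough here
    return events


def run_example(rule=UTM_RULE):
    return evaluate_count_trigger([parse_log(line) for line in SAMPLE_LOGS.splitlines()], rule)


if __name__ == "__main__":
    for ev in run_example():
        print(ev)
```

Source 10.0.1.53 also has three pass logs, but they span 20 minutes, so the 5-minute window never fills and no event is produced.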

Event Handlers—Generic Text Filters
• Generic text filters allow more precise and flexible control over which logs trigger an event
• Multiple operators and logic are supported
• Supported operators:

Operator   Meaning
==         Equal (exact match)
!=         Not equal (not matching)
<          Smaller than
<=         Smaller than or equal to
>          Greater than
>=         Greater than or equal to
~          Contained (included somewhere in the string)
!~         Not contained (not included)

Tokens: '(', ')', '&', '|', 'and', 'or', 'not'

These syntax examples are available in the GUI
Tip: Identify the logs that you want to generate events for, and from the raw view, copy the strings you want to match

When configuring an event handler, the use of generic text filters allows more precise and flexible control over
which logs trigger an event. These filters use operators based on regex and the Portable Operating System
Interface (POSIX) standard.

Event handlers support multiple operators and logic. You can hover your cursor over the question mark next
to Generic Text Filter to display an example, as shown on this slide.

Keep in mind that you must use the escape character “\” if you need to include a reserved character in your
filter, for example when separating different parts of a URL.

To avoid syntax errors, search raw logs to identify the logs you want to generate an event for, and directly
copy and paste the strings you want to match in the handler.
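A small evaluator for the operator and token syntax listed above, applied to constructed log lines; the same generic text filter appears in the data selector filters described earlier, so this example serves both. It is added illustrative code, not FortiAnalyzer's own parser: the log lines and filter strings are constructed, field names such as srcip, action, url and sentbyte are assumed FortiGate-style keys, and the precedence (not, then and/&, then or/|) is an assumption.

```python
"""Evaluator for the generic text filter syntax: the operators
==, !=, <, <=, >, >=, ~, !~ and the tokens ( ) & | and or not.
Added illustrative code, not FortiAnalyzer's own parser; sample logs and
filters are constructed. Assumed precedence: not, then and/&, then or/|."""
import re

TOKEN_RE = re.compile(r"""\s*(?:
      (?P<op>==|!=|<=|>=|!~|<|>|~)                  # two-char operators first
    | (?P<punct>[()&|])                             # grouping and boolean tokens
    | (?P<quoted>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
    | (?P<word>(?:\\.|[^\s()&|=!<>~"'\\])+)         # fields, keywords, bare values
    )""", re.VERBOSE)

def tokenize(text):
    """Split a filter into (kind, value) pairs. A backslash escapes the next
    character, as the guide requires for reserved characters such as '/'."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"syntax error near {text[pos:pos + 10]!r}")
        pos, kind = m.end(), m.lastgroup
        val = m.group(kind)
        if kind in ("quoted", "word"):  # strip quotes, then \x -> x
            val = re.sub(r"\\(.)", r"\1", val[1:-1] if kind == "quoted" else val)
        tokens.append((kind, val))
    return tokens

def parse(text):
    """Recursive-descent parser returning a nested tuple tree."""
    toks = tokenize(text)
    def peek():
        return toks[0] if toks else (None, None)
    def take():
        return toks.pop(0) if toks else (None, None)
    def at(*alts):
        kind, val = peek()
        return kind is not None and (kind, val.lower()) in alts
    def or_expr():
        node = and_expr()
        while at(("punct", "|"), ("word", "or")):
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = unary()
        while at(("punct", "&"), ("word", "and")):
            take()
            node = ("and", node, unary())
        return node
    def unary():
        if at(("word", "not")):
            take()
            return ("not", unary())
        if at(("punct", "(")):
            take()
            node = or_expr()
            if take() != ("punct", ")"):
                raise ValueError("missing ')'")
            return node
        (fk, field), (ok, op), (vk, value) = take(), take(), take()
        if fk != "word" or ok != "op" or vk not in ("word", "quoted"):
            raise ValueError("expected <field> <operator> <value>")
        return ("cmp", field, op, value)
    node = or_expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return node

def _compare(actual, op, expected):
    if op in ("~", "!~"):
        return (expected in actual) == (op == "~")
    if op in ("==", "!="):
        return (actual == expected) == (op == "==")
    try:  # numeric comparison when both sides are numbers, else string order
        a, b = float(actual), float(expected)
    except ValueError:
        a, b = actual, expected
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def evaluate(node, log):
    if node[0] == "cmp":
        _, field, op, value = node
        return field in log and _compare(log[field], op, value)  # missing field: no match
    if node[0] == "not":
        return not evaluate(node[1], log)
    left, right = evaluate(node[1], log), evaluate(node[2], log)
    return (left and right) if node[0] == "and" else (left or right)

def parse_log(line):  # FortiGate-style key=value line; quoted values keep spaces
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def matching_logs(filter_text, lines):
    """Return the log lines that satisfy the generic text filter."""
    tree = parse(filter_text)
    return [line for line in lines if evaluate(tree, parse_log(line))]

SAMPLE_LOGS = [  # constructed webfilter and traffic logs
    'type=utm subtype=webfilter srcip=10.0.1.20 action=passthrough url="http://files.example.test/payload.docm"',
    'type=utm subtype=webfilter srcip=10.0.1.21 action=blocked url="http://files.example.test/setup.exe"',
    'type=traffic subtype=forward srcip=10.0.1.20 dstport=25 sentbyte=1500 action=accept',
    'type=traffic subtype=forward srcip=10.0.1.22 dstport=25 sentbyte=48000000 action=accept',
]
```

For example, `matching_logs('subtype==webfilter and action!=blocked and url~.docm', SAMPLE_LOGS)` returns only the first log (a macro-enabled Office download the web filter let through), and the quoted filter `url~"files.example.test\/setup"` shows the escaped reserved character the text mentions.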

Managing Events
• Event Monitor displays events generated by the configured event handlers
Incidents & Events > Event Monitor

Critical severity and marked as unhandled
This is the event handler that generated this event
This is a snippet of Log View of correlated logs with the event
Double-click to see the originating log
Note: If you are receiving unexpected events, check that the handler is configured correctly


After event handlers start generating events, you can examine them in the All Events tab.

You can see events combined on the All Events tab, or further divided by endpoint, threat, and system
events.

Double-clicking an event provides more details about it, including the information from the associated logs.
Generally, you should give priority to events with an unhandled status and/or critical severity.

Available Management Actions for Events
• You can acknowledge an event, add a comment, assign it to an administrator, or create an incident from it
Incidents & Events > Event Monitor

Acknowledged events are not shown by default
Right-click an event to see the list of available actions
Create incidents from events that require further investigation
Filter based on the column values to display events of interest only


Right-clicking an event allows you to enter a comment for your records, acknowledge the event, assign it to an
administrator (or yourself) for further investigation, or create an incident from it.

Acknowledging an event removes it from the event list, but you can display it again by clicking Show
Acknowledged. Generally, you can acknowledge mitigated events because the related traffic was blocked by
the firewall.

An excessive number of mitigated events, despite being blocked repeatedly, may indicate a compromised
device. Additionally, if an event is used to generate an incident, you should acknowledge it after you mark the
incident as resolved.

You can use filters to display only the events of interest. For example, display only events related to IPS.

Creating an Incident
• An incident should be created when an event needs further analysis
• Can create manually or automatically (playbooks)
Incidents & Events > Event Monitor
Incidents & Events > Incidents

Must create accounts for the party responsible for handling incidents


Not all events have the same impact or importance on your network. Some of them might need further
analysis to prevent or mitigate security breaches. When an analyst finds an event that requires further
scrutiny, they should create a new incident from that event. You can think of an incident as an event that could
have negative consequences for your everyday operations.

You can create incidents manually or, preferably, automatically with the use of playbooks, taking advantage of
FortiAnalyzer automation capabilities.

In FortiAnalyzer, you create incidents manually from Event Monitor by right-clicking the desired event and
selecting the corresponding option.

Every incident includes a category, severity, status, affected endpoint and, optionally, a description, MITRE
attributes, and an assigned analyst.

Once created, you can view incidents on the Incidents interface.

Analyzing an Incident
Incidents & Events > Incidents

Incident #, description, category, assignee, and incident status
Important details to help you investigate the threat, with the option to add or delete entries


To view the details of an incident, go to Incidents, and then double-click the incident you want. You can also
right-click an incident, and then select Analysis.

The Analysis page provides all the relevant information and access to the tools an administrator needs to
perform a full investigation of the incident. Some of the details shown on this page include: the affected
endpoint and user (if available), the incident timeline, any executed playbooks and the ability to run them,
audit history with any attached events and reports, and several more.

At the bottom, these tabs provide more details: Comments, Events, Reports, Indicators, Affected Assets,
Processes, Software, and Vulnerabilities. You can add or delete entries to focus your investigation.

The list of events associated with the incident is also available under the tab with that name. From here, you
can access the related logs by right-clicking the event of interest. This opens the Log View in a different
window.

Editing an Incident
Incidents & Events > Incidents

• Update each incident setting while working in it
• Close any solved incident
• Once closed, you can delete the incident from the list
• Notifications can be configured for each status change

Keep the incident status up to date
Note: You should update incident details according to the progress of the investigation. Every incident should reach the Closed status.

It is important to keep all incident settings up to date. This allows you to keep track of the work being done to
solve them.

When an incident is considered closed, you should change its status accordingly. Additionally, you can delete
resolved incidents from the list.

You can configure FortiAnalyzer to send notifications after any changes to an incident status.

Configure Incidents Settings
Incidents & Events > Incidents

Notification example
First create the connectors in Fabric View
Note: Different connectors can have different settings

Incidents usually go through several stages during the analysis process. In most cases, it is important to make
sure all parties involved are notified when the incident status changes.

You can configure FortiAnalyzer to send a notification to external platforms using preconfigured fabric
connectors.

To configure notifications, in Settings, select a fabric connector from the drop-down field, and then choose
the incident activity for which you want to send notifications.

You can add more than one fabric connector, each with the same or different notification settings. You must
configure the receiving side of the connector for the notifications to be sent successfully. As an example, this
slide shows a notification received in Microsoft Teams for an updated incident.

Use Case—Healthcare Sector

Your organization is a hospital targeted by cybercriminals through a phishing attack to ransom private
data

Threat: Potential breach exposing thousands of patients’ data and


putting patients at risk

Our goal: Configure event handlers to detect the tactics and techniques
used by Group ABC

Domain: Enterprise

Attacker: Group ABC


In the healthcare sector story from Lesson 1—SOC Concepts and Security Frameworks, the blue team
prepares to build their detection capabilities by configuring custom event handlers on FortiAnalyzer to detect
the various tactics and techniques used by Group ABC.

Blue Team Plan of Action: Detection Capabilities
• Configure custom event handlers and data selectors to identify:
• Probing attacks that target email systems in search of valid email accounts
• Spearphishing emails with attached malicious Microsoft Office macro-enabled files
• Defense evasion (clearing security audit logs on the compromised host)


Using their knowledge of events, incidents, and event handlers on FortiAnalyzer, the blue team configures
custom event handlers and data selectors to identify probing attacks that target email systems in search of
valid email accounts. The blue team also configures custom event handlers to detect spearphishing emails
that contain an attached malicious Microsoft Office macro-enabled file.

The blue team creates custom event handlers on FortiAnalyzer to identify the initial access tactic
(spearphishing and malicious file execution), when Group ABC uses the dropper to install a VBScript on the
target system. The custom event handler detects the technique of modifying the Windows Run registry key,
which executes the VBScript as soon as a user logs in to the compromised host, and creates an event. The
registry key change establishes persistence of the C&C channel even if the initially compromised host
reboots.

The blue team also creates custom event handlers to identify the defense evasion tactic, when Group ABC
tries to clear the security audit log on the compromised target to evade detection.

Mock Security Threat Report (Contd)
Incidents & Events > Event Monitor
Incidents & Events > Incidents

Events generated by custom event handlers configured by the blue team
Incident created on FortiAnalyzer to monitor the event


This slide shows an example of the events generated by the custom event handler that was created by the
blue team to identify probing attacks that target email systems in search of valid email accounts and to detect
spearphishing emails which may contain an attached malicious Microsoft Office macro-enabled file.

Mock Security Threat Report (Contd)
Incidents & Events > MITRE ATT&CK

The attack is covered on the MITRE ATT&CK page
Events generated by FortiAnalyzer based on custom event handlers configured by the Purple Team


The slide shows the Reconnaissance and Initial Access tactics, and the Gather Victim Identity
Information and Phishing techniques that are covered.

Knowledge Check
1. Which FortiAnalyzer feature generates events?
A. Playbooks
B. Event handlers

2. What does the mitigated event status mean?


A. The risk source is being blocked.
B. The risk source is being quarantined.


Lesson Overview

Concepts, Definitions, and Incident Handling

Events, Event Handlers, and Incidents

Threat Hunting


Good job! You now understand events, event handlers, and incidents.

Now, you will learn about threat hunting using FortiAnalyzer.


Threat Hunting

Objectives
• Describe the threat hunting workflow
• Analyze threat hunting dashboards
• Analyze IOC information from compromised hosts
• Manage outbreak alerts


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in threat hunting, you will be able to analyze FortiAnalyzer threat hunting
dashboards and indicators of compromise (IOC) information from compromised hosts, as well as stay
up-to-date on outbreak alerts.

Threat Hunting
• Proactively search for suspicious or risky network activity that may have gone
undetected
• The process usually begins with a question:
• Are any advanced persistent threats (APTs) currently active in the network?
• The reference to tactics, techniques, and procedures (TTPs), behaviors, and indicators
helps to refine your questions further
• Frequently aligned with the MITRE ATT&CK or the Cyber Kill Chain frameworks
• You can also create an if-then statement, for example:
• If you suspect reconnaissance activities in the network, then you should see abnormal traffic trends
• A simplified example:
  TTP: Reconnaissance through gathering victim identity information
  Hypothesis: Is there an unusual amount of SMTP requests?
  Gather data: Review SMTP logs
  Evaluate and filter results: Does the data confirm your hypothesis?
  Yes: Investigate
  No: New hypothesis or hunting process


Threat hunting consists of proactively searching for suspicious or potentially risky network activity in your
environment. The proactive approach helps the analyst find any threats that might have eluded detection by
the current security solutions or configurations.

The threat hunting process usually starts with a broad question, or hypothesis, that determines which type of
threat you are trying to find. You can also start with an if-then statement. For example, If you suspect
reconnaissance activities in the network, then you should see abnormal traffic trends.

The process is frequently aligned to the MITRE ATT&CK or Cyber Kill Chain frameworks. This allows you to
refine your questions further. The frameworks are not mutually exclusive: You can use both frameworks
together to help analyze and protect your network.

Threat Hunting (Contd)
• The Threat Hunting dashboard takes advantage of the SIEM framework to allow for advanced correlation and analysis to hunt for threats
Incidents & Events > Threat Hunting

SOC analytics dashboard using the SIEM database


FortiAnalyzer includes the Threat Hunting pane, which offers a SOC analytics dashboard using the SIEM
database.

Threat Hunting uses cached data to allow SOC analysts to quickly drill down on logs in fields of interest. This
dashboard includes a Log Count chart and SIEM log analytics table.

You can configure a custom time range or apply filters to the dashboard to refine your search results further.
Only logs matching the selected time range and filter are displayed in the SIEM log analytics table.

The dashboard view has various columns that display detailed statistics, including count (number of logs),
percentage, sent bytes, and session duration information. Double-click an item in the table to view the detailed
log information.

You must examine the information on the Threat Hunting dashboard and differentiate normal from
anomalous behavior. For example, based on the image on this slide, you can ask the following questions:
• Is the number of SMTP logs for this time period expected?
• Is the amount of SMTP connections at this hour normal?

Log Count Chart
• Use the Log Count chart to focus on the logs you must analyze based on a time range
• The details in the SIEM log table auto-adjust to the timeframe you select in this chart

Incidents & Events > Threat Hunting

Adjust the time bar to include only the desired time frame


The top of the Threat Hunting dashboard shows a chart displaying the total log count during the specified
time range. This section is called the Log Count chart.

You can zoom in and out on the displayed time range by using the scroll wheel of your mouse, or by adjusting
the time bar below the graph. You can adjust the time bar by dragging the start and stop bars on either side of
the selected time range, or by clicking and dragging the entire time range to the left or right. For example, you
could search for suspicious activity occurring outside business hours.

Only logs displayed within the time period visible in the chart are shown in the SIEM log analytics table.

Threat Hunting Example With FortiAnalyzer
• Has Reconnaissance been used to gather victim identity information from the mail server?
• In this example, the analyst uses the Log Chart to discover an unusual number of SMTP requests
• Analysis shows that the IP address 100.64.1.20 is generating lots of queries within a short time period
Incidents & Events > Threat Hunting

• Further investigation determines that the queries are an external attacker gathering victim identity
information
• A new incident is created, and the SOC responders can start containment and eradication steps


This slide illustrates an example of how an analyst can use FortiAnalyzer to perform a threat hunting
procedure.

Based on the MITRE ATT&CK Reconnaissance tactic, and the Gather Victim Identity Information technique,
establish a question: Has Reconnaissance been used to gather victim identity information from the mail
server? This slide shows an example of the threat hunting of this scenario.

Using the Log Chart, the analyst finds that an unusual amount of SMTP traffic is being generated, including
outside normal operation hours. By analyzing the details of the SMTP logs, the analyst determines that the IP
address 100.64.1.20 is the main source of this abnormal traffic.

This triggers the creation of a new incident. The SOC team determines that the host is compromised and
initiates the SOC action plan to contain and eradicate this breach.
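The hunt described on this slide, carried out over constructed traffic logs: count SMTP (dstport 25) sessions per source, note how many fall outside business hours, and flag sources far above the median. This is added example code, not a FortiAnalyzer feature; the 08:00 to 18:00 business window and the five-times-median threshold are assumptions, and the log lines (including the 100.64.1.20 burst) are constructed.

```python
"""Hunt for the hypothesis on this slide over constructed traffic logs:
does any source generate an unusual volume of SMTP requests, including
outside normal operating hours? Added example code, not a FortiAnalyzer
feature; the business-hours window and the threshold are assumptions."""
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal operation


def make_log(date, time, srcip, dstport=25):
    return (f"date={date} time={time} type=traffic subtype=forward "
            f"srcip={srcip} dstport={dstport} action=accept")


# Constructed baseline: three hosts with a few SMTP sessions each during the day.
SAMPLE_LOGS = [make_log("2024-03-01", f"{h:02d}:15:00", ip)
               for ip in ("10.0.2.10", "10.0.2.11", "10.0.2.12")
               for h in (9, 11, 14, 16)]
# Constructed anomaly: one source sends a burst of SMTP requests at 02:00.
SAMPLE_LOGS += [make_log("2024-03-01", f"02:{m:02d}:00", "100.64.1.20")
                for m in range(0, 60, 2)]
SAMPLE_LOGS.append(make_log("2024-03-01", "10:05:00", "10.0.2.10", dstport=443))  # not SMTP


def parse_log(line):
    return dict(kv.split("=", 1) for kv in line.split())


def smtp_profile(lines):
    """Per-source SMTP session counts: total and those outside business hours."""
    total, off_hours = Counter(), Counter()
    for log in map(parse_log, lines):
        if log.get("type") != "traffic" or log.get("dstport") != "25":
            continue
        total[log["srcip"]] += 1
        if datetime.strptime(log["time"], "%H:%M:%S").hour not in BUSINESS_HOURS:
            off_hours[log["srcip"]] += 1
    return total, off_hours


def rank_sources(lines, factor=5):
    """Rank sources by SMTP volume and flag those above factor x the median
    (upper median for an even number of sources)."""
    total, off_hours = smtp_profile(lines)
    counts = sorted(total.values())
    median = counts[len(counts) // 2] if counts else 0
    return [{"srcip": src, "count": n, "off_hours": off_hours[src],
             "suspicious": median > 0 and n > factor * median}
            for src, n in total.most_common()]


if __name__ == "__main__":
    for finding in rank_sources(SAMPLE_LOGS):
        print(finding)
```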

Indicators of Compromise (Compromised Hosts)
• The indicators of compromise (IOC) engine detects end users whose web usage suggests a compromise by
checking new and historical logs against IOC signatures
• Uses FortiGuard threat intelligence to provide visibility of emerging threats
• Requires a FortiGuard subscription

FortiAnalyzer receives updates to its threat database from FortiGuard
FortiGate sends traffic to FortiAnalyzer
The breach detection engine analyzes logs


The IOC engine detects end users with suspicious web usage by checking new and historical logs against the
IOC signatures, which are based on a FortiGuard subscription.

The IOC service on FortiAnalyzer uses the FortiGuard database to analyze web filter, DNS, and traffic logs
from FortiGate devices for breach detection. It is updated to provide coverage of emerging threats.

The breach detection engine does not analyze antivirus logs, IPS logs, and so on, because these threats are
already detected or prevented on FortiGate. When a threat match is found, a threat score is assigned to the
end user based on the overall ranking score.

When the check is completed, FortiAnalyzer aggregates all the threat scores of an end user and provides its
verdict on the overall IOC of the end user. The verdict can be one of the following:
• Infected, which indicates a real breach. This means that the breach detection engine found one or more
matches of blocklisted IPs or domain generation algorithms (DGAs) in the web filter logs.
• Suspicious, which indicates a possible breach with varying degrees of confidence.

Compromised Host IOC Example
FortiView > Threat & Events

A real breach was detected, with three threat types, and this entry hasn't been acknowledged yet
Displaying the blocklist detection method used by the IOC


This slide shows an example of an IOC trigger in FortiView. The IOC engine has determined a real breach,
as indicated by the Infected verdict. The # of Threats column indicates that three different threats are
associated with this hit.

On the IOC FortiView, you can also:
• Filter the entries by specifying devices or a time period.
• Acknowledge the IOC. By default, you can view acknowledged IOCs, unless you configure the system to
not show them. You can add a short comment when acknowledging an entry.
• Double-click an entry to drill down and view threat details.

When you double-click the desired entry, more details are displayed, and you can filter the view based on two
categories:
• Blocklist, which indicates items marked as infected after checking the blocklist included in the IOC
database downloaded from FortiGuard. You can verify that this traffic was blocked by clicking Details
under the Security Actions column. If you believe that the IP address or domain listed under the Detect
Pattern column is a valid one, you can report it as misrated by clicking that entry.
• Suspicious, which indicates a match was found in the suspicious list included in the IOC database
downloaded from FortiGuard. In this case, FortiAnalyzer flags the endpoint for further analysis, compares
the flagged log entries with the previous statistics of the endpoint for the same day, and then updates the
score. If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.

Outbreak Detection Service Overview
• Licensed feature
• Allows customers to receive information about malware outbreaks
• Automatically downloads new event handlers and reports related to the outbreaks
Incidents & Events > Outbreak Alerts


The FortiAnalyzer Outbreak Detection Service is a licensed feature that allows FortiAnalyzer administrators to
receive and view outbreak alerts, and automatically download related event handlers and reports from
FortiGuard. Outbreak event handlers and reports are created in real time by Fortinet to detect and respond to
emerging outbreaks.

The Outbreak Alerts pane displays alerts from Fortinet, which are available on all ADOMs.

Outbreak Alert Handlers and Reports
• New event handlers are added to the list of available handlers, and you can use them in the same way as the rest in the list
• The same is true for the newly downloaded reports
Incidents & Events > Handlers
Reports > Report Definitions

Event handlers downloaded through the outbreak alerts service

Reports downloaded through the outbreak alerts service

Once downloaded, the new handlers are available under the Event Handler list. The same management and
configuration functions are available for these handlers as the system default and custom handlers. That is,
you can clone them, export them, import them, and so on.

The same is true for the new reports.

Knowledge Check
1. The IOC engine analyzes new and historical logs against IOC signatures for which
type of hosts?
A. End users
B. Fabric devices

2. The threat hunting dashboard uses which database?


A. SIEM
B. TIDB

Lesson Overview

Concepts, Definitions, and Incident Handling

Events, Event Handlers, and Incidents

Threat Hunting


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

Review
 Describe basic FortiAnalyzer SOC concepts, definitions, and features
 Analyze and manage events, and customize event handlers
 Analyze and create incidents
 Describe the threat hunting workflow
 Analyze threat hunting dashboards
 Analyze IOC information from compromised hosts
 Manage outbreak alerts


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to analyze and manage events,
customize event handlers, and analyze and create incidents. You also learned how to perform threat hunting
on FortiAnalyzer, analyze IOC information from compromised hosts, and manage outbreak alerts.

SOC Automation


Security Operations Analyst


SOC Automation

FortiAnalyzer 7.4
Last Modified: 28 March 2024

In this lesson, you will learn about the automation capabilities of FortiAnalyzer.

FortiAnalyzer integrates playbooks, connectors, and incidents that can be automated so you can quickly
identify and react to network security threats.

Lesson Overview

Playbook Concepts

Creating Playbooks

Configuring Connectors

Managing Playbooks


In this lesson, you will learn about the topics shown on this slide.


Playbook Concepts

Objectives
• Describe FortiAnalyzer automation capabilities
• Identify playbook components
• Describe trigger types and properties
• Describe playbook tasks


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the purpose of playbooks and their components, you will be
able to use playbooks effectively.

Why Automation?
Fabric View > Automation > Summary
• In general, the benefits of using automation include:
  • Improved productivity
  • Increased efficiency
  • Reduced costs
  • Fewer human errors
• In a SOC environment, the benefits of using playbooks result in:
  • Faster incident response time
  • Faster data analysis
  • Better use of analysts’ time
  • Better compliance management
  • Consistent security posture

Without automation, you must perform these actions manually


Automation is critical for security teams who are facing the ever-changing threat landscape. Generally
speaking, automation improves productivity, reduces cost, increases efficiency, and minimizes human errors.
In a SOC environment, these benefits provide, among other results, faster response time, faster data analysis,
better use of analysts' time, better compliance management, and a more consistent security posture.

FortiAnalyzer allows SOC analysts to automate common and repetitive tasks using playbooks. FortiAnalyzer
works with standalone devices, but it is also integrated with the Security Fabric. This integration allows
FortiAnalyzer to communicate with other devices in the Security Fabric to detect security events, and trigger
corrective or preventive actions automatically, by running automated playbooks.

For example, you can create playbooks that automatically generate a report, or instruct the FortiClient EMS
server to quarantine a compromised host, just to mention two use cases. The available actions depend on the
device type. Using devices that are compatible with the Security Fabric allows you to exploit their capabilities
to their full extent.

In this lesson, you will learn more about these capabilities.

Automation With a Playbook

Diagram: (1) Internet traffic traverses FortiGate; (2) FortiGate sends logs to FortiAnalyzer; (3) FortiAnalyzer, using Threat Intelligence Database (TIDB) updates, detects an event that identifies infected endpoints; (4) the playbook sends quarantine requests to FortiClient EMS; (5) the endpoint is quarantined and the remaining endpoints are protected

This slide shows an example of a playbook being used to automate tasks.

In this example, all network traffic traverses FortiGate. FortiGate sends all traffic and security logs to
FortiAnalyzer. FortiAnalyzer detects suspicious activity and generates an event. This event triggers the
execution of a playbook in FortiAnalyzer. The playbook sends a request to FortiClient EMS using the
FortiClient EMS connector. FortiClient EMS runs an automation stitch and applies the corrective or preventive
action.

Playbook Components
Playbook Designer
• Playbooks are ADOM-specific
• Each playbook has only one trigger
  • Determines when a playbook executes
• Playbooks have one or more tasks
  • Actions that will take place
  • The actions that can be performed by a task depend on the connector
  • Different devices (connectors) allow different actions
• Playbooks can be created from built-in templates or from scratch
• Playbooks are created using an intuitive playbook designer
  • Flow diagrams help you visualize the workflow

The trigger makes the playbook run; tasks execute actions


Playbooks include a starter event (trigger) that determines when a playbook runs, and one or more tasks that
are executed.

After a playbook is triggered, it flows through the existing tasks defined within the playbook designer.

Each task includes the automated action that needs to take place. The available actions depend on the
connector used. Connectors allow tasks to be performed on supported devices.

You can create playbooks from scratch or using predefined templates. Playbooks are available only in the
ADOM where they were created, unless they are exported to a different ADOM.

Playbook Concepts
• A simple playbook execution sequence
  • Tasks run one after another

Playbook is triggered -> Task 1 runs -> Task 2 runs -> Task 3 runs

• Multiple tasks can be triggered
  • Tasks can be sequential, or run in parallel

Example: A spearphishing event is detected -> details of the event are collected, an incident is created, and a report runs -> details are attached to the incident


In the simplest design, a playbook consists of a trigger and a series of tasks that are executed one after the
other. However, playbooks also allow for more complex designs that involve multiple tasks running
simultaneously. Additionally, if needed, the output of one task can be used by the tasks that follow it.

For example, one task can collect specific events and the following task can add those events to an incident.

Triggers

Trigger type      Description
EVENT_TRIGGER     The playbook is run when an event is created that matches the configured filters. When no filters are set, all events will trigger the playbook.
INCIDENT_TRIGGER  The playbook is run when an incident is created that matches the configured filters. When no filters are set, all incidents will trigger the playbook.
ON_SCHEDULE       The playbook is run during the configured schedule. You can define the start time, end time, interval type, and interval frequency for the schedule.
ON_DEMAND         The playbook is run when it is manually started by an administrator.


Every playbook starts with a trigger that determines when the playbook is executed. Each playbook can
include only one trigger. After a playbook is triggered, it flows through the configured tasks, as defined in the
playbook designer.

The event, incident, and on-schedule triggers are automatic and activate when specific conditions are met.
You use the on-demand trigger for manual playbook execution.

Note that playbooks with the ON_SCHEDULE trigger can also be executed manually. This allows you to test
them outside of their configured timeframe.

Triggers (Contd)
Fabric View > Automation > Summary
• Use more than one condition to limit playbook execution
• Apply logic to determine when and how conditions trigger events
  • Apply AND logic to enforce the rule that all conditions must match
  • Apply OR logic to enforce the rule that any condition must match
• ON_SCHEDULE trigger parameters are all based on timeframes
• ON_DEMAND triggers have no extra configurable parameters

Available filters depend on the chosen trigger type (example shown on the slide)


The trigger type determines the options you can configure to control when the playbook will run. For example,
you can configure an event trigger to run only when FortiAnalyzer detects an event with a particular event
handler.

When configuring multiple conditions for a trigger, you can specify whether all conditions must match or any
one condition must match.
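The AND/OR matching described above, written out as an added example for this guide (it is not FortiAnalyzer code). The event field names, the operator set and the sample events are assumptions chosen to mirror the guide's own examples of filtering on an event handler and a severity; the point is how the two logic modes change which events start a playbook.

```python
"""Trigger filter logic: AND ("all conditions match") vs OR ("any condition
matches") evaluated over a few constructed events.

Added example for this guide, not FortiAnalyzer code. The event field
names (handler, severity, epip), the operator names and the sample
events are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Operator set assumed for the example; the guide does not enumerate the
# filter operators FortiAnalyzer offers.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in str(actual),
    "in": lambda actual, wanted: actual in wanted,
}


@dataclass
class Condition:
    """One filter row: <event field> <operator> <value>."""
    key: str
    op: str
    value: Any

    def matches(self, event: Dict[str, Any]) -> bool:
        # A missing field never matches; an unknown operator is a config error.
        if self.key not in event:
            return False
        return OPERATORS[self.op](event[self.key], self.value)


@dataclass
class EventTrigger:
    """EVENT_TRIGGER with zero or more conditions joined by AND or OR."""
    conditions: List[Condition] = field(default_factory=list)
    logic: str = "all"  # "all" = AND (every condition), "any" = OR (at least one)

    def fires(self, event: Dict[str, Any]) -> bool:
        if not self.conditions:
            return True  # no filters configured: every event triggers the playbook
        hits = [c.matches(event) for c in self.conditions]
        return all(hits) if self.logic == "all" else any(hits)


def select_triggered(trigger: EventTrigger, events: List[Dict[str, Any]]) -> List[int]:
    """Return the IDs of the events that would start the playbook."""
    return [e["id"] for e in events if trigger.fires(e)]


# Constructed sample events (shape chosen for the example, not real output).
SAMPLE_EVENTS = [
    {"id": 1, "handler": "Spearphishing Attachment", "severity": "critical", "epip": "10.0.1.20"},
    {"id": 2, "handler": "Spearphishing Attachment", "severity": "medium", "epip": "10.0.1.21"},
    {"id": 3, "handler": "Compromised Host Detection", "severity": "critical", "epip": "10.0.2.5"},
    {"id": 4, "handler": "Compromised Host Detection", "severity": "low", "epip": "10.0.2.6"},
]

SPEARPHISH = Condition("handler", "equals", "Spearphishing Attachment")
CRITICAL = Condition("severity", "in", ["critical", "high"])

if __name__ == "__main__":
    print("no filter:", select_triggered(EventTrigger(), SAMPLE_EVENTS))
    print("AND:", select_triggered(EventTrigger([SPEARPHISH, CRITICAL], "all"), SAMPLE_EVENTS))
    print("OR:", select_triggered(EventTrigger([SPEARPHISH, CRITICAL], "any"), SAMPLE_EVENTS))
```

With no conditions every event fires the playbook; with the two conditions joined by AND only event 1 does, and joined by OR events 1, 2 and 3 do. That difference is why a trigger with OR logic tends to run far more often than intended, which is the misconfiguration the playbook dashboard later in this lesson helps you spot.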

Tasks
Fabric View > Automation > Playbook
• Tasks are actions that are executed when the playbook runs
• Available actions depend on the connector
• Chain one task to another task to execute a sequence of actions
• The output of a task can be used as an input for the next task in the sequence


Tasks are actions that are executed when the playbook runs. Each trigger event can start the execution of one
or more tasks, and each task can perform one action.

You can also configure tasks so that the output of one task is used as an input by another task in sequence.
For example, you can create a task to retrieve some data, and then provide that data to the next task for
report generation.

When adding a new task, you must choose a relevant connector before you can select an action. On this
slide, the actions associated with the local connector are shown. The available actions will vary depending on
the connector type that you select.

You can configure tasks to use the default preconfigured values, or take inputs from the trigger or from
preceding tasks. You must configure automation rules on FortiGate before you can see the list of available
actions on FortiOS connectors.

Knowledge Check
1. Which trigger type must you use to manually run a playbook?
A. Event_Trigger
B. On_Demand

2. Which playbook element determines the available actions a task can perform?
A. Connectors
B. Trigger type

Lesson Progress

Playbook Concepts

Creating Playbooks

Configuring Connectors

Managing Playbooks


Good job! You now understand playbook concepts.

Now, you will learn how to create playbooks on FortiAnalyzer.


Creating Playbooks

Objectives
• Create new playbooks from a template
• Customize playbook settings
• Create new playbooks from scratch
• Use variables in tasks


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in automating tasks with playbooks, you will be able to increase the efficiency
of your organization’s SOC operations.

Creating Playbooks From a Template
• FortiAnalyzer includes several playbook templates
• You can customize the playbooks created from these templates to fit your needs
Fabric View > Automation > Playbook

Explore the available templates before creating a playbook from scratch, since they cover many common scenarios (not all templates are shown)


FortiAnalyzer includes several playbook templates that SOC analysts can customize. You can use the
templates to perform tasks such as:
• Investigate compromised host incidents and critical intrusion incidents.
• Enrich data for assets and identity, and for hosts under investigation.
• Block command-and-control (C&C) IP addresses.
• Quarantine and run antivirus scans on endpoints.

Customizing Playbook Settings
• A new playbook created from a template is preloaded with all required components
• You can remove or customize tasks to meet your needs
Playbook Designer

Edit tasks to meet your requirements; remove tasks not needed

Note: A report with auto-cache and extended log filtering enabled must be created before you can use it in a task


After you select a playbook template, the playbook designer is displayed with a preconfigured trigger and one
or more tasks. The preconfigured trigger and tasks will be different, based on the template you select. You
can configure, add, or remove tasks to customize the playbook.

This slide shows an example of a playbook that will:


• Run when the specified event or events are generated.
• Create a new incident.
• Retrieve the list of events specified in the task filter and add them to the incident.
• Run a report and attach it to the incident.

After this playbook runs, the incident will include relevant information that the analyst can use during an
incident investigation. Note that before configuring a task to run a report, you must verify that the report exists,
and that the auto-cache and extended log filtering settings are enabled.

Customizing Playbook Settings (Contd)
Fabric View > Automation > Playbook

Customize the playbook name and description

Click and drag a connector tab to an empty space to add new tasks

Click and drag a connector tab to another task to connect them

By default, every new playbook you create from a template is preconfigured with a generic name and time
stamp. This can make them difficult to distinguish, so it’s highly recommended that you edit the names and
descriptions of new playbooks to something easily recognizable.

To add new tasks, click and drag the connector tabs attached to the current tasks or the trigger. This creates
an empty task that you can configure. To connect tasks to each other or to the trigger, click and drag a
connector tab onto another connector tab.

Creating a New Playbook From Scratch
Fabric View > Automation > Playbook

FortiAnalyzer needs a few minutes to parse a newly created playbook


If none of the templates fits your needs, you can always create a playbook from scratch.

First, you must select a trigger. For some triggers, you can add filters to make sure that the playbook runs
only if a specified condition is matched.

You must configure one or more tasks to execute. You can also configure filters to limit the action scope,
which reduces unnecessary data processing. For example, when you configure a task to retrieve events,
configure a filter to retrieve only the events generated by a specific event handler, or events with a specific
severity.

Also, keep in mind that after you create a new playbook, FortiAnalyzer needs a few minutes to parse it. If you
try to run a newly created playbook configured with an on-demand trigger before it is parsed, FortiAnalyzer
generates an error message as shown on this slide.

Variables
• You can use output variables and trigger variables in playbook tasks
• Output variables: Output of previous task is the input of current task
  • Format: ${task_id.output}
  • Previous task ID required
• Trigger variables: Use some of the information from the trigger to filter the action in the task
  • Format: ${trigger.variable}
Fabric View > Automation > Playbook

Second task generates a report

New Task: The new task uses an output variable. On the left is the report task ID, and on the right is the output of the report task (the actual report)

You can use variables when configuring tasks. There are two types of playbook variables: output variables
and trigger variables.

Use output variables to take the output from a preceding task as an input for the current task. An output
variable consists of the task ID, followed by the task output, as shown on this slide.

The example on this slide shows a task that uses the report produced by a preceding task as its input to
update an incident.

Use trigger variables to take information from the trigger step of a playbook configured with an event or
incident trigger. For example, a playbook configured with a report action requires filtering based on an
endpoint IP address. You can retrieve this information from the triggering event using a trigger variable.
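The two ideas in this section and in Playbook Concepts earlier in the lesson (tasks chained so that one task's output feeds the next, and the ${trigger.variable} / ${task_id.output} placeholders) come together in the following added example. It is illustration code written for this guide, not FortiAnalyzer's engine: the task actions (create_incident, get_events, run_report, attach_data), the task IDs and the sample events are stand-ins, and only the placeholder syntax is taken from the guide.

```python
"""Toy playbook run: a trigger followed by chained tasks whose parameters use
${trigger.variable} and ${task_id.output} placeholders.

Added example for this guide, not FortiAnalyzer code. The task actions,
task IDs and sample data are stand-ins chosen for illustration; only the
placeholder syntax follows the guide.
"""
import re
from typing import Any, Dict, List

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\}")


def _lookup(scope: str, name: str, trigger: Dict[str, Any], outputs: Dict[str, Any]) -> Any:
    if scope == "trigger":  # ${trigger.<field>} reads the triggering event
        if name not in trigger:
            raise KeyError(f"trigger has no variable {name!r}")
        return trigger[name]
    if name != "output" or scope not in outputs:  # ${<task_id>.output}
        raise KeyError(f"no completed task {scope!r} providing an output")
    return outputs[scope]


def resolve(value: Any, trigger: Dict[str, Any], outputs: Dict[str, Any]) -> Any:
    """Substitute placeholders in one task parameter. A parameter that is
    exactly one placeholder keeps the referenced object's type (list, dict);
    placeholders embedded in text are rendered as strings."""
    if not isinstance(value, str):
        return value
    whole = PLACEHOLDER.fullmatch(value)
    if whole:
        return _lookup(whole.group(1), whole.group(2), trigger, outputs)
    return PLACEHOLDER.sub(
        lambda m: str(_lookup(m.group(1), m.group(2), trigger, outputs)), value)


# Constructed sample events and stand-in task actions (not product APIs).
SAMPLE_EVENTS = [
    {"id": 1, "handler": "Spearphishing Attachment", "epip": "10.0.1.20"},
    {"id": 2, "handler": "Spearphishing Attachment", "epip": "10.0.1.21"},
    {"id": 3, "handler": "Compromised Host Detection", "epip": "10.0.1.20"},
]


def create_incident(p: Dict[str, Any]) -> Dict[str, Any]:
    return {"incident_id": 4242, "endpoint": p["epip"], "attachments": []}


def get_events(p: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [e for e in SAMPLE_EVENTS if e["epip"] == p["epip"]]


def run_report(p: Dict[str, Any]) -> Dict[str, Any]:
    return {"title": p["title"], "rows": len(p["events"])}


def attach_data(p: Dict[str, Any]) -> Dict[str, Any]:
    incident = dict(p["incident"])
    incident["attachments"] = incident["attachments"] + [p["data"]]
    return incident


ACTIONS = {"create_incident": create_incident, "get_events": get_events,
           "run_report": run_report, "attach_data": attach_data}


def run_playbook(tasks: List[Dict[str, Any]], trigger: Dict[str, Any]) -> Dict[str, Any]:
    """Run the tasks in order; each task sees the trigger and every earlier
    task's output. An unresolved placeholder raises KeyError, the kind of
    failure the playbook monitor shows as a failed task."""
    outputs: Dict[str, Any] = {}
    for task in tasks:
        params = {k: resolve(v, trigger, outputs) for k, v in task["params"].items()}
        outputs[task["id"]] = ACTIONS[task["action"]](params)
    return outputs


# Create an incident, collect the endpoint's events, run a report over them,
# then attach the report to the incident (the flow the template slide shows).
PLAYBOOK = [
    {"id": "t1", "action": "create_incident", "params": {"epip": "${trigger.epip}"}},
    {"id": "t2", "action": "get_events", "params": {"epip": "${trigger.epip}"}},
    {"id": "t3", "action": "run_report",
     "params": {"title": "Events for ${trigger.epip}", "events": "${t2.output}"}},
    {"id": "t4", "action": "attach_data",
     "params": {"incident": "${t1.output}", "data": "${t3.output}"}},
]

if __name__ == "__main__":
    print(run_playbook(PLAYBOOK, {"handler": "Spearphishing Attachment", "epip": "10.0.1.20"})["t4"])
```

Note the order dependency: t3 can only reference ${t2.output} because t2 is listed before it, which is the "previous task ID required" rule on the slide. A task that references an output nobody has produced yet fails at resolve time, which is exactly the symptom examined under Monitoring Playbooks later in this lesson.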

Knowledge Check
1. Which type of variable takes the output of a preceding task as the input of a current
task?
A. Trigger variable
B. Output variable

Lesson Progress

Playbook Concepts

Creating Playbooks

Configuring Connectors

Managing Playbooks


Good job! You now understand how to create playbooks.

Now, you will learn about configuring connectors.


Configuring Connectors

Objectives
• Describe connector types
• Configure connector actions


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in connectors, you will understand how FortiAnalyzer uses connectors in
conjunction with playbooks to automate actions to be performed on other Fortinet devices.

Connectors
Fabric View > Automation > Connectors
• Allow playbooks to interact with devices in the Security Fabric and other standalone devices
• Determine which actions can be performed by playbook tasks
• The local connector does not need any additional configuration
  • All other connector types must be configured
• The connector status icon is color coded:
  • Green: connection successful
  • Black: connection unknown
  • Red: connection down

Status icon


Connectors determine which automated actions playbooks can perform. Each connector type supports
different actions.

You can quickly determine the API connection status of a connector, which is indicated by a colored status
icon.

By default, you can use the local connector in playbooks without any additional configuration. All other
connectors require additional configuration.

For example, the FortiOS connector is listed as soon as you add the first FortiGate device to FortiAnalyzer.
However, to see the actions related to that FortiOS connector, you must enable an automation rule using an
incoming webhook call trigger on the FortiGate device.

Connector Types
Fabric View > Fabric Connectors
• Two types of connectors
  • Security Fabric
  • ITSM
• Security Fabric connectors:
  • FortiClient EMS
  • FortiMail
  • FortiCASB
• ITSM connectors:
  • Service Now
  • Slack
  • MS Teams
  • Generic: Support additional third-party ticketing platforms


On FortiAnalyzer, there are two types of connectors that you can configure on the Fabric Connectors page:
Security Fabric and IT service management (ITSM).

Security Fabric connectors include FortiClient EMS, FortiMail, and FortiCASB connectors.

ITSM connectors include connecting to third-party service management or ticketing software such as Service
Now, Slack, MS Teams, and so on. FortiAnalyzer also supports a generic connector type to facilitate
integration with additional third-party ticketing software.

Connector Actions
• Connector actions are automated
• Each connector has its own set of actions
• Connector actions are predefined
Fabric View > Fabric Connectors

FortiMail connector actions

FortiClient EMS connector actions


Each connector has its own set of predefined actions. These actions are automated and are performed in
playbooks.

An example of when you might use a connector action in your network is to have a FortiClient EMS connector
regularly retrieve a list of endpoints or perform quarantine actions on compromised endpoints.

All connector actions are predefined and cannot be modified.

Use Case
Fabric View > Automation > Playbooks
Fabric View > Automation > Playbook Monitor

Slide callouts: steps 2 and 3 of the playbook; the infected host is quarantined


This slide shows an example of a playbook using the FortiClient EMS connector.

FortiAnalyzer has generated an event indicating that a host is infected after downloading a malicious file. The
analyst has configured a playbook with a FortiClient EMS connector to quarantine infected hosts.

The analyst performs the following actions:


1) Manually run the playbook because it is configured for an on-demand trigger.
2) Input the FortiClient host details, including endpoint number, FortiClient UID, FortiClient site, and an
existing incident ID.

The playbook automates the following actions:


1) Execute a quarantine task on the infected host using the FortiClient EMS connector, and attach all related
data to the incident.
2) Quarantine the host so the malicious file cannot move laterally and infect other hosts in the network.

Knowledge Check
1. Which connector requires additional configuration?
A. FortiOS connector
B. Local connector

2. Which connector type allows integration with third-party ticketing applications?


A. Security Fabric
B. ITSM

Lesson Progress

Playbook Concepts

Creating Playbooks

Configuring Connectors

Managing Playbooks


Good job! You now know how to configure connectors.

Now, you will learn about managing playbooks and connectors on FortiAnalyzer.


Managing Playbooks

Objectives
• Monitor playbooks
• Export and import playbooks
• Review the mock threat report


After completing this section, you will be able to achieve the objectives shown on this slide.

By demonstrating competence in monitoring playbooks, you will be able to identify whether all automated
tasks ran successfully. You will also be able to export playbooks to another ADOM or device.

Monitoring Playbooks
• To see the playbook execution logs, click Details and then View Log
Fabric View > Automation > Playbook Monitor

This playbook has three tasks: one task is successful but the other two failed

This task failed because it did not receive the input it was expecting from a preceding task

When you troubleshoot playbooks, you must review the logs. Details about the execution of a playbook are
available in the associated log.

In the playbook monitor, all playbook jobs that include one or more failed tasks are assigned a failed status. A
failed status, however, does not mean that all tasks in the playbook failed. Other task actions in the playbook
may execute successfully.

In the example shown on this slide, the spearphishing attachment playbook has three configured tasks, two of
which failed to run—incident spearphishing and attach data to incident. Therefore, the playbook job is
considered to have failed.

Monitoring Playbooks (Contd)
Fabric View > Automation > Playbook Monitor

View the raw logs for failed playbooks to see more details

[2024-03-13T06:31:05.246-0700] {taskinstance.py:1937} ERROR - Task failed with exception
Traceback (most recent call last):
  File "/drive0/private/airflow/plugins/incident_operator.py", line 218, in execute
    self.epid = int(self.epid)
                ^^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: '100.64.1.20'
[2024-03-13T06:31:05.331-0700] {standard_task_runner.py:104} ERROR - Failed to execute job 417 for task placeholder_00f4d7f1_fac5_4354_a60a_3127a6bc5cc7 (invalid literal for int() with base 10: '100.64.1.20'; 1851)

This playbook failed because a task was expecting an integer value for the epid variable, but received an IP address string instead, which int() cannot parse as a base 10 integer

To determine where exactly the task execution failed, you must view the raw logs.

The example on this slide shows the raw logs for the incident spearphishing task. The ValueError in the raw
logs indicates that the task expected an integer value for the epid variable but received the IP address string
'100.64.1.20' instead, which int() cannot parse as a base 10 integer. In practice this means the task was wired to
the wrong variable (an endpoint IP rather than an endpoint ID), so the fix is in the task's input, not in the log.
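As an added example for this guide (not FortiAnalyzer code), the following block parses the raw log excerpt from this slide, reports which job and task failed and on what value, and shows the kind of input check that would reject an IP address before it reaches int(). RAW_LOG reproduces the slide's log lines; the record layout the parser assumes is inferred from those lines only, and coerce_epid is an illustrative helper, not a product function.

```python
"""Parse the raw log excerpt shown on this slide, report which job and task
failed and why, and show the input check that would have rejected the bad
value before int() was called.

Added example for this guide, not FortiAnalyzer code. RAW_LOG reproduces
the slide's log lines; the record layout the parser assumes is inferred
from those lines only, and coerce_epid is an illustrative helper, not a
product function.
"""
import ipaddress
import re
from typing import Dict, Optional, Union

RAW_LOG = """\
[2024-03-13T06:31:05.246-0700] {taskinstance.py:1937} ERROR - Task failed with exception
Traceback (most recent call last):
  File "/drive0/private/airflow/plugins/incident_operator.py", line 218, in execute
    self.epid = int(self.epid)
ValueError: invalid literal for int() with base 10: '100.64.1.20'
[2024-03-13T06:31:05.331-0700] {standard_task_runner.py:104} ERROR - Failed to execute job 417 for task placeholder_00f4d7f1_fac5_4354_a60a_3127a6bc5cc7 (invalid literal for int() with base 10: '100.64.1.20'; 1851)
"""

ERROR_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{(?P<src>[^}]+)\} ERROR - (?P<msg>.*)$")
JOB_LINE = re.compile(r"Failed to execute job (?P<job>\d+) for task (?P<task>\S+)")
FRAME_LINE = re.compile(r'^\s*File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)')
INT_ERROR = re.compile(r"^(?P<exc>\w+): invalid literal for int\(\) with base 10: '(?P<value>[^']*)'")


def triage(raw: str) -> Dict[str, Optional[str]]:
    """Pull the job, task, failing frame and offending value out of the log."""
    found: Dict[str, Optional[str]] = dict.fromkeys(
        ["job", "task", "file", "line", "exception", "value"])
    for line in raw.splitlines():
        if m := ERROR_LINE.match(line):
            if j := JOB_LINE.search(m.group("msg")):
                found["job"], found["task"] = j.group("job"), j.group("task")
        elif m := FRAME_LINE.match(line):
            found["file"], found["line"] = m.group("file"), m.group("line")
        elif m := INT_ERROR.match(line):
            found["exception"], found["value"] = m.group("exc"), m.group("value")
    return found


def looks_like_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def coerce_epid(value: Union[int, str]) -> int:
    """Validate an endpoint ID before a task uses it, naming the likely cause
    (an IP variable wired into an ID field) instead of the bare int() error."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    if looks_like_ip(text):
        raise ValueError(f"epid must be an endpoint ID, got the IP address {text!r}; "
                         "check which trigger or output variable feeds this task")
    raise ValueError(f"epid must be an integer, got {text!r}")


def explain(raw: str) -> str:
    """One-line summary an analyst can paste into the incident notes."""
    t = triage(raw)
    hint = " (the value is an IP address, not an ID)" if t["value"] and looks_like_ip(t["value"]) else ""
    return (f"job {t['job']}, task {t['task']}: {t['exception']} at "
            f"{t['file']}:{t['line']} on value {t['value']!r}{hint}")


if __name__ == "__main__":
    print(explain(RAW_LOG))
```

The two ERROR records carry different information: the first one has the traceback with the failing source line, the second one has the job number and the task name. Reading both is what lets you go from "the playbook failed" to "task X received an IP where an ID was expected", which points straight back to the variable configured on that task.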

Exporting Playbooks
Fabric View > Automation > Playbook
• Playbooks are defined per ADOM
• Export playbooks to use them in a different ADOM or FortiAnalyzer device
• You can include the connectors in the exported file
• The exported file is in JSON format
  • You can also compress the file

Including the connectors ensures all required components are exported


Playbooks are defined per ADOM. If you want to use an existing playbook in a different ADOM or a different
FortiAnalyzer device, you must export the playbook.

To export a playbook, right-click the playbook, and then click Export. You can export more than one playbook
at the same time by selecting multiple playbooks.

When exporting a playbook, you can choose to export the connectors. Connectors required to run the
playbook will be included in the exported file. This will preserve the connector configuration with the playbook
configuration.

You can export the playbook in two formats: plain text JSON or zipped base 64 encoded JSON. If you want a
human-readable file, then you must choose the text version during the export process.

Importing Playbooks
• Import a previously exported playbook on the destination ADOM or device
Fabric View > Automation > Playbook


To import a playbook, right-click anywhere on the playbook dashboard, and then click Import.

If the imported playbook has the same name as an existing playbook, to avoid conflicts, FortiAnalyzer will
append a timestamp to the imported playbook name.

Playbooks are imported with the status they had (enabled or disabled) when they were exported. Playbooks
with automatic triggers (incident or event) should be exported while they are disabled, to prevent the playbook
from unintentionally running after import.
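The export and import behaviour described on the last two slides, modelled as an added example for this guide (not FortiAnalyzer code): plain JSON or zipped, base64-encoded JSON; optional bundling of only the connectors the tasks reference; a timestamp appended on a name clash; the enabled/disabled state preserved; and a pre-export check for playbooks whose automatic trigger is still enabled. The bundle layout, the choice of zlib for "zipped", the timestamp format and the sample playbooks and connectors are assumptions.

```python
"""Export/import round trip for playbook definitions: plain JSON or zipped,
base64-encoded JSON, optional connector bundling, a timestamp suffix on a
name clash, and a pre-export check for enabled automatic triggers.

Added example for this guide, not FortiAnalyzer code. The bundle layout,
the use of zlib for "zipped", the timestamp format and the sample
playbooks and connectors are assumptions made for illustration.
"""
import base64
import json
import zlib
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

AUTOMATIC_TRIGGERS = {"EVENT_TRIGGER", "INCIDENT_TRIGGER"}


def export_playbooks(playbooks: List[Dict[str, Any]], connectors: Dict[str, Dict[str, Any]],
                     include_connectors: bool = True, compress: bool = False) -> bytes:
    """Serialize the selected playbooks and, optionally, only the connectors
    their tasks reference, as JSON or as zlib-compressed, base64-encoded JSON."""
    bundle: Dict[str, Any] = {"playbooks": playbooks}
    if include_connectors:
        used = {t["connector"] for pb in playbooks for t in pb["tasks"]}
        bundle["connectors"] = {n: connectors[n] for n in used if n in connectors}
    data = json.dumps(bundle, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(data)) if compress else data


def load_bundle(blob: bytes) -> Dict[str, Any]:
    """Accept either export format: JSON starts with '{', base64 never does."""
    if blob.lstrip().startswith(b"{"):
        return json.loads(blob)
    return json.loads(zlib.decompress(base64.b64decode(blob)))


def import_playbooks(blob: bytes, existing_names: List[str],
                     now: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Import playbooks, appending a timestamp to a name that already exists
    in the destination ADOM and keeping the exported enabled/disabled state."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")  # assumed format
    taken = set(existing_names)
    imported = []
    for pb in load_bundle(blob)["playbooks"]:
        pb = dict(pb)
        if pb["name"] in taken:
            pb["name"] = f"{pb['name']}_{stamp}"
        taken.add(pb["name"])
        imported.append(pb)
    return imported


def unsafe_to_export(playbooks: List[Dict[str, Any]]) -> List[str]:
    """Names of playbooks whose automatic trigger is still enabled. Disable
    these before exporting so they cannot fire unexpectedly after import."""
    return [pb["name"] for pb in playbooks
            if pb["enabled"] and pb["trigger"] in AUTOMATIC_TRIGGERS]


# Constructed sample data (names and connector settings are made up).
CONNECTORS = {"local": {}, "fcems": {"host": "ems.example.test"}}
PLAYBOOKS = [
    {"name": "Quarantine Host", "trigger": "ON_DEMAND", "enabled": True,
     "tasks": [{"connector": "fcems", "action": "quarantine"}]},
    {"name": "Spearphishing Attachment", "trigger": "EVENT_TRIGGER", "enabled": True,
     "tasks": [{"connector": "local", "action": "create_incident"}]},
]

if __name__ == "__main__":
    print("disable before export:", unsafe_to_export(PLAYBOOKS))
    blob = export_playbooks(PLAYBOOKS, CONNECTORS, compress=True)
    print(import_playbooks(blob, ["Quarantine Host"]))
```

Run unsafe_to_export before exporting: the event-triggered playbook in the sample is still enabled and would start running in the destination ADOM as soon as a matching event arrived, which is the situation the guide tells you to avoid by exporting it disabled.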

Playbooks Dashboard
• This dashboard tracks all playbooks executed in the last seven days
Fabric View > Automation > Summary

A playbook can have multiple actions

These two playbooks have run more than all of the other playbooks, which could be normal or caused by a misconfiguration


The playbook dashboard shows the number of playbooks executed, which playbooks have executed,
playbook actions executed, and any trends in the total executed playbooks and actions.

This dashboard shows all the playbooks that have been executed in the last seven days, including their
names, and the total number of actions performed. This information gives you an idea of how much time has
been saved by automating tasks.

In the example shown on this slide, 2388 playbooks have been executed. However, 10,730 actions have been
taken. This shows that one or more of the playbooks listed have more than one action configured. The image
also shows the names of the most frequently executed playbooks. It is the responsibility of the SOC analyst to
ensure playbooks are correctly configured so they run only when required.
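The dashboard arithmetic above (runs versus actions over a seven-day window, and spotting a playbook that dominates the count), as an added example that is not Fortinet's code; the execution records are constructed in a simplified shape (playbook name, run time, actions executed) and are not FortiAnalyzer's data.

```python
"""Dashboard-style summary of playbook executions (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 28, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed run records: (playbook name, run time, actions executed).
RUNS = [
    ("Spearphishing incident", NOW - timedelta(hours=1), 3),
    ("Spearphishing incident", NOW - timedelta(days=1), 3),
    ("Spearphishing incident", NOW - timedelta(days=2), 3),
    ("Quarantine host", NOW - timedelta(days=3), 1),
    ("SMTP enumeration", NOW - timedelta(days=6), 2),
    ("SMTP enumeration", NOW - timedelta(days=10), 2),  # older than 7 days
]


def summarize(runs, now=NOW, days=7):
    """Per-playbook run and action counts over the trailing `days` window."""
    cutoff = now - timedelta(days=days)
    run_count, action_count = Counter(), Counter()
    for name, ts, actions in runs:
        if ts >= cutoff:
            run_count[name] += 1
            action_count[name] += actions
    return run_count, action_count


def flag_dominant(run_count, share=0.5):
    """Playbooks responsible for more than `share` of all runs in the window.

    A playbook that dwarfs the others can be legitimate or can point to an
    over-broad trigger; the analyst decides which after reviewing it.
    """
    total = sum(run_count.values())
    return sorted(n for n, c in run_count.items() if total and c / total > share)


def report(runs, now=NOW, days=7):
    """Totals as the dashboard shows them, plus playbooks worth reviewing."""
    run_count, action_count = summarize(runs, now, days)
    return {
        "playbooks_executed": sum(run_count.values()),
        "actions_executed": sum(action_count.values()),
        "most_frequent": [n for n, _ in run_count.most_common(3)],
        "review": flag_dominant(run_count),
    }


if __name__ == "__main__":
    print(report(RUNS))
```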

Use Case—Healthcare Sector

Your organization is a hospital targeted by cybercriminals through a phishing attack to ransom private data

Threat: Potential breach exposing thousands of patients’ data and putting patients at risk.

Our goal: Automate actions using playbooks and connectors on FortiAnalyzer

Domain: Enterprise

Attacker: Group ABC

In the healthcare sector story from Lesson 1—SOC Concepts and Security Frameworks, the blue team
prepares to automate their actions using playbooks and connectors on FortiAnalyzer.

Blue Team Plan of Action: Automation
• Configure playbooks to run because of the following detection events:
• Probing attacks that target email systems in search of valid email accounts
• Spearphishing emails with attached malicious Microsoft Office macro-enabled files
• Configure the FortiClient EMS connector and playbooks to automate the following tasks:
• Retrieve a list of all endpoints with FortiClient site and UUID information
• Quarantine identified compromised host (containment)
• Release sanitized host from quarantine (recovery)


Using their knowledge of playbooks on FortiAnalyzer, the blue team configures playbooks to run when an
event handler triggers by identifying probing attacks by Group ABC. The probing attack targets email systems
in search of valid email accounts. The blue team also configures playbooks to automatically run when an
event is created after detecting spearphishing emails that contain an attached malicious Microsoft Office
macro-enabled file. These playbooks create incidents that can be used to track and follow the investigation
into these attacks. The playbooks also attach data from events created by the corresponding event handlers
to these incidents for easy access.

The blue team uses their knowledge of connectors on FortiAnalyzer to configure the FortiClient EMS
connector. This automatically creates several playbooks, one of which the blue team uses to retrieve a list of
all endpoints that include important data such as the FortiClient site and FortiClient UUID, which are updated
in the FortiAnalyzer Asset Identity Center. The blue team also configures a playbook to use in the containment
phase of incident handling. The containment phase playbook quarantines the identified compromised host
following an investigation into the malicious file download. Finally, the blue team configures a playbook to use
in the recovery phase of incident handling. The recovery playbook releases the sanitized host from
quarantine.

Blue Team Plan of Action: Playbooks
Fabric View > Automation > Playbook

Slide callouts: "List of playbooks created by the blue team to detect attacks, and to quarantine and release hosts" and "Playbook configured to detect a spearphishing event".

This slide shows all the playbooks that the blue team configures in response to the threat report about the
Group ABC attack. These include a playbook that will run if FortiAnalyzer detects a reconnaissance tactic
attempting to gather victim identity information through SMTP enumeration, as well as a playbook that will trigger
if FortiAnalyzer detects a spearphishing event. The list of playbooks also includes quarantine and unquarantine
playbooks that FortiAnalyzer will run using the FortiClient EMS connector during the containment and
recovery phases of incident handling.

The slide shows an example of the blue team’s spearphishing attack playbook.

Blue Team Plan of Action: Playbooks (Cont)
Fabric View > Automation > Playbook

Slide callouts: "All the playbooks that were run when FortiAnalyzer detected different attacks from the adversary Group ABC" and "Incident auto generated by spearphishing playbook that was configured by the blue team".

This slide shows all the playbooks that were run on FortiAnalyzer during the Group ABC attack. This includes
playbooks that were run to identify the SMTP enumeration attempts to gather victim identity information. A
playbook was also run when a spearphishing attachment was detected by FortiSandbox.

The slide also shows the quarantine and unquarantine playbooks that were run using the FortiClient EMS
connector to quarantine the infected host and then later to remove the sanitized host from quarantine.

It also includes the incident that was automatically generated when the spearphishing playbook was run to
monitor the attack. The incident audit history shows the timeline of every action that was performed on this
incident.

Knowledge Check
1. How many days of playbook execution does the playbook dashboard track?
A. 7
B. 15

2. When exporting playbooks, which connector configuration can you also export?
A. Local connector
B. FortiClient EMS connector


Lesson Progress

Playbook Concepts

Creating Playbooks

Configuring Connectors

Managing Playbooks


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

Review
• Identify playbook components
• Describe trigger types and their properties
• Create and customize playbooks from a template
• Create new playbooks from scratch
• Use variables in tasks
• Configure connector actions
• Monitor playbooks
• Export and import playbooks


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure and use playbooks effectively
to automate tasks in FortiAnalyzer. You also learned how to use connectors along with playbooks to send
actions to other Fortinet devices and third-party applications.


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
