Stage 4: Automation

Automation 04-01: Malicious scanning is taking place in the DMZ. Detect it and automatically quarantine the scanner.

·      You will need FortiDeceptor as a Service on FortiCloud: https://daas.forticloud.com/halo/

Login:         groupx@fortinethk.com

Password:      Fortinet123$

·      You will need FortiSOAR

Login:         csadmin

Password:      Fortinet123$

2FA is required. Log in to the Gmail account below to retrieve the token.

Login:         groupx@fortinethk.com

Password:      fortinet

·      The scanning is expected to target a Windows machine (ping, RDP and SMB).

·      Use 192.168.100.211 as the decoy.

Hints:

·      FortiGate has an automation function (automation stitches). ;-)
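The detect-and-quarantine logic this task asks for, as an added example that is not part of the original lab sheet and not FortiGate or FortiDeceptor code: it reads constructed traffic log lines, flags any source that touched the decoy on two or more of the expected services (ping, RDP, SMB) and builds the quarantine request. The log field names, the `min_services` threshold and the FortiOS banned-IP endpoint are assumptions; in the lab, the same trigger/action pair is what the FortiGate automation stitch implements.

```python
import re
from collections import defaultdict

DECOY = "192.168.100.211"
# Decoy services a scan of a Windows host is expected to touch: ICMP echo, RDP, SMB.
# Keys are (IP protocol number, destination port); port is None for ICMP.
WATCHED_SERVICES = {(1, None): "ping", (6, 3389): "rdp", (6, 445): "smb"}

# Constructed sample traffic log, key=value style. Not real FortiGate or
# FortiDeceptor output; the field names are an assumption for this example.
SAMPLE_LOGS = """\
time=10:00:01 srcip=192.168.100.50 dstip=192.168.100.211 proto=1 action=accept
time=10:00:02 srcip=192.168.100.50 dstip=192.168.100.211 proto=6 dstport=3389 action=accept
time=10:00:03 srcip=192.168.100.50 dstip=192.168.100.211 proto=6 dstport=445 action=accept
time=10:00:04 srcip=192.168.100.60 dstip=192.168.100.211 proto=1 action=accept
time=10:00:05 srcip=192.168.100.70 dstip=192.168.100.10 proto=6 dstport=445 action=accept
time=10:00:06 srcip=192.168.100.80 dstip=192.168.100.211 proto=6 dstport=22 action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; protocol and port become ints."""
    fields = dict(KV_RE.findall(line))
    for key in ("proto", "dstport"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def decoy_touches(log_text, decoy=DECOY):
    """Map each source IP to the set of decoy services it touched.

    Anything that talks to the decoy is suspicious (no production host should),
    so unrecognised ports are recorded as 'other' rather than dropped.
    """
    touches = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dstip") != decoy:
            continue
        key = (rec.get("proto"), rec.get("dstport"))
        touches[rec["srcip"]].add(WATCHED_SERVICES.get(key, "other"))
    return dict(touches)


def find_scanners(log_text, min_services=2, decoy=DECOY):
    """Return source IPs that touched at least min_services distinct decoy services.

    A lone ping could be a monitoring probe; ping plus RDP plus SMB against a
    host nobody is supposed to know about is a scan.
    """
    return sorted(
        src for src, services in decoy_touches(log_text, decoy).items()
        if len(services) >= min_services
    )


def quarantine_request(ips, expiry_seconds=3600):
    """Build the body of a FortiGate quarantine (banned IP) API call.

    Assumption: FortiOS exposes POST /api/v2/monitor/user/banned/add_users taking
    an 'ip_addresses' list and an 'expiry' in seconds. Verify the path and field
    names against the REST API reference of the firmware in the lab before use.
    """
    return {
        "path": "/api/v2/monitor/user/banned/add_users",
        "body": {"ip_addresses": list(ips), "expiry": expiry_seconds},
    }


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOGS)
    print("decoy touches:", decoy_touches(SAMPLE_LOGS))
    print("quarantine:", quarantine_request(scanners))
```

With the default threshold a single ping against the decoy is reported but not quarantined, which keeps a monitoring probe from taking a host off the network; lower `min_services` to 1 if nothing legitimate is ever supposed to reach the decoy. The quarantine should carry an expiry so that a false positive heals itself.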

 

Automation 04-02: Communities (e.g. police, CERT) send threat intelligence by email. Automatically ingest it into the firewall to block the malware.

·      Create an IMAP connector to the email server (192.168.200.31) on port 993. SSL verification is not required in the lab.

Username:   report

Password:      fortinet

·      You will need to configure Data Ingestion. Most values can be left at their defaults, except the type, which should be “Phishing”.

·      If successful, IoCs are imported into Threat Feeds. Use them to block the IoCs on the firewall.

Hints:

·      Remember to add a schedule. Every 5 minutes is good enough.
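The ingestion step end to end, as an added example that is not from the original lab sheet and not FortiSOAR code: a constructed advisory email is parsed, defanged indicators (`[.]`, `hxxp`) are restored, own address space is dropped so a badly worded mail cannot block the relay itself, and the result is emitted one indicator per line, the plain-text shape a firewall threat feed consumes. `fetch_unseen` shows the IMAPS connection with certificate verification disabled as the lab instructs; the sample message, the internal ranges and the feed layout are assumptions.

```python
import email
import imaplib
import ipaddress
import re
import ssl
from email import policy
from urllib.parse import urlparse

# Constructed sample advisory, shaped like what the IMAP fetch returns (RFC 822
# bytes). Not a real CERT message; every indicator in it is made up.
SAMPLE_EMAIL = b"""\
From: soc@cert.example
To: report@example.com
Subject: [TLP:AMBER] Malware IoCs 2024-05-01
Content-Type: text/plain; charset=utf-8

C2 servers observed this week: 203.0.113.10 and 198.51.100[.]77
Download site: hxxp://malware-update[.]example/payload.exe
Backup CDN: evil-cdn[.]example
Dropper SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Our own relay 192.168.200.31 appeared in the logs but is NOT malicious.
"""

# Own address space that must never land in a block feed, whatever the mail says.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo the usual defanging conventions so the regexes see real indicators."""
    text = re.sub(r"(?i)\bhxxp", "http", text)
    return text.replace("[.]", ".").replace("(.)", ".")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(raw_message):
    """Parse an RFC 822 message and pull IPs, domains, URLs and SHA-256 hashes from its text body."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = refang(part.get_content() if part is not None else "")

    urls = set(URL_RE.findall(text))
    # Strip URLs before the bare-domain pass so path components such as
    # "payload.exe" are not mistaken for domains; take hostnames from the URLs instead.
    stripped = URL_RE.sub(" ", text)
    domains = {d.lower() for d in DOMAIN_RE.findall(stripped)}
    domains |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}

    ips = {ip for ip in IPV4_RE.findall(text) if not is_internal(ip)}
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return {"ip": ips, "domain": domains, "url": urls, "hash": hashes}


def feed_lines(iocs, kind):
    """One indicator per line: the plain-text layout a firewall threat feed consumes."""
    return sorted(iocs[kind])


def fetch_unseen(host, user, password, port=993, verify_tls=True):
    """Yield the raw bytes of unread INBOX messages over IMAPS.

    verify_tls=False mirrors the lab's "no need to verify SSL". Outside a lab it
    lets anyone on the path inject indicators that the firewall will then block.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        conn.login(user, password)
        conn.select("INBOX")
        _, data = conn.search(None, "UNSEEN")
        for num in data[0].split():
            _, parts = conn.fetch(num, "(RFC822)")
            yield parts[0][1]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EMAIL)
    for kind in ("ip", "domain", "url", "hash"):
        print(kind, feed_lines(found, kind))
```

The internal-range filter is the check worth keeping when the real connector is in place: the sample message mentions the mail relay 192.168.200.31 in a sentence that says it is not malicious, and a regex-driven ingestion would otherwise push it into the block feed. Note that `ipaddress`'s `is_private` is not a substitute, since it also flags the documentation ranges used for the sample C2 addresses.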