FortiSoC is a subscription service that enables security orchestration, automation, and response (SOAR), and security information and event management (SIEM) capabilities on FortiAnalyzer.
FortiAnalyzer's SIEM capabilities parse, normalize, and correlate logs from Fortinet products and the security event log of Windows and Linux hosts (with Fabric Agent integration). Parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators. SIEM logs are displayed as Fabric logs in Log View and can be used when generating reports. See Types of logs collected for each device.
FortiSoC provides incident management capabilities with playbook automation to accelerate incident response. When FortiAnalyzer has a valid subscription license, the FortiSoC module is activated and administrators are able to access SOAR features. Task automation can be configured by SOC analysts using playbooks, which consist of a trigger and a sequence of automated actions. Playbooks can be created from scratch or by using one of the predefined templates. Fabric connectors further enhance FortiSoC functionality by allowing playbooks to perform tasks using connected devices, including FortiOS and FortiClient EMS.
FortiSoC includes a trial with a limited capacity allowing up to five playbooks per day. A SOC subscription is required to run at full capacity. For additional information about licensing, please see support.fortinet.com.
This section includes information on the following topics:
- Viewing FortiSoC dashboards
- Configuring playbook automation
For information about FortiSoC incidents and events, see Incident and Event Management.