Introduction

SOCaaS analyzes security events generated from your FortiGate™ appliances, performs alert triage, and escalates verified threat notifications to your security team. SOCaaS complements your incident response monitoring life cycle by providing continuous cyber awareness and control of your Fortinet Security Fabric.

SOCaaS enriches the FortiGate events it receives by applying standard event handlers, playbooks and severity classification, drawing on FortiGuard threat research and the FortiGuard vulnerability database.

With a FortiClient Forensic Service license, you can onboard a FortiClient EMS device and submit and view forensic analysis requests for endpoints associated with alerts created by SOCaaS. See Forensic analysis.

The service covers the following areas:

Monitoring & Detection

SOCaaS receives events from supported appliances, depending on their firmware, entitlements and configuration. Received events are processed by SOCaaS and evaluated to remove false positives, and verified notifications are relayed to you. Examples of the use cases covered by this service include:

  • Policy violation detection

  • Initial compromise detection

  • Malware detection

  • Intrusion detection

  • Command and control and botnet detection

  • Recon activity & lateral movement detection

  • FortiGate health monitoring

  • FortiGate misconfiguration monitoring

Investigation & Analysis

SOCaaS uses standard event handlers and playbooks to correlate received security events with FortiGuard threat resources; the results are then verified by expert SOC (Security Operations Center) analysts to provide:

  • Automated correlation, analysis, and context enrichment using SOAR playbooks

  • Alert triage

  • Incident analysis and validation of events as verified incidents, with escalation to the customer via phone and email notification

  • Request and view forensic analysis on endpoints managed by FortiClient EMS.

Containment & Response

Through the integration of FortiGuard threat research, known insights are shared as part of the escalation alert notification and are accessible within the SOCaaS Portal. You may further access the SOC analysts for:

  • Remote assistance following a verified event notification to clarify indicative response recommendations.

  • Recommendations for incident containment and remediation related to an escalation alert notification.

Service Reporting

Regular reports are made available to you on a scheduled basis which include the following options:

  • Weekly summary reports on alerts, notifications and SOCaaS Portal tickets.

  • Monthly onboarded asset inventory summary report.

  • Quarterly service review - Customers who are interested in a Quarterly Business Review can submit a service request from their SOCaaS Customer Portal. The SOCaaS Service Delivery Managers (SDM) will contact customers to schedule a time for the Quarterly Service Review.

  • Weekly security threat reports that highlight activity for the specific use cases, including, where appropriate, recommendations for FortiGate security configuration improvements such as enabling the required appliance subscription services.

Access to SOCaaS Portal

The SOCaaS portal allows you to:

  • Raise a service request to add or amend a Fortinet appliance entitled to SOCaaS.

  • View verified event information and incident status contained within an event ticket.

  • Download reports made available within SOCaaS.

  • Access helpful documents, videos, and news about SOCaaS.

  • View the SOC Monitoring Summary Dashboard along with important alert and logging information.

  • Review all your Fabric devices, entitled devices, onboarded devices, expiring licenses, and devices not subscribed to SOCaaS.

  • View and submit FortiClient forensic analysis requests.

SOCaaS requires, and will receive, logs from the FortiGate units registered and onboarded to SOCaaS according to the deployment option you select from those outlined below. Customer logs are stored in Fortinet datacenters in the then-currently available regions: for Option 2, in the same region where the log sources are located; for Option 1, in the region identified by the customer. A third option, receiving logs from FortiSASE, is also available.

Option 1: FortiGate Monitoring via Customer Owned On-Premises FortiAnalyzer™

  • The customer's FortiGate logs are sent to the customer's on-premises FortiAnalyzer units.

  • On-premises FortiAnalyzer forwards logs to Fortinet SOCaaS cloud.

  • Alerts are sent to Fortinet SOCaaS cloud for security orchestration, automation, and incident response.

Option 2: FortiGate Monitoring via Customer FortiAnalyzer Cloud

  • The customer's FortiGate logs are sent to FortiAnalyzer Cloud.

  • Alerts are sent to Fortinet SOCaaS cloud for security orchestration, automation, and incident response.

Option 3: FortiClient EMS and FortiSASE

  • With a SOCaaS add-on license for FortiSASE, you can forward FortiSASE logs to SOCaaS for monitoring.

  • With a FortiClient Forensic Service license, you can onboard a FortiClient EMS device and submit forensic analysis requests for endpoints associated with SOCaaS alerts (see Forensic analysis).