Fortinet Document Library

Version:

Version:

Version:


Table of Contents

User Guide

Download PDF
Copy Link

Overview

FortiSOAR is a centralized hub for all of your security operations. Our platform provides customizable mechanisms for prevention, detection, and response that work across tools in your environment. The integrations here are intended to provide a demonstration of how FortiSOAR can enable your security operations from end-to-end.

Use the user guide to understand how to use FortiSOAR, including using modules such as Alerts and Incidents, importing data, searching within FortiSOAR, and creating your own custom dashboards and templates.

Logging on to FortiSOAR

Your administrator will provide you access and credentials to log on to the FortiSOAR application.

Tooltip

You must change the password when you first log on to FortiSOAR, irrespective of the complexity of the password assigned to you, by clicking the User Profile icon (User Profile icon) and then selecting the Change Password option.

Upon accessing the FortiSOAR login screen, enter your login credentials.

FortiSOAR™ login

If your organization uses SSO and your administrator has completed the configuration of SSO for FortiSOAR, you can use Single Sign On (SSO) to log on to FortiSOAR. Log on to FortiSOAR using SSO by clicking the Use Single Sign On (SSO) link that is present on the FortiSOAR login page.

FortiSOAR™ login with the SSO link

Once you click the Use Single Sign On (SSO) link, you are redirected to a third-party identity login page, where you must enter your credentials and get yourself authenticated. Once you successfully log on to FortiSOAR, your user profile automatically gets created. Your user profile is created based on the default values, such as your default team and role, configured by your administrator. You can update your profile by editing your user profile.

User Profile

All users of the system have a profile. Once you log on to FortiSOAR, you can access your own profile and can update your information. To access your profile, click the User Profile icon (User Profile icon) on the top-right bar in FortiSOAR.

User Profile Page

You can view your name, email, username, password, phone numbers, teams and roles to which you are assigned. You can also view your own audit logs, which display a chronological list of all the actions that you have performed across all the modules of FortiSOAR.

Note

The Username field is mandatory and case sensitive and it cannot be changed once it is set.

You must change your password when you first log on to FortiSOAR. You can change your password by clicking the User Profile icon and selecting the Change Password option. Clicking the Change Password option opens the Change Password dialog in which you enter your old password in the Old Password field, new password in the New Password field and re-enter the new password in the Confirm Password Field. Click Submit to change your password.

Change Password Dialog

Note

If you face issues with user preferences such as, applying filters on the grid or column formatting within a grid, click the More Options icon (More Options icon) and click on the Reset Columns To Default option.

Authentication

You can view your user type and username in the Authentication section. Do not change this option.

You can also reset your password by clicking the Reset Password button.

User Profile - Authentication

Clicking Reset Password opens the Reset Password dialog in which you enter the password that you want to set in the New Password field and re-enter the new password in the Confirm Password Field. Click Submit to change your password.

2-Factor

The 2-Factor authentication menu displays the current user preference for the 2-factor method. Currently, FortiSOAR supports only TeleSign for 2-Factor authentication. Do not change this option.

Notifications

Currently, notification preferences are limited to email. In the future, in-app notifications and SMS notifications will enable additional notification mechanisms. Do not change this option.

Theme Settings

You can update your FortiSOAR theme using the Theme Settings menu on the Edit User page. There are currently three theme options, Dark, Light, and Space, with Space being the default. Click Preview Theme to see the Theme as it would look and save the profile to apply the theme.

History

Use the History menu to view your authentication history and your ten most recent authentication attempts and their outcome.

Audit Logs

Use the User Specific Audit Logs panel to view a chronological list of all the actions that you have performed across all the modules of FortiSOAR. The audit log also displays users' login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.

Regenerating your password

In case you forget your FortiSOAR password, use the following procedure to reset or regenerate your password:

  1. On your FortiSOAR login page, click the Forgot Password link.
    Forgot Password link
  2. On the Forgot Password screen, enter your username, validate the captcha, and then click Send Reset Link.
    Forgot your Password screen
    Once you click Send Reset Link, an email is sent to the email address associated with the specified username.
    Resetting Password - Success Message

Feature Tour

Working in FortiSOAR

The FortiSOAR interface is based around a common navigation bar on the left side of the application, a global search bar, and filtering within modules. All navigation is built on top of the authorization you are provided according to your RBAC permissions.

For instance, if you have Read privileges to the Incidents module, you will be able to view all Incidents that are within your Ownership Sphere.

Navigation

The navigation bar provides quick access to the Components and Modules you are authorized to view.

At the highest level, the navigation bar provides Components, which open when you click on the component to reveal a module menu with all accessible modules. For example, when you click on the Incident Response, its module menu reveals the Alerts, Incidents, Tasks, Indicators and Email modules. Module links go to the Module's record listing pages.

Searching

There are three methods of searching within FortiSOAR.

Search Method Description
Global Search The Global Search bar at the top of the screen allows you to search for one or more keywords across all records within the system
Table Filter The Table Filter method allows you to search the name field quickly, such as Incidents, within the context of an individual data column on the table
Column Filter The Column Filter method within tables allows you to search specific records from a module, such as Incidents, within the context of an individual data column on the table

Search Interface

Global Search

The Global Search mechanism leverages an Elastic Search database to achieve rapid, efficient searches across the entirety of the record system. All the record data is stored in Elastic Search, including from file attachments, and made searchable.

The Global Search mechanism respects authorization from users to return search results, meaning users without Read permissions on a Module would not see results returned from that module even if they were found during the search.

Global Search result findings may be exported in the results table to CSV and then stored for future reference if desired.

Adding Records

Add records to a module using the Add button present on top of the grid that lists module records based on RBAC permissions.

Editing

Record editing within the record detail view can be accomplished via Inline editing, which allows for quick changes to fields and requires confirmation for all updates.

Additionally, in the detail view of every record is an Edit button on the top right in the breadcrumb bar. This gives you access to a bulk editing interface for all fields that are allowed within the authorization model of your user.

Modules & Models

One of the primary features of FortiSOAR is the ability to provide a clean interface with customized data models optimized for tracking day-to-day security data, such as Alerts.

FortiSOAR unifies the data streams to provide a centralized management interface for tracking. This means Incidents may spend their entire lifecycle rolled up inside of FortiSOAR and working across other related data being tracked, such as Tasks or Assets.

By providing a single place to view and organize security data, much of the overhead and manual effort of going to disparate security tools is significantly reduced. Users are enabled to focus on analyzing the data, not collecting the data.

Models within FortiSOAR are easily customizable according to the needs of an organization via API.

Many modules may be accessed through relationships but may not directly display in the interface navigation. Please see the detailed list of modules provided for more description.

Modules provide access to individual data models within the FortiSOAR database, such as Incidents.

All Module fields are editable and can be customized or extended as needed via API. Models are based on a standard JSON schema.

Note

We recommend you do not delete the core module fields that are included in your instance without consulting FortiSOAR Support. Deletion of core module fields may result in upgrade issues at a future date.

Not all modules will be exposed in the navigation. Some of them are only accessible within the context of other modules. You can modify the default navigation if you desire to add new modules at any time.

Some modules that are generally included by default in FortiSOAR are:

  • Alerts: Alerts generally represent records that contain a notice of suspicious activity typically triggered in a SIEM.
  • Incidents: Incidents generally represent records of actual breach of security.
  • Events: Events generally represent records that contain machine-level information which triggered a specific alert.
  • Indicators: Indicators generally represent records that contain simple identifiable information regarding a threat such as an IP or URL.

NOTE: Playbooks and Reporting do not have any associated Module definition.

Linking

Individual records are easily linked in the FortiSOAR interface to provide context and make it simple to track relationships. Linking may be contextual or operational.

Operational Links

For instance, an Incident may have multiple Tasks automatically generated based on the type of Incident. These Tasks stay linked to the Incident throughout the lifecycle and allow for an easy operational overview of where an Incident is beyond tracking just the Incident phase.

Contextual Links

In contextual situations, linking provides the ability to relate data records together and increase velocity during Preparation and Analysis activities.

For instance, Alerts link to Artifacts which then may be automatically linked to Assets. Artifacts within an Alert from your SIEM tool may contain information that helps identify and link Asset records making it simple for an Analyst to understand the potential scope of an Alert. FortiSOAR can find identifiable Asset information and then use that to search one or more Asset resources, such as a CMDB, local DNS, or DHCP records.

Linking is accomplished within the record detail view.

Automation

FortiSOAR provides a powerful Workflow Engine where machine-to-machine (M2M) automation, policy enforcement, data enrichment, and notifications, are all available within a simple drag-and-drop interface.

Security Playbooks may be digitized and automated via Workflows. A standard library of Playbooks may be added at the time of installation to provide a quick level of defaults that may then be customized to match the specific use cases of your environment.

Access Control

FortiSOAR utilizes a robust security model with Role Based Access Control (RBAC) as well as team ownership.

RBAC provides Create, Read, Update, and Delete (CRUD), permissions on individual models within the platform. Roles are created by granting CRUD privileges on models within the available models' list.

Teams provide for row-level ownership of records. Teams have an explicit hierarchy model to allow for complex relationships. The Teams you are a member of and their relationships combined define an Ownership Sphere. An Ownership Sphere is the full set of records on which you can exercise your permissions.

Live UI - Web Sockets

Live UI provides users with many benefits, such as immediate refreshing of records in case of an update by users or workflow (playbook or API), without the users having to refresh the views to see the updates manually.

When a user or workflow (playbook or API) updates any record that is being displayed in the following UI components:

  • Grid and Relationship grid (view panel)
  • Details View Panel
  • Collaboration Panel: Comments or Attachments
  • Approvals in notification panel

Then these changes are immediately reflected to other users who are active on that FortiSOAR instance.

If your FortiSOAR instance is connected to the web sockets server then a green connection icon is displayed at the top-middle of the FortiSOAR UI as shown in the following image:

LiveUI - Connection Established

If your FortiSOAR instance cannot connect to the web sockets server, due to connectivity or any other issues, then a red connection icon and a message such as "Live Sync is not active...." is displayed at the top-middle of the FortiSOAR UI as shown in the following image:

LiveUI - Connection Lost

In such a case FortiSOAR also displays a message to the users asking users to use manual refresh to update the views.

Overview

FortiSOAR is a centralized hub for all of your security operations. Our platform provides customizable mechanisms for prevention, detection, and response that work across tools in your environment. The integrations here are intended to provide a demonstration of how FortiSOAR can enable your security operations from end-to-end.

Use the user guide to understand how to use FortiSOAR, including using modules such as Alerts and Incidents, importing data, searching within FortiSOAR, and creating your own custom dashboards and templates.

Logging on to FortiSOAR

Your administrator will provide you access and credentials to log on to the FortiSOAR application.

Tooltip

You must change the password when you first log on to FortiSOAR, irrespective of the complexity of the password assigned to you, by clicking the User Profile icon (User Profile icon) and then selecting the Change Password option.

Upon accessing the FortiSOAR login screen, enter your login credentials.

FortiSOAR™ login

If your organization uses SSO and your administrator has completed the configuration of SSO for FortiSOAR, you can use Single Sign On (SSO) to log on to FortiSOAR. Log on to FortiSOAR using SSO by clicking the Use Single Sign On (SSO) link that is present on the FortiSOAR login page.

FortiSOAR™ login with the SSO link

Once you click the Use Single Sign On (SSO) link, you are redirected to a third-party identity login page, where you must enter your credentials and get yourself authenticated. Once you successfully log on to FortiSOAR, your user profile automatically gets created. Your user profile is created based on the default values, such as your default team and role, configured by your administrator. You can update your profile by editing your user profile.

User Profile

All users of the system have a profile. Once you log on to FortiSOAR, you can access your own profile and can update your information. To access your profile, click the User Profile icon (User Profile icon) on the top-right bar in FortiSOAR.

User Profile Page

You can view your name, email, username, password, phone numbers, teams and roles to which you are assigned. You can also view your own audit logs, which display a chronological list of all the actions that you have performed across all the modules of FortiSOAR.

Note

The Username field is mandatory and case sensitive and it cannot be changed once it is set.

You must change your password when you first log on to FortiSOAR. You can change your password by clicking the User Profile icon and selecting the Change Password option. Clicking the Change Password option opens the Change Password dialog in which you enter your old password in the Old Password field, new password in the New Password field and re-enter the new password in the Confirm Password Field. Click Submit to change your password.

Change Password Dialog

Note

If you face issues with user preferences such as, applying filters on the grid or column formatting within a grid, click the More Options icon (More Options icon) and click on the Reset Columns To Default option.

Authentication

You can view your user type and username in the Authentication section. Do not change this option.

You can also reset your password by clicking the Reset Password button.

User Profile - Authentication

Clicking Reset Password opens the Reset Password dialog in which you enter the password that you want to set in the New Password field and re-enter the new password in the Confirm Password Field. Click Submit to change your password.

2-Factor

The 2-Factor authentication menu displays the current user preference for the 2-factor method. Currently, FortiSOAR supports only TeleSign for 2-Factor authentication. Do not change this option.

Notifications

Currently, notification preferences are limited to email. In the future, in-app notifications and SMS notifications will enable additional notification mechanisms. Do not change this option.

Theme Settings

You can update your FortiSOAR theme using the Theme Settings menu on the Edit User page. There are currently three theme options, Dark, Light, and Space, with Space being the default. Click Preview Theme to see the Theme as it would look and save the profile to apply the theme.

History

Use the History menu to view your authentication history and your ten most recent authentication attempts and their outcome.

Audit Logs

Use the User Specific Audit Logs panel to view a chronological list of all the actions that you have performed across all the modules of FortiSOAR. The audit log also displays users' login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.

Regenerating your password

In case you forget your FortiSOAR password, use the following procedure to reset or regenerate your password:

  1. On your FortiSOAR login page, click the Forgot Password link.
    Forgot Password link
  2. On the Forgot Password screen, enter your username, validate the captcha, and then click Send Reset Link.
    Forgot your Password screen
    Once you click Send Reset Link, an email is sent to the email address associated with the specified username.
    Resetting Password - Success Message

Feature Tour

Working in FortiSOAR

The FortiSOAR interface is based around a common navigation bar on the left side of the application, a global search bar, and filtering within modules. All navigation is built on top of the authorization you are provided according to your RBAC permissions.

For instance, if you have Read privileges to the Incidents module, you will be able to view all Incidents that are within your Ownership Sphere.

Navigation

The navigation bar provides quick access to the Components and Modules you are authorized to view.

At the highest level, the navigation bar provides Components, which open when you click on the component to reveal a module menu with all accessible modules. For example, when you click on the Incident Response, its module menu reveals the Alerts, Incidents, Tasks, Indicators and Email modules. Module links go to the Module's record listing pages.

Searching

There are three methods of searching within FortiSOAR.

Search Method Description
Global Search The Global Search bar at the top of the screen allows you to search for one or more keywords across all records within the system
Table Filter The Table Filter method allows you to search the name field quickly, such as Incidents, within the context of an individual data column on the table
Column Filter The Column Filter method within tables allows you to search specific records from a module, such as Incidents, within the context of an individual data column on the table

Search Interface

Global Search

The Global Search mechanism leverages an Elastic Search database to achieve rapid, efficient searches across the entirety of the record system. All the record data is stored in Elastic Search, including from file attachments, and made searchable.

The Global Search mechanism respects authorization from users to return search results, meaning users without Read permissions on a Module would not see results returned from that module even if they were found during the search.

Global Search result findings may be exported in the results table to CSV and then stored for future reference if desired.

Adding Records

Add records to a module using the Add button present on top of the grid that lists module records based on RBAC permissions.

Editing

Record editing within the record detail view can be accomplished via Inline editing, which allows for quick changes to fields and requires confirmation for all updates.

Additionally, in the detail view of every record is an Edit button on the top right in the breadcrumb bar. This gives you access to a bulk editing interface for all fields that are allowed within the authorization model of your user.

Modules & Models

One of the primary features of FortiSOAR is the ability to provide a clean interface with customized data models optimized for tracking day-to-day security data, such as Alerts.

FortiSOAR unifies the data streams to provide a centralized management interface for tracking. This means Incidents may spend their entire lifecycle rolled up inside of FortiSOAR and working across other related data being tracked, such as Tasks or Assets.

By providing a single place to view and organize security data, much of the overhead and manual effort of going to disparate security tools is significantly reduced. Users are enabled to focus on analyzing the data, not collecting the data.

Models within FortiSOAR are easily customizable according to the needs of an organization via API.

Many modules may be accessed through relationships but may not directly display in the interface navigation. Please see the detailed list of modules provided for more description.

Modules provide access to individual data models within the FortiSOAR database, such as Incidents.

All Module fields are editable and can be customized or extended as needed via API. Models are based on a standard JSON schema.

Note

We recommend you do not delete the core module fields that are included in your instance without consulting FortiSOAR Support. Deletion of core module fields may result in upgrade issues at a future date.

Not all modules will be exposed in the navigation. Some of them are only accessible within the context of other modules. You can modify the default navigation if you desire to add new modules at any time.

Some modules that are generally included by default in FortiSOAR are:

  • Alerts: Alerts generally represent records that contain a notice of suspicious activity typically triggered in a SIEM.
  • Incidents: Incidents generally represent records of actual breach of security.
  • Events: Events generally represent records that contain machine-level information which triggered a specific alert.
  • Indicators: Indicators generally represent records that contain simple identifiable information regarding a threat such as an IP or URL.

NOTE: Playbooks and Reporting do not have any associated Module definition.

Linking

Individual records are easily linked in the FortiSOAR interface to provide context and make it simple to track relationships. Linking may be contextual or operational.

Operational Links

For instance, an Incident may have multiple Tasks automatically generated based on the type of Incident. These Tasks stay linked to the Incident throughout the lifecycle and allow for an easy operational overview of where an Incident is beyond tracking just the Incident phase.

Contextual Links

In contextual situations, linking provides the ability to relate data records together and increase velocity during Preparation and Analysis activities.

For instance, Alerts link to Artifacts which then may be automatically linked to Assets. Artifacts within an Alert from your SIEM tool may contain information that helps identify and link Asset records making it simple for an Analyst to understand the potential scope of an Alert. FortiSOAR can find identifiable Asset information and then use that to search one or more Asset resources, such as a CMDB, local DNS, or DHCP records.

Linking is accomplished within the record detail view.

Automation

FortiSOAR provides a powerful Workflow Engine where machine-to-machine (M2M) automation, policy enforcement, data enrichment, and notifications, are all available within a simple drag-and-drop interface.

Security Playbooks may be digitized and automated via Workflows. A standard library of Playbooks may be added at the time of installation to provide a quick level of defaults that may then be customized to match the specific use cases of your environment.

Access Control

FortiSOAR utilizes a robust security model with Role Based Access Control (RBAC) as well as team ownership.

RBAC provides Create, Read, Update, and Delete (CRUD), permissions on individual models within the platform. Roles are created by granting CRUD privileges on models within the available models' list.

Teams provide for row-level ownership of records. Teams have an explicit hierarchy model to allow for complex relationships. The Teams you are a member of and their relationships combined define an Ownership Sphere. An Ownership Sphere is the full set of records on which you can exercise your permissions.

Live UI - Web Sockets

Live UI provides users with many benefits, such as immediate refreshing of records in case of an update by users or workflow (playbook or API), without the users having to refresh the views to see the updates manually.

When a user or workflow (playbook or API) updates any record that is being displayed in the following UI components:

  • Grid and Relationship grid (view panel)
  • Details View Panel
  • Collaboration Panel: Comments or Attachments
  • Approvals in notification panel

Then these changes are immediately reflected to other users who are active on that FortiSOAR instance.

If your FortiSOAR instance is connected to the web sockets server then a green connection icon is displayed at the top-middle of the FortiSOAR UI as shown in the following image:

LiveUI - Connection Established

If your FortiSOAR instance cannot connect to the web sockets server, due to connectivity or any other issues, then a red connection icon and a message such as "Live Sync is not active...." is displayed at the top-middle of the FortiSOAR UI as shown in the following image:

LiveUI - Connection Lost

In such a case FortiSOAR also displays a message to the users asking users to use manual refresh to update the views.