Modules provide access to individual data models within the FortiSOAR database, such as
A fresh install of FortiSOAR includes the following default modules.
In FortiSOAR, the left navigation bar categorizes the modules as follows:
- Queue Management
- Incident Response
- MITRE ATT&CK Techniques
- Vulnerability Management
- Widget Library
Dashboards are generally the users' default home page. Administrators create dashboards that are applicable throughout the application and are assigned to users based on their roles. For more information, see the Dashboards, Templates, and Widgets chapter.
Queue Management provides an overview of the work (records) that needs to be completed and lets you assign pending work to users. You can also configure queue management to automatically assign unassigned items to specific queues or users. For more information, see the Queue Management chapter.
The Incident Response Component is a collection of all modules typically related to Security Incidents. You can work through the entire Incident lifecycle from within this component.
This component underpins the operational side of your SOC. The standard flow starts within the
Alerts in FortiSOAR are essentially notifications that an attack has been directed at an organization's systems. Alerts are related to events and often contain the information needed to address the attack, such as the vulnerabilities and exploits being leveraged by the potential attack.
Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be cyber or physical security related.
Campaigns represent a collection of Incidents that can be tied to a single Threat Actor. Seemingly disparate Incidents might actually be related attempts from a malicious attacker attempting to probe and gain access to your network.
It is generally difficult to determine whether Incidents are related and to roll them into a Campaign. Typically, they are linked to a known, single threat actor by some uniquely identifiable piece of information that ties the Actor across multiple Incidents. Note that Campaigns are not part of the default modules.
Tasks represent a discrete action taken by either an individual or automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond that of your SOC team.
Tasks might also be created to represent actions taken automatically as part of a response policy enacted by a Workflow. This requires the Workflow to include a step that inserts a Task as a record of an action undertaken by an external system, such as adding an IP address to the denylist in the firewall rule set.
Indicators contain details of all the data collected from system log entries or files that identifies potentially malicious activity on a system or network. The module holds records of identifiable information about a threat, such as an IP address or URL.
Once an alert is created, FortiSOAR extracts metadata from the raw alert data and creates indicators. Each indicator records its type (IP address, URL, attachment, domain, and so on), its value (for example, the IP address or the domain name), whether the indicator has been sighted in any other alerts, and its IOC status.
Emails contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOAR extracts and stores the Email Headers for further investigation. FortiSOAR also creates an alert with a link to the email.
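As an added example written for this page (not FortiSOAR's own code), the following Python sketch shows the two steps the Emails and Indicators descriptions above refer to: parsing a raw email to store its headers, then extracting typed indicators (URL, IP, domain) from the header values and body, counting how many alerts have sighted each value and assigning an IOC status. The sample phishing email, the firewall alert, the `KNOWN_BAD` threat-intel set, the `INTERNAL_DOMAINS` exclusion and the status rule are all constructed assumptions for illustration; FortiSOAR's actual field names and enrichment logic are not shown here.

```python
import email
import re
from dataclasses import dataclass
from email import policy

# Constructed sample: a raw phishing email as it might be added to the Emails module.
RAW_EMAIL = b"""Return-Path: <billing@paypa1-secure.example>
Received: from mail.paypa1-secure.example (mail.paypa1-secure.example [203.0.113.45])
\tby mx.corp.example with ESMTP id abc123
From: "PayPal Billing" <billing@paypa1-secure.example>
To: analyst@corp.example
Subject: Action required: verify your account
Content-Type: text/plain; charset="utf-8"

Your account is on hold. Verify now at http://paypa1-secure.example/login?id=7
or contact 198.51.100.7 for support.
"""

# Constructed sample: a second alert (e.g. from a firewall) that sights the same IP again.
RAW_FIREWALL_ALERT = "DENY outbound tcp to 198.51.100.7:443 from workstation WS-0423"

HEADERS_OF_INTEREST = ("Return-Path", "Received", "From", "Reply-To", "Subject")
INTERNAL_DOMAINS = {"corp.example"}          # assumption: the org's own domains are not IOCs
KNOWN_BAD = {("ip", "203.0.113.45")}         # assumption: stands in for threat-intel enrichment

INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


@dataclass
class Indicator:
    kind: str
    value: str
    sightings: int = 0        # number of distinct alerts in which the value was seen
    status: str = "unknown"   # IOC status: unknown, suspicious or malicious


def extract_email_headers(raw: bytes) -> tuple[dict[str, list[str]], str]:
    """Parse a raw RFC 5322 message; return the headers of interest and the plain-text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = {}
    for name in HEADERS_OF_INTEREST:
        values = [str(v) for v in msg.get_all(name, [])]
        if values:
            headers[name] = values
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return headers, body


def extract_indicators(text: str) -> set[tuple[str, str]]:
    """Return {(kind, value)} for every URL, IP and external domain found in free text."""
    found = set()
    for kind, pattern in INDICATOR_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;:)")
            if kind == "domain" and any(value == d or value.endswith("." + d) for d in INTERNAL_DOMAINS):
                continue  # skip the organization's own infrastructure
            found.add((kind, value))
    return found


class IndicatorStore:
    """In-memory stand-in for the Indicators module: one record per (kind, value)."""

    def __init__(self) -> None:
        self.records: dict[tuple[str, str], Indicator] = {}

    def ingest_alert(self, raw_text: str) -> list[Indicator]:
        """Extract indicators from one alert's raw text and update sightings and status."""
        touched = []
        for kind, value in extract_indicators(raw_text):
            rec = self.records.setdefault((kind, value), Indicator(kind, value))
            rec.sightings += 1
            # Status rule (an assumption for this example): a threat-intel hit is malicious;
            # otherwise a value sighted in more than one alert is escalated to suspicious.
            if (kind, value) in KNOWN_BAD:
                rec.status = "malicious"
            elif rec.sightings > 1 and rec.status == "unknown":
                rec.status = "suspicious"
            touched.append(rec)
        return touched

    def ingest_email(self, raw: bytes) -> list[Indicator]:
        """Store the headers as the Emails module would, then treat headers plus body as alert data."""
        headers, body = extract_email_headers(raw)
        header_text = "\n".join(v for values in headers.values() for v in values)
        return self.ingest_alert(header_text + "\n" + body)


if __name__ == "__main__":
    store = IndicatorStore()
    store.ingest_email(RAW_EMAIL)
    store.ingest_alert(RAW_FIREWALL_ALERT)
    for rec in sorted(store.records.values(), key=lambda r: (r.kind, r.value)):
        print(f"{rec.kind:7} {rec.value:45} sightings={rec.sightings} status={rec.status}")
```

Running the script ingests the phishing email and then the firewall alert: the sending MTA's IP comes out as malicious because the constructed threat-intel set lists it, the callback IP is escalated to suspicious on its second sighting, and the organization's own MX host is dropped by the internal-domain exclusion, which is the kind of noise filter you want before indicators start driving automated blocks.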
The MITRE ATT&CK Techniques module displays MITRE ATT&CK Techniques. FortiSOAR ships with playbooks that pull these techniques and playbooks that classify alerts into the relevant MITRE ATT&CK Techniques.
War Rooms in FortiSOAR are collaborative spaces that enable SOC teams to mitigate a critical cyber threat scenario or campaign. FortiSOAR makes it easy for analysts to quickly provision a War Room in which all stakeholders can analyze and collaborate to mitigate the threat and restore services. For more information, see the War Rooms chapter.
The Vulnerability Management Component is a collection of all modules typically related to vulnerabilities that exist in your system.
Vulnerabilities represent a collection of weaknesses in your systems that can lead to security concerns. You can configure vulnerability scans to run periodically on your network, creating an inventory of the vulnerabilities for your specific assets.
Computers represent the Assets of your organization. Assets represent a unique piece of hardware and any information known about that hardware, such as MAC address, hostname, or IP address. Assets preferably have a unique identifier.
Assets typically are only stored within FortiSOAR as records related to Incidents, Alerts, or Vulnerabilities. Asset information may be pulled from a CMDB or other resource available with knowledge of the asset characteristics, such as an ARP table or DHCP records.
In the case of large networks, Asset tracking is often a complicated process and plagued with limitations. We recommend that Asset creation involve corroboration between multiple unique sources of data that build a level of confidence in the accuracy of the Asset information, as single sources can be unreliable with respect to data integrity and accuracy.
Scans contain the details of all the scans that you run on your systems. Each record captures a bulk scan imported from a scanner.
The Automation Component is a collection of modules that you can use to automate your security operations.
Playbooks in FortiSOAR allow you to automate your security processes across external systems while respecting the business processes your organization requires to function. For more information, see the Playbooks Guide.
Connectors provide you the ability to retrieve data from custom sources and perform automated operations. For more information, see Connectors Guide.
Schedules in FortiSOAR allow you to run playbooks at regular intervals. For more information, see the Schedules chapter.
Schedules as a module has been removed, i.e., you will not find schedules on the
SLA Templates in FortiSOAR can be used to set up built-in SLA management for incidents and alerts. For more information, see the SLA Management chapter in the "Administration Guide."
The Resources Component is a collection of all modules typically related to components stored in FortiSOAR such as attachments and templates.
Attachments represent files that are uploaded and stored in FortiSOAR. You can submit files stored in the FortiSOAR Attachments module to third-party tools to scan and analyze suspicious files and retrieve reports for the submitted samples.
You can upload files of up to 100 MB to the Attachments module.
Email Templates represent templates that are stored in FortiSOAR that you can use when you want to send emails from FortiSOAR. For example, if you have created a rule that requires FortiSOAR to send an email automatically if a particular condition is met, then you must create a template for the email and save that email in the Email Templates module.
The Email Templates module includes a set of standard templates shipped with FortiSOAR, such as the email sent when a new user is added in FortiSOAR and the email sent to users who request a reset of their FortiSOAR password.
Reports represent the FortiSOAR Reports you use for your reporting needs. You can easily create rich reports and dashboards in FortiSOAR, schedule reports, view historical reports, and search for text in the generated PDF, which is text-based rather than image-based. For more information, see the Reports chapter.
Widget Library allows users to edit out-of-the-box (OOB) widgets and build new widgets for custom use cases. For more information, see the Widget Library chapter.
The Help Component contains the Knowledge Base, which is the FortiSOAR Product documentation, along with small tutorials and examples, to help you work effectively with FortiSOAR.