User Guide

Default Modules

Modules provide access to individual data models within the FortiSOAR database, such as Incidents.

You will see the following default modules on a fresh install of FortiSOAR.

In FortiSOAR, the left navigation bar categorizes the modules as follows:

  • Dashboard
  • Queue Management
  • Incident Response
    Alerts
    Incidents
    Tasks
    Indicators
    Emails
    MITRE ATT&CK Techniques
    War Rooms
  • Vulnerability Management
    Vulnerabilities
    Assets
    Scans
  • Automation
    Playbooks
    Connectors
    Schedules
    SLA Templates
  • Resources
    Attachments
    Email Templates
  • Reports
  • Widget Library
  • Help

Dashboard

Dashboards are generally the users' default home page. Administrators create dashboards that are applicable throughout the application and are assigned to users based on their roles. For more information, see the Dashboards, Templates, and Widgets chapter.

Queue Management

Queue Management provides you with an overview of work (records) that needs to be completed and enables you to assign pending work to users. You can also configure queue management to assign unassigned items to specific queues or users automatically. For more information, see the Queue Management chapter.

Incident Response

The Incident Response Component is a collection of all modules typically related to Security Incidents. You can work on the entire Incident lifecycle from within this component.

This component underpins the operational side of your SOC. The standard flow starts within the Alerts module.

Alerts

Alerts in FortiSOAR are essentially notifications indicating that an attack has been directed at an organization's systems. Alerts are related to events and often contain essential information for addressing the attack, including the vulnerabilities and exploits being leveraged by the potential attack.

Incidents

Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be cyber or physical security related.

Campaigns represent a collection of Incidents that can be tied to a single Threat Actor. Seemingly disparate Incidents might actually be related attempts from a malicious attacker attempting to probe and gain access to your network.

It is generally difficult to determine if Incidents themselves are related and roll them into a Campaign. Typically, they would be linked by a known, single threat actor based upon some uniquely identifiable piece of information that ties the Actor across multiple Incidents. Note that Campaigns are not part of default modules.

Tasks

Tasks represent a discrete action taken by either an individual or automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond that of your SOC team.

Tasks might also be created to represent actions taken automatically as part of a response policy enacted by a Workflow. This requires the Workflow to have a step that inserts a Task as a record of an action undertaken by an external system, such as adding an IP address to the denylist in the firewall rule set.

Indicators

Indicators contain details of all the data collected from system log entries or files that identifies potentially malicious activity on a system or network. The module holds records of identifiable information regarding a threat, such as an IP address or URL.

Once an alert is created, FortiSOAR extracts the metadata from the raw alert data and creates indicators with details such as the indicator type (IP address, URL, attachment, domain, and so on), the indicator value (for example, the IP address or the domain name), whether the indicator has been sighted in any other alerts, and the IOC status of the indicator.
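The extraction flow described above, as an added example that is not FortiSOAR's own code: raw alert text is scanned for URLs, IPv4 addresses and domains, the results are deduplicated across alerts so that each indicator carries the list of alerts it was sighted in, and a status is assigned. The alert records, the regular expressions, the `Indicator` class and the status labels (`internal`, `suspicious`, `unknown`) are all assumptions made for this illustration; FortiSOAR's own IOC status values and extraction rules are not reproduced here.

```python
import re
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample alerts; the "raw" text stands in for the raw alert data
# that would arrive from a SIEM or other source. Not real FortiSOAR records.
SAMPLE_ALERTS = [
    {"id": "ALERT-1", "raw": "Outbound connection to http://bad.example.net/login from 10.0.0.5"},
    {"id": "ALERT-2", "raw": "DNS query for bad.example.net by host 10.0.0.7"},
    {"id": "ALERT-3", "raw": "Blocked 203.0.113.9 contacting 10.0.0.5"},
]

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# RFC 1918 ranges, assumed here to be the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Indicator:
    type: str                                      # "ip", "url" or "domain"
    value: str
    sightings: list = field(default_factory=list)  # ids of the alerts the value appeared in
    status: str = "unknown"                        # hypothetical IOC status label, set by classify()


def extract_from_raw(raw):
    """Return (type, value) pairs found in one alert's raw text.

    URLs are extracted first and blanked out so their host and path are not
    re-matched as separate hits; the URL's host is recorded as its own indicator
    so that sightings of the same host across alerts line up."""
    found = []
    text = raw
    for url in URL_RE.findall(text):
        found.append(("url", url))
        host = urlparse(url).hostname
        if host:
            found.append(("ip" if IPV4_RE.fullmatch(host) else "domain", host.lower()))
        text = text.replace(url, " ")
    for ip in IPV4_RE.findall(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.2.3 matches the pattern but is not an address
        found.append(("ip", ip))
    text = IPV4_RE.sub(" ", text)
    for domain in DOMAIN_RE.findall(text):
        found.append(("domain", domain.lower()))
    return found


def classify(ind):
    """Assumed status policy: internal addresses are not treated as IOCs, a value
    seen in two or more alerts is flagged for review, anything else stays unknown."""
    if ind.type == "ip":
        addr = ipaddress.ip_address(ind.value)
        if any(addr in net for net in INTERNAL_NETS):
            return "internal"
    if len(ind.sightings) >= 2:
        return "suspicious"
    return "unknown"


def build_indicators(alerts):
    """Deduplicate indicators across alerts, keyed by (type, value), and record
    which alerts each one was sighted in before assigning a status."""
    table = {}
    for alert in alerts:
        for itype, value in extract_from_raw(alert["raw"]):
            ind = table.setdefault((itype, value), Indicator(itype, value))
            if alert["id"] not in ind.sightings:
                ind.sightings.append(alert["id"])
    for ind in table.values():
        ind.status = classify(ind)
    return table


if __name__ == "__main__":
    for (itype, value), ind in build_indicators(SAMPLE_ALERTS).items():
        print(f"{itype:7} {value:30} sightings={ind.sightings} status={ind.status}")
```

Running the script shows why the cross-alert sighting matters: the domain `bad.example.net` appears both inside the URL in ALERT-1 and on its own in ALERT-2, so it collects two sightings and is flagged, while the internal hosts are kept for context but never promoted to IOCs.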

Emails

Emails contain potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOAR extracts and stores the Email Headers for further investigation. FortiSOAR also creates an alert with a link to the email.

MITRE ATT&CK Techniques

The MITRE ATT&CK Techniques module displays MITRE ATT&CK Techniques. FortiSOAR contains some playbooks that pull these techniques and some playbooks that can classify alerts into the relevant MITRE ATT&CK Techniques.

War Rooms

War Rooms in FortiSOAR are collaborative spaces that enable SOC teams to mitigate a critical cyber threat scenario or campaign. FortiSOAR makes it easy for analysts to quickly provision a War Room in which all stakeholders can participate, analyze and collaborate to mitigate the threat and restore services. For more information, see the War Rooms chapter.

Vulnerability Management

The Vulnerability Management Component is a collection of all modules typically related to vulnerabilities that exist in your system.

Vulnerabilities

Vulnerabilities represent a collection of weaknesses in your systems that can lead to security concerns. You can configure vulnerability scans to run periodically on your network, creating an inventory of the vulnerabilities for your specific assets.

Assets

Assets represent the computers of your organization: each Asset is a unique piece of hardware together with any information known about that hardware, such as its MAC address, hostname, or IP address. Assets preferably have a unique identifier.

Assets typically are only stored within FortiSOAR as records related to Incidents, Alerts, or Vulnerabilities. Asset information may be pulled from a CMDB or other resource available with knowledge of the asset characteristics, such as an ARP table or DHCP records.

In the case of large networks, Asset tracking is often a complicated process and plagued with limitations. We recommend that Asset creation involve corroboration between multiple unique sources of data that build a level of confidence in the accuracy of the Asset information, as single sources can be unreliable with respect to data integrity and accuracy.
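The corroboration recommended above, as an added example that is not FortiSOAR's own code: records from a CMDB, an ARP table and DHCP leases are joined on the MAC address (the unique identifier), each attribute takes the value backed by the most sources with disagreement flagged, and the asset is only accepted once enough independent sources know it. The three inventories, the source names, the `corroborate` function and the `min_sources` threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample inventories from three sources (not FortiSOAR data); the MAC
# address serves as the unique identifier that joins records across sources.
CMDB_RECORDS = [
    {"mac": "00:11:22:33:44:55", "hostname": "ws-01", "ip": "10.0.0.5"},
    {"mac": "CC:DD:EE:FF:00:11", "hostname": "old-srv", "ip": "10.0.0.44"},  # only the CMDB knows this one
]
ARP_RECORDS = [
    {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5"},
    {"mac": "66:77:88:99:aa:bb", "ip": "10.0.0.9"},
]
DHCP_RECORDS = [
    {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "hostname": "ws-01"},
    {"mac": "66:77:88:99:aa:bb", "ip": "10.0.0.12", "hostname": "lap-07"},  # disagrees with ARP on the IP
]

ATTRIBUTES = ("ip", "hostname")


def corroborate(sources, min_sources=2):
    """Merge per-source records into candidate assets keyed by MAC.

    For each attribute the value backed by the most sources wins and any
    disagreement is flagged; the confidence score is the number of independent
    sources that know the MAC, and an asset is accepted only when that count
    reaches min_sources (an assumed policy threshold)."""
    by_mac = defaultdict(dict)  # mac -> {source name: record}
    for name, records in sources.items():
        for rec in records:
            by_mac[rec["mac"].lower()][name] = rec

    assets = {}
    for mac, seen in by_mac.items():
        attrs = {}
        for attr in ATTRIBUTES:
            votes = defaultdict(list)  # candidate value -> sources asserting it
            for name, rec in seen.items():
                if rec.get(attr):
                    votes[rec[attr]].append(name)
            if votes:
                value, backers = max(votes.items(), key=lambda kv: len(kv[1]))
                attrs[attr] = {"value": value, "sources": sorted(backers), "conflict": len(votes) > 1}
        assets[mac] = {
            "sources": sorted(seen),
            "confidence": len(seen),
            "accepted": len(seen) >= min_sources,
            "attributes": attrs,
        }
    return assets


if __name__ == "__main__":
    merged = corroborate({"cmdb": CMDB_RECORDS, "arp": ARP_RECORDS, "dhcp": DHCP_RECORDS})
    for mac, asset in merged.items():
        print(mac, asset)
```

With this input the workstation is confirmed by all three sources, the laptop is accepted but carries an IP conflict (a stale ARP entry or a new DHCP lease) that an analyst should resolve before trusting the address, and the server known only to the CMDB is held back until a second source corroborates it.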

Scans

Scans contain the details of all the scans that you run on your systems. The module holds records of bulk scans imported from scanners.

Automation

The Automation Component is a collection of modules that you can use to automate your security operations.

Playbooks

Playbooks in FortiSOAR allow you to automate your security processes across external systems while respecting the business processes required for your organization to function. For more information, see the Playbooks Guide.

Connectors

Connectors provide you with the ability to retrieve data from custom sources and perform automated operations. For more information, see the Connectors Guide.

Schedules

Schedules in FortiSOAR allow you to schedule playbooks to run at regular intervals. For more information, see the Schedules chapter.

Note

Schedules is not available as a module, i.e., you will not find Schedules on the Modules page and you cannot modify the mmd of the schedules using the Application Editor.

SLA Templates

SLA Templates in FortiSOAR can be used to set up built-in SLA management for incidents and alerts. For more information, see the SLA Management chapter in the "Administration Guide."

Resources

The Resources Component is a collection of all modules typically related to components stored in FortiSOAR such as attachments and templates.

Attachments

Attachments represent files that are uploaded and stored in FortiSOAR. You can submit files stored in the FortiSOAR Attachments module to third-party tools to scan and analyze suspicious files and retrieve reports for the submitted samples.

Tooltip

You can add a file up to the maximum file size of 100 MB in the Attachments module.

Email Templates

Email Templates represent templates that are stored in FortiSOAR that you can use when you want to send emails from FortiSOAR. For example, if you have created a rule that requires FortiSOAR to send an email automatically if a particular condition is met, then you must create a template for the email and save that email in the Email Templates module.

Email Templates contain a set of standard templates included with FortiSOAR. Standard templates include emails that are sent by FortiSOAR when a new user is added in FortiSOAR or an email that is sent to users when they forget their passwords and send a request to reset the FortiSOAR password.

Reports

Reports are the FortiSOAR reports you use for your reporting needs. You can easily create rich reports and dashboards in FortiSOAR. You can also schedule reports, view historical reports, and search for text in the report PDF, which is generated as a text (searchable) PDF. For more information, see the Reports chapter.

Widget Library

Widget Library allows users to customize out-of-the-box (OOB) widgets and build new widgets for their own use cases. For more information, see the Widget Library chapter.

Help / Knowledge Base

The Help Component contains the Knowledge Base, which is the FortiSOAR Product documentation, along with small tutorials and examples, to help you work effectively with FortiSOAR.