
War Rooms

Overview

War rooms enable SOC teams to get into a collaborative space to mitigate a critical cyber threat scenario or campaign. FortiSOAR makes it easy for analysts to quickly provision a War Room and ensures that the task force is well-equipped to handle and coordinate all aspects of critical situations. FortiSOAR enables stakeholders to analyze and collaborate to quickly mitigate the threat.

To effectively run a war room, you must be able to communicate effectively to both internal and external stakeholders. You must also be able to coordinate between teams, investigate the root cause, and resolve the problem by allocating tasks to specialists, agreeing on milestones, taking notes of technical analysis and solution proposals, and getting feedback on all points. It is also important to be able to escalate issues to executive management so that the management team can decide on the next course of action.

FortiSOAR provides you with the war room framework and allows you to define policies to achieve the functionality required to effectively run the war room. This ensures that members of your SOC team can handle major incidents or threats faster.

The process that is generally followed for threat mitigation is as follows:

  1. Create a Response Team: Form a response team whose members own the threat and are responsible for responding to it. In a FortiSOAR War Room record, using the Dashboard screen, you can create a response team easily and add or remove users and/or teams. For more information, see the Gathering a response team section.
  2. Assign Tasks: Create a task list of all activities that are generally required to respond to a threat and assign those to appropriate members of the response team. You can easily achieve this using the Task Management tab in the war room record.
  3. Investigate the incident: Investigate the threat or incident to find out the root cause and provide the mitigation for the threat. Using the Investigate tab, you can look at related incidents, alerts, indicators, and the assets involved in the investigation. This enables you to look at the bigger picture and assist in investigating and mitigating the threat.
  4. Reporting: Timely threat reporting to stakeholders is of utmost importance. You can use the Communication tab in a war room record to view the summary and current status of this threat, send email updates, and also specify the next steps and notes for activities undertaken.

Communication is the key that ties together all the steps mentioned above, and it is essential for effective mitigation of threats. You should be able to share information and send updates to all the stakeholders with ease. This includes recording and coordinating all activities, such as the context of the issue, the timeline to fix the issue, and an overview of the impact. In this way, when new team members join the war room, they can quickly be brought up to speed and become active contributors. Use the Workspace panel to collaborate among stakeholders by adding comments, tagging users, and adding attachments. You can also convey messages and announcements related to the threat to all the stakeholders using the Communication tab, and view the chronological history of all the activities that were performed in the war room using the Timeline tab.

The following sections describe how to set up this general flow; however, the flow can be customized to include your own changes or additions. You can also customize the War Room module as per your requirements by adding, removing, or modifying fields, picklists, widgets, etc.

You can also repurpose war rooms to set up processes for Business continuity planning (BCP).

Permissions required

War rooms have their own RBAC settings. To create and use War Rooms, you require CRUD permissions on the War Room module. Which teams have access to a War Room depends on the team that sets up the war room. War Rooms also support user-based ownership in addition to team-based ownership.

Note

In a fresh installation of FortiSOAR, the default roles are given access to the War Room module. After a FortiSOAR upgrade, access to the War Room module has to be enabled manually.

Launching War Rooms

  1. To launch a war room, open an incident record, and click Set up War Room.
    Incident Record - Launch War Room
  2. In the Set up War Room dialog, enter an appropriate name and description for the war room. Also, ensure that the Include all analysts involved with this incident as War Room responders checkbox is selected (default) to include all the users who are part of the team that owns this incident, and then click Execute to create a war room in the Draft (default) state.
    Dialog to Launch a War Room
  3. To open the War Room record, either click the link that appears on the incident once the war room is created, or click Incident Response > War Rooms and click the created War Room record:
    War Room Record
    A link to the war room record is also added to the Workspace of the incident.
  4. The war room record opens at the Dashboard tab, which contains the summary of the incident. It is also the place where you can create the response team and assign ownership of this incident to particular users or teams. The war room record also contains other tabs; these are explained in the Setting Up War Rooms section.
    Once you have finished setting up the war room, click the Go Live button to begin sending notifications to all the stakeholders. Apart from this, you can edit, export, or delete the record. You can also leverage FortiSOAR's playbook/connector framework to rapidly mitigate and contain the threat by running playbooks directly using the Execute button. Similarly, you can run connector actions directly on the incident by clicking the Actions button. For more information on all these operations, see the Working with Modules - Alerts & Incidents chapter.

Once you click Go Live, the Go Live dialog is displayed. You can add an external collaboration link to collaborate with stakeholders that are not part of FortiSOAR and then click Go Live. Once you click Go Live, the status of the war room turns from "Draft" to "Active", notifications are sent to all the members of the war room, and the incidents that are linked to the war room display the active War Room in the header widget.

Incident header displaying active War Room in header

Setting up War Rooms

You set up a war room by adding team members, assigning tasks, collaborating between the teams, investigating the incident, etc. To facilitate these activities, the war room record contains the Dashboard, Task Management, Investigate, Communication, and Timeline tabs. It also includes a Workspace panel that helps in collaboration. Details of each tab follow:

Dashboard

The Dashboard tab contains details of the incident, such as its description and current status, the time elapsed since the incident occurred, and the assets impacted by it. It also lists the incidents, alerts, indicators, and artifacts that are related to this incident. You can link records to this incident by clicking the Link record icon in the Incidents, Indicators, Assets & Other Artifacts Involved section.

Note

All modules whose records are related to the war room must be made 'User Ownable'. This is required if you want the records to be viewed by all the responders of the war room.
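As an added example (not FortiSOAR code, and a simplified model of its ownership rules rather than the product's actual implementation), the following Python check models team-based and user-based ownership to show why a module that is not User Ownable leaves individually added responders unable to see its records. The module names, record IDs and the `hidden_from_responders` pre-Go-Live check are all assumptions constructed for the example.

```python
"""Simplified model of record visibility in a war room.

Added example, not FortiSOAR code. Assumption: a record is visible to a
responder if one of the responder's teams owns it, or if the record's
module is 'User Ownable' and the responder is an individual owner.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    name: str
    user_ownable: bool


@dataclass
class Record:
    module: Module
    record_id: str
    owner_teams: set = field(default_factory=set)
    owner_users: set = field(default_factory=set)


@dataclass
class WarRoom:
    name: str
    responder_teams: set
    responder_users: set
    linked: list = field(default_factory=list)

    def link(self, record: Record) -> None:
        """Link a record and propagate war room ownership to it.

        Assumption: team ownership always propagates; individual user
        ownership propagates only when the module is user-ownable.
        """
        record.owner_teams |= self.responder_teams
        if record.module.user_ownable:
            record.owner_users |= self.responder_users
        self.linked.append(record)


def can_view(record: Record, user: str, user_teams: set) -> bool:
    """Return True if the user can view the record under the model above."""
    if record.owner_teams & user_teams:
        return True
    return record.module.user_ownable and user in record.owner_users


def visible_records(war_room: WarRoom, user: str, user_teams: set) -> list:
    """IDs of linked records the given responder can see."""
    return [r.record_id for r in war_room.linked
            if can_view(r, user, user_teams)]


def hidden_from_responders(war_room: WarRoom, membership: dict) -> dict:
    """Map each individual responder to the linked records they cannot see.

    membership maps user -> set of team names. A non-empty result means
    some module still needs to be made User Ownable before going live.
    """
    gaps = {}
    for user in war_room.responder_users:
        teams = membership.get(user, set())
        missing = [r.record_id for r in war_room.linked
                   if not can_view(r, user, teams)]
        if missing:
            gaps[user] = missing
    return gaps


def demo() -> dict:
    # Constructed sample data: one user-ownable module, one that is not.
    incidents = Module("Incidents", user_ownable=True)
    assets = Module("Assets", user_ownable=False)
    room = WarRoom("Sample war room", {"SOC"}, {"analyst_a"})
    room.link(Record(incidents, "INC-1"))
    room.link(Record(assets, "ASSET-7"))
    membership = {"analyst_a": set()}  # Analyst A is not in the SOC team
    return hidden_from_responders(room, membership)


if __name__ == "__main__":
    print(demo())  # {'analyst_a': ['ASSET-7']}
```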

In the footer of the War Room Record, you can use the following buttons to perform operations:

  • Generate Report: Click to generate reports and metrics for this threat. When a report is generated, a Report field is added to the Info Center and the playbook responsible for generating the report also adds a comment in the Workspace. You can download the generated report, in PDF format, from the link in the Report field or by using the Download File link in the Workspace:
    War Room Generated Report available for download
  • Execute: Click to execute playbook actions on the record.
  • Actions: Click to execute connector actions directly on the record. You can also add tags to the result of the action making it easier to filter the action logs. You can also add the Evidence tag, to mark the result as evidence, which then gets added to the Evidences tab within Investigate.
    To know more about the Execute and Action buttons and operations, see the Working with Modules - Alerts & Incidents chapter.
  • Edit Record: Click to edit the war room record in the Form format.
  • Export Record: Click to export the war room record in the CSV or PDF format.
  • Delete Record: Click to delete the war room record.

Gathering a response team

The Info Center panel is a collapsible panel on the left side of the detail view. It contains information such as who launched or set up the war room, since when the war room has been active, and the conference bridge and collaboration details.

It is also where you can find the details of the response team, i.e., the teams and users who own this war room and are responsible for responding to this incident. You can assign both teams and users. For example, if a SOC team is part of the response team but you also want Analyst A (who is not part of the SOC) to be an individual owner, click the Users field and select Analyst A from the drop-down list.

War Room Record - Info Center Panel

You can edit the form to add or remove fields and widgets in the War Room record as per your requirements. You can add fields to the War Room module using the Module Editor; for example, you can add a field named 'Impact on BCP' and add this field to the War Room template. You will then be able to see the 'Impact on BCP' field in the war room record, as shown in the following image:

War Room Record with Edited SVT

For information on the Module Editor, see the Application Editor chapter in the "Administration Guide". For information on editing SVTs and widgets, see the Dashboards, Templates, and Widgets chapter.

Workspace - Enabling Communication

The Workspace panel is a collapsible panel on the right side of the detail view, through which collaboration between the various stakeholders is achieved by adding comments to the record. This enables participation of stakeholders and team members across the organization. FortiSOAR supports message threads, which help in keeping track of conversations and make it easier to respond to a specific thread. You can mention or tag users in comments by typing @ and then selecting the users from the displayed list, and you can also mark a comment as important. Users who are tagged are notified of their mentions by email.

War Room Record - Workspace Panel

For more information on how comments work in a record, see the Working with Modules - Alerts & Incidents chapter.

Task Management

Use the Task Management tab to manage all tasks related to the war room. This is where you create a task list, manage task assignments, and track tasks until their completion. The Task Management tab contains the various tasks, grouped by fields such as the Status of the task. As shown in the following image, task cards are grouped together based on the status of the task: In Progress, On Hold/Blocked, and Completed:

Investigate tab - Managing Tasks

Tasks are grouped by Status by default; however, you can change the grouping as per your requirements, for example, group by Type, and you can also choose the fields that you want to display on the card by editing the 'Task Management' widget in the war room record template. For information on editing templates and widgets, see the Dashboards, Templates, and Widgets chapter. FortiSOAR also contains a "Widget Library" that allows you to edit out-of-the-box (OOB) widgets such as the 'Task Management' widget, and to build new widgets for custom use cases.

You can create a task list of activities for mitigating the threat and assign them to various members of the team. To create a task, click + (Add new tasks) in the card group/bucket in which you want to create the task:

Investigate tab - Adding new tasks

In the Add Task form, fill in fields such as the name of the task, its due date, priority, and status, and select the person to whom you want to assign the task. You can also leave the task unassigned and assign it to a team member at a later time. Click Save to add the card to the task list in the bucket specified by the status you have selected. For example, in the above image the created task will be added to the In Progress bucket, and the user to whom it is assigned, i.e., Analyst A, will receive an email notification of the task assignment.

You can also drag and drop cards from one bucket to another to quickly change the task states.

Investigate

Use the Investigate tab to investigate the incident and perform root cause analysis. It contains all the records and evidence linked to that particular incident, giving you a complete picture of all the events that led to the security threat.

It displays an Artifacts tab that contains a graphical representation of all the records that are linked to this incident as shown in the following image:

Investigate Tab - Artifacts

It also contains an Evidence tab, where you can view all evidence related to this threat. You can investigate from the war room by executing playbooks or connector actions directly on the war room record. For example, you could run a 'Get Domain Reputation' action belonging to the VirusTotal connector directly on this record, and if the result of the action has a bearing on this threat, you can tag the result of the action as Evidence, which then gets added to the Evidence tab. You can also manually upload evidence in this screen by dragging and dropping the evidence file or browsing to it. For more information on action logs and marking an action log as evidence, see the Working with Modules - Alerts & Incidents chapter.

War Room - Evidence tab

Communication

Use the Communication tab to view the summary and current status of the threat, attach or send announcements associated with this threat, and define next steps for the threat.

In the Next Steps section, you can add a list of pending tasks, or add notes for the activities undertaken.

War Room - Communication tab

You can also link or send announcements to all the members of the response team. To add an announcement, click Add to display the Add New Announcement dialog. Select the announcement type and the criticality of the announcement, and then enter the title and description for the announcement. The announcement type can be Meeting, Information, or Generic, and its criticality can be Generic or Important. If you also want to notify the responders by email, select the Notify Responders On Email checkbox:

War Room Announcements Dialog

Timeline

The Timeline tab displays a historical timeline for the current war room, i.e., it displays the chronological history of all the activities that were performed in the war room:

War Room - Timeline tab

Detailed information on the Timeline widget is available in the Dashboards, Templates, and Widgets chapter.