Fortinet black logo

Administration Guide

SLA Management

Copy Link
Copy Doc ID f50e6507-ba25-11ec-9fd1-fa163e15d75b:792686
Download PDF

SLA Management

FortiSOAR provides you with a SLA Templates module using which you can create in-built SLA management for incidents and alerts.

You can define SLAs for incidents and alerts at varying degrees of severity and track whether those SLAs are met or missed.

Tooltip

The SLA feature requires the SOAR Framework Solution Pack to be installed.
In release 7.2.0 the SOAR Framework Solution Pack is installed by default on your FortiSOAR system.

FortiSOAR contains "06 - IRP - Case Management" playbooks collection that automatically tracks the SLAs of alerts and incidents and other OOB playbooks that demonstrate various use cases.The SLA Calculator connector is used for calculating the SLA due dates based on the locale and work hours that you have been specified. For more information on the SLA calculator, see the SLA calculator documentation on the FortiSOAR Connectors page.

Permissions required for managing SLAs

To create and manage SLAs, you must be assigned a role with a minimum of Create, Read, and Update permission on the SLA Templates module, Execute permission on the Playbooks module, Usage permission on the Widgets module, along with the default Read permission on the Application module. Appropriate permissions are also required to be assigned for the module, Alert/Incident on which you want to define the SLA.

Working with SLA Templates

FortiSOAR includes SLA templates for each of the severity levels defined for incidents or alerts, i.e, 5 SLA Templates for each severity level, i.e., Critical, High, Medium, Low, and Minimal, is added by default in FortiSOAR.
SLA Templates page

You can set SLAs for both alerts and incidents using the same SLA Template.

To view or edit existing SLA templates, do the following:

  1. Click Automation > SLA Templates in the left navigation bar.
  2. Click the row of the SLA template that you want to view or edit. For example, click the SLA for High, i.e., for alerts or incidents whose severity is set to 'High'.
  3. View the following set SLAs set:
    Time to acknowledge an incident or alert (Incident Ack Time/Alert Ack Time): 20 minutes. Acknowledgment SLAs are tracked on the setting of the status of incidents to 'In Progress' and alerts to 'Investigating'.
    Time to respond to an incident or alert (Incident Response Time/Alert Response Time): 30 minutes. Response SLAs are tracked on the setting of the of the status of incidents to 'Resolved' and alerts to 'Closed'.
    Similarly, SLAs can be paused (Pause Incident SLA On/Pause Alert SLA On) when the status of incidents is set to 'Awaiting' and alerts to 'Pending'.
    You can edit the values of any of the above fields, for example, Incident Ack Time based on your requirements:
    Include SLA template for High severity alerts and incidents
    To edit the SLA template in a form view, click the Edit Record button, edit the values, and then click Save.

You can similarly add new SLA templates for alerts and incidents as per your requirement by clicking Add on the SLA Templates page.

Viewing setting of SLAs on a record

You can view fields related to SLAs in the detail view of your alert or incident record, where you will see fields such as Ack Due Date, Ack Date, Ack SLA, Response Due Date, etc. using which you can track whether or not the SLAs have been met.

Tooltip

Records must be in the “Open” state along with a proper severity set for the acknowledgement and response SLAs to be calculated.

Open an alert record to view the status of the SLAs, i.e., whether they have been met, missed, or awaiting some action. For example, in the following image, the Ack SLA for an alert with High severity has been Met, whereas the response SLA timer is running at 23 minutes 18 seconds, and the Response SLA it is set to Awaiting Action. You can also see that the status of this alert is set to 'Investigating' which is why the acknowledgment SLA is met. Once the investigation of this alert is completed and its status is set to 'Closed', the time for the response will be calculated and according the Response SLA will be set to Met or Missed:

Sample alert record with SLAs set

SLA Management

FortiSOAR provides you with a SLA Templates module using which you can create in-built SLA management for incidents and alerts.

You can define SLAs for incidents and alerts at varying degrees of severity and track whether those SLAs are met or missed.

Tooltip

The SLA feature requires the SOAR Framework Solution Pack to be installed.
In release 7.2.0 the SOAR Framework Solution Pack is installed by default on your FortiSOAR system.

FortiSOAR contains "06 - IRP - Case Management" playbooks collection that automatically tracks the SLAs of alerts and incidents and other OOB playbooks that demonstrate various use cases.The SLA Calculator connector is used for calculating the SLA due dates based on the locale and work hours that you have been specified. For more information on the SLA calculator, see the SLA calculator documentation on the FortiSOAR Connectors page.

Permissions required for managing SLAs

To create and manage SLAs, you must be assigned a role with a minimum of Create, Read, and Update permission on the SLA Templates module, Execute permission on the Playbooks module, Usage permission on the Widgets module, along with the default Read permission on the Application module. Appropriate permissions are also required to be assigned for the module, Alert/Incident on which you want to define the SLA.

Working with SLA Templates

FortiSOAR includes SLA templates for each of the severity levels defined for incidents or alerts, i.e, 5 SLA Templates for each severity level, i.e., Critical, High, Medium, Low, and Minimal, is added by default in FortiSOAR.
SLA Templates page

You can set SLAs for both alerts and incidents using the same SLA Template.

To view or edit existing SLA templates, do the following:

  1. Click Automation > SLA Templates in the left navigation bar.
  2. Click the row of the SLA template that you want to view or edit. For example, click the SLA for High, i.e., for alerts or incidents whose severity is set to 'High'.
  3. View the following set SLAs set:
    Time to acknowledge an incident or alert (Incident Ack Time/Alert Ack Time): 20 minutes. Acknowledgment SLAs are tracked on the setting of the status of incidents to 'In Progress' and alerts to 'Investigating'.
    Time to respond to an incident or alert (Incident Response Time/Alert Response Time): 30 minutes. Response SLAs are tracked on the setting of the of the status of incidents to 'Resolved' and alerts to 'Closed'.
    Similarly, SLAs can be paused (Pause Incident SLA On/Pause Alert SLA On) when the status of incidents is set to 'Awaiting' and alerts to 'Pending'.
    You can edit the values of any of the above fields, for example, Incident Ack Time based on your requirements:
    Include SLA template for High severity alerts and incidents
    To edit the SLA template in a form view, click the Edit Record button, edit the values, and then click Save.

You can similarly add new SLA templates for alerts and incidents as per your requirement by clicking Add on the SLA Templates page.

Viewing setting of SLAs on a record

You can view fields related to SLAs in the detail view of your alert or incident record, where you will see fields such as Ack Due Date, Ack Date, Ack SLA, Response Due Date, etc. using which you can track whether or not the SLAs have been met.

Tooltip

Records must be in the “Open” state along with a proper severity set for the acknowledgement and response SLAs to be calculated.

Open an alert record to view the status of the SLAs, i.e., whether they have been met, missed, or awaiting some action. For example, in the following image, the Ack SLA for an alert with High severity has been Met, whereas the response SLA timer is running at 23 minutes 18 seconds, and the Response SLA it is set to Awaiting Action. You can also see that the status of this alert is set to 'Investigating' which is why the acknowledgment SLA is met. Once the investigation of this alert is completed and its status is set to 'Closed', the time for the response will be calculated and according the Response SLA will be set to Met or Missed:

Sample alert record with SLAs set