New features and enhancements

FortiSOAR Content Hub

  • Content Hub is FortiSOAR’s all-new, central, curated repository of content for finding solutions that suit your needs. It hosts Solution Packs, Use Cases, Integrations, Playbooks, Widgets, Dashboards, Reports, and more, all in a searchable, filter-friendly interface.
  • Available both as a public-facing page at https://fortisoar.contenthub.fortinet.com/, where you can discover and learn more about the latest content available, and embedded within the product, where you can discover, install, and create your own content. So, see you at the Hub!
  • The SOAR Framework Solution Pack is the foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. The Incident Response modules have been removed from the FortiSOAR platform and moved to the SOAR Framework SP, making it essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response.
    Note: In release 7.2.0 the SOAR Framework Solution Pack is installed by default on your FortiSOAR system.

Threat Intelligence Management (TIM) Solution

  • Built upon the Threat Intelligence Life Cycle, FortiSOAR’s well-researched TIM Solution allows for comprehensive threat feed management and provides a framework to create, consume, and share contextual, actionable threat intelligence.
  • Offers native integration with FortiGuard for reputation lookup and daily feed ingestion.
  • Noteworthy highlights of the solution include the ability to create and share feed datasets (using TAXII server) and generate threat intelligence reports. It also includes the ability to create goal-based workspaces for collecting, analyzing, and sharing actionable threat intelligence, and feed management capabilities that use parameters such as source confidence, TLP, expiry, etc.
  • Released in the 'Preview' mode to gather your important feedback. It is available as an add-on solution pack in the content hub.

Machine Learning Powered Phishing Classifier

  • Addressing the need to triage Phishing alerts more efficiently, the Phishing Classifier feature provides a Machine Learning-based classifier that helps to identify Phishing emails with a confidence score.
  • To get you going faster, FortiSOAR is installed with a pre-trained dataset, and it also allows you to provide your own organization's contextual dataset.

Queue and Shift Management

  • Intelligent, automated assignment solution based on queues and shift spreads. Multiple assignment models offer better ways to assign records.

  • Shift Management allows the creation of Shift Rosters with Shift leads and team members.

  • Ability to manage shift handover processes for smooth shift transitions.
    Note: The Queue and Shift Management feature replaces the Queue Management feature that was present in the earlier releases of FortiSOAR. Automated record assignments were not supported in Queue Management.

Notification Framework

  • Notification framework makes its debut as a centralized framework for diverse notifications, such as email notifications, UI notifications from various services (such as alerts/incidents/tasks assignments), Comments @mentions, workflow failures, etc.
  • Allows you to use integrations to create custom notification channels and to use the new rule engine to create notification rules.

FortiSOAR integration with FortiMonitor

  • FortiSOAR is integrated with FortiMonitor, which lets you monitor your FortiSOAR instances, including CPU, RAM, disk, network card bandwidth, Nginx, PostgreSQL, etc.
  • FortiMonitor can also monitor nodes of an HA cluster, and tenancy data replication lag in an MSSP environment.

Data Archival

  • Meet your compliance requirements for preserving important data while keeping your application nimble and high-performing. This release introduces a well-defined process for archiving data to a store of your choice. Data archival enables you to retain data for longer by preserving it in your data lake. You can archive data into an external database instance, or into a SIEM/log management product using Syslog forwarding.
  • Every record is archived with a signature so that any tampering can be easily identified.

Recycle Bin

  • 'Recycle Bin' is made available for soft deletion of workflow and module records, making it possible to restore these in case of accidental deletions.

Manual Input Step Enhancements

  • This much-used step in playbook workflows gets significant enhancements like the ability to create global manual inputs that are independent of records, the ability to display manual inputs on a different suitable record other than the source, RBAC enhancements, improvements to show more information in its playbook execution logs, usability enhancements, integration in notification framework and other important updates.

Support For RADIUS Server Authentication

  • Users can be authenticated for FortiSOAR using RADIUS authentication. Users whose authentication type is set to RADIUS can log in to FortiSOAR using their RADIUS credentials.

Important HA Enhancements

  • Ability to install custom connectors on a High Availability (HA) cluster using the UI.
  • Ability to use replication slots to set up replication for your HA cluster. Using replication slots to set up HA clusters adds support for differential synchronization between the primary node and the secondary nodes when the secondary nodes get out of sync with the primary node.
  • Other enhancements include:
    • Addition of the clone-db option to the HA command in the admin CLI.
    • Updates in the "Administration Guide" for multihoming containing instructions for extending support for two NICs on a FortiSOAR appliance for controlled traffic routing.

Case Management Enhancements

  • A new 'Date' field type is added to support the requirement of fields that need only the date to be displayed without the time component.
  • Additionally, DateTime fields, such as 'Created On', 'Modified On', etc. are now stored with milliseconds precision (earlier it was seconds), allowing greater accuracy in sequencing events.

  • Added a lighter version of the data grid widget, for better performance and usability.

  • The information shown in the row-expansion section can now be edited inline for meeting a wider range of use case requirements.

  • MIME type validations for file uploads, allowing administrators to prevent potentially malicious files of types such as .exe, .bat, etc. from being uploaded into FortiSOAR.

  • Ability to change the listing page title if you want to name it something other than the plural name of the module.
  • Usability enhancements to relationship widget to include or exclude relationships.

Playbook Framework Enhancements

  • A new ‘Ingest Bulk Feed’ playbook step is added to enable you to insert and update large volumes of records, primarily used while ingesting from Threat Intel Feeds, or others such as Vulnerabilities and Assets.
  • Significant optimizations in the runtime of the workflows for better Memory and CPU consumption thereby improving playbook execution times as well as OS resource consumption during playbook execution.
  • Important enhancements are made to the Data ingestion experience including the ability to trigger the ingestion instantly (ad-hoc), utilize previously saved ingestion logs for data mapping, and the ability to attach a custom data ingestion playbook collection for meeting advanced use cases.
  • Added support for YAQL as an additional query filter language (in addition to JINJA). YAQL (Yet Another Query Language) is an embeddable and extensible query language, which allows users to perform complex queries against arbitrary objects and makes data filtering and manipulation much easier while developing playbooks. More details about YAQL are available here.
  • RBAC-controlled ability to view all “System” playbook collections on the playbook listing section.

Export and Import Wizards Enhancements

  • Multiple enhancements have been made to the Export and Import Wizards, including the ability to selectively export and import fields in a module and items in the navigation structure. Support is also added for including or excluding correlations data when exporting a module's record data, and for displaying the total records imported on the 'Review Import' page of the Import Wizard.

Connector Enhancements

  • Ability to install custom connectors on an FSR Agent from the FortiSOAR node using the UI.
  • Ability to install connector dependencies from the FortiSOAR UI.

Support to configure account lockout settings

  • Administrators now have the option to configure the number of times users can enter incorrect passwords while logging into FortiSOAR before their account gets locked. By default, this is set to 5 (times). Administrators can also specify the duration, in minutes, after which the user accounts get automatically unlocked, in cases where user accounts were locked due to exceeding the number of failed login attempts. By default, this is set to 30 (minutes).
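
The lockout behaviour described above, modelled as an added example (not FortiSOAR code) using the stated defaults of 5 attempts and 30 minutes. It assumes the fifth consecutive failure locks the account, a successful login resets the count, and a correct password is still refused during the lock window; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None


@dataclass
class LockoutTracker:
    max_failed_attempts: int = 5    # default given in the release notes
    unlock_after_minutes: int = 30  # default given in the release notes
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self.accounts.get(user)
        if state is None or state.locked_at is None:
            return False
        if now - state.locked_at >= timedelta(minutes=self.unlock_after_minutes):
            # Lock window elapsed: unlock automatically and restart the count.
            state.failures, state.locked_at = 0, None
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'failed' or 'locked' for a single login attempt."""
        if self.is_locked(user, now):
            return "locked"  # a correct password must not end the lock early
        state = self.accounts.setdefault(user, AccountState())
        if password_ok:
            state.failures = 0  # assumption: success resets the failure count
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failed_attempts:
            state.locked_at = now  # assumption: the Nth failure itself locks
            return "locked"
        return "failed"


# Constructed sample: (user, password_ok, minutes since the first attempt).
SAMPLE_EVENTS = (
    [("analyst1", False, m) for m in range(5)]           # five bad passwords
    + [("analyst1", True, 20), ("analyst2", True, 20),   # lock is per account
       ("analyst1", True, 33), ("analyst1", True, 34)]   # 29 min vs 30 min
)


def replay(events, tracker: Optional[LockoutTracker] = None) -> List[str]:
    """Replay login events against a tracker and return each outcome."""
    tracker = LockoutTracker() if tracker is None else tracker
    start = datetime(2022, 1, 1, 9, 0)  # constructed clock origin
    return [tracker.record_attempt(user, ok, start + timedelta(minutes=m))
            for user, ok, m in events]
```

Replaying `SAMPLE_EVENTS` shows the lock applying per account and lifting exactly 30 minutes after the failure that triggered it.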

Onboarding Guide

  • The Onboarding or Setup guide helps first-time or recurrent administrators of FortiSOAR to optimally set up FortiSOAR based on best practices.

Built-in Connector and Widget Enhancements

  • Multiple built-in connectors like Utilities, Report Engine, FortiSOAR ML Engine, SMTP, and Code Snippet have been updated.
    For more information on FortiSOAR Built-in connectors, see the "FortiSOAR™ Built-in connectors" article.
  • A new ‘Phishing Classifier’ connector has been introduced as a system connector.
  • New widgets such as Manage Datasets, Card Tiles, and Feed Configuration Settings, are now available on the Content Hub.
