This tutorial aims at walking you through the steps you require to create Incident forms for various types of incidents, such as Phishing, using FortiSOAR.
Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be cyber or physical security related.
This document assumes that you have completed the installation and configuration of your FortiSOAR instance and now you are ready to create records in FortiSOAR.
Phishing Type of Incident should have the following additional fields, apart from the general fields of the Incident Record:
- Host Name
- Number of Hosts Affected
The Phishing Type of Incident Record without the above fields is displayed as follows:
The Phishing Type of Incident Record with the above fields will be displayed as follows:
These records will only be displayed in forms when the Incident Type is set to "Phishing."
To achieve this, we will have to perform the following steps:
- Add the required fields to the Incident of type "Phishing" using the Module Editor.
- Publish the Incidents module.
- Update the System-View Templates (SVT) for the Incidents module.
Use the Module Editor in FortiSOAR to add new modules, add new fields, and edit existing fields within a module. In our case, we assume that the Incident Module is already created with default fields and we require to add specific fields for the Phishing Type Incident. See the Application Editor chapter in the "Administration Guide" for information on how to add modules.
- Log on to FortiSOAR using your credentials.
- Click the Settings () icon that appears on the top-right corner in FortiSOAR and in the
Application Editorsection, click Modules to open the
- To add fields to the Incidents module, select Incidents from the Modules drop-down list, click the Fields Editor tab on the
Modulespage and click the Add (+) icon beside Fields.
- To add the Host Name field, configure the following properties for the field:
Field Type: The type of field; it specifies the type of form used to render this attribute. For example, a checkbox, a picklist, or a Text field.
For the Host Name field, select Text Field.
- Sub-Type: This is the sub-type of the Field Type that narrows down the input format to any specific type such as Text Field, Phone Field, Email Field etc. For the Host Name field, select Text Field.
Field Title: A short display name describing the field.
For the Host Name field, type
Editable: Selecting this option allows you to modify the field after the creation of a module record. If this option is not selected, then you cannot modify the initial value after the record is created.
For the Host Name field, ensure that the Editable checkbox is selected.
Searchable: Selecting this option makes this field searchable in the grid view.
Check the Searchable option for the Host Name field. For the Host Name field, ensure that the Searchable checkbox is selected.
Default Grid Column: Selecting this option makes the field appear as a column by default in the grid view.
For the Host Name field, ensure that the Default Grid Column checkbox is cleared.
Encrypted: Selecting this option enables encrypting of field values before storing in the database for enhanced security.
For the Host Name field, ensure that the Encrypted checkbox is cleared.
Required: Specifies whether the field is a required field.
Select Not Required for the Host Name field.
Visibility: Specifies whether the field is visible or not. For the Host Name field, select Visible (by Condition). In the condition builder select Type Equals Phishing.
This means that the Host Name field will only be visible when the Incident type is set as Phishing. Note that the
IncidentTypeis a Picklist type of field and using FortiSOAR you can define your incident types by editing this picklist or creating new picklists.
See the Application Editor topic in the "Administration" guide for information on how to create picklists and use condition builder and also for detailed explanations on fields and their properties.
- Default Value, Tooltip, and Length Constraints: For the Host Name field, for the purpose of this example, leave these field blank.
Allow Bulk Edit: Selecting this option allows the bulk edit operation on the selected field, this means that you can select multiple records in the Incidents grid view and change the value of this field in a single click.
For the Host Name field, for the purpose of this example, do not select this option.
- Click Apply to add the Host Name field to the
- Field Type: The type of field; it specifies the type of form used to render this attribute. For example, a checkbox, a picklist, or a Text field.
- Click Add Field to add the Number of Hosts Affected field and configure similar properties for these fields:
- Field Type: select Integer.
Field Title: type
Number of Hosts Affected.
- Configure the remaining properties for the Number of Hosts Affected field, similar to that of the Host Name field, including setting the Visibility of these fields to Visible (by Condition) and in the condition builder select Type Equals Phishing, to ensure that these fields are also only visible if the Incident Type is Phishing.
- Click Apply to add the Number of Hosts Affected field to the
- Click Save to save the changes to the
Whenever you change a field or a module and click Save, the change is staged but is not yet live in the system. You must perform a Publish to ensure that the changes are made in the system.
You initiate a publish action by clicking the Publish All Modules button at the top-right of the Module Editor page. Publishing pushes the changes that you have made to fields and modules to the database. Up until the Publish point, all changes to the data model in the Module Editor are saved as metadata, which is information that describes the structure of other information.
The FortiSOAR interface is rendered using Templates, which can be modified as needed to suit your specific purposes better. You can structure and style forms with varied types of fields by modifying templates according to your requirements. The system interface is composed of View Templates, which are JSON definitions of the interface structure composed of widgets. Widgets are configurable interface elements that are used to represent data, such as charts or lists visually.
Widgets are used to render information for visual display inside View Template. Widget types vary such that specific widgets only correspond to certain view types. For example, detail view has some exclusive widgets.
See the Dashboards, Templates, and Widgets chapter, for a detailed explanation on how to use templates and widgets.
To view the Sender Domain, Sender Email Address, and Recipient Email Address fields that we have added using the Fields editor on the FortiSOAR UI we have to add these fields to the Detailed view of incident records by updating the SVT for the Incident Module.
- Log on to FortiSOAR using your credentials.
- Click Incident Response > Incidents in the left-navigation to open the Incidents module in the list view.
- Click on a record to open the detailed view of an incident record and click the Edit Template icon in that record.
This opens the detail view of the incident record in the Template Editing mode:
Now you can begin editing the template using Widgets.
- In our example, we want a row to be added in which we can add the information for the Host Name and Number of Hosts Affected fields.
To achieve this, click the Insert Row Above link or Add Row button, depending on where you want to place these fields in the template. This will add a row and within this row, click Add Widget.
- From the
Choose Widgetdialog, select Editable Form Group widget. This opens the Editable Form Group template for configuration. You can also click on the Edit Widget icon in this row to modify the widget later.
- Configure the Editable Form Group as follows:
Affected Hostsin the Form Group Title field and type
display-inline-blockin the Row Style field.
- Then from the Select a Field drop-down list, select Host Name and click Add to add this field to the Editable Form Group.
- Similarly, select the Number of Hosts Affected field and then click Add to add in the widget.
This adds both the Host Name and Number of Hosts Affected fields to the Editable Form Group as shown in the following image, and click Save to save the widget configuration:
- On the template editing page, click Apply Changes to save changes to your template.
Now, you can see the fields that you have defined to be displayed in the detailed view of an incident record that has the type "Phishing."
This tutorial demonstrates the flexibility that FortiSOAR provides for incident response.
Using this flexibility, you can create very customized forms for various types of records, each catering to your specific requirements. Fields can be customized at a very granular level using properties that can be conditional, such as the Required By condition.