User Guide


Solution Packs

FortiSOAR is built on a modular architecture, and solution packs implement best practices for configuring and optimally using FortiSOAR. Solution packs also contain a lot of sample, simulation, and training data that lets you experience FortiSOAR without having all the devices. FortiSOAR provides several out-of-the-box (OOB) solution packs to help users get started easily and effectively.

Note

Only certified Solution Packs are eligible for support. Support is limited to the pack functionality in ideal environments and does not extend to resolving system conflicts or changes that might have taken place due to the pack installation. Since a solution pack can require changes in system configurations and views, we strongly recommend that before you install a solution pack, you review the solution pack and its dependencies, take system backups, and test the solution pack in staging/development environments.

Some of the out-of-the-box (OOB) solution packs include:

  • SOAR Framework: Enables users to experience the power of FortiSOAR incident response. This Solution Pack (SP) is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.
    Note: From release 7.2.0 onwards, the SOAR Framework Solution Pack (SP) is installed by default with the fresh installations of FortiSOAR. If you have upgraded your FortiSOAR system from release 7.2.0 to a release later than 7.2.0, for example, 7.2.1, and if the SOAR Framework SP has an updated release, for example 1.0.1, then in the Manage tab, an Update Available link is visible on the SOAR Framework SP's card. Similarly, if you have a freshly installed FortiSOAR release 7.2.1 system, then by default release 1.0.1 of the SOAR Framework SP is installed.
  • Multi Tenancy: Enables users to experience the power and capability of FortiSOAR incident response in a multi-tenant architecture.
  • MITRE ATT&CK Enrichment Framework: Enables users to use the information and knowledge base that's provided by the MITRE ATT&CK Framework to its full extent.
  • Knowledge Base: Enables users to configure and optimally use FortiSOAR based on best practices. It provides users with information about topics such as triage processes, tools, etc., that are used in a SOAR.

Many more out-of-the-box (OOB) solution packs are included with FortiSOAR and documentation comes bundled with each solution pack.
Content Hub contains the complete listing of all the solution packs. FortiSOAR allows users to edit out-of-the-box (OOB) solution packs if users want to customize a solution pack to suit their requirements and even build new packs for custom use cases.

Permissions required for using Solution Packs

Following are the permissions that you must be assigned to perform operations on solution packs:

  • To install a solution pack from the Content Hub, you must be assigned a role that has a minimum of Create, Read, and Update permissions on the Security module, Create and Read permissions on the Solution Packs module, and Read permission on the Application and Content Hub modules.
  • To import a solution pack, you must be assigned a role that has a minimum of Create, Read, and Update permissions on the Application and Security modules, Create and Read permissions on the Solution Packs module, and Read permission on the Content Hub module.
  • To create a new solution pack, you must be assigned a role that has a minimum of Create and Read permissions on the Security and the Solution Packs modules, and Read permission on the Application and Content Hub modules.
  • To edit Solution Packs, i.e., view the solution packs listed in the Content Hub and changes made to the Content Hub, you must be assigned a role that has a minimum of Read permission on the Application and Content Hub modules, a minimum of Create, Read, and Update permissions on the Security module, and Update and Read permissions on the Solution Packs module.
  • To clone Solution Packs, you must be assigned a role that has a minimum of Read permission on the Application, Security, and Content Hub modules, and a minimum of Create, Read, Update permissions on the Solution Packs module.
  • To export Solution Packs and download the zip file of solution packs, you must be assigned a role that has a minimum of Read and Update permissions on the Application and Security modules, a minimum of Read permission on the Solution Packs, Content Hub, and File modules.
  • To delete Solution Packs, you must be assigned a role that has a minimum of Read permission on the Application and Content Hub modules, and a minimum of Read and Delete permissions on the Solution Packs and Security modules.

Apart from the above permissions, you must also have appropriate permissions for all the entities, i.e., modules, connectors, widgets, dashboards, etc., that are used in solution packs. If you do not have the appropriate permissions, then those entities (modules, connectors, widgets, etc.) are skipped while working (cloning, editing, creating, etc.) with the solution packs. If you do not have appropriate permissions for all the entities, then you will be unable to import and install solution packs.
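The permission list above can be used as a least-privilege check when designing roles. The following is an added example, not part of the FortiSOAR documentation or product code: the matrix is transcribed from the list above, the role dictionaries are constructed sample data, and it makes no FortiSOAR API calls. It does not cover the per-entity permissions (modules, connectors, widgets, etc.) that are also required.

```python
"""Least-privilege check for solution pack operations (added example).

REQUIRED is transcribed from the permission list on this page. The roles
ANALYST and CONTENT_ADMIN are constructed sample data, not an export from
a FortiSOAR system.
"""

C, R, U, D = "Create", "Read", "Update", "Delete"

# operation -> module -> minimum permissions stated on this page
REQUIRED = {
    "install": {"Security": {C, R, U}, "Solution Packs": {C, R},
                "Application": {R}, "Content Hub": {R}},
    "import": {"Application": {C, R, U}, "Security": {C, R, U},
               "Solution Packs": {C, R}, "Content Hub": {R}},
    "create": {"Security": {C, R}, "Solution Packs": {C, R},
               "Application": {R}, "Content Hub": {R}},
    "edit": {"Application": {R}, "Content Hub": {R},
             "Security": {C, R, U}, "Solution Packs": {R, U}},
    "clone": {"Application": {R}, "Security": {R}, "Content Hub": {R},
              "Solution Packs": {C, R, U}},
    "export": {"Application": {R, U}, "Security": {R, U},
               "Solution Packs": {R}, "Content Hub": {R}, "File": {R}},
    "delete": {"Application": {R}, "Content Hub": {R},
               "Solution Packs": {R, D}, "Security": {R, D}},
}

# Constructed sample roles (hypothetical names).
ANALYST = {m: {R} for m in ("Application", "Content Hub", "Security",
                            "Solution Packs")}
CONTENT_ADMIN = {m: {C, R, U, D} for m in ("Application", "Content Hub",
                                           "Security", "Solution Packs",
                                           "File")}


def missing_permissions(role, operation):
    """Return {module: [missing permissions]} for one operation."""
    gaps = {}
    for module, needed in REQUIRED[operation].items():
        lacking = needed - role.get(module, set())
        if lacking:
            gaps[module] = sorted(lacking)
    return gaps


def allowed_operations(role):
    """Operations for which the role meets every stated minimum."""
    return sorted(op for op in REQUIRED if not missing_permissions(role, op))


def minimal_grant(operations):
    """Smallest module/permission set that covers all given operations."""
    grant = {}
    for op in operations:
        for module, needed in REQUIRED[op].items():
            grant.setdefault(module, set()).update(needed)
    return grant


def excess_permissions(role, operations):
    """Permissions the role holds beyond what the operations require."""
    grant = minimal_grant(operations)
    excess = {}
    for module, held in role.items():
        extra = held - grant.get(module, set())
        if extra:
            excess[module] = sorted(extra)
    return excess


if __name__ == "__main__":
    print("analyst cannot install; missing:",
          missing_permissions(ANALYST, "install"))
    # A role scoped only for "install" also satisfies "create".
    print("install-only grant allows:",
          allowed_operations(minimal_grant(["install"])))
    print("admin excess for install-only duty:",
          excess_permissions(CONTENT_ADMIN, ["install"]))
```

The second result is worth noting when scoping roles: the minimum grant for installing from the Content Hub is a superset of the minimum for creating a solution pack, so the two operations cannot be separated using these module permissions alone.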

Caution

You must ensure that repo.fortisoar.fortinet.com is reachable from your FortiSOAR instance. Otherwise, you will see a blank page when you click Content Hub in the left navigation.

Viewing Solution Packs in Content Hub

To view solution packs, on the FortiSOAR left navigation, click Content Hub. On the Content Hub page, from the Filter panel choose Solution Packs to view the list of all currently available solution packs:

Marketplace - Solution Packs

You can search for a solution pack using the Search field and sort the solution packs alphabetically (A-Z) or by date. Using the Filters panel, you can filter the solution packs displayed in all the tabs based on varied criteria. Solution packs that are installed appear with a tick on their card, for example the SOAR Framework solution pack in the above image. Some Solution Packs (SP) have an orange icon, which signifies a 'Featured' SP, for example the SOAR Framework SP. Featured SPs are those SPs that are significant to SOAR operations and therefore have been highlighted. Similarly, some SPs have a 'Preview' ribbon, which signifies that these SPs are being released like a "BETA" version, with more enhancements planned for subsequent releases to make them more comprehensive and robust, for example the Threat Intel Management SP. For more information on Content Hub, see the Content Hub chapter.

Working with Solution Packs

Click Content Hub > Discover to view a list of available SPs. To view the details of the solution pack and to perform actions on the solution pack, click the card of the solution pack. The solution pack popup contains a Summary tab and a Contents tab. The Summary tab contains a brief description of the solution pack, additional information such as the category of the solution pack and support contact information, and prerequisites or dependencies that must be fulfilled before installing that solution pack, as well as instructions on what steps must be performed for the solution pack to work:
Solution Packs - Summary tab
Click View Contents to open the SP in a new window and install that SP or view its contents.
The Contents tab lists the contents of the solution pack, i.e., it displays the list of module schemas, record sets, roles, playbook collections, widgets, connectors, etc., that are part of that solution pack:
Installed Solution Packs - Content tab

To install a solution pack, click Content Hub > Discover and then click on the card of the solution pack that you want to install to open that solution pack's popup, and then click Install.

Other ways that you can install a Solution Pack are:

  • Import (Upload) a Solution Pack (.zip file) on the Content Hub > Manage tab. This process is explained later in this topic.
  • Import the Solution Pack using the Import Wizard. The process of importing and exporting entities is explained in the Application Editor chapter in the "Administration Guide."
    Note: It is not recommended to import a Solution Pack using the Import Wizard, since only the Solution Pack data gets imported into the system, but the Solution Pack template is not created and the Solution Pack does not get created in the Content Hub. Therefore, in this case, you can only use the imported entities (widget, connectors, reports, etc), but not the Solution Pack template.

Before you install a Solution pack, consider the following:

  • Solution packs that contain "Module Schema(s)" (SP dialog > Contents) replace the settings and views of the following in your existing system:
    • 'System View Template' including the view of the specified schema
    • 'Action Buttons' displayed on top of the grids
    • 'Recommendations Settings' that provide the similarity suggestion
  • Install solution packs in test environments and take system backups before installing a solution pack: Since solution packs can potentially alter your existing configurations and views, it is recommended to install solution packs in test environments and have system backups in place, such as backing up your System View Templates using the Import Wizard before installing a solution pack, to avoid having to manually readjust the settings to meet your requirements.
  • Some solution packs might need a 'System Publish' activity, causing the system to be unavailable for as long as a few minutes, and all the users will need to wait for this process to complete before resuming usage.

Once installed, the solution packs appear in the Manage tab.

On the Manage tab, you can view the content that is installed; in our example, you can view the installed solution packs:
Manage Tab - Installed Solution Packs

You can search for an SP by its name in the Search box and sort the SPs either alphabetically or by date. Similarly, you can filter the installed SPs that have an upgraded version by selecting Update Available from the drop-down list. On the SP's card, you can also see if any SP that is installed on your system has an upgraded version. For example, if you have installed the Knowledge Base v1.0.1 solution pack on your system and v1.1.0 is available, you will see an Update Available link, which you can click to open the solution pack's popup. On the solution pack's popup, you will see an Update to <version number> button; clicking it upgrades the solution pack to the newer version.

To upload a custom solution pack (.zip) that you have already created, click Upload > Upload Solution Pack. This opens the Upload Solution Pack popup where you can drag-and-drop the .zip file of the solution pack or browse to the .zip file to add the solution pack in FortiSOAR. If you have an existing version of the solution pack on your system, then you can click the Replace existing version checkbox to replace that version of the solution pack.

Notes:

  • If there is any dependency associated with the custom solution pack, then you must install that dependency before importing the solution pack.
  • If your custom solution pack has a dependency on a solution pack that is part of the repository, for example, MITRE Framework, then the repo solution pack gets installed (if not already installed) when the custom solution pack is installed.
  • If you have exported a repository solution pack, for example MITRE Framework SP, and imported the same to another system, then that imported solution pack is considered a local custom solution pack and you will not get further updates to that solution pack.

You can perform the following actions on the popup of an installed SP:

  • Edit: To edit an installed repository solution pack to suit your requirements, click Edit to open the confirmation dialog for creating a local copy of that solution pack. Clicking Confirm opens the Clone Solution Pack Editor. For details on editing solution packs, see Editing an existing Solution Pack. In the case of a custom (local) solution pack, you can simply edit the solution pack; a local copy does not get created.
  • Export: To export a solution pack in the .zip format so that it can be used in another environment, click the Export button. Once the solution pack is saved as a .zip file, you can import the same using Upload > Upload Solution Pack.
  • Delete: To delete an installed solution pack, click Delete Template, which displays a Confirmation dialog. Click Confirm on the dialog to uninstall the solution pack. When you perform the delete operation, the solution pack template gets deleted, and data associated with the installed solution pack, such as the data of the associated connectors, widgets, etc., is retained on your system.

Apart from this, the solution pack also contains a link to its Documentation and its GIT repository, if that solution pack is part of the public GIT repository. When you hover on the GIT icon you can see the ratings of that solution pack and the number of forks that have been created from that solution pack.

Creating Solution Packs

Use the Solution Pack Building Wizard to efficiently create new Solution Packs.

To create a new Solution Pack, do the following:

  1. On the FortiSOAR left-navigation, click Content Hub > Create.
  2. On the Create tab, click Create > New Solution Pack, which displays the Create New Solution Pack Wizard.
    Solution Pack Building Wizard
  3. Click Let's start by defining a solution pack to open the About Solution Pack screen where you can provide the metadata for the solution pack such as the title, version, etc.
    Provide metadata for the Solution Pack
    Details that you can provide are:
    1. Upload a logo for the solution pack.
    2. In the Solution Pack Name field, enter an appropriate title for your Solution Pack.
      Note: Supported characters for the title are alphanumeric characters, spaces, colons, hyphens, ampersands (&), and underscores. Also, the value that you enter in this field must not match the name of any other Solution Pack that is available in the Content Hub. For example, you cannot enter SOAR Framework in this field, since the SOAR Framework Solution Pack is available in the Content Hub.
    3. The API Identifier field contains an auto-populated name based on the name that you specify for the solution pack. The API Identifier is used as a variable in the Solution Pack code to reference this Solution Pack.
    4. In the Version field, enter the version of the Solution Pack in the x.y.z format. For example, 1.0.0. As a good practice, you should always increase the version number before making changes to an installed solution pack.
    5. (Optional) In the Publisher field, enter the name of your organization as the publisher of this Solution Pack. The publisher of the Solution Pack is responsible for maintaining and supporting the Solution Pack.
      If you want to keep the Solution Pack anonymous, then you can add the "Community" keyword. If this field is left blank, again the Solution Pack's publisher is automatically set to "Community".
      Note: Do not enter "Fortinet" in this field.
    6. (Optional) In the Description field, enter information for the Solution Pack that you are creating. The Description is displayed on the Solution Pack card on the Content Hub listing page and enables users to understand more about the Solution Pack.
    7. (Optional) In the Help Link field, you can enter the links of the web pages that contain the details of the solution pack.
    8. (Optional) In the Support Info field, you can enter support email IDs that users can contact if they have any issues with the solution pack.
    9. (Optional) From the Category list, select the categories in which you want to place this solution pack. For example, Authentication, Centralized Security Management, Threat Intelligence, etc.
    10. (Optional) In the Tags field, enter the keywords that you want to associate with the Solution Pack. Tags make it easier to search and filter solution packs.
    11. Click Continue once you have completed entering the details.
  4. On the Prerequisites screen, add the dependencies and other prerequisites that are required to install the solution pack:
    1. From the Select Solution Pack list, select the solution packs that must be installed by users on their system before installing this solution pack, and then click Add as Dependency.
    2. In the Prerequisites section, click + Add Instruction to add instructions that users must follow for the solution pack to work, and then click Continue. Examples of this could be simple code snippets or commands that users need to run after installation of the solution pack, or a list of steps users should follow after installing the solution pack. You can add multiple instructions for a solution pack.
      SP Building Wizard - Prerequisites
  5. On the Choose Entities screen, select the entities such as modules, playbooks, connectors, administrative and security settings, etc., that you want to bundle with the solution pack, and then click Continue.
    Choose Entities to be bundled with the Solution Pack
  6. On the Filter Data screen, you can choose the granular details of the entities that you want to include in the solution pack and then click Continue. The entities displayed on this screen are dependent on the entities that you have selected on the Choose Entities screen. For example, if you only want a specific set of modules to be part of the solution pack, then you can select only those modules, such as Alerts, Approvals, Incidents, Tasks, etc. You can also choose the fields that you want to include in a selected module by clicking Review. To include record sets, click Records, and to include their correlations, click Correlations.
    The Filter Data screen is the same as is present in the Export Wizard. For details on the Filter Data screen, see the Export Wizard topic of the Application Editor chapter in the "Administration Guide".
    Solution Pack Wizard - Filter Data Screen
  7. On the Create Solution Pack screen, you can review the solution pack contents and details of the solution. Clicking Create a Draft To Workspace saves the solution pack in the Create tab, where you can continue to refine the solution pack. Solution Packs that are in the 'Draft' state are not available for local users to include in their solution packs, i.e., they cannot be included in any other solution pack as a dependency, though users can make edits to the solution pack in the Create tab. Click Save and Publish to publish the solution pack and add this solution pack in the Manage tab. Publishing makes the solution pack available to other users who are local to your FortiSOAR environment, i.e., users who are locally present in your FortiSOAR environment can select the solution pack as a dependency for their solution packs.
    Reviewing the created Solution Pack
  8. For our example, we clicked Create As Draft To Workspace, which displays a screen mentioning the next steps that you can perform with the solution pack. You can also click Download Solution Pack File to download a zip file of your solution pack.
    Solution Pack Building Wizard - Next Steps screen
    The next steps that you can perform are:
    • Keep enhancing and updating the solution pack in your WorkSpace tab.
    • Publish the solution pack and make it accessible to users local to your FortiSOAR environment.
    • Download the solution pack and contribute it to the FortiSOAR public Content Hub. This option contains a link that opens a GIT repository that contains instructions on how a user can contribute to the public Content Hub.

Editing an existing Solution Pack

To edit a solution pack that is in your local environment (and not published), go to the Create tab, and click edit on the solution pack card to open the Edit Solution Pack wizard. You can also create a new version of the solution pack by clicking Add Version on the solution pack card. This opens the Clone Solution Pack wizard, where you can add a new version of the SP and continue to edit the SP as per your requirements:
Clone SP Wizard

To edit a solution pack from the repository to suit your requirements, do the following:

  1. On the FortiSOAR left-navigation, click Content Hub > Manage.
  2. On the Manage tab, click the card of the solution pack that you want to edit to open the solution pack popup, and then click Edit. When you click Edit, FortiSOAR displays a confirmation dialog box to get a confirmation on creating a local copy of the solution pack that you can edit, so that you can edit an existing solution pack without impacting the original one:
    Edit Solution Pack Confirmation dialog
  3. Click Confirm to open the Clone Solution Pack wizard.
  4. Edit the solution pack as required and then either save the solution pack as a draft in the Create tab or publish the solution pack. The Clone Solution Pack wizard contains the same screens and fields as the Create New Solution Pack wizard. For more information on the screens and fields, see the Creating Solution Packs topic.
    Note: It is recommended that you increase the version number before making changes to an installed solution pack.

Solution Packs

FortiSOAR is built using modular architecture and solution packs are the implementation of best practices to configure and optimally use FortiSOAR. The solution packs also contain a lot of sample/simulation/training data that enables you to experience FortiSOAR without having all the devices. FortiSOAR provides several out-of-the-box (OOB) solution packs to facilitate users to get started easily and effectively.

Note

Only certified Solution Packs are eligible for support. Support is limited to only the pack functionality in ideal environments and does not apply to any resolving system conflicts or changes that might have taken place due to the pack installation. Since a solution pack can require changes in system configurations and views, we strongly recommend that before you install a solution pack, you should review the solution packs and their dependencies before installation, take system backups, and test the solution pack in staging/development environments.

Some of the out-of-the-box (OOB) solution packs include:

  • SOAR Framework: Enables users to experience the power of FortiSOAR incident response. This Solution Pack (SP) is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.
    Note: From release 7.2.0 onwards, the SOAR Framework Solution Pack (SP) is installed by default with the fresh installations of FortiSOAR. If you have upgraded your FortiSOAR system from release 7.2.0 to a release later than 7.2.0, for example, 7.2.1, and if the SOAR Framework SP has an updated release, for example 1.0.1, then in the Manage tab, an Update Available link is visible on the SOAR Framework SP's card. Similarly, if you have a freshly installed FortiSOAR release 7.2.1 system, then by default release 1.0.1 of the SOAR Framework SP is installed.
  • Multi Tenancy: Enables users to experience the power and capability of FortiSOAR incident response in a multi-tenant architecture.
  • MITRE ATTACK Enrichment Framework: Enables users to use the information and knowledge base that’s provided by the MITRE ATTACK Framework to its full extent.
  • Knowledge Base: Enables users to configure and optimally use FortiSOAR based on best practices. It provides users with information about different things like (triage processes, tools, etc.) used in a SOAR.

Many more out-of-the-box (OOB) solution packs are included with FortiSOAR and documentation comes bundled with each solution pack.
Content Hub contains the complete listing of all the solution packs. FortiSOAR allows users to edit out-of-the-box (OOB) solution packs if users want to customize a solution pack to suit their requirements and even build new packs for custom use cases.

Permissions required for using Solution Packs

Following are the permissions that you must be assigned to perform operations on solution packs:

  • To install a solution pack from the Content Hub, you must be assigned a role that has a minimum of Create, Read, and Update permissions on the Security module, Create and Read permissions on the Solution Packs module, and Read permission on the Application and Content Hub modules.
  • To import a solution pack, you must be assigned a role that has a minimum of Create, Read, and Update permissions on the Application and Security modules, Create and Read permissions on the Solution Packs module, and Read permission on the Content Hub module.
  • To create a new solution pack, you must be assigned a role that has a minimum of Create and Read permissions on the Security and the Solution Packs modules, and Read permission on the Application and Content Hub modules.
  • To edit Solution Packs, i.e., view the solution packs listed in the Content Hub and changes made to the Content Hub, you must be assigned a role that has a minimum of Read permission on the Application and Content Hub modules, a minimum of Create, Read, and Update permissions on the Security module, and Update and Read permissions on the Solution Packs module.
  • To clone Solution Packs, you must be assigned a role that has a minimum of Read permission on the Application, Security, and Content Hub modules, and a minimum of Create, Read, Update permissions on the Solution Packs module.
  • To export Solution Packs and download the zip file of solution packs, you must be assigned a role that has a minimum of Read and Update permissions on the Application and Security modules, a minimum of Read permission on the Solution Packs, Content Hub, and File modules.
  • To delete Solution Packs, you must be assigned a role that has a minimum of Read permission on the Application and Content Hub, and a minimum of Read and Delete permissions on the Solution Packsand, Security modules.

Apart from above permissions you also must have appropriate permissions for all the entities, i.e., modules, connector, widgets, dashboards, etc. that are used in solution packs. If you do not have the appropriate permissions then those entities (modules, connectors, widgets, etc) are skipped while working (cloning, editing, creating, etc) with the solution packs. If you do not have appropriate permissions for all the entities, then you will be unable to import and install solution packs.

Caution

You must ensure that repo.fortisoar.fortinet.com is reachable from your FortiSOAR instance. Otherwise, you will see a blank page when you click Content Hub in the left navigation.

Viewing Solution Packs in Content Hub

To view solution packs, on the FortiSOAR left navigation, click Content Hub. On the Content Hub page, from the Filter panel choose Solution Packs to view the list of all currently available solution packs:

Maketplace - Solution Packs

You can search for a solution pack using the Search field and sort the solution pack alphabetically (A-Z) or by date. Using the Filters panel, you can filter the solution packs displayed in all the tabs based on varied criteria. Solution packs that are installed appear with a tick on their card, for example the SOAR Framework solution pack in the above image. Some Solution Packs (SP) have an orange icon, which signifies a 'Featured' SP, for example the SOAR Framework SP. Featured SPs are those SPs that are significant to SOAR operations and therefore have been highlighted. Similarly, some SPs have a 'Preview' ribbon which signifies that these SPs are being released like a "BETA" version with more enhancements being planned for subsequent releases to make them more comprehensive and robust, for example the Threat Intel Management SP. For more information on Content Hub, see the Content Hub chapter.

Working with Solution Packs

Click Content Hub > Discover to view a list of available SPs. To view the details of the solution pack and to perform actions on the solution pack, click the card of the solution pack. The solution pack popup contains a Summary tab and a Contents tab. The Summary tab contains a brief description of the solution pack, additional information such as the category of the solution pack and support contact information, and prerequisites or dependencies that must be fulfilled before installing that solution pack, as well as instructions on what steps must be performed for the solution pack to work:Solution Packs - Summary tab
Click View Contents to open the SP in the new window and install that SP or view its contents.
The Contents tab lists the contents of the solution pack, i.e., it displays the list of modules schemas, record sets, roles, playbook collections, widgets, connectors etc. that are part of that solution pack:
Installed Solution Packs - Content tab

To install a solution pack, click Content Hub > Discover and then click on the card of the solution pack that you want to install to open that solution pack's popup, and then click Install.

Other ways that you can install a Solution Pack are:

  • Import (Upload) a Solution Pack (.zip file) on the Content Hub > Manage tab. The process of the same is explained later in this topic.
  • Import the Solution Pack using the Import Wizard. The process of importing and exporting entities is explained in the Application Editor chapter in the "Administration Guide."
    Note: It is not recommended to import a Solution Pack using the Import Wizard, since only the Solution Pack data gets imported into the system, but the Solution Pack template is not created and the Solution Pack does not get created in the Content Hub. Therefore, in this case, you can only use the imported entities (widget, connectors, reports, etc), but not the Solution Pack template.

Before you install a Solution pack, consider the following:

  • Solution packs that contain "Module Schema(s)" (SP dialog > Contents) replace the settings and views of the following in your existing system:
    • 'System View Template' including the view of the specified schema
    • 'Action Buttons' displayed on top of the grids
    • 'Recommendations Settings' that provide the similarity suggestion
  • Install Solution packs in test environments and take system backups before installing a solution pack - Since solution packs can potentially alter your existing configurations and views, it is recommended to install Solution Packs in test environments and have system backups in place, such as backing up your System View Templates using the Import Wizard before installing a solution pack to avoid rework on manual adjustment of the settings to meet your requirements.
  • Some solution packs might need a 'System Publish' activity, causing the system to be unavailable for as long as a few minutes, and all the users will need to wait for this process to complete before resuming usage.

Once installed the solution packs appear in the Manage tab.

On the Manage tab, you can view the content that is installed, in our example, you can view the installed solution packs:
Manage Tab - Installed solution Packs

You can search for an SP by its name in the Search box and sort the SPs either alphabetically or by date. Similarly, you can filter the installed SPs that have an upgraded version by selecting Update Available from the drop-down list. The SP's card also shows whether an SP that is installed on your system has an upgraded version. For example, if you have installed the Knowledge Base v1.0.1 solution pack on your system and v1.1.0 is available, you will see an Update Available link, which you can click to open the solution pack's popup. On the solution pack's popup, you will see an Update to <version number> button; clicking this button upgrades the solution pack to the newer version.

To upload a custom solution pack (.zip) that you have already created, click Upload > Upload Solution Pack. This opens the Upload Solution Pack popup where you can drag-and-drop the .zip file of the solution pack or browse to the .zip file to add the solution pack in FortiSOAR. If you have an existing version of the solution pack on your system, then you can click the Replace existing version checkbox to replace that version of the solution pack.

Notes:

  • If there is any dependency associated with the custom solution pack, then you must install that dependency before importing the solution pack.
  • If your custom solution pack has a dependency on a solution pack that is part of the repository, for example, MITRE Framework, then the repo solution pack gets installed (if not already installed) when the custom solution pack is installed.
  • If you have exported a repository solution pack, for example, the MITRE Framework SP, and imported it to another system, then that imported solution pack is considered a local custom solution pack and you will not get further updates to that solution pack.

You can perform the following actions on the popup of an installed SP:

  • Edit: To edit an installed repository solution pack to suit your requirements, click Edit to open the confirmation dialog for creating a local copy of that solution pack. Clicking Confirm opens the Clone Solution Pack Editor. For details on editing solution packs, see Editing an existing Solution Pack. In the case of a custom (local) solution pack, you can simply edit the solution pack; a local copy does not get created.
  • Export: To export a solution pack in the .zip format so that it can be used in another environment, click the Export button. Once the solution pack is saved as a .zip file, you can import the same using Upload > Upload Solution Pack.
  • Delete: To delete an installed solution pack, click Delete Template, which displays a Confirmation dialog. Click Confirm on the dialog to uninstall the solution pack. When you perform the delete operation, the solution pack template gets deleted, and data associated with the installed solution pack, such as the data of the associated connectors, widgets, etc., is retained on your system.

Apart from this, the solution pack also contains a link to its Documentation and its GIT repository, if that solution pack is part of the public GIT repository. When you hover on the GIT icon you can see the ratings of that solution pack and the number of forks that have been created from that solution pack.

Creating Solution Packs

Use the Solution Pack Building Wizard to efficiently create new Solution Packs.

To create a new Solution Pack, do the following:

  1. On the FortiSOAR left-navigation, click Content Hub > Create.
  2. On the Create tab, click Create > New Solution Pack, which displays the Create New Solution Pack Wizard.
    Solution Pack Building Wizard
  3. Click Let's start by defining a solution pack to open the About Solution Pack screen where you can provide the metadata for the solution pack such as the title, version, etc.
    Provide metadata for the Solution Pack
    Details that you can provide are:
    1. Upload a logo for the solution pack.
    2. In the Solution Pack Name field, enter an appropriate title for your Solution Pack.
      Note: The supported characters for the title are alphanumeric characters, spaces, colons, hyphens, ampersands (&), and underscores. Also, the value that you enter in this field must not match the name of any other Solution Pack that is available in the Content Hub. For example, you cannot enter SOAR Framework in this field, since the SOAR Framework Solution Pack is available in the Content Hub.
    3. The API Identifier field contains an auto-populated name based on the name that you specify for the solution pack. The API Identifier is used as a variable in the Solution Pack code to reference this Solution Pack.
    4. In the Version field, enter the version of the Solution Pack in the x.y.z format. For example, 1.0.0. As a good practice, you should always increase the version number before making changes to an installed solution pack.
    5. (Optional) In the Publisher field, enter the name of your organization as the publisher of this Solution Pack. The publisher of the Solution Pack is responsible for maintaining and supporting the Solution Pack.
      If you want to keep the Solution Pack anonymous, then you can add the "Community" keyword. If this field is left blank, the Solution Pack's publisher is also automatically set to "Community".
      Note: Do not enter "Fortinet" in this field.
    6. (Optional) In the Description field, enter information for the Solution Pack that you are creating. The Description is displayed on the Solution Pack card on the Content Hub listing page and enables users to understand more about the Solution Pack.
    7. (Optional) In the Help Link field, you can enter the links of the web pages that contain the details of the solution pack.
    8. (Optional) In the Support Info field, you can enter support email IDs that users can contact if they have any issues with the solution pack.
    9. (Optional) From the Category list, select the categories in which you want to place this solution pack. For example, Authentication, Centralized Security Management, Threat Intelligence, etc.
    10. (Optional) In the Tags field, enter the keywords that you want to associate with the Solution Pack. Tags make it easier to search and filter solution packs.
    11. Click Continue once you have completed entering the details.
  4. On the Prerequisites screen, add the dependencies and other prerequisites that are required to install the solution pack:
    1. From the Select Solution Pack list, select the solution packs that must be installed by users on their system before installing this solution pack, and then click Add as Dependency.
    2. In the Prerequisites section, click + Add Instruction to add instructions that users must follow for the solution pack to work, and then click Continue. Examples of this could be simple code snippets or commands that users need to run after installation of the solution pack, or a list of steps users should follow after installing the solution pack. You can add multiple instructions for a solution pack.
      SP Building Wizard - Prerequisites
  5. On the Choose Entities screen, select the entities such as modules, playbooks, connectors, administrative and security settings, etc., that you want to bundle with the solution pack, and then click Continue.
    Choose Entities to be bundled with the Solution Pack
  6. On the Filter Data screen, you can choose the granular details of the entities that you want to include in the solution pack and then click Continue. The entities displayed on this screen are dependent on the entities that you have selected on the Choose Entities screen. For example, if you only want a specific set of modules to be part of the solution pack, then you can select only those modules, such as Alerts, Approvals, Incidents, Tasks, etc. You can also choose the fields that you want to include in a selected module by clicking Review. To include record sets, click Records, and to include their correlations, click Correlations.
    The Filter Data screen is the same as is present in the Export Wizard. For details on the Filter Data screen, see the Export Wizard topic of the Application Editor chapter in the "Administration Guide".
    Solution Pack Wizard - Filter Data Screen
  7. On the Create Solution Pack screen, you can review the solution pack contents and details of the solution. Clicking Create a Draft To Workspace saves the solution pack in the Create tab, where you can continue to refine the solution pack. Solution Packs that are in the 'Draft' state are not available for local users to include in their solution packs, i.e., they cannot be included in any other solution pack as a dependency, though users can make edits to the solution pack in the Create tab. Click Save and Publish to publish the solution pack and add this solution pack in the Manage tab. Publishing makes the solution pack available to other users who are local to your FortiSOAR environment, i.e., users who are locally present in your FortiSOAR environment can select the solution pack as a dependency for their solution packs.
    Reviewing the created Solution Pack
  8. For our example, we clicked Create As Draft To Workspace, which displays a screen mentioning the next steps that you can perform with the solution pack. You can also click Download Solution Pack File to download a zip file of your solution pack.
    Solution Pack Building Wizard - Next Steps screen
    The next steps that you can perform are:
    • Keep enhancing and updating the solution pack in your WorkSpace tab.
    • Publish the solution pack and make it accessible to users local to your FortiSOAR environment.
    • Download the solution pack and contribute it to the FortiSOAR public Content Hub. This option contains a link that opens a GIT repository that contains instructions on how a user can contribute to the public Content Hub.
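
The metadata and dependency rules from the About Solution Pack and Prerequisites screens can be checked before a pack is built or uploaded. The following is an added example, not FortiSOAR code: the dictionary layout, field names, function names, and sample values are assumptions made for illustration, and the name check assumes ASCII alphanumerics.

```python
import re

# Hypothetical metadata layout; the rules come from the wizard steps above.
NAME_RE = re.compile(r"[A-Za-z0-9 :&_-]+")   # alphanumerics, space, : - & _
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample data, not taken from a real system.
HUB_NAMES = {"SOAR Framework", "MITRE Framework", "Knowledge Base"}
AVAILABLE = {"SOAR Framework", "MITRE Framework"}  # published or installed
DRAFT = {"name": "Phishing Triage: Email & Web", "version": "1.0",
         "publisher": "", "dependencies": ["SOAR Framework", "Local Enrichment"]}


def parse_version(text):
    """Return (x, y, z) for an x.y.z string, or None if it is malformed."""
    m = VERSION_RE.fullmatch(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def preflight(pack, hub_names, available, installed_version=None):
    """Check pack metadata; return (normalized_pack, list_of_problems)."""
    problems = []
    name = (pack.get("name") or "").strip()
    if not NAME_RE.fullmatch(name):
        problems.append("name: empty or contains unsupported characters")
    if name in hub_names:
        problems.append("name: already used by a pack in the Content Hub")
    version = parse_version(pack.get("version"))
    prev = parse_version(installed_version)
    if version is None:
        problems.append("version: expected x.y.z, for example 1.0.0")
    elif prev is not None and version <= prev:
        problems.append("version: increase it before changing an installed pack")
    # A blank publisher is set to "Community" by the wizard.
    publisher = (pack.get("publisher") or "").strip() or "Community"
    if publisher.lower() == "fortinet":
        problems.append('publisher: must not be "Fortinet"')
    for dep in pack.get("dependencies", []):
        if dep not in available:  # draft packs cannot be dependencies
            problems.append(f"dependency: {dep!r} is not published or installed")
    fixed = dict(pack, name=name, publisher=publisher)
    return fixed, problems


if __name__ == "__main__":
    fixed, problems = preflight(DRAFT, HUB_NAMES, AVAILABLE)
    print("publisher:", fixed["publisher"])
    for p in problems:
        print("-", p)
```
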

Editing an existing Solution Pack

To edit a solution pack that is in your local environment (and not published), go to the Create tab, and click edit on the solution pack card to open the Edit Solution Pack wizard. You can also create a new version of the solution pack by clicking Add Version on the solution pack card. This opens the Clone Solution Pack wizard, where you can add a new version of the SP and continue to edit the SP as per your requirements:
Clone SP Wizard

To edit a solution pack from the repository to suit your requirements, do the following:

  1. On the FortiSOAR left-navigation, click Content Hub > Manage.
  2. On the Manage tab, click the card of the solution pack that you want to edit to open the solution pack popup, and then click Edit. When you click Edit, FortiSOAR displays a confirmation dialog box to get a confirmation on creating a local copy of the solution pack that you can edit, so that you can edit an existing solution pack without impacting the original one:
    Edit Solution Pack Confirmation dialog
  3. Click Confirm to open the Clone Solution Pack wizard.
  4. Edit the solution pack as required and then either save the solution pack as a draft in the Create tab or publish the solution pack. The Clone Solution Pack wizard contains the same screens and fields as the Create New Solution Pack wizard. For more information on the screens and fields, see the Creating Solution Packs topic.
    Note: It is recommended that you increase the version number before making changes to an installed solution pack.