FortiSOAR is a centralized hub for all of your security operations. Our platform provides customizable mechanisms for prevention, detection, and response that work across tools in your environment. The integrations here are intended to provide a demonstration of how FortiSOAR can enable your security operations from end-to-end.
Use the user guide to understand how to use FortiSOAR, including using modules such as Alerts and Incidents, importing data, searching within FortiSOAR, and creating your own custom dashboards and templates.
Logging on to FortiSOAR
Your administrator will provide you access and credentials to log on to the FortiSOAR application.
You must change the password when you first log on to FortiSOAR, irrespective of the complexity of the password assigned to you, by clicking the User Profile icon () and then selecting the Change Password option.
Upon accessing the FortiSOAR login screen, enter your login credentials.
If your organization uses SSO and your administrator has completed the configuration of SSO for FortiSOAR, you can use Single Sign On (SSO) to log on to FortiSOAR. Log on to FortiSOAR using SSO by clicking the Login with SSO button that is present on the FortiSOAR login page.
Once you click the Login with SSO button, you are redirected to a third-party identity login page, where you must enter your credentials and get yourself authenticated. Once you successfully log on to FortiSOAR, your user profile automatically gets created. Your user profile is created based on the default values, such as your default team and role, configured by your administrator. You can update your profile by editing your user profile.
All users of the system have a profile. Once you log on to FortiSOAR, you can access your own profile and can update your information. To access your profile, click the User Profile icon () on the top-right bar in FortiSOAR.
You can view your name, email, username, password, phone numbers, teams and roles to which you are assigned. You can also view your own audit logs, which display a chronological list of all the actions that you have performed across all the modules of FortiSOAR.
The Username field is mandatory and case sensitive and it cannot be changed once it is set.
You can upload your profile picture by clicking Change Image, which opens the
Upload a Profile Picture dialog, where you can drag-and-drop the profile image file, or click the Import icon and browse to the image file to import the profile image file to FortiSOAR, and then click Save Profile Image to add the profile image. Once the profile image is added, the same can be removed at anytime by clicking the Remove Image button that appears on the profile image.
You must change your password when you first log on to FortiSOAR. You can also change your password at any time by clicking the User Profile icon and selecting the Change Password option. Clicking the Change Password option opens the
Change Password dialog in which you enter your old password in the Old Password field, new password in the New Password field and re-enter the new password in the Confirm Password Field. New passwords that are set must contain at least 8 characters, one lower-case alphabet, one upper-case alphabet, one digit, and any one of the following special characters
Click Submit to change your password.
If you face issues with user preferences such as, applying filters on the grid or column formatting within a grid, click the More Options icon () and click on the Reset Columns To Default option.
You can view your user type and username in the Authentication section. Do not change these options
The 2-Factor authentication menu displays the current user preference for the 2-factor method. Currently, FortiSOAR supports only TeleSign for 2-Factor authentication. Do not change this option.
Notification preferences determine how FortiSOAR notifications get consumed by users. Do not change this option.
You can update your FortiSOAR theme using the Theme Settings menu on the
Edit User page. There are currently three theme options, Dark, Light, and Space, with Space being the default. Click Preview Theme to see the Theme as it would look and save the profile to apply the theme.
History menu to view your authentication history and your ten most recent authentication attempts and their outcome.
User Specific Audit Logs panel to view a chronological list of all the actions that you have performed across all the modules of FortiSOAR. The audit log also displays users' login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.
Regenerating your password
In case you forget your FortiSOAR password, use the following procedure to reset or regenerate your password:
- On your FortiSOAR login page, click the Forgot Password link.
- On the
Forgot Passwordscreen, enter your username, validate the captcha, and then click Send Reset Link.
Once you click Send Reset Link, an email is sent to the email address associated with the specified username.
Working in FortiSOAR
The FortiSOAR interface is based around a common navigation bar on the left side of the application, a global search bar, and filtering within modules. All navigation is built on top of the authorization you are provided according to your RBAC permissions.
For instance, if you have Read privileges to the Incidents module, you will be able to view all Incidents that are within your Ownership Sphere.
The navigation bar provides quick access to the Components and Modules you are authorized to view.
At the highest level, the navigation bar provides Components, which open when you click on the component to reveal a module menu with all accessible modules. For example, when you click on the Incident Response, its module menu reveals the Alerts, Incidents, Tasks, Indicators, War Rooms modules. Module links go to the Module's record listing pages.
There are three methods of searching within FortiSOAR.
|Global Search||The Global Search bar at the top of the screen allows you to search for one or more keywords across all records within the system|
|Table Filter||The Table Filter method allows you to search the name field quickly, such as Incidents, within the context of an individual data column on the table|
|Column Filter||The Column Filter method within tables allows you to search specific records from a module, such as Incidents, within the context of an individual data column on the table|
The Global Search mechanism leverages an Elastic Search database to achieve rapid, efficient searches across the entirety of the record system. All the record data is stored in Elastic Search, including from file attachments, and made searchable.
The Global Search mechanism respects authorization from users to return search results, meaning users without Read permissions on a Module would not see results returned from that module even if they were found during the search.
Global Search result findings may be exported in the results table to CSV and then stored for future reference if desired.
Viewing Settings and Executed Playbook Logs
The Settings and the Executed Playbook Logs icons appear on the top-right corner of your FortiSOAR screen.
Clicking the Settings icon displays the various administrative settings used to configure and customize FortiSOAR. Your administrator would already have configured these options, therefore you should not edit these options.
Clicking the Executed Playbook Logs icon displays the results of your playbooks that you have executed.
You can also use the executed playbook logs to debug your playbooks. For more information on all the Executed Playbook Logs, see the Debugging and Optimizing Playbooks chapter in the "Playbooks Guide."
Viewing Notifications and Pending Tasks
The Notifications and the Pending Tasks icons appear on the top-right corner of your FortiSOAR screen.
The Notifications icon contains a number in red color that mentions the number of unread notifications. Notifications include informative information, such as failure of workflows, assignment of user on created and updated alerts, incidents, tasks, etc., and actions that are pending for some user action. Clicking the Notifications icon displays the 'Notifications Panel':
In the Notification Panel, you can use the Search box to search for a particular notification, or filter notifications as follows:
- Click All to display all the notifications.
- Click Action Required to display only those notifications such as approvals, that are pending for some user action.
- Click @Mentions to display a list of comments in which you have been tagged.
- Select Show only Unread to display only those notifications that have not been read. Notifications get read once you click on them opening their corresponding records.
You can also delete notifications from the Notifications Panel or Pending Tasks panel, once you have read them by clicking the Delete icon. However, you can delete only those notifications that are assigned to you and not those that are assigned to a team, or any other user, or system (global) notifications such as workflow failures.
Users with a minimum of
Update permissions on the
Security Module can also click the Purge All icon to display the
Purge Notifications dialog. Click Purge All Notifications to delete all notifications or click Purge All Read Notifications to delete all read notifications:
The Pending Tasks icon contains a number in red color that mentions the number of pending tasks, both approvals and manual inputs. Clicking the Pending Tasks icon displays the 'Pending Tasks' panel:
For more information on the pending tasks panel, manual inputs, and approvals, see the Triggers and Steps chapter in the "Playbooks Guide."
Add records to a module using the Add button present on top of the grid that lists module records based on RBAC permissions.
Record editing within the record detail view can be accomplished via Inline editing, which allows for quick changes to fields and requires confirmation for all updates.
Additionally, in the detail view of every record is an Edit button on the top right in the breadcrumb bar. This gives you access to a bulk editing interface for all fields that are allowed within the authorization model of your user.
Modules & Models
One of the primary features of FortiSOAR is the ability to provide a clean interface with customized data models optimized for tracking day-to-day security data, such as Alerts.
FortiSOAR unifies the data streams to provide a centralized management interface for tracking. This means Incidents may spend their entire lifecycle rolled up inside of FortiSOAR and working across other related data being tracked, such as Tasks or Assets.
By providing a single place to view and organize security data, much of the overhead and manual effort of going to disparate security tools is significantly reduced. Users are enabled to focus on analyzing the data, not collecting the data.
Models within FortiSOAR are easily customizable according to the needs of an organization via API.
Many modules may be accessed through relationships but might not be directly displayed in the interface navigation. Please see the detailed list of modules provided for more description.
Modules provide access to individual data models within the FortiSOAR database, such as Incidents.
All Module fields are editable and can be customized or extended as needed via API. Models are based on a standard JSON schema.
We recommend you do not delete the core module fields that are included in your instance without consulting FortiSOAR Support. Deletion of core module fields may result in upgrade issues at a future date.
Not all modules will be exposed in the navigation. Some of them are only accessible within the context of other modules. You can modify the default navigation if you desire to add new modules at any time.
From release 7.2.0 onwards, the Incident Response modules have been removed from the FortiSOAR platform and moved to the SOAR Framework Solution Pack (SP). The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.
A brief about the incident response modules follows:
- Alerts: Alerts generally represent records that contain a notice of suspicious activity typically triggered in a SIEM.
- Incidents: Incidents generally represent records of an actual breach of security.
- Indicators: Indicators generally represent records that contain simple identifiable information regarding a threat such as an IP or URL.
- Tasks: Tasks represent a discrete action taken by either an individual or automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond that of your SOC team.
- War Rooms: War Rooms in FortiSOAR is a collaborative space that enables SOC teams to mitigate a critical cyber threat scenario or campaign.
NOTE: Playbooks and Reporting do not have any associated Module definition.
Individual records are easily linked in the FortiSOAR interface to provide context and make it simple to track relationships. Linking may be contextual or operational.
For instance, an Incident may have multiple Tasks automatically generated based on the type of Incident. These Tasks stay linked to the Incident throughout the lifecycle and allow for an easy operational overview of where an Incident is beyond tracking just the Incident phase.
In contextual situations, linking provides the ability to relate data records together and increase velocity during Preparation and Analysis activities.
For instance, Alerts link to Artifacts which then may be automatically linked to Assets. Artifacts within an Alert from your SIEM tool may contain information that helps identify and link Asset records making it simple for an Analyst to understand the potential scope of an Alert. FortiSOAR can find identifiable Asset information and then use that to search one or more Asset resources, such as a CMDB, local DNS, or DHCP records.
Linking is accomplished within the record detail view.
FortiSOAR provides a powerful Workflow Engine where machine-to-machine (M2M) automation, policy enforcement, data enrichment, and notifications, are all available within a simple drag-and-drop interface.
Security Playbooks may be digitized and automated via Workflows. A standard library of Playbooks may be added at the time of installation to provide a quick level of defaults that may then be customized to match the specific use cases of your environment.
FortiSOAR utilizes a robust security model with Role Based Access Control (RBAC) as well as team ownership.
RBAC provides Create, Read, Update, and Delete (CRUD), permissions on individual models within the platform. Roles are created by granting CRUD privileges on models within the available models' list.
Teams provide for row-level ownership of records. Teams have an explicit hierarchy model to allow for complex relationships. The Teams you are a member of and their relationships combined define an Ownership Sphere. An Ownership Sphere is the full set of records on which you can exercise your permissions.
Live UI - Web Sockets
Live UI provides users with many benefits, such as immediate refreshing of records in case of an update by users or workflow (playbook or API), without the users having to refresh the views to see the updates manually.
When a user or workflow (playbook or API) updates any record that is being displayed in the following UI components:
- Grid and Relationship grid (view panel)
- Details View Panel
- Collaboration Panel: Comments or Attachments
- Approvals in notification panel
Then these changes are immediately reflected to other users who are active on that FortiSOAR instance.
If your FortiSOAR instance is connected to the web sockets server then a green connection icon is displayed at the top-middle of the FortiSOAR UI as shown in the following image:
If your FortiSOAR instance cannot connect to the web sockets server, due to connectivity or any other issues, then a red connection icon and a message such as "Live Sync is not active...." is displayed at the top-middle of the FortiSOAR UI as shown in the following image:
In such a case FortiSOAR also displays a message to the users asking users to use manual refresh to update the views.