Fortinet black logo

User Guide

Home FortiSOAR 7.3.0 User Guide

Modules

7.3.0
7.5.0
7.4.3
7.4.2
7.4.1
7.4.0
7.3.1
7.3.0
7.2.2
7.2.1
7.2.0
7.0.3
7.0.2
7.0.1
7.0.0
6.4.4
6.4.3
6.4.1
6.4.0
6.0.0
Copy Link
Copy Doc ID 90cc14aa-4eaa-11ed-9d74-fa163e15d75b:824229
Download PDF

Modules

Modules provide access to individual data models within the FortiSOAR database, such as Incidents.

Default Modules

You will see the following default modules in case of a fresh install of FortiSOAR and if you have installed the SOAR Framework Solution Pack.

Note

From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed by default with the fresh installations of FortiSOAR

The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.

In FortiSOAR, the left navigation bar categorizes the modules as follows:

  • Dashboard
  • Queue and Shift Management
  • Incident Response
    Alerts
    Incidents
    Tasks
    Indicators
    Campaigns
    Hunts
    War Rooms
  • Automation
    Playbooks
    Connectors
    Data Ingestion
    Schedules
    SLA Templates
  • Resources
    Attachments
    Email Templates
  • Reports
  • Widget Library
  • Content Hub
  • Help

Dashboard

Dashboards are generally the users' default home page. Administrators create dashboards that are applicable throughout the application and are assigned to users based on their roles. For more information, see the Dashboards, Templates, and Widgets chapter.

Queue and Shift Management enables you to automatically assign records to users within a queue using queues and shifts. For more information, see the Queue and Shift Management chapter.

Incident Response

The Incident Response Component is a collection of all modules typically related to Security Incidents. You might work on the entire Incident lifecycle from within this component.

This component underpins the operational side of your SOC. The standard flow starts within the Alerts module.

Alerts

Alerts in FortiSOAR are essentially notifications indicating that an attack has been directed at an organization's systems. Alerts are related to events and often contain essential information for addressing the attack by including vulnerabilities and exploits being leveraged by the potential attack.

Incidents

Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be related to cyber or physical security.

Tasks

Tasks represent a discrete action taken by either an individual or automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond that of your SOC team.

Tasks might also be created to represent actions taken automatically as a part of a response policy enacted by a Workflow. This requires that the Workflow must have a step to insert a Task as a record of an action undertaken by an external system, such as adding an IP address to the denylist in the firewall ruleset.

Indicators

Indicators contain details of all the data that is collected from system log entries or files, which identify potentially malicious activity on a system or network. It contains records of identifiable information regarding a threat, such as an IP or URL.

Once an alert is created FortiSOAR extracts the metadata from the raw alert data and creates indicators, with details such as type of indicator, i.e. IP address, URL, attachment, domain, etc., the value of the indicator, such as the IP address number, the domain name, whether this indicator has been sighted any other alerts, and what is the IOC status of that indicator.

Campaigns

Campaigns represent a collection of Incidents that can be tied to a single Threat Actor. Seemingly disparate Incidents might be related attempts from a malicious attacker attempting to probe and gain access to your network.

It is generally difficult to determine if Incidents themselves are related and roll them into a Campaign. Typically, they would be linked by a known, single threat actor based upon some uniquely identifiable piece of information that ties the Actor across multiple Incidents. Note that Campaigns are not part of default modules.

Hunts

Hunts is a module where you can store and organize your hunts. The hunt you create becomes a central repository where you can link all Alerts, Assets, Users, and other modules’ records associated with your hunting activity.

War Rooms

War Rooms in FortiSOAR is a collaborative space that enables SOC teams to mitigate a critical cyber threat scenario or campaign. FortiSOAR makes it easy for analysts to quickly and easily provision a War Room that allows participation of all stakeholders to analyze and collaborate to quickly mitigate the threat and restore the services. For more information, see the War Rooms chapter.

Automation

The Automation Component is a collection of modules that you can use to automate your security operations.

Playbooks

Playbooks in FortiSOAR allows you to automate your security processes across external systems while respecting the business process required for your organization to function. For more information, see the Playbooks Guide.

Connectors

Connectors provide you with the ability to retrieve data from custom sources and perform automated operations. FortiSOAR has already developed a number of connectors and also provides you with a Connector Building wizard using which you can develop custom connectors that can retrieve data from custom sources. For more information, see Connectors Guide.

Data Ingestion

Data Ingestion enables you to use the FortiSOAR Data Ingestion Wizard to ingest data from external SIEM solutions and other third-party sources like threat intelligence platforms, email solutions, etc. The wizard also takes care of the scheduling of data ingestion into FortiSOAR, if the connector is enabled for scheduling. For more information, see Connectors Guide.

Schedules

Schedules in FortiSOAR allow you to schedule playbooks to run at regular intervals. For more information, see the Schedules chapter.

Note

Schedules as a module is removed, i.e., you will not find schedules on the Modules page and you cannot modify the mmd of the schedules using the Application Editor.

SLA Templates

SLA Templates in FortiSOAR can be used to create an in-built SLA management for incidents and alerts. For more information, see the SLA Management chapter in the "Administration Guide."

Resources

The Resources Component is a collection of all modules typically related to components stored in FortiSOAR such as attachments and templates.

Attachments

Attachments represent files that are uploaded and stored in FortiSOAR. You submit files that are available in the FortiSOAR Attachments module to 3rd-party tools to scan and analyze suspicious files and retrieve reports for the submitted samples.

Tooltip

You can add a file up to the maximum file size of 100 MB in the Attachments module.

Email Templates

Email Templates represent templates that are stored in FortiSOAR that you can use when you want to send emails from FortiSOAR. For example, if you have created a rule that requires FortiSOAR to send an email automatically if a particular condition is met, then you must create a template for the email and save that email in the Email Templates module.

Email Templates contain a set of standard templates included with FortiSOAR. Standard templates include emails that are sent by FortiSOAR when a new user is added in FortiSOAR or an email that is sent to users when they forget their passwords and send a request to reset the FortiSOAR password.

Reports

Reports represent FortiSOAR Reports that you should use for your reporting purposes. You can easily create rich reports and dashboards in FortiSOAR. You can also schedule reports, view historical reports and also search for text in the report PDF, which is in the text PDF format. For more information, see the Reports chapter.

Widget Library

Widgets allow users to edit out-of-the-box (OOB) widgets and build new widgets for custom use cases. Users can use the widget library to customize existing widgets or build new widgets as per their requirements. For more information, see the Widgets Library chapter.

Content Hub

Content-Hub contains out-of-the-box reference material and product add-ons like solution packs, connectors, widgets, etc.

Solution Packs are the implementation of best practices to configure and optimally use FortiSOAR enabling users to get started easily and effectively. The solution packs contain a lot of sample/simulation/training data that enables you to experience FortiSOAR without having all the devices.
Connectors provide you with the ability to retrieve data from custom sources and perform automated operations. For more information, see Connectors Guide.

Widgets allow users to edit out-of-the-box (OOB) widgets and build new widgets for custom use cases. For more information, see the Widgets Library chapter.

Help

The Help component contains the Knowledge Base, which is the FortiSOAR Product documentation, along with small tutorials and examples, to help you work effectively with FortiSOAR.

Additional Modules

In addition to the default modules, the installation of solution packs (SP) provides you with corresponding modules. For example, if you install the Vulnerability Management SP, the Vulnerability Management modules get installed or if you install the SOC Simulator SP, the Scenarios/Simulations module gets installed. Detailed documentation comes bundled with each solution pack.

Vulnerability Management

Vulnerability Management is a collection of all modules typically related to vulnerabilities that exist in your system.

Vulnerabilities

Vulnerabilities represent a collection of weaknesses in your systems that can lead to security concerns. You can configure vulnerability scans to run periodically on your network, creating an inventory of the vulnerabilities for your specific assets.

Assets

Computers represent the Assets of your organization. Assets represent a unique piece of hardware and any information known about that hardware, such as MAC address, hostname, or IP address. Assets preferably have a unique identifier.

Assets typically are only stored within FortiSOAR as records related to Incidents, Alerts, or Vulnerabilities. Asset information may be pulled from a CMDB or other resource available with knowledge of the asset characteristics, such as an ARP table or DHCP records.

In the case of large networks, Asset tracking is often a complicated process and plagued with limitations. We recommend that Asset creation involve corroboration between multiple unique sources of data that build a level of confidence in the accuracy of the Asset information, as single sources can be unreliable with respect to data integrity and accuracy.

Scans

Scans contain the details of all the scans that you run on your systems. It contains records of a bulk scan from scanners.

Scenarios

The Scenarios module allows you to run various Simulations. It contains simulation data and utilities that demonstrate FortiSOAR capabilities around several important SOC use-cases without the need to integrate with actual device endpoints.

Previous
Next

Modules

Modules provide access to individual data models within the FortiSOAR database, such as Incidents.

Default Modules

You will see the following default modules in case of a fresh install of FortiSOAR and if you have installed the SOAR Framework Solution Pack.

Note

From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed by default with the fresh installations of FortiSOAR

The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.

In FortiSOAR, the left navigation bar categorizes the modules as follows:

  • Dashboard
  • Queue and Shift Management
  • Incident Response
    Alerts
    Incidents
    Tasks
    Indicators
    Campaigns
    Hunts
    War Rooms
  • Automation
    Playbooks
    Connectors
    Data Ingestion
    Schedules
    SLA Templates
  • Resources
    Attachments
    Email Templates
  • Reports
  • Widget Library
  • Content Hub
  • Help

Dashboard

Dashboards are generally the users' default home page. Administrators create dashboards that are applicable throughout the application and are assigned to users based on their roles. For more information, see the Dashboards, Templates, and Widgets chapter.

Queue and Shift Management enables you to automatically assign records to users within a queue using queues and shifts. For more information, see the Queue and Shift Management chapter.

Incident Response

The Incident Response Component is a collection of all modules typically related to Security Incidents. You might work on the entire Incident lifecycle from within this component.

This component underpins the operational side of your SOC. The standard flow starts within the Alerts module.

Alerts

Alerts in FortiSOAR are essentially notifications indicating that an attack has been directed at an organization's systems. Alerts are related to events and often contain essential information for addressing the attack by including vulnerabilities and exploits being leveraged by the potential attack.

Incidents

Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be related to cyber or physical security.

Tasks

Tasks represent a discrete action taken by either an individual or automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond that of your SOC team.

Tasks might also be created to represent actions taken automatically as a part of a response policy enacted by a Workflow. This requires that the Workflow must have a step to insert a Task as a record of an action undertaken by an external system, such as adding an IP address to the denylist in the firewall ruleset.

Indicators

Indicators contain details of all the data that is collected from system log entries or files, which identify potentially malicious activity on a system or network. It contains records of identifiable information regarding a threat, such as an IP or URL.

Once an alert is created FortiSOAR extracts the metadata from the raw alert data and creates indicators, with details such as type of indicator, i.e. IP address, URL, attachment, domain, etc., the value of the indicator, such as the IP address number, the domain name, whether this indicator has been sighted any other alerts, and what is the IOC status of that indicator.

Campaigns

Campaigns represent a collection of Incidents that can be tied to a single Threat Actor. Seemingly disparate Incidents might be related attempts from a malicious attacker attempting to probe and gain access to your network.

It is generally difficult to determine if Incidents themselves are related and roll them into a Campaign. Typically, they would be linked by a known, single threat actor based upon some uniquely identifiable piece of information that ties the Actor across multiple Incidents. Note that Campaigns are not part of default modules.

Hunts

Hunts is a module where you can store and organize your hunts. The hunt you create becomes a central repository where you can link all Alerts, Assets, Users, and other modules’ records associated with your hunting activity.

War Rooms

War Rooms in FortiSOAR is a collaborative space that enables SOC teams to mitigate a critical cyber threat scenario or campaign. FortiSOAR makes it easy for analysts to quickly and easily provision a War Room that allows participation of all stakeholders to analyze and collaborate to quickly mitigate the threat and restore the services. For more information, see the War Rooms chapter.

Automation

The Automation Component is a collection of modules that you can use to automate your security operations.

Playbooks

Playbooks in FortiSOAR allows you to automate your security processes across external systems while respecting the business process required for your organization to function. For more information, see the Playbooks Guide.

Connectors

Connectors provide you with the ability to retrieve data from custom sources and perform automated operations. FortiSOAR has already developed a number of connectors and also provides you with a Connector Building wizard using which you can develop custom connectors that can retrieve data from custom sources. For more information, see Connectors Guide.

Data Ingestion

Data Ingestion enables you to use the FortiSOAR Data Ingestion Wizard to ingest data from external SIEM solutions and other third-party sources like threat intelligence platforms, email solutions, etc. The wizard also takes care of the scheduling of data ingestion into FortiSOAR, if the connector is enabled for scheduling. For more information, see Connectors Guide.

Schedules

Schedules in FortiSOAR allow you to schedule playbooks to run at regular intervals. For more information, see the Schedules chapter.

Note

Schedules as a module is removed, i.e., you will not find schedules on the Modules page and you cannot modify the mmd of the schedules using the Application Editor.

SLA Templates

SLA Templates in FortiSOAR can be used to create an in-built SLA management for incidents and alerts. For more information, see the SLA Management chapter in the "Administration Guide."

Resources

The Resources Component is a collection of all modules typically related to components stored in FortiSOAR such as attachments and templates.

Attachments

Attachments represent files that are uploaded and stored in FortiSOAR. You submit files that are available in the FortiSOAR Attachments module to 3rd-party tools to scan and analyze suspicious files and retrieve reports for the submitted samples.

Tooltip

You can add a file up to the maximum file size of 100 MB in the Attachments module.

Email Templates

Email Templates represent templates that are stored in FortiSOAR that you can use when you want to send emails from FortiSOAR. For example, if you have created a rule that requires FortiSOAR to send an email automatically if a particular condition is met, then you must create a template for the email and save that email in the Email Templates module.

Email Templates contain a set of standard templates included with FortiSOAR. Standard templates include emails that are sent by FortiSOAR when a new user is added in FortiSOAR or an email that is sent to users when they forget their passwords and send a request to reset the FortiSOAR password.

Reports

Reports represent FortiSOAR Reports that you should use for your reporting purposes. You can easily create rich reports and dashboards in FortiSOAR. You can also schedule reports, view historical reports and also search for text in the report PDF, which is in the text PDF format. For more information, see the Reports chapter.

Widget Library

Widgets allow users to edit out-of-the-box (OOB) widgets and build new widgets for custom use cases. Users can use the widget library to customize existing widgets or build new widgets as per their requirements. For more information, see the Widgets Library chapter.

Content Hub

Content-Hub contains out-of-the-box reference material and product add-ons like solution packs, connectors, widgets, etc.

Solution Packs are the implementation of best practices to configure and optimally use FortiSOAR enabling users to get started easily and effectively. The solution packs contain a lot of sample/simulation/training data that enables you to experience FortiSOAR without having all the devices.
Connectors provide you with the ability to retrieve data from custom sources and perform automated operations. For more information, see Connectors Guide.

Widgets allow users to edit out-of-the-box (OOB) widgets and build new widgets for custom use cases. For more information, see the Widgets Library chapter.

Help

The Help component contains the Knowledge Base, which is the FortiSOAR Product documentation, along with small tutorials and examples, to help you work effectively with FortiSOAR.

Additional Modules

In addition to the default modules, the installation of solution packs (SP) provides you with corresponding modules. For example, if you install the Vulnerability Management SP, the Vulnerability Management modules get installed or if you install the SOC Simulator SP, the Scenarios/Simulations module gets installed. Detailed documentation comes bundled with each solution pack.

Vulnerability Management

Vulnerability Management is a collection of all modules typically related to vulnerabilities that exist in your system.

Vulnerabilities

Vulnerabilities represent a collection of weaknesses in your systems that can lead to security concerns. You can configure vulnerability scans to run periodically on your network, creating an inventory of the vulnerabilities for your specific assets.

Assets

Computers represent the Assets of your organization. Assets represent a unique piece of hardware and any information known about that hardware, such as MAC address, hostname, or IP address. Assets preferably have a unique identifier.

Assets typically are only stored within FortiSOAR as records related to Incidents, Alerts, or Vulnerabilities. Asset information may be pulled from a CMDB or other resource available with knowledge of the asset characteristics, such as an ARP table or DHCP records.

In the case of large networks, Asset tracking is often a complicated process and plagued with limitations. We recommend that Asset creation involve corroboration between multiple unique sources of data that build a level of confidence in the accuracy of the Asset information, as single sources can be unreliable with respect to data integrity and accuracy.

Scans

Scans contain the details of all the scans that you run on your systems. It contains records of a bulk scan from scanners.

Scenarios

The Scenarios module allows you to run various Simulations. It contains simulation data and utilities that demonstrate FortiSOAR capabilities around several important SOC use-cases without the need to integrate with actual device endpoints.

Previous
Next