
Administration Guide

Overview

Use the administration guide to understand how to customize and administer FortiSOAR, including system, security and user management, and configuring templates.

Note

When you log on to FortiSOAR for the first time as the csadmin user, you are required to change your password. This protects the csadmin account and prevents unauthorized parties from accessing the FortiSOAR administration account. New passwords must contain at least 8 characters, including one lowercase letter, one uppercase letter, one digit, and one of the following special characters: ~ ! @ # $ % ^ & * | ? _
Make a note of your csadmin password: if you forget the initial csadmin password, you must ask FortiSOAR to reset it. When you change the csadmin password, also update the email ID specified for csadmin, which by default is set to soc@fortinet.com (not a valid email ID). To change it, click the User Profile icon to open the User Profile page and edit the address in the Email field. Once a valid email ID is set in the user profile, you can reset your password whenever required by clicking the Forgot Password link on the login page.

Also note that to move files to or from a FortiSOAR system, you must install SCP (yum install openssh-clients -y) or another SCP client. This is required because the openssh-clients package has been removed from FortiSOAR for security compliance.

Note

From release 7.2.0 onwards, the Incident Response modules have been removed from the FortiSOAR platform and moved to the SOAR Framework Solution Pack (SP). The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboards, roles, widgets, etc., required for the effective day-to-day operation of any SOC. Because the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms, are not part of the FortiSOAR platform, users must install the SOAR Framework SP to make full use of FortiSOAR's incident response capabilities. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.
From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed by default with the fresh installations of FortiSOAR.

Common Tasks

Some of the common tasks that an administrator can perform are:

  • License management
  • System configuration
  • Security management
  • User management
  • Appliance management
  • Password Vault management
  • Playbook configuration
  • Application management

You can perform administration tasks using the Settings icon in the upper right-hand corner, near the User Profile icon.

Tooltip

Apart from the above tasks, you can install the SLA Management Solution Pack to track and manage SLAs for alerts and incidents in FortiSOAR. For more information, see the SLA Management Solution Pack documentation.

Tasks and Permissions

To manage different modules, appropriate rights must be assigned to users. In FortiSOAR, modules are applied to roles, for example, the Security module is applied to the Security Administrator role. Role permissions are based on the Create, Read, Update, and Delete model (CRUD). Each module within FortiSOAR has explicit CRUD permissions that you can modify and save within a single Role.

For example, to perform all tasks for system configuration, you must be assigned a role that has CRUD permissions on the Application module, or to be able to add and manage users, you must be assigned a role that at the minimum has Create and Update permissions on the People module.

By default, FortiSOAR has at least one role in place after installation, the Security Administrator.

The following lists each task, the module permissions it requires, and the default role (where one exists) that carries them:

Task: System configuration
Description: Customizing FortiSOAR and configuring several default options used throughout the system, including setting up authentication mechanisms and configuring dashboards and templates.
Permissions required on the module: Create, Read, Update, and Delete (CRUD) permissions on the Application module.
Default role: Application Administrator.

Task: Security management
Description: Managing teams and roles.
Permissions required on the module: CRUD permissions on the Security module.
Default role: Security Administrator. The Security Administrator role also has CRUD permissions on the Secure Message Exchange and Tenants modules, so that this role can configure multi-tenant systems.

Task: User management
Description: Adding and removing users and editing their permissions.
Permissions required on the module: CRUD permissions on the People module.

Task: Appliances management
Description: Managing appliances and access keys.
Permissions required on the module: CRUD permissions on the Appliances module.

Task: Password Vault management
Description: Integrating with third-party external vaults to manage sensitive data.
Permissions required on the module: CRUD permissions on the Connectors module and Read permission on the Application module.

Task: Playbook management
Description: Configuring playbook collections and playbooks.
Permissions required on the module: CRUD permissions on the Playbook module.
Default role: Playbook Administrator.
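The permission model above (a role holds a set of CRUD operations per module; a task needs a minimum set on one or more modules) can be checked mechanically when reviewing custom roles. The following is an added example, not FortiSOAR code: it encodes the requirements from the list above, including the "at minimum Create and Update on People" case for adding users, and reports both missing and excess permissions. Module names follow the page; the data structures and sample roles are assumptions.

```python
# Added example (not FortiSOAR code): model CRUD-per-module role permissions
# and check a role against the task requirements listed on this page.
CRUD = frozenset({"create", "read", "update", "delete"})

# Minimum module permissions each task requires, taken from the page.
TASK_REQUIREMENTS = {
    "system configuration": {"Application": CRUD},
    "security management": {"Security": CRUD},
    "user management": {"People": CRUD},
    "add and manage users": {"People": frozenset({"create", "update"})},
    "appliance management": {"Appliances": CRUD},
    "password vault management": {"Connectors": CRUD,
                                  "Application": frozenset({"read"})},
    "playbook management": {"Playbook": CRUD},
}


def missing_permissions(role_perms, task):
    """Return {module: missing ops} that role_perms lacks for `task`.

    role_perms maps module name -> set of granted CRUD operations.
    An empty result means the role is sufficient for the task.
    """
    missing = {}
    for module, needed in TASK_REQUIREMENTS[task].items():
        lacking = needed - role_perms.get(module, frozenset())
        if lacking:
            missing[module] = lacking
    return missing


def role_can_perform(role_perms, task):
    return not missing_permissions(role_perms, task)


def excess_permissions(role_perms, tasks):
    """Least-privilege check: ops the role holds beyond what `tasks` need."""
    needed = {}
    for task in tasks:
        for module, ops in TASK_REQUIREMENTS[task].items():
            needed[module] = needed.get(module, frozenset()) | ops
    excess = {}
    for module, ops in role_perms.items():
        extra = ops - needed.get(module, frozenset())
        if extra:
            excess[module] = extra
    return excess


# Constructed sample roles (hypothetical, for illustration only).
HELPDESK = {"People": {"create", "update"}, "Application": {"read"}}
VAULT_ADMIN = {"Connectors": set(CRUD), "Application": {"read"}}
```

Running `excess_permissions(HELPDESK, ["add and manage users"])` flags the unneeded Read on Application, which is the kind of drift a periodic role review should catch.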

Guide to setting up FortiSOAR

The Setup Guide is designed to assist administrators, whether new or experienced, in configuring FortiSOAR according to best practices. It provides guidance on essential configurations and on installing the solution packs needed for optimal performance, such as setting up network proxies, enabling audit and playbook log purging, and configuring enrichment and mitigation playbooks. For details, including the permissions required to view the Setup Guide, see the Setup Guide Widget documentation.

When administrators log into FortiSOAR for the first time, the Setup Guide is displayed:
Setup Guide on logging into FSR

To minimize the Setup Guide, click the > arrow. To reopen the Setup Guide, click the Setup Guide icon in the top-right corner of FortiSOAR:
Setup Guide Icon

To hide the FortiSOAR Setup Guide icon, clear the Enable Setup Guide option on the System Configuration page. For more information, see the System Configuration chapter.
