Introduction

Welcome to Fortinet Security Orchestration, Automation, and Response Platform, otherwise known as FortiSOAR™. Here you will find a centralized hub for all of your security operations. Our platform provides customizable mechanisms for prevention, detection, and response that work across tools in your environment.

We believe that the best protection from Cyber Threats comes from the right combination of People, Processes, and Tools. FortiSOAR™ allows you to manage the entire lifecycle of Alerts, Threats, Incidents, and Vulnerabilities based on the best practices of Security Operations teams. We allow the security team to focus on what's important and automate the mechanisms for gathering, analyzing, prioritizing, and acting on security data.

Component    Description
People       People work within our interface to monitor, update, and address security data.
Processes    Processes and Playbooks become digitized within our Playbook Engine to move from static documentation to actual action and orchestration.
Tools        Tools are connected and orchestrated across the People via the Processes.

Our platform unifies these 3 ingredients to create velocity in addressing and preventing security Incidents. Our goal is to ensure your response time is reduced from days or months to minutes.

FortiSOAR™ 6.0.0 enhances its native support for multi-tenancy for managed security services providers (MSSPs), including support for the master to modify tenants' MMDs, and the ability to push modules and picklists from the master node to the tenant nodes. For more information on how to configure multi-tenancy for FortiSOAR™ see the "Multi-Tenancy Support in FortiSOAR™ Guide." FortiSOAR™ 6.0.0 also revamps the FortiSOAR™ UI making it more intuitive and easier to use FortiSOAR™, including enhancing the Executed Playbook Logs.

FortiSOAR™ has enhanced the Data Ingestion wizard that facilitates ingesting data from external SIEM solutions and other third-party sources such as threat intelligence platforms, email solutions, etc. Enhancements include updates to the UI to make it easier to work with the wizard, support for pull-based ingestion for each of your connector configurations, support for including multiple queries to pull data, and the introduction of a Data Ingestion tab that displays connectors that are enabled for data ingestion.

Examples of Security Scenarios

Example 1

  • An Alert may be triggered by your SIEM device based on a specific rule monitoring the underlying artifacts across Assets on your network. The Alert is pushed over to FortiSOAR™ or automatically retrieved on a rolling time period.

  • The Alert can then kick off a workflow that automatically generates an Incident and assigns multiple Tasks to your team. Tasks may have time-based rules to ensure the Incident is addressed within a window defined by your security policy.

  • Members of your team can then be assigned distinct roles with differing access levels to the Tasks' data and analytics.

  • Campaigns may also be created to link the Incidents in a systematic approach if patterns emerge from an Advanced Persistent Threat (APT) for instance.

Example 2

  • A Vulnerability Scan may be running periodically on your network, creating an inventory of your Assets' specific Vulnerabilities.

  • FortiSOAR™ can ingest the Scans automatically and link information from your CMDB to provide a record that the security team may then review.

  • Vulnerabilities may trigger Tasks to ensure you are properly locking down exposed systems and monitoring the highest priority Vulnerabilities, for instance based on the Asset value or Asset owner.

What follows is documentation and examples of how you can use this platform to create a highly effective and highly automated security operation.

Additional Resources

We have created additional resources regarding Playbooks and standard Incident Response Processes on our website, IncidentResponse.com. We highly recommend you reference these resources as you build out your own Playbooks and Response Policies.