Configuring FortiSOAR™

Once your system is appropriately licensed, you can start the initial configuration steps required to set up your FortiSOAR™ system, as described in the following sections.

Logging on to FortiSOAR™ for the first time

  1. In a browser, enter the IP address that you identified using the steps in the Determining your DHCP IP address section and press Enter.
    For example, https://{Your_FortiSOAR™_IP}
    This will display the Fortinet End-User License Agreement (EULA). You must accept the EULA before you can log onto FortiSOAR™.
    Once you accept the EULA, the login screen is displayed.
  2. Log in using the following credentials:
    Username: csadmin
    Password: changeme
    From FortiSOAR™ 6.0.0 onwards, the UI password of the 'csadmin' user for AWS enterprise and AWS community is set to the "instance_id" of your instance. To find the instance ID of your FortiSOAR™ AWS instance, SSH to the instance and run the cloud-init query instance_id command.
    Note: You must change this default password once you log into FortiSOAR™ by clicking the User Profile icon located at the top-right corner of the FortiSOAR™ UI and then selecting the Change Password option. Note down your csadmin password, because if you forget your initial csadmin password, you have to request FortiSOAR™ to reset it. When you change your csadmin password, you must also update the email ID that is specified for csadmin, which by default is set to soc@fortinet.com (which is not a valid email ID). You can change the email ID on the User Profile page, in the Email field. Once you set a valid email ID in the user profile, you can reset your password, whenever required, by clicking the Forgot Password link on the login page. After you have changed the default password, FortiSOAR™ logs you into the application and by default displays the Dashboard page.

Now you can begin configuring FortiSOAR™ for your network environment.

It is recommended that you set up thresholds, schedules, and notifications for the System Monitoring playbook that is included by default with FortiSOAR™ 5.0.0 and later, so that you can effectively monitor FortiSOAR™ system resources such as CPU, disk space, and memory utilization, and the status of the various FortiSOAR™ services. For more information on setting up thresholds, notifications, and schedules, see the System Monitoring: Setting up thresholds, schedules, and notifications article on the support site. You must log onto the support site to view this information.

Configuring SMTP for FortiSOAR™

You must use the SMTP connector to receive any system or email notifications, including requests for resetting passwords. The SMTP connector is one of a number of pre-installed connectors, or built-ins, that are included with FortiSOAR™. By default, the SMTP connector is configured to use the FortiSOAR™ appliance as the SMTP relay server. For more information on configuring the SMTP connector, see the "FortiSOAR™ Built-in connectors" article on the support site. You must log onto the support site to view this information.

Important

When you configure the SMTP connector, ensure that the Mark As Default Configuration option for the configuration that is to be used for sending system notifications is selected.

Creating your first user and record

Important

The following steps provide a high-level view of how to get started with FortiSOAR™. These steps are explained in detail in "Beginners Tutorial to FortiSOAR™ for Administrators."

  1. Successfully log into FortiSOAR™.
  2. Click the Settings icon in the upper right-hand corner, near the User Profile icon.
    This displays the System page.
    Use the Security Management section to configure the following: Team Hierarchy, Teams, Roles, Users, Authentication, and Secrets (Deprecated in FortiSOAR™ 5.0.0).
  3. Add a new team in FortiSOAR™.
    You can also use the default teams that are present in FortiSOAR™.
  4. Add a new role in FortiSOAR™.
    You can also use default roles that are present in FortiSOAR™.
    A user's permissions on a module are determined by the roles that you have assigned to that user.
    For example, if you want to provide a user with complete access to the Incident module, you must create a role that has Create, Read, Update, and Delete permissions on the Incident module and name it Incident Administrator. You must then assign that role to a user.
  5. Add a new user and assign an appropriate role to the user.
    For example, create a user John A and assign John A the Incident Administrator role.
  6. Create your first record.
    Log on to FortiSOAR™ as user John A, who has access to the Incident module. Click the Add button in the top bar of the Incidents module to open the Create New Alert form. Fill in the required details in the Create New Incident form and click Save to create an incident.