Default Modules

Modules provide access to individual data models within the FortiSOAR™ database, such as Incidents.

A fresh install of FortiSOAR™ contains the following default modules.

In FortiSOAR™, the left navigation bar categorizes the modules as follows:

  • Dashboard
  • Queue Management
  • Incident Response
    Alerts
    Incidents
    Tasks
    Indicators
    Emails
  • Vulnerability Management
    Vulnerabilities
    Assets
    Scans
  • Automation
    Playbooks
    Rule Engine
    Connectors
    Schedules
  • Resources
    Attachments
    Email Templates
  • Reports
  • Help

Dashboard

Dashboards are generally the users' default home page. Administrators create dashboards that are applicable throughout the application and are assigned to users based on their roles. For more information, see Dashboards, Templates, and Widgets.

Queue Management

Queue Management provides you with an overview of the work (records) that needs to be completed and enables you to assign pending work to users. You can also configure queue management to assign unassigned items to specific queues or users automatically. For more information, see Queue Management.

Incident Response

The Incident Response Component is a collection of all modules typically related to Security Incidents. You can work the entire Incident lifecycle from within this component.

This component underpins the operational side of your SOC. The standard flow starts within the Alerts module.

Alerts

Alerts in FortiSOAR™ are essentially notifications that an attack has been directed at an organization's systems. Alerts are derived from events and often carry the information needed to address the attack, such as the vulnerabilities and exploits the potential attack is leveraging.

Incidents

Incidents represent a collection of information discovered during an Incident Response investigation. Incidents are triggered based on the suspicion or confirmation of a security breach. Incidents can be cyber or physical security related.

Campaigns represent a collection of Incidents that can be tied to a single Threat Actor. Seemingly disparate Incidents might actually be related attempts from a malicious attacker attempting to probe and gain access to your network.

It is generally difficult to determine if Incidents themselves are related and roll them into a Campaign. Typically, they would be linked by a known, single threat actor based upon some uniquely identifiable piece of information that ties the Actor across multiple Incidents.

Note

Campaigns are not part of the default modules from version 4.10.0 onwards. However, Campaigns continue to work when you upgrade an existing system to version 4.10.0 or later.

Tasks

Tasks represent a discrete action taken either by an individual or by an automated response. Tasks might link to outside systems, such as ticketing systems, to track specific actions beyond those of your SOC team.

Tasks might also be created to represent actions taken automatically as part of a response policy enacted by a Workflow. This requires the Workflow to include a step that inserts a Task as the record of an action performed on an external system, such as blacklisting an IP address in the firewall rule set.

Indicators

Indicators hold the data collected from system log entries or files that identifies potentially malicious activity on a system or network: records of identifiable information about a threat, such as an IP address or a URL.

Once an alert is created, FortiSOAR™ extracts metadata from the raw alert data and creates indicators. Each indicator records its type (IP address, URL, attachment, domain, and so on), its value (the IP address itself, the domain name, and so on), whether the indicator has been sighted in any other alerts, and its IOC status.
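As an added illustration (not FortiSOAR™ code, and not a description of its internal parser), the following Python sketches the extraction described above: typed indicators are pulled from raw alert text, a URL also yields its host as a Domain indicator, and a registry counts how many alerts each indicator has been sighted in so that a later alert sees "sighted elsewhere". The two alerts and the KNOWN_BAD reputation set are constructed for the example; the indicator types, regular expressions and IOC status labels are assumptions, not FortiSOAR™'s own schema.

```python
"""Added example: turn raw alert text into typed indicator records.

Not FortiSOAR code. Indicator types, patterns, and the reputation set
below are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Extraction order matters: a URL is consumed before the bare-domain pattern
# runs so its host is not double-counted, and a file name such as invoice.docx
# is claimed as an Attachment before it can be mistaken for a domain.
PATTERNS = [
    ("URL", re.compile(r"""https?://[^\s"'<>]+""", re.I)),
    ("Attachment", re.compile(r"\b[\w-]+\.(?:docx?|xlsx?|pdf|zip|exe|js)\b", re.I)),
    ("IP Address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("FileHash", re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)),
    ("Domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

# Constructed reputation set standing in for a threat-intelligence lookup.
KNOWN_BAD = {"198.51.100.23", "login-verify.example.net"}


def extract_indicators(raw: str) -> list[tuple[str, str]]:
    """Return deduplicated (type, value) pairs found in raw alert text."""
    found: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()

    def add(itype: str, value: str) -> None:
        key = (itype, value.lower())
        if key not in seen:
            seen.add(key)
            found.append((itype, value))

    text = raw
    for itype, pattern in PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;)")
            if itype == "IP Address":
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    continue  # e.g. 300.1.1.1 looks like an IP but is not one
            add(itype, value)
            if itype == "URL":
                host = urlparse(value).hostname
                if host:
                    add("Domain", host)  # the URL's host is an indicator too
        # Blank out consumed spans so the later, broader patterns skip them.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


class IndicatorRegistry:
    """Records which alerts each indicator has been sighted in."""

    def __init__(self) -> None:
        self._sightings: dict[tuple[str, str], set[str]] = defaultdict(set)

    def ingest_alert(self, alert_id: str, raw: str) -> list[dict]:
        """Extract indicators from one alert and return their records."""
        records = []
        for itype, value in extract_indicators(raw):
            key = (itype, value.lower())
            self._sightings[key].add(alert_id)
            records.append({
                "type": itype,
                "value": value,
                "sightings": len(self._sightings[key]),  # alerts seen in so far
                "ioc_status": "Malicious" if value.lower() in KNOWN_BAD else "Unknown",
            })
        return records


# Constructed sample alerts, not real alert data.
ALERT_1 = (
    "Phishing reported by user. Mail from billing@example.com contained link "
    "https://login-verify.example.net/inv.zip and attachment invoice.docx. "
    "Sender relay 198.51.100.23."
)
ALERT_2 = (
    "IDS: outbound connection from 10.0.0.7 to 198.51.100.23:443, payload sha256 "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)

if __name__ == "__main__":
    registry = IndicatorRegistry()
    for alert_id, raw in (("A-1", ALERT_1), ("A-2", ALERT_2)):
        for rec in registry.ingest_alert(alert_id, raw):
            print(alert_id, rec)
```

Running the block shows the relay IP reported with a sighting count of 2 on the second alert, while the internal 10.0.0.7 address stays "Unknown" because it is not on the reputation set; inv.zip is not reported as a bare domain because the URL that contained it was consumed first.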

Emails

The Emails module holds potentially malicious emails, such as phishing emails. Once an email is added to this module, FortiSOAR™ extracts and stores its email headers for further investigation, and creates an alert that links to the email.
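The header extraction described above, as an added example that is not FortiSOAR™'s own code: the Python standard library parses a raw message, pulls out the headers an analyst pivots on (the Received chain, From, Return-Path, Reply-To and the SPF verdict from Authentication-Results), records simple mismatches as findings, and shapes the result into an alert that links back to the email by Message-ID. The message is constructed for the example, and the alert dictionary is an assumed shape, not the FortiSOAR™ alert schema.

```python
"""Added example: pull the investigative headers out of a raw email.

Not FortiSOAR code; it uses only the Python standard library. The message
below is constructed for the example, and the alert dictionary shape is
an assumption, not the FortiSOAR alert schema.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed phishing sample: the visible From is the victim's own domain,
# but the envelope sender, Reply-To and SPF result all point elsewhere.
RAW_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
\tby mx.example.com with ESMTP id 7Kx2; Mon, 3 Jun 2024 09:12:44 +0000
Received: from [10.0.0.5] by mail-relay.example.net; Mon, 3 Jun 2024 09:12:40 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Accounts Payable" <billing@example.com>
Reply-To: <collect@login-verify.example.net>
To: <analyst@example.com>
Subject: Invoice overdue
Message-ID: <abc123@mail-relay.example.net>
Content-Type: text/plain; charset=utf-8

Please review the attached invoice.
"""


def _domain(addr: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def extract_headers(raw: bytes) -> dict:
    """Parse a raw message and return the headers an analyst pivots on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = [str(h) for h in msg.get_all("Received", [])]
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth, re.I)
    info = {
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "from_domain": _domain(str(msg.get("From", ""))),
        "return_path_domain": _domain(str(msg.get("Return-Path", ""))),
        "reply_to_domain": _domain(str(msg.get("Reply-To", ""))),
        "received_hops": len(received),
        # Each relay prepends its own Received header, so the last one is the
        # earliest hop and the best clue to where the message originated.
        "originating_hop": received[-1] if received else "",
        "spf": spf.group(1).lower() if spf else None,
    }
    findings = []
    if info["return_path_domain"] and info["return_path_domain"] != info["from_domain"]:
        findings.append("Return-Path domain differs from From domain")
    if info["reply_to_domain"] and info["reply_to_domain"] != info["from_domain"]:
        findings.append("Reply-To domain differs from From domain")
    if info["spf"] in {"fail", "softfail"}:
        findings.append(f"SPF result is {info['spf']}")
    info["findings"] = findings
    return info


def to_alert(info: dict) -> dict:
    """Shape the parsed headers into an alert that links back to the email."""
    return {
        "name": f"Suspicious email: {info['subject']}",
        "source": "Email",
        "linked_email": info["message_id"],
        "severity": "High" if len(info["findings"]) >= 2 else "Medium",
        "findings": info["findings"],
    }


if __name__ == "__main__":
    parsed = extract_headers(RAW_EMAIL)
    print(parsed)
    print(to_alert(parsed))
```

Note that the Received chain is only as trustworthy as the first relay you control: hops below your own mail exchanger can be forged by the sender, so the originating hop is a lead to investigate, not proof.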

Vulnerability Management

The Vulnerability Management Component is a collection of all modules typically related to vulnerabilities that exist in your system.

Vulnerabilities

Vulnerabilities represent a collection of weaknesses in your systems that can lead to security concerns. You can configure vulnerability scans to run periodically on your network, creating an inventory of the vulnerabilities for your specific assets.

Assets

Assets represent the computers of your organization. An Asset is a unique piece of hardware together with whatever is known about it, such as its MAC address, hostname, or IP address. Each Asset should have a unique identifier.

Assets are typically stored in FortiSOAR™ only as records related to Incidents, Alerts, or Vulnerabilities. Asset information may be pulled from a CMDB or from another resource that knows the asset's characteristics, such as an ARP table or DHCP records.

In large networks, Asset tracking is often complicated and plagued with limitations. We recommend that Asset creation involve corroboration between multiple independent sources of data, building a level of confidence in the accuracy of the Asset information, because a single source can be unreliable with respect to data integrity and accuracy.
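One way to apply the corroboration recommended above, as an added example rather than FortiSOAR™'s own logic: candidate Assets are merged from a CMDB export, an ARP table and DHCP leases keyed by MAC address, values are case-folded so that differing hostname capitalization is not mistaken for a conflict, a confidence score grows with the number of sources that attest the same facts, and only candidates seen by at least two agreeing sources are created, while conflicting ones go to review and single-source sightings are held. The three source snapshots are constructed, and the confidence formula and triage thresholds are assumptions.

```python
"""Added example: corroborate asset facts across several sources before
creating an Asset record.

Not FortiSOAR code. The three source extracts below (a CMDB export, an ARP
table and DHCP leases) are constructed; the confidence formula is an
assumption chosen to illustrate the recommendation in the text.
"""
from collections import defaultdict

# Constructed snapshots. Each source is keyed by MAC address, the closest
# thing to a stable unique identifier that all three happen to share.
SOURCES = {
    "cmdb": [
        {"mac": "00:1A:2B:3C:4D:5E", "hostname": "WS-FINANCE-01", "ip": "10.0.0.7"},
        {"mac": "00:1A:2B:3C:4D:5F", "hostname": "WS-FINANCE-02", "ip": "10.0.0.20"},
    ],
    "arp": [
        {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.7"},
        {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.0.44"},  # CMDB entry is stale
        {"mac": "00:1a:2b:3c:4d:60", "ip": "10.0.0.91"},  # seen by ARP only
    ],
    "dhcp": [
        {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.7", "hostname": "ws-finance-01"},
    ],
}


def build_assets(sources: dict[str, list[dict]]) -> dict[str, dict]:
    """Merge per-source records into one candidate Asset per MAC address."""
    # mac -> field -> source -> normalised value
    observed: dict[str, dict[str, dict[str, str]]] = defaultdict(lambda: defaultdict(dict))
    for source, records in sources.items():
        for rec in records:
            mac = rec["mac"].lower()
            for field, value in rec.items():
                if field != "mac" and value:
                    # Case-fold so WS-FINANCE-01 and ws-finance-01 agree.
                    observed[mac][field][source] = str(value).lower()

    assets = {}
    for mac, fields in observed.items():
        seen_in = sorted({src for per_source in fields.values() for src in per_source})
        conflicts = sorted(f for f, vals in fields.items() if len(set(vals.values())) > 1)
        resolved = {
            f: (None if f in conflicts else next(iter(set(vals.values()))))
            for f, vals in fields.items()
        }
        # Confidence grows with the number of independent sources that saw
        # the MAC and is halved when any of them disagree on a field.
        confidence = len(seen_in) / len(sources)
        if conflicts:
            confidence /= 2
        assets[mac] = {
            "mac": mac,
            "sources": seen_in,
            "resolved": resolved,
            "conflicts": conflicts,
            "evidence": {f: dict(vals) for f, vals in fields.items()},
            "confidence": round(confidence, 2),
        }
    return assets


def triage(assets: dict[str, dict], min_sources: int = 2) -> dict[str, list[str]]:
    """Split candidates into Assets to create, conflicts for an analyst to
    review, and single-source sightings to hold until corroborated."""
    buckets: dict[str, list[str]] = {"create": [], "review": [], "hold": []}
    for mac, asset in assets.items():
        if asset["conflicts"]:
            buckets["review"].append(mac)
        elif len(asset["sources"]) >= min_sources:
            buckets["create"].append(mac)
        else:
            buckets["hold"].append(mac)
    return buckets


if __name__ == "__main__":
    candidates = build_assets(SOURCES)
    for mac, asset in candidates.items():
        print(mac, asset["confidence"], asset["resolved"], asset["conflicts"])
    print(triage(candidates))
```

The "evidence" map keeps every source's raw claim alongside the resolved value, so when the CMDB and ARP disagree about 10.0.0.20 versus 10.0.0.44 the analyst can see which source said what rather than a silently chosen winner.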

Scans

The Scans module holds the details of all the scans run on your systems, stored as records of bulk scans imported from scanners.

Automation

The Automation Component is a collection of modules that you can use to automate your security operations.

Playbooks

Playbooks in FortiSOAR™ allow you to automate your security processes across external systems while respecting the business processes your organization requires in order to function. For more information, see the Playbooks documentation.

Rule Engine

The Rule Engine in FortiSOAR™ allows you to automate processes and build rules based on logic. Because all of the logic is laid out in rules, later changes to how your data is handled are easier to maintain. For more information, see the Rule Engine documentation.

Connectors

Connectors give you the ability to retrieve data from custom sources and perform automated operations on them. For more information, see the Connector documentation.

Schedules

Schedules in FortiSOAR™ allow you to schedule playbooks to run at regular intervals. For more information, see the Schedules documentation.

Note

In version 5.0.0, Schedules is removed as a module: it no longer appears on the Modules page, and you cannot modify the mmd (module metadata) of Schedules using the Application Editor.

Resources

The Resources Component is a collection of all modules typically related to components stored in FortiSOAR™ such as attachments and templates.

Attachments

Attachments represent files that are uploaded to and stored in FortiSOAR™. You can submit files held in the Attachments module to third-party tools that scan and analyze suspicious files, and retrieve the reports for the submitted samples.

Important

You can add a file up to the maximum file size of 100 MB in the Attachments module.

Email Templates

Email Templates are templates stored in FortiSOAR™ for use when FortiSOAR™ sends emails. For example, if you have created a rule that requires FortiSOAR™ to send an email automatically when a particular condition is met, you must create a template for that email and save it in the Email Templates module.

The Email Templates module also contains a set of standard templates included with FortiSOAR™, such as the email sent when a new user is added to FortiSOAR™ and the email sent to a user who has forgotten their password and requested a FortiSOAR™ password reset.

Reports

From version 5.0.0 onwards you must create reports natively using FortiSOAR™ in-house reporting. Jaspersoft reports are no longer supported, and they are not included in fresh installations of version 5.0.0 or later.

If you are upgrading to version 5.0.0, your existing Jaspersoft reports will stop working. If you still require Jaspersoft reports, the procedure for restoring Jaspersoft is available on the Fortinet Support Site under "Restoring Jaspersoft after upgrading to CyOPs™ 5.0.0"; you must log on to the support site to view it.

Help / Knowledge Base

The Help Component contains the Knowledge Base: the FortiSOAR™ product documentation, along with short tutorials and examples, to help you work effectively with FortiSOAR™.