FortiSOAR Shift Management and Reporting

Questions and Answers

What primary functionality does the Queue Management interface provide?

• Shows tasks for all users without priority status.
• Generates shift rosters for users based on roles.
• Automates the process of creating personalized dashboards.
• Allows users to view tasks, pending items, and their priorities. (correct)

What improvement was made in the Queue & Shift Management interface compared to previous releases?

• It allows multiple users to view the same tasks simultaneously.
• It supports automated record assignments. (correct)
• It provides a more complex user interface.
• It eliminates shift-based assignments.

Which of the following actions can only be performed by administrators regarding dashboards?

• Update the dashboard to apply changes for all users. (correct)
• Create personalized dashboards for individual users.
• Customize the dashboard layout extensively.
• Remove historical data from the dashboard.

Which feature allows users to prepare reports before finalizing them?

Clicking the View button for a report preview. (B)

How does FortiSOAR ensure shift-based assignment of records?

Records are assigned only to users currently working. (C)

What customization options are available for user dashboards in FortiSOAR?

Users can create personalized dashboards only visible to themselves. (B)

What capability does FortiSOAR provide regarding historical reports?

Users can search for text within historical report PDFs. (A)

What happens to dashboard updates made by administrators?

Changes are visible to all users immediately. (B)

What is the main purpose of triaging alerts in a SOC?

To verify if the alert is legitimate before taking action. (C)

Which benefit does SOC optimization provide to security analysts?

It automates repetitive workflows, allowing analysts to focus on important tasks. (A)

What are the key areas of the SOC Automation Model?

People, Processes, Products. (A)

What does a level 1 maturity classification in the SOC Automation Model indicate?

The organization has best effort incident response playbooks and a small IT team. (D)

How do SOAR solutions enable collaboration among SOC teams?

By offering a centralized platform for interaction. (D)

Why is automating repetitive tasks important for security operations teams?

It frees analysts to concentrate on critical incident responses. (D)

What role do threat intelligence platforms play in alert verification?

They provide an automated way to assess alert legitimacy. (C)

What is the impact of having a SOAR platform in a SOC?

It centralizes and streamlines the incident management process. (A)

What is primarily required by the primary node in a multi-tenant hybrid model?

Summary of information to identify investigations (B)

What does FortiSOAR recommend for a production environment to ensure scalability and availability?

Deploying an external secure message exchange server (A)

How are active-passive and active-active configurations implemented in FortiSOAR?

Supported on both externalized and internal PostgreSQL databases (C)

What is the role of the tenant node in relation to the primary node?

It receives actions and playbooks from the primary node. (D)

In what scenario is there no requirement for a tenant node?

When the customer is centrally managed by the primary node. (D)

What is a characteristic of a FortiSOAR cluster?

One active primary node is present in a cluster. (B)

Which configuration allows for both high availability and scalability in FortiSOAR?

Deployment of an external secure message exchange server (C)

What distinguishes the embedded secure message exchange server from an external one in FortiSOAR?

The embedded server is available on every FortiSOAR node. (B)

What is the minimum permission a user must have to work with FortiSOAR?

Read permission on specific modules (B)

What does CRUD stand for in the context of Role-Based Access Control (RBAC)?

Create, Read, Update, Delete (D)

How many roles does FortiSOAR have by default after installation?

One role (A)

What role has full CRUD permissions across the Security module?

Security Administrator (D)

What happens when multiple roles are assigned to a user?

The user's permissions become a combination of all assigned roles (B)

What should you not do with the Security Administrator role?

Remove it from the system (C)

What is the role of the Security Administrator regarding team structures?

To build and maintain the role and team structure (B)

Which of the following can be modified in the Role Editor?

RBAC permissions on modules (B)

What occurs when an alert is escalated in FortiSOAR?

The alert becomes an incident. (D)

Which feature allows users to have an overview of work to be completed in FortiSOAR?

Queue management feature (C)

How can administrators tailor dashboards for users in FortiSOAR?

By creating dashboards based on user role permissions (D)

What does role-based access control (RBAC) in FortiSOAR enable administrators to do?

Grant users access based on role permissions and team membership (C)

What is the purpose of the FortiSOAR Content Hub?

To provide a central repository for various resources (D)

How frequently is the Content Hub's data synchronized with the FortiSOAR repository?

Every hour (D)

What benefit do analysts receive from utilizing assigned dashboards in FortiSOAR?

Ability to prioritize their workload effectively (D)

What happens when an analyst is absent in FortiSOAR?

Their assignments can be reassigned. (C)

Study Notes

Queue & Shift Management

• FortiSOAR allows creating shift rosters with shift leads and team members
• Queues allow users to view assigned tasks, pending tasks, and task priority
• Records are assigned to users within a queue, and shift-based assignment can be enabled to assign them to only users who are working

Dashboard

• Dashboards are the default landing page for FortiSOAR users
• Personalized dashboards can be created based on user roles
• Dashboard customizations are only visible and applicable to the individual user
• Administrators must update the dashboard for changes to apply to all users

Reporting

• Users have the option to use default report templates or create their own
• Reports can be scheduled, viewed historically, and text can be searched within the PDF report
• Reports can be previewed before scheduling

SOC Optimization

• Alerts are triaged and checked to verify if the alert is legitimate
• Triaging and checking alerts is done by automatically extracting indicators and checking their reputation against threat intelligence platforms
• FortiSOAR automates repetitive and monotonous elements of SOC workflows, freeing analysts to focus on incident response and larger-picture cyber defense strategies

SOC Alert Handling & Triage

• SOC teams handle alerts and proceed through a process of triage and escalation
• The SOC Automation Model is divided into three key areas: people, process, and product
• Each area is classified at a maturity level from 1-3, based on the organization's security posture

FortiSOAR Architecture

• FortiSOAR supports multi-tenant models with a primary node and tenant nodes
• The primary node requires only a summary of information to identify investigations
• The primary node pushes any action needed to be executed to the tenant node
• FortiSOAR supports HA clusters in both active-passive and active-active configurations
• A secure message exchange server can be deployed externally or embedded on each FortiSOAR node
• For production environments, it is recommended to use an external secure message exchange server for increased scalability and availability

FortiSOAR Features

• FortiSOAR allows users to escalate alerts, which become incidents
• Analysts can work on incidents until closure
• FortiSOAR's queue management feature provides an overview of pending work and allows users to reassign tasks
• Administrators can create dashboards based on user roles to help prioritize tasks
• Users can be granted access to specific modules within FortiSOAR using role-based access control (RBAC)
• User RBAC permissions are aggregated from all assigned roles

Content Hub

• The Content Hub acts as a central repository for connectors, widgets, and solution packs
• Content in the hub is updated hourly by synchronization from the FortiSOAR repository

Roles

• Roles can be defined and modified within FortiSOAR
• It is essential to assign roles with read permissions for the Application, Audit Log Activities, and Security modules to users who need to work with FortiSOAR
• Roles are not hardcoded and therefore must be carefully managed by administrators
• CRUD model permissions are used to define roles and control access within modules
• Users can be assigned multiple roles, and permissions are aggregated from each assigned role

Security Administrator Role

• The Security Administrator role has full CRUD permissions on the Security module, allowing for the management of roles and teams
• This role also has CRUD permissions on the Secure Message Exchange and Tenants modules for multi-tenant configurations
• It is recommended to only assign this role to users with responsibility for managing role and team structure and to avoid removing the role.

Description

This quiz covers key features of FortiSOAR, focusing on shift and queue management, personalized dashboards, and reporting capabilities. Learn how to optimize your SOC operations by exploring alert triage and reporting tools. Test your knowledge on these essential functionalities for effective security operations.