
FortiSOAR_Administrator_7.3_Study_Guide-Online.pdf


FortiSOAR Administrator Study Guide for FortiSOAR 7.3
DO NOT REPRINT © FORTINET

Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home
4/21/2023

TABLE OF CONTENTS
01 Introduction to FortiSOAR ... 4
02 Device Management ... 65
03 System Configuration ... 127
04 High Availability ... 180
05 Searching, War Rooms, and Upgrading ... 230
06 System Monitoring and Troubleshooting ... 271

Introduction to FortiSOAR

In this lesson, you will learn what Security Orchestration, Automation and Response is, and how FortiSOAR can help security operation center teams. You will also learn about FortiSOAR architecture and some initial configuration.

FortiSOAR Administrator 7.3 Study Guide 4

In this lesson, you will learn about the topics shown on this slide.

In this section, you will learn about SOAR technology, and the importance of SOAR in a SOC environment. By demonstrating competence in SOAR, you will be able to describe the basics of SOAR technology and understand SOC maturity.
Gartner defines SOAR as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management (SIEM) systems) and apply workflows aligned to processes and procedures.

Orchestration is the process of collecting data, usually alerts and incidents from different sources, and performing various actions from one platform. Orchestration also helps you streamline and optimize frequently occurring processes and workflows.

Automation and orchestration are different, but related, concepts. Automation makes security teams more efficient by reducing or replacing human interaction with IT systems, using a centralized platform to perform tasks in order to reduce cost, complexity, and errors. Automated workflows and responses enable security teams to respond to security events automatically.

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

SOAR is the technology that can orchestrate data, automate workflows, and respond to incidents, all from a single platform.

The majority of organizations juggle at least 50 discrete cybersecurity products at once, which itself poses a threat to data security, according to a report from Oracle and KPMG. Keeping the security team up to date on the latest features and functions of every vendor's products is a challenge. Based on market research, the incident management segment is projected to grow at a higher compound annual growth rate than the network forensics segment.
This will result in a very high volume of alerts and incidents. Manually addressing every incident is not feasible for large organizations. The threat landscape is evolving and attackers are more sophisticated than before. Responding to incidents manually can be slow, which gives attackers the opportunity to breach other systems, something that could have been stopped had the incident been resolved more quickly.

Cybersecurity has become a major priority for organizations looking to protect themselves against the massive cost of data breaches, but there is an international problem hindering that goal: there are millions of cybersecurity positions open and unfilled around the world. Without trained security staff, organizations do not have the capability to deploy the right controls or develop security processes to detect and prevent cyberattacks.

A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization's security posture on an ongoing basis. The SOC team's goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. SOCs are typically staffed with security analysts and engineers as well as managers who oversee security operations. SOC staff work closely with organizational incident response teams to ensure security issues are addressed quickly upon discovery.

SOCs monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could indicate a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended against, investigated, and reported.
Security and risk management leaders can improve the odds of selecting the right tool for the organization by gaining consensus, during a premortem analysis, on what could go wrong and which success metrics should apply to the project. The premortem can also serve as an early-stage vehicle for collecting initial use cases and requirements, which can be refined further as part of the formal project definition and approval cycles. As part of a project to bring tools into the SOC, a solid understanding of the scope, the technologies being considered, and the affected processes is required. As your SOC team grows, you must consider the scope, technology, and implementation requirements.

An organization building a SOC prioritizes technology purchases that provide real-time monitoring, so that it can understand what is happening while it observes the consequences of an event. This first level of visibility, while potentially limiting the SOC to reactive activities, is necessary. As the SOC matures and learns, it builds the processes to treat basic incidents, and starts to differentiate the treatment of events based on their impact. Additional tools might help at this stage to speed up initial assessment, with individual alerts being aggregated and augmented with additional context. More mature organizations might need to strengthen their ability to perform root cause analysis of an incident and eliminate the threat: when you close an incident, you want to be sure the risk of recurrence has been handled. After the end-to-end workflow itself becomes more refined, orchestration and other productivity improvements move the SOC forward.
Smaller or newly formed SOCs, or SOCs that were previously outsourced and whose technology was provided by the service provider, often start with FortiSIEM or a log management solution. This is necessary to start seeing what is happening in the organization, leveraging logs from the network and endpoint security controls already in place, and possibly from other sources selected by their criticality to the organization, for example domain controllers, critical applications, and externally exposed assets.

The need for a common repository of incidents could be addressed within a SIEM tool or within the IT case management or service desk tool. You should consider using a security incident response platform (SIRP) tool, or the SIRP capabilities of FortiSOAR, if the incident and case management capabilities in FortiSIEM are not advanced enough, or if there are security and privacy concerns with using the IT service desk tool. Not every greenfield SOC will have the resources (budget, people, time) to implement a SIRP at the beginning, but you should strongly consider it when first instrumenting the SOC, rather than trying to bolt it on later in the SOC building journey.

If security and privacy concerns make the IT service desk tool inappropriate, and the preferred SIEM tool lacks adequate case management capabilities, security leaders face an early maturity bottleneck. They must consider a SIEM tool with more advanced case management capabilities, or leverage a SIRP tool or the SIRP capabilities of a SOAR tool, which would normally be beyond their current maturity level.

This slide shows four key use cases in which FortiSOAR can help a mature SOC. FortiSOAR provides a unified incident response management platform where incidents can be investigated and remediated.
To weed out false positives, alerts are triaged: indicators are extracted from the alert automatically and their reputation is checked against threat intelligence platforms to verify whether the alert is legitimate. SOC optimization means using the SOAR platform to automate the tiresome, repetitive, and monotonous elements of the workflow that do not depend on human judgment. This takes some of the pressure off security analysts and frees them to focus on day-to-day incident response and bigger-picture cyber defense strategy. Having a SOAR platform also helps SOC teams collaborate through a central platform without relying on external case management software.

Good job! You now understand SOAR. Now, you will learn about SOC alert handling and triage.

In this section, you will learn how a SOC team handles alerts, and the process of triage and escalation.

The SOC Automation Model is divided into three key areas: people, process, and product. Within each area, an organization can be classified at a maturity level from 1 to 3, based on its security posture in that area. For example, an organization that is level 1 in all categories has a small IT team with no security staff (people), best-effort incident response playbooks (process), and no dedicated security solutions (product).
At the other extreme, an organization may have a large security team with experienced SOC analysts and well-defined playbooks, and may have not only deployed but also measured the effectiveness of its SIEM and SOAR solutions.

Level 1: Achieve Visibility Leveraging Security Fabric Analytics

At level 1 of the SOC Automation Model, a security team has no dedicated security personnel or processes for addressing potential incidents. Additionally, the average enterprise receives more than 10,000 alerts per day, so analysts are overwhelmed and have little time to identify and remediate true threats to the network. Without dedicated solutions, an organization's security team lacks visibility into potential threats to its network: the team must manually collect and correlate all log data before it can analyze it. Many level 1 SOCs lack the knowledge or the resources to identify true threats, leaving the organization at risk.

FortiAnalyzer is an easy-to-deploy solution for centralizing visibility and threat detection across an organization's entire Fortinet Security Fabric, including both on-premises and cloud deployments. FortiAnalyzer correlates log data from multiple Fortinet devices, providing valuable context to security analysts. By analyzing this data using machine learning (ML) and indicators of compromise (IOCs) provided by a global threat-intelligence feed, FortiAnalyzer can help even the smallest security team pinpoint and rapidly respond to threats within its network.

Level 2: Enhance Multivendor Visibility With SIEM

The average enterprise has 75 different point security solutions deployed on its network. While each of these solutions provides valuable intelligence about potential threats to the organization's network, they often lack the context required to differentiate between a true threat and a false positive.
Additionally, an array of standalone security solutions makes it difficult to enforce consistent security policies and maintain compliance with strict new data protection regulations, such as the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). A SIEM system is the logical solution to the security complexity caused by a multivendor environment. A SIEM solution ingests data collected from products created by multiple vendors and performs automated correlation and analysis to provide a clearer picture of the overall status of the protected environment. FortiSIEM allows security teams to map operations to industry best practices and security standards, such as those published by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). In this way, FortiSIEM expands on the visibility that FortiAnalyzer brings to the Fortinet Security Fabric.

Level 3: Incorporate Automated Response With SOAR

The cyber-threat landscape is accelerating as cyber criminals increasingly rely on automation to speed up their attacks. While single-pane-of-glass visibility speeds up the rate at which a security team can identify a potential threat, reliance on manual incident response processes means that defenders will always be a step behind the attackers. SOAR solutions enable an organization's security team to use automation to speed up incident response. By creating an automated framework that ties together the organization's complete security architecture, defensive actions can be taken by multiple systems in concert. This minimizes the context switching required of security personnel, decreasing alert fatigue and speeding incident response. FortiSOAR also enables an organization to optimize its security processes through well-defined security playbooks.
By automating repetitive tasks and responses to common threats, FortiSOAR enables a security team to focus its efforts and limited resources on higher-level tasks.

A level 1 analyst is the front-line responder to an alert. Either FortiSIEM or FortiSOAR could receive the alert, depending on how log forwarding is set up in your infrastructure. The task of a level 1 analyst is usually to investigate and triage the alert. If you already have established techniques or procedures on FortiSIEM or FortiSOAR, then a level 1 analyst can automate some aspects of the investigation, such as reputation lookups for IOCs using playbooks on FortiSOAR, or using automation scripts on FortiSIEM. If the alert is not a valid threat, the analyst closes it as a false positive. Otherwise, the analyst opens an incident or a case. On FortiSOAR, you can run a playbook to remediate the incident, if one is available, and then close the incident. If no remediation playbook is available, then you escalate the incident to a level 2 analyst.

A level 2 analyst investigates the incident using established techniques or procedures. A key role of a level 2 analyst is to investigate an incident through manual methods, using playbooks wherever possible. If the incident is not a threat, the analyst closes it. Otherwise, they move the incident to the remediation stage. The level 2 analyst determines whether a remediation playbook is available for the incident, and runs that playbook against it. If an appropriate script is available, the analyst can also remediate the incident from FortiSIEM. After an incident is remediated, the analyst updates the knowledge base within FortiSOAR, documents the incident, and closes it.
If the analyst is unable to remediate the incident using a playbook or through FortiSIEM, then the analyst must determine whether they can resolve the incident manually. After performing manual remediation, the analyst must update the knowledge base, document the case, and flag the case as a candidate for a future playbook. If the level 2 analyst cannot remediate the incident, they escalate the case to a level 3 analyst.

The level 3 analyst takes ownership of the escalated incident and performs further, more advanced manual investigation, in addition to all the investigation already done by the level 1 and level 2 analysts. If the threat is not valid, the case is documented and closed. If the threat is valid, the level 3 analyst performs manual remediation of the incident. The remediation could involve follow-up work such as updating FortiSIEM rules, updating firewall policies, patching all endpoints, and so on. The level 3 analyst then decides whether there is a known technique or procedure, either manual or through a playbook, to resolve such an incident. If there is a known procedure, the case is documented and closed. If there is no known procedure, the analyst updates the knowledge base, reviews the procedure with an architect, and updates the procedure for resolving such incidents. FortiSOAR case logs provide the record for these process updates. The review process also involves developing a new playbook, if required, so that future occurrences of such incidents can be remediated automatically. After the review process is complete, the case is documented and closed.

A level 3 analyst must follow specific protocols while developing a new technique or procedure. First, the analyst must identify the threat.
Once the threat is identified, the analyst must mitigate the risk of exploitation: where possible, patch any vulnerable systems, or block any indicators of compromise. Through a thorough investigation, the analyst identifies the indicators of compromise involved. Based on that investigation, the analyst builds SIEM rules or SOAR playbooks so that such incidents can be identified and their indicators enriched. The analyst's next task is to remediate the incident automatically through FortiSIEM remediation scripts, or to develop playbooks on FortiSOAR for automatic remediation. Finally, the analyst must carefully study the impact of the remediation on services and networks. A poorly developed playbook can cause self-inflicted damage, such as bringing down servers or critical network infrastructure.

Good job! You now understand SOC alert handling and triage. Now, you will learn about FortiSOAR architecture.

In this section, you will learn about FortiSOAR architecture, and the various platforms on which you can install FortiSOAR.

In an enterprise architecture, there is a single instance of FortiSOAR. You ingest data into FortiSOAR using connectors from the various devices in your infrastructure. Where a SIEM is available, it is recommended that most logs be sent through the SIEM rather than through direct connectors. This keeps the SIEM as the central point of log aggregation, where it can be used for analytics and reporting.
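The alert-handling workflow described in this lesson (extract indicators, check their reputation against threat intelligence, then close as a false positive, run a remediation playbook, or escalate to the next tier) as a runnable example. This is added example code, not part of the study guide and not FortiSOAR code: the THREAT_INTEL table, the playbook name "Block IP on FortiGate", the 70-point malicious threshold, and the alert texts are all constructed here.

```python
"""First-line alert triage, following the level 1 to level 3 workflow.

Added example, not FortiSOAR code: extract indicators from an alert, enrich
them against threat intelligence, then close as false positive, run a
remediation playbook, or escalate. THREAT_INTEL, the playbook catalogue and
the alerts are constructed for this example.
"""
import re

# Constructed threat-intelligence table standing in for a TI platform lookup.
# Score 0 = benign, 100 = known malicious.
THREAT_INTEL = {
    "203.0.113.45": 95,
    "evil-update.example": 80,
    "10.0.0.5": 0,
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 0,
}
MALICIOUS_THRESHOLD = 70

# Assumed playbook catalogue: which indicator types have an automated remediation.
REMEDIATION_PLAYBOOKS = {"ipv4": "Block IP on FortiGate"}

# Extraction patterns, checked in this order so a hash is never read as a domain.
IOC_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_indicators(text):
    """Return {indicator: type} for every IOC found in the alert text."""
    found = {}
    for kind, pattern in IOC_PATTERNS:
        for match in pattern.findall(text):
            found.setdefault(match.lower(), kind)
    return found


def enrich(indicators, threat_intel=THREAT_INTEL):
    """Attach a reputation score to each indicator; unknown indicators get None."""
    return {ioc: {"type": kind, "score": threat_intel.get(ioc)}
            for ioc, kind in indicators.items()}


def triage(alert_text, threat_intel=THREAT_INTEL):
    """Decide what the level 1 analyst (or an automated playbook) does with the alert."""
    enriched = enrich(extract_indicators(alert_text), threat_intel)
    malicious = {ioc: d for ioc, d in enriched.items()
                 if d["score"] is not None and d["score"] >= MALICIOUS_THRESHOLD}
    unknown = [ioc for ioc, d in enriched.items() if d["score"] is None]
    result = {"indicators": enriched, "playbooks": []}

    if not malicious:
        if unknown:
            # Nothing confirmed bad, but the alert cannot be cleared automatically.
            result.update(verdict="needs_review", action="escalate_L2")
        else:
            result.update(verdict="false_positive", action="close")
        return result

    result["verdict"] = "true_positive"
    result["playbooks"] = sorted({REMEDIATION_PLAYBOOKS[d["type"]] for d in malicious.values()
                                  if d["type"] in REMEDIATION_PLAYBOOKS})
    if all(d["type"] in REMEDIATION_PLAYBOOKS for d in malicious.values()):
        result["action"] = "run_playbook"
    else:
        # A known-bad indicator with no playbook goes to a level 2 analyst, who
        # flags the case as a candidate for a future playbook.
        result["action"] = "escalate_L2"
        result["note"] = "no remediation playbook for every malicious indicator type"
    return result


# Constructed alerts in the shape a SIEM might forward.
ALERTS = {
    "brute_force": "Multiple failed SSH logins from 203.0.113.45 to bastion01",
    "benign_sync": "Scheduled backup from 10.0.0.5 completed, manifest hash "
                   "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "c2_beacon": "DNS query for evil-update.example from workstation-17",
    "unknown_host": "Outbound connection to 198.51.100.9 on port 4444",
}

if __name__ == "__main__":
    for name, text in ALERTS.items():
        outcome = triage(text)
        print(f"{name:13} {outcome['verdict']:15} {outcome['action']:13} {outcome['playbooks']}")
```

The four constructed alerts exercise the four outcomes: a known-bad IP with a playbook runs it, a benign hash and private IP close as a false positive, a known-bad domain with no playbook escalates as a true positive, and an indicator with no reputation data escalates for review rather than being closed.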
After you integrate FortiSIEM, or any other SIEM solution, with FortiSOAR, the incidents generated by FortiSIEM are ingested by FortiSOAR. Every incident sent from FortiSIEM to FortiSOAR becomes a unique record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents and perform remediation actions on the target devices. For example, if the logs sent by FortiGate to FortiSIEM generate an incident indicating that an external malicious actor is trying to access corporate resources, FortiSOAR evaluates that incident and checks the reputation of the external IP against various threat intelligence platforms. If the IP is malicious, you can run a remediation playbook to take action against that IP address. In the scenario shown on this slide, the action is to block that IP on the FortiGate firewall: the playbook automatically logs in to FortiGate and puts the IP on the quarantine list for an indefinite period of time.

In the shared tenancy model, tenants share the same system as the primary node; tenants are local, but with restricted access to the system. The SOC team provides cybersecurity monitoring and management to multiple tenants from a single FortiSOAR instance. The shared tenancy model ensures that data belonging to different tenants is segregated, and data access is controlled using role-based access control (RBAC). Therefore, a tenant can view only their own data or records, and not the data of other tenants. You can give each tenant their own login, which they can use to view their dashboards and reports, check the actions taken on their records, check their SLA management, and so on.

In the distributed tenancy model, the tenant node instance of FortiSOAR is remote, and every tenant has their own instance of FortiSOAR.
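The block-IP scenario above is exactly where the earlier warning about self-inflicted damage applies: a playbook that quarantines whatever address the reputation lookup returns will just as happily block a private range, a loopback address, or the organization's own public egress. The guard-railed remediation step below is an added example, not a FortiSOAR playbook and not from the study guide. ALLOWLIST and CANDIDATES are constructed, the transport is injected so the logic runs offline, and the FortiOS endpoint path and payload shape named in the comments are assumptions, not something the guide states.

```python
"""Guard rails for a block-IP remediation step.

Added example, not a FortiSOAR playbook: before an address is sent to the
FortiGate quarantine list, refuse anything that would be self-inflicted
damage (non-routable ranges, the organization's own allowlist, malformed
input). ALLOWLIST and CANDIDATES are constructed; the FortiOS endpoint and
payload mentioned below are assumptions.
"""
import ipaddress

# Ranges that must never reach a perimeter block list, whatever the TI score says.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed allowlist: the organization's own public egress and a partner host.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.10/32")]


def classify(candidate, allowlist=ALLOWLIST):
    """Return ("block", reason) or ("skip", reason) for one candidate indicator."""
    try:
        ip = ipaddress.ip_address(candidate.strip())
    except ValueError:
        return "skip", "not a single IP address"
    # A v4 address is never "in" a v6 network (and vice versa), so one list serves both.
    if any(ip in net for net in NON_ROUTABLE):
        return "skip", "non-routable address"
    if any(ip in net for net in allowlist):
        return "skip", "on allowlist"
    return "block", "routable address not on allowlist"


def block_ips(candidates, send, dry_run=True, allowlist=ALLOWLIST):
    """Plan quarantine for each candidate and, unless dry_run, execute it via send().

    send(payload) is the injected transport, for example a function that POSTs
    to FortiGate. Assumed target (not from the study guide):
    POST /api/v2/monitor/user/banned/add_users with {"ip_addresses": [...], "expiry": 0},
    with expiry 0 taken here to mean an indefinite quarantine.
    """
    report = []
    for candidate in candidates:
        decision, reason = classify(candidate, allowlist)
        entry = {"ip": candidate, "decision": decision, "reason": reason, "sent": False}
        if decision == "block" and not dry_run:
            send({"ip_addresses": [candidate], "expiry": 0})
            entry["sent"] = True
        report.append(entry)
    return report


def make_recording_sender():
    """A transport that records payloads instead of calling FortiGate."""
    sent = []

    def send(payload):
        sent.append(payload)

    return send, sent


# Constructed candidates, as a TI lookup might hand them to the playbook.
CANDIDATES = ["203.0.113.45", "10.0.0.5", "198.51.100.7",
              "203.0.113.0/24", "127.0.0.1", "2001:db8::1"]

if __name__ == "__main__":
    send, sent = make_recording_sender()
    for entry in block_ips(CANDIDATES, send, dry_run=False):
        print(f"{entry['ip']:16} {entry['decision']:5} {entry['reason']}  sent={entry['sent']}")
    print("payloads:", sent)
```

Two design points worth keeping in a real playbook: dry_run defaults to on, so a newly written step reports what it would block before it is allowed to touch the firewall, and the non-routable list is explicit rather than relying on the library's notion of "private", which also covers documentation ranges such as 203.0.113.0/24 that a test lab may be using as "the attacker".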
The primary FortiSOAR node resides at the MSSP location and communicates with the tenant node through a secure channel. Tenant data remains in the tenant environment, and the tenant controls how much data they want to share with the primary node. All sensitive information stays on the tenant node. Because the actual workflow execution happens on the tenant node itself, the primary node requires only a summary of the information, enough to identify which investigations should run. The primary node pushes any action that needs to be executed to the tenant node. Similarly, any playbook that needs to be executed is pushed by the primary node to the tenant node.

You can choose to deploy a dedicated secure message exchange server by selecting that option in the regular FortiSOAR virtual appliance installer. Alternatively, you can enable the embedded secure message exchange server available on every FortiSOAR node. For a production environment, an external secure message exchange server is recommended for improved scalability and availability.

In a multi-tenant hybrid model, the MSSP's primary node centrally manages some customers. If a customer is managed directly by the primary node, there is no requirement for a tenant node for that customer. However, you can also set up other customers who use the distributed method with the same primary FortiSOAR node; for those customers, you must install a tenant node.

FortiSOAR supports high availability (HA) clusters that you can deploy in both active-passive and active-active configurations. You can configure FortiSOAR with either an externalized PostgreSQL database or the internal PostgreSQL database; with either, you can configure active-active or active-passive HA clusters. One FortiSOAR cluster can have only one active primary node.
All other nodes are either active secondary nodes or passive nodes.

A key element of the FortiSOAR architecture is its form factor. FortiSOAR is available as a virtual instance: a 64-bit, hardened Rocky Linux virtual machine that is preconfigured and pre-installed with FortiSOAR. All you have to do is import the virtual instance into your preferred environment. Instead of deploying the virtual instance, you can also self-install FortiSOAR on a Rocky Linux or RHEL operating system. Prior to 7.3.0, you could install FortiSOAR on the CentOS platform. However, because CentOS has announced its end of life, FortiSOAR now requires Rocky Linux 8.6 or RHEL 8.6.

A major benefit of the FortiSOAR form factor is its scalability. If your company grows and you start sending more data to FortiSOAR than it was initially configured to handle, you can upgrade the VM and add more resources. It is easy to add CPUs, memory, and even storage to a VM, and there are no additional charges or fees from Fortinet for doing so, unlike some vendors that charge by the number of CPUs used. The minimum hardware requirements for one instance of FortiSOAR are 8 vCPUs, 20 GB of RAM, and 500 GB of storage. The recommended hardware requirements for one instance of FortiSOAR are 8 vCPUs, 32 GB of RAM, and 1 TB of storage. There are no size limits for the records database, and no charges or fees for storing months' or years' worth of data. That is important when considering compliance reporting: PCI DSS or HIPAA, for example, requires that you keep a year's worth of data in order to provide the appropriate audit reports. Storage needs are straightforward to estimate from the expected record volume and the retention period.
FortiSOAR Cloud is a subscription service aimed at easing deployment, management, and scaling. You access the FortiSOAR Cloud interface from the FortiCloud Services menu. To provision a FortiSOAR Cloud instance, you must have a FortiCloud account, a FortiCloud Premium subscription, and a FortiSOAR Cloud Entitlement license. If either license expires, you have a 30-day grace period to remedy the situation before the cloud portal shuts down the instance. Only one FortiSOAR instance can be created per FortiCloud account. You can choose the region in which to deploy your instance, but you cannot migrate the instance to a different region later. The primary account holder can create secondary account holders with permissions to the account and to the FortiSOAR Cloud instance. After the instance has been provisioned, you can access it using the web interface or the SSH console. The instance also contains an embedded secure message exchange, set to the cloud instance address and listening on TCP port 5671. From the FortiSOAR Cloud portal, you can also reboot the instance and manage its snapshots.

Good job! You now understand FortiSOAR architecture. Now, you will learn about FortiSOAR initial configuration.

In this section, you will learn about the FortiSOAR deployment, licensing, and configuration options that will help you get FortiSOAR up and running.
This slide shows a high-level view of the initial deployment methodology for FortiSOAR.

The planning process involves the following tasks:
- Complete site preparation, including hardware and resources for the VM
- Download the FortiSOAR VM

The deployment process involves the following tasks:
- Import the FortiSOAR VM to the ESXi server
- Run the FortiSOAR configuration wizard
- License FortiSOAR using the License Manager
- Configure optional settings, such as editing the VM resource configuration and changing the default database password for FortiSOAR

The configuration process involves the following tasks:
- Configure SMTP using the SMTP connector
- Point the ntpd service to a valid NTP server
- Set up a proxy server to serve all FortiSOAR requests
- Configure data encryption keys
- Create users, teams, and roles

The recommended hardware requirements for the FortiSOAR VM are 8 vCPUs, 32 GB of RAM, 1 TB of disk, and one virtual NIC. The storage required depends on the environment, specifically how many records are expected and how extensive logging is. You can install the FortiSOAR VM on VMware ESXi 5.5 or higher. You can also install the VM on Amazon Web Services, Red Hat KVM, or Docker, or have it hosted on FortiCloud. For inbound networking, ensure that port 22 (SSH) and port 443 (HTTPS) are open within the VM network. For FortiSOAR to interact correctly with your network, you must provide access between the FortiSOAR VM and the third-party products and services configured within your network. To accomplish this, open the ports shown on this slide for SSH, SMTP, DNS, and HTTPS access.

The first step in deploying a FortiSOAR VM is to select the appropriate hypervisor.
After deploying the VM, run the configuration wizard to change the hostname, configure a proxy, update the network configuration, generate certificates, generate the device UUID, reset database passwords, restart services, configure the default HA cluster, and install Python libraries. You can edit the VM resource configuration to choose between a static and a dynamic IP address.

Next, determine the type of license that you would like to install. Provide the FortiSOAR UUID while registering the FortiSOAR instance on FortiCare; you must be logged in as the root user to retrieve the UUID from FortiSOAR. Download the license from FortiCare and upload it to FortiSOAR through FTP. Ensure that FortiSOAR has connectivity to globalupdate.fortinet.net. Deploy the license as an enterprise or a multi-tenant edition. You should now be able to access the FortiSOAR GUI using the IP address you configured in the configuration wizard, and complete the initial setup.

It is highly recommended that you confirm the SOAR Framework Solution Pack is installed and up to date in the environment. By default, the solution pack is installed in new 7.3.0 installations, but the installation can be skipped. This solution pack contains essential elements for effective incident response, including modules, dashboards, roles, and widgets.

FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following:
- The maximum number of active users in FortiSOAR at any point in time
- The type and edition of the license

There are two main license editions: Enterprise and Multi-tenant. The Enterprise edition enables a regular enterprise production license. With multi-tenant licensing, there are three different editions:
- MT, which enables multi-tenancy; both shared and distributed multi-tenancy are supported.
The instance where this license is deployed would serve as a primary node in a distributed deployment. MT_Tenant, which enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a customer node of a Managed Security Services Provider (MSSP). You can configure the node as a tenant to the MSSP server for syncing data and actions to and from the MSSP primary server. MT_RegionalSOC, which enables the node as a regional SOC deployment at an organization with a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, you can configure it as a tenant to the global SOC where the MT license is deployed, and sync data and actions from the Global SOC FortiSOAR server. 7.3.0 also introduces a new licensing option that provides full access to FortiGuard threat intel feeds. It includes an extensive dataset, comprising of IPs, URLs, Domain and malicious hashes carefully curated by FortiGuard security experts. FortiSOAR Administrator 7.3 Study Guide 41 Introduction to FortiSOAR DO NOT REPRINT © FORTINET The FortiSOAR license can be of the following types: Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR. Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context. There are restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an enterprise type license and is restricted to three users using FortiSOAR for a maximum of 200 actions a day. Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe. You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription. 
Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date. FortiSOAR Administrator 7.3 Study Guide 42 Introduction to FortiSOAR DO NOT REPRINT © FORTINET You must use the SMTP connector to receive any system or email notifications, including requests for resetting passwords. The SMTP connector is part of a number of pre-installed connectors or built-ins that are included with FortiSOAR. By default, the SMTP connector is configured to use FortiSOAR as an SMTP relay server. The FortiSOAR Configuration Wizard is available only on the first SSH login. If, at a later stage, you need to change the hostname of your FortiSOAR VM, then you can use the FortiSOAR CLI to change the hostname. FortiSOAR comes with a self-signed certificate. Replace FortiSOAR self-signed certificates with your own signed certificate. FortiSOAR records each workflow action and audits every important activity such as logins, and the creation, updates to, and deletion of records. These generate a large volume of data, which might not be useful after some point in time. Therefore, you must configure a purge schedule for both these logs as per the organization's retention policy. This will help keep the disk usage for these logs constant over time. The Playbook Execution History data is significantly large, so it is very important that you schedule a purge of these logs at regular intervals. FortiSOAR Administrator 7.3 Study Guide 43 Introduction to FortiSOAR DO NOT REPRINT © FORTINET The system comes with the default username csadmin and password changeme. It is highly recommended that you change the username and password after you log in for the first time. You should set up thresholds, schedules, and notifications to effectively monitor various FortiSOAR system resources, such as CPU, disk space, and memory utilization, and status of various FortiSOAR services. 
You can configure FortiSOAR with either an external PostgreSQL database or an internal PostgreSQL database. In both cases, you can configure active-active or active-passive high availability clusters.

You must stop and start the FortiSOAR services in the following cases:
- Updating or upgrading the SSL certificates
- Post-update, if playbooks are not working as expected
- Post-reboot, if the FortiSOAR platform is not working as expected

Good job! You now understand FortiSOAR initial configuration. Now, you will learn about the FortiSOAR overview.

In this section, you will explore some of the important features of FortiSOAR, and how a SOC can mature by using FortiSOAR. By demonstrating competence in the FortiSOAR overview, you will be able to describe those features and explain how they help a SOC mature.

When you escalate an alert on FortiSOAR, it becomes an incident. Every incident on FortiSOAR can be considered a ticket that an analyst must work on until they close the incident. The FortiSOAR queue management feature provides you with an overview of the work that must be completed and enables you to assign pending work to users. You can also reassign assignments in case of absence or analyst shift changes.

Administrators can create applicable dashboards throughout the platform. Dashboards are assigned to users based on their roles. For example, you can create a dashboard that displays alerts with critical and high severity, and then assign it to users who have the role of handling alerts. Users can then prioritize their work by looking at their dashboard.
FortiSOAR gives you the option to assign levels of accessibility to users using role-based access control (RBAC) combined with team membership. You can grant users access to specific modules in FortiSOAR based on their role permissions. Users exercise their permissions in conjunction with their team membership.

The Content Hub is an all-new central repository for connectors, widgets, and solution packs, equipped with a searchable, filter-friendly interface. The Content Hub's data is synchronized from the FortiSOAR repository every hour to ensure the content is up to date. Prior to 7.2.0, connectors and widgets were managed using different stores. To view the hub, you must have at least read permissions on the Content Hub and Applications modules. To work with add-ons, such as solution packs, widgets, or connectors, ensure the administrator has the required permissions for each respective module. The Content Hub is accessible both as a public-facing page at the URL listed on this slide, and within the FortiSOAR GUI itself.

The SOAR Framework Solution Pack is the foundational solution pack that creates the framework, including modules, dashboards, roles, and the widgets required for effective day-to-day operations of any SOC. The Incident Response modules have been moved to the solution pack, so users must install it to optimally use and experience FortiSOAR incident response. This solution pack installs several modules, such as alerts, incidents, and indicators, along with corresponding playbooks, dashboards, reports, and widgets. This makes it a comprehensive solution and provides a fully functional incident response platform augmented by automation and threat intelligence.

The screenshot included in this slide shows the contents of the solution pack, including the roles, playbooks, and connectors. Note that the solution pack is installed by default with new installations of FortiSOAR. However, you may need to install this solution pack on upgraded FortiSOAR nodes.

Alerts can be created manually, through playbooks, or ingested into FortiSOAR through a connector. When an alert is ingested, FortiSOAR can check whether the alert is a false positive. If the alert is a false positive, the alert is cleared. An alert can also be cleared after it is resolved by an analyst, or after it is resolved automatically through a playbook execution. If the alert is legitimate, an analyst can escalate the alert to an incident. After the alert becomes an incident, a senior analyst could be assigned to that incident, and the analyst could clear the incident after investigation. An analyst can run more playbooks against the incident to enrich the indicators, or fetch more information about the incident from various threat intelligence platforms. New tasks can be created for the incident and assigned to an analyst for decision making.

In FortiSOAR, you can escalate an alert to an incident. A FortiSOAR incident usually contains multiple alerts that are linked to each other and to the incident. This allows FortiSOAR to convey the complexity of a security incident that has many stages. After FortiSOAR runs specific playbooks over an alert, it may extract indicators, which are objects FortiSOAR extracted from various fields of a record. For example, an indicator can have an associated reputation while a field cannot. An incident contains various response phases. An analyst works through these phases as they resolve an incident. From an incident, you can assign tasks to an analyst to resolve a particular issue related to the incident, such as blocking an IP address. The audit log helps you keep track of the incident's history. The comments section is used to track all comments made by an analyst or generated by a playbook.

The Queue & Shift Management interface is an intelligent, automated assignment solution based on queues and shift spreads. The Queue Management tab allows you to manage queues. You can use the configuration wizard to create new queues, define which record types are associated with the queues, what conditions need to match, who to assign to the queues, and which assignment methods to use. Queues provide managers with a view of what their resources are working on and how many tasks are pending, so they can decide whether any tasks need to be reallocated. Queues provide users with a view that shows them what tasks have been assigned, how many of them are pending, and what the priority of each task is.

The Shift Management tab allows the generation of shift rosters with shift leads and team members. By leveraging queues and shifts together, FortiSOAR is able to manage shift handover processes. Records are assigned to individual users within a queue, and you can enable shift-based assignment to assign them only to users who are working.

The Queue & Shift Management interface has replaced the Queue Management interface that was present in previous releases of FortiSOAR. The previous Queue Management interface did not support automated record assignments.

A dashboard is the default landing page and home that a user sees after logging in to FortiSOAR. You can create personalized dashboards based on roles.
Customizations that you make to your dashboards are visible and applicable only to you. Administrators must update the dashboard for the changes to apply to all users. Updates, including removals and additions, that administrators make to the dashboards apply to all users.

FortiSOAR allows you to easily set up reporting. You have the option to use the default report templates, edit them, or create your own. Additionally, you can schedule reports, view historical reports, and search for text in the report PDF. Click the View button to generate a preview of the report and fine-tune your reports prior to scheduling them. These screenshots show the Reports interface and an example of the customizations available for creating reports.

In FortiSOAR, teams and roles are closely aligned with a data table design. Teams own specific records, which are rows in a table. In other words, teams define ownership of discrete records within the database. A record can have more than one team owner. Users can also belong to multiple teams, allowing them to access records owned by any of their assigned teams. Roles, on the other hand, govern permissions on the columns within that table, centered around create, read, update, and delete (CRUD) permissions. Users' access to different parts of the FortiSOAR platform is dictated by their effective permissions, which are a combination of all their roles' permissions. For example, a user without the proper permissions may not be able to see some features in FortiSOAR, or a user can see records for a module but does not have access to modify them.
You can use the following tips to make it easier to work with playbooks and playbook steps in the playbook designer:
- You can activate or deactivate a playbook
- You can select a step by clicking it while holding CTRL; to select all the steps, press CTRL+A
- You can drag and drop multiple selected steps
- You can copy multiple selected steps by pressing CTRL+C, or copy all the steps by pressing CTRL+A and then CTRL+C
- You can paste the copied steps into a different playbook by pressing CTRL+V
- You can delete one or more steps by selecting them and pressing Backspace or Delete
- You can save versions of a playbook that you are creating or updating; using versioning, you can save multiple versions of the same playbook
- You can revert your current playbook to a particular version, making working in playbooks more effective

You can connect playbook steps or remove the connection between playbook steps. To connect a playbook step, use the connection points that appear when you hover over a playbook step. Select a connection point and drag and drop the arrow connector on the step you want to connect.

At the core of playbooks are steps. Steps represent discrete elements of data processing during the course of the playbook. You can link steps together in sequences to determine the flow of the playbook, starting from the trigger. Use the core steps to create and update records. Use the evaluate steps to make decisions based on user input and require manual intervention by an analyst. Use connector, utility, and code snippet steps to execute actions on a device. You can also call child playbooks using the reference playbook step.

This slide shows all the playbook steps that you can use while configuring a playbook. The steps are broadly placed into five different categories. Use the core steps to create, find, or modify an alert, incident, task, or other item in the FortiSOAR database. Use the evaluate steps to make a logical decision, get approval, take manual input from the user, or otherwise affect the logical flow of the playbook. Use the execute steps to take an action, such as running a connector function or executing one of dozens of built-in utilities. Use the reference steps to refer to child playbooks from parent playbooks.

Use connectors to send data to and retrieve data from various third-party sources. Using connectors, you can interface with external cybersecurity tools and perform various automated interactions using FortiSOAR playbooks. FortiSOAR has already developed a number of connectors that can be used to integrate with a number of external cybersecurity tools, such as SIEMs like FortiSIEM and ticketing systems like Jira. You can use connectors in playbooks for various action-related tasks, such as getting an object from a firewall device, blocking an IP address on a firewall, disabling an account in Active Directory, getting data for enrichment of an indicator, and so on. FortiSOAR also enables administrators to develop custom connectors. You can create your own connector or edit an existing connector as per your requirements, using the Connector Wizard in the FortiSOAR GUI.

The Help feature contains the Knowledge Center, which is the FortiSOAR product documentation, along with tutorials and examples, to help you work effectively with FortiSOAR. There are also additional modules that hold data for physical security events, compliance, fraud, and threat intelligence. You can also click User Community to access the FortiSOAR community. From there, you can ask questions, help other FortiSOAR users, access the knowledge base, and more.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to deploy FortiSOAR and configure its initial settings. You also learned about various key features of FortiSOAR, and how these features can help a SOC mature and reduce the alert fatigue of SOC analysts.

Device Management

In this lesson, you will learn how to configure roles and teams, explain team hierarchy, and add, delete, and manage users and user permissions. You will also learn how to configure and manage SLA templates, and back up and restore the FortiSOAR configuration files.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring and managing teams and team hierarchies, you will be able to ensure administrators are operating within their assigned roles, thereby implementing the principle of least privilege and mitigating risk to your organization.
In FortiSOAR, users' levels of accessibility are derived from a combination of roles and team memberships. You can grant access to specific modules on FortiSOAR to users based on their role permissions. Users exercise their permissions in conjunction with the team or teams they belong to. Appliance users are also governed by the same authorization model.

The security model within FortiSOAR achieves the following four essential security goals:
- Grants users the level of access necessary based on your desired organization structure and policies
- Supports sharing of data for collaboration while still respecting your team boundaries
- Supports data partitioning and prevents users from accessing data that is not explicitly meant for them
- Restricts external applications and scripts (appliances) from using the API beyond the requirements for accomplishing the desired RESTful actions

Use the Teams menu to add new teams and edit user membership, in bulk, within each team. You can also define membership within teams on an individual basis, using the individual user or appliance profile. By default, FortiSOAR has at least one team in place after installation, the SOC Team. It is recommended that you do not modify or delete it and, instead, add new teams as per your requirements. There is no limit to how many teams you can have in the system.

Teams do not necessarily have to represent a specific team within your organization; instead, teams represent a group of users who own a set of records. In this way, you can think of teams as row ownership within a table. The records are rows, and at least one team must own each row.

Note that whenever you add a new team, you must update the playbook assignment. Playbook is the default appliance in FortiSOAR that is included in a new team. Only a user with create, read, update, and delete access to the Appliances module can update the playbook assignment, to ensure that the appliance has the necessary role to perform data reads or writes to modules. If the playbook does not have appropriate permissions, it fails.

Teams govern record ownership within the FortiSOAR security model, and team hierarchy reflects how team ownership relates between discrete teams. You can use the Team Hierarchy editor to define team relationships in accordance with each team's relationships with other teams in the system. The table on this slide shows the possible team relationships. This model helps to support more advanced team relationship use cases, such as allowing for internal investigations among existing users without alerting the user, and providing legal personas with their own permissions during incidents.

Records created by the nth level of the team hierarchy are visible to parent teams. For example, records owned by grandchild teams are visible to the grandparent teams. However, if two teams are children of the same parent, this does not mean that the children are siblings of each other. If you want them to be siblings, you must explicitly define them as siblings. Similarly, if a team has a parent defined, adding a sibling to it does not create a parent-child relationship between the parent and the new team.

In the example shown on this slide, the US Analysts team is the team in focus. All other teams are displayed in relation to the US Analysts team. The SOC Team is the parent of US Analysts. There are two explicitly defined siblings: France Analysts and Australia Analysts. US L1, US L2, and US L3 are children of US Analysts.
Note that the team in focus must always be at the sibling level in order to map relationships from its perspective. In this lesson, this same hierarchy will be used to demonstrate how records are shared across teams with relationships.

The Team Hierarchy editor is built to centralize around one team at a time. You can define how that team relates to all other teams in the system. The central team is referred to as the team in focus. The Team Hierarchy editor has the All Teams menu and three sections used to define the three relationship types: Parents, Siblings, and Children. To edit the relationships of any team, you must first bring that team into focus. To bring a team into focus, you can drag and drop that team to the Drag team here to edit area, or double-click that team's title in the All Teams menu. To reset the team in focus, click Revert. Note that changes are in staging until the settings are saved, so they will be lost if you click Revert without clicking Save first.

In the example shown on this slide, the US Analysts team is the parent of US L1, L2, and L3. The SOC Team is the parent of the US Analysts team. Australia Analysts and France Analysts are its siblings. To summarize the relationships and ownership:
- Members of the US Analysts team and the SOC Team can act on records of the US L1, L2, and L3 teams as if they were members of those teams.
- Members of the SOC Team cannot act on records of the Australia Analysts team and France Analysts team unless there are explicit parent-child relationships. Merely being a sibling of US Analysts does not build that relationship for them.
- Members of the Australia Analysts team and France Analysts team can act on US Analysts records due to their sibling relationship.
- Members of the Australia Analysts team and France Analysts team cannot act on records owned by the SOC Team or US L1, L2, and L3.
- Members of the US L1, L2, and L3 teams cannot act on records of any other teams except their own. Note that they are also not siblings by default, even though they share the same parent in US Analysts. The sibling relationship requires changing the team in focus to one of them and explicitly defining the siblings.

On the left panel are teams unassociated with the US Analysts team, which means that the SOC Team is isolated from all of the Fraud team's records and vice versa. If the Fraud team were related to the SOC Team, you would see the relationship in one of the sections on the right. The exception is if the Fraud team is a child of US L1, L2, or L3. In that case, the SOC Team would also be able to access the Fraud team's records, because it would be the great-grandparent of the Fraud team through its parent-child relationship with US Analysts.

This slide shows a different team in focus, the US L1 team. It has only one defined relationship. The US Analysts team is its parent team, a relationship shown on the previous slide. However, beyond that parent-child relationship, no other relationships are seen, including to US L2 and L3. To summarize the relationships in this view, the US L1 team:
- Can only act on its own records
- Has a parent in US Analysts
- Has no default siblings
- Has no default children

This slide shows a third team in focus, the US L2 team. There are two relationships: US Analysts as a parent, and US L3 as a sibling. Note that US L2 and US L3 are explicitly configured as siblings, but US L1 is not configured as a sibling. To summarize the relationships in this view, the US L2 team:
- Can act on its own records and US L3's records
- Has a parent in US Analysts
- Has no children

This slide shows a fourth team, the Australia Analysts team. There are two relationships: US Analysts as a sibling, and New SOC as a parent. The US Analysts team is an explicit sibling, as shown on the slide where the US Analysts team was the team in focus. However, you can see that France Analysts is not a sibling in relation to Australia Analysts, even though both teams are siblings of US Analysts. You can also see that Australia Analysts has a different parent from US Analysts. To summarize the relationships in this view, the Australia Analysts team:
- Can act on its own records and on US Analysts' records
- Has a parent in New SOC, which can act on its records
- Has no children

Good job! You now understand security management. Now, you will learn about user and role configuration.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring and managing roles and users, you will be able to ensure administrators are operating within their assigned roles.

Roles define users' ability to act upon data within a CRUD permission set on any module in the system. Note that you must be assigned a role that has CRUD permissions on the Security module to be able to add, edit, and delete teams and roles. Use the Roles menu to create and define roles within the system.
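The record-visibility rules stated across the team hierarchy slides above (parent-child access is transitive upwards, sibling access is explicit per pair and never transitive, and a sibling relationship grants nothing towards the sibling's own parents or children) can be checked as a small model. The following Python is an added example written for this guide, not FortiSOAR code or an export of its configuration; the team names and relationships are transcribed from the slides, and the PARENTS/SIBLINGS structures, the function names, and the "Fraud under US L1" variant are assumptions made for the illustration.

```python
from collections import deque

# Constructed team relationships, transcribed from the Team Hierarchy examples
# above (not exported from a FortiSOAR instance). PARENTS maps a team to the
# teams explicitly defined as its parents; SIBLINGS holds explicit sibling
# pairs, which are symmetric but not transitive.
PARENTS = {
    "US Analysts": {"SOC Team"},
    "US L1": {"US Analysts"},
    "US L2": {"US Analysts"},
    "US L3": {"US Analysts"},
    "Australia Analysts": {"New SOC"},
}
SIBLINGS = {
    frozenset({"US Analysts", "France Analysts"}),
    frozenset({"US Analysts", "Australia Analysts"}),
    frozenset({"US L2", "US L3"}),
}


def ancestors(team, parents=PARENTS):
    """Every team above `team` in the parent chain: parents, grandparents, and so on."""
    seen = set()
    queue = deque(parents.get(team, ()))
    while queue:
        current = queue.popleft()
        if current not in seen:          # guards against an accidental cycle
            seen.add(current)
            queue.extend(parents.get(current, ()))
    return seen


def team_can_act(actor, owner, parents=PARENTS, siblings=SIBLINGS):
    """Can members of team `actor` act on a record owned by team `owner`?"""
    if actor == owner:
        return True
    # Parent-child access is transitive upwards: a record owned by a grandchild
    # team is visible to the grandparent team.
    if actor in ancestors(owner, parents):
        return True
    # Sibling access must be defined explicitly for each pair; two teams that
    # share a parent, or share a sibling, are not siblings of each other.
    return frozenset({actor, owner}) in siblings


def user_can_act(user_teams, record_owners, parents=PARENTS, siblings=SIBLINGS):
    """A user may belong to several teams and a record may have several owner
    teams; access is granted if any of the user's teams can act for any owner."""
    return any(team_can_act(actor, owner, parents, siblings)
               for actor in user_teams for owner in record_owners)


def with_fraud_under_us_l1(parents=PARENTS):
    """The exception discussed above: make the Fraud team a child of US L1, so
    the SOC Team becomes its great-grandparent."""
    extended = {team: set(p) for team, p in parents.items()}
    extended["Fraud"] = {"US L1"}
    return extended


if __name__ == "__main__":
    checks = [
        ("SOC Team", "US L1"), ("Australia Analysts", "US Analysts"),
        ("SOC Team", "Australia Analysts"), ("US L1", "US L2"),
        ("France Analysts", "Australia Analysts"),
    ]
    for actor, owner in checks:
        print(f"{actor:>20} -> {owner:<20} {team_can_act(actor, owner)}")
    print("SOC Team -> Fraud (Fraud under US L1):",
          team_can_act("SOC Team", "Fraud", parents=with_fraud_under_us_l1()))
```

Running the script reproduces each bullet of the summaries above: SOC Team reaches US L1 through US Analysts, Australia Analysts reaches US Analysts but not SOC Team, US L1 and US L2 stay isolated from each other despite the shared parent, and France Analysts and Australia Analysts are not siblings of each other. When reviewing a real hierarchy, the cases worth checking first are the ones where a child team is attached low in the tree, because every ancestor above it inherits visibility.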
You assign roles based on CRUD permissions defined across all modules. You can assign roles in the User or Appliance profiles only. You cannot bulk assign roles.

FortiSOAR also implements RBAC for playbooks. For example, for users to run playbooks, administrators must assign them roles that have execute permission on the Playbooks module. Note that users who do not have execute permission will not be shown the execute action for the module records. Execute actions include actions such as Escalate, Resolve, or any actions that appear in the Execute drop-down list.

The Roles menu allows you to define and modify all the roles within the environment. Roles are not hardcoded in the system; therefore, role editing is a sensitive permission and must be carefully governed by administrators. It is important to note that any user who needs to work with FortiSOAR and records within FortiSOAR must be assigned a role with a minimum of read permission on the Application, Audit Log Activities, and Security modules.

Use the Role Editor to add and edit RBAC permissions. Role permissions are based on the CRUD model. Each module has explicit CRUD permissions that you can modify and save within a single role. You can also explicitly assign permissions for each field within a module by clicking the Set Field Permissions link for that module. A user can have more than one role applied. Each role you grant to a user is added to the user's overall RBAC permission set. Therefore, a user's RBAC permissions are an aggregation of all the CRUD permissions granted to them by each role you assign to them.

By default, FortiSOAR has at least one role in place after installation: the Security Administrator. If the SOAR Framework Solution Pack is installed, there are additional roles defined.
The Security Administrator role starts with full CRUD permissions on the Security module, which allows the administrator to add and manage roles and teams within the application. The Security Administrator role also has CRUD permissions on the Secure Message Exchange and Tenants modules, so that this role can configure multi-tenant systems. It should only be assigned to someone who has been tasked with building and maintaining the role and team structure for your organization. It is recommended that you do not remove this role. If you do plan to remove it, you must ensure that at least one other role with an assigned user has the Security module enabled, if you always want to maintain access to edit teams and roles within the application.

The Application Administrator role grants access to configure application settings, found in the Application Editor section on the Settings page. All users must have read privileges on the Application module to be able to use the application interface. You can restrict non-human users (API users) from entering the application GUI by not giving them any access to the Application module.

The Full App Permission user is a root user, who has full permissions across FortiSOAR. However, data partitioning is still in effect, depending on the team to which the Full App user belongs and what records are owned by that team.

The Playbook Administrator role has access to the Orchestration and Playbooks component. Only users who have explicitly been given a minimum of read access to playbooks can see this component on the left navigation bar. For users to have full privileges to manage playbooks, they must be given CRUD permissions.

The SOC Analyst role is given access to the Alerts module and modules associated with alerts, such as Comments, Attachments, and so on, and also to schedules and reporting.
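The aggregation rule for roles described on the preceding slides (a user's effective permission set is the union of the CRUD sets of every role assigned, the minimum of read on Application, Audit Log Activities and Security for anyone who works in the GUI, execute on Playbooks for the Execute actions, and per-field permissions set through Set Field Permissions) is easy to get wrong when several roles overlap, so it is worth modelling before you review a user's profile. The Python below is an added example written for this guide, not FortiSOAR code; the Role structure, the three sample roles and their permission sets are constructed for the illustration, and the way an explicit field permission overrides the module-level grant is an assumed model, not a statement of how the product combines them.

```python
from dataclasses import dataclass, field

# Permissions used by the CRUD model plus the execute permission described for
# the Playbooks module.
CRUD = {"create", "read", "update", "delete"}

# Any user who works with records needs at least read on these modules (from the slide).
MINIMUM_READ_MODULES = ("Application", "Audit Log Activities", "Security")


@dataclass
class Role:
    """One role as it might be configured in the Role Editor (constructed, simplified model)."""
    name: str
    modules: dict                                 # module name -> set of granted permissions
    fields: dict = field(default_factory=dict)    # (module, field) -> set of permissions


def effective_module_permissions(roles):
    """Aggregate: the user's permission set is the union over all assigned roles."""
    effective = {}
    for role in roles:
        for module, perms in role.modules.items():
            effective.setdefault(module, set()).update(perms)
    return effective


def effective_field_permissions(roles, module, field_name):
    """Assumed model: if any role sets explicit permissions on a field, the field is
    governed by the union of those explicit grants; otherwise it inherits the
    module-level permissions."""
    explicit = [role.fields[(module, field_name)]
                for role in roles if (module, field_name) in role.fields]
    if explicit:
        return set().union(*explicit)
    return effective_module_permissions(roles).get(module, set())


def has_permission(roles, module, perm, field_name=None):
    if field_name is None:
        return perm in effective_module_permissions(roles).get(module, set())
    return perm in effective_field_permissions(roles, module, field_name)


def can_use_application(roles):
    """Meets the minimum of read on Application, Audit Log Activities and Security."""
    return all(has_permission(roles, m, "read") for m in MINIMUM_READ_MODULES)


def sees_execute_actions(roles):
    """Escalate, Resolve and other Execute actions require execute on Playbooks."""
    return has_permission(roles, "Playbooks", "execute")


def summarize(roles):
    """Human-readable view of the aggregated permission set, the thing to compare
    against what the user's profile shows."""
    return {module: sorted(perms)
            for module, perms in sorted(effective_module_permissions(roles).items())}


# Constructed sample roles (illustrative; not the SOAR Framework Solution Pack defaults).
TRIAGE_ANALYST = Role(
    name="Triage Analyst",
    modules={
        "Application": {"read"}, "Audit Log Activities": {"read"}, "Security": {"read"},
        "Alerts": {"read", "update"}, "Comments": {"create", "read"},
    },
    # May read an alert's severity but not change it, although the module allows update.
    fields={("Alerts", "severity"): {"read"}},
)
ALERT_RESPONDER = Role(
    name="Alert Responder",
    modules={"Alerts": {"create", "read", "update"}, "Playbooks": {"execute"}},
)
INGEST_APPLIANCE = Role(
    name="Ingest Appliance",
    modules={"Alerts": {"create", "read", "update"}},   # no Application access: API only
)


if __name__ == "__main__":
    combo = [TRIAGE_ANALYST, ALERT_RESPONDER]
    print(summarize(combo))
    print("can use GUI:", can_use_application(combo))
    print("sees Execute actions:", sees_execute_actions(combo))
    print("can update Alerts.severity:", has_permission(combo, "Alerts", "update", "severity"))
```

The point the example makes is that adding a second role only ever widens a user's module permissions; nothing in a role takes permissions away, so the least-privilege review has to be done on the union. The appliance role shows the pattern the slide recommends for API-only identities: without read on Application it can still create and update alerts through the API but cannot enter the GUI.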
It can also access the Incidents module. The role is designed to investigate alerts, triage them, and escalate alerts to incidents when necessary. Analysts are also responsible for remediation and containment tasks.

The SOC Manager role has complete access to the modules associated with the investigation of incidents, such as Alerts, Incidents, Communications, Indicators, Tasks, War Rooms, and more. The role is designed to manage the investigation of incidents and to perform remediation and containment activities.

These default roles can be modified to your organization’s requirements, or new roles can be created for even more granular control.

This slide shows an example of a new user configuration. You need to enter the user details on the New User page. Note that the Username field is mandatory and case sensitive, and it cannot be changed after it is set. All new users, including the csadmin user, must change their password when they first log in to FortiSOAR, regardless of the complexity of the password assigned to them. After you configure a valid email ID in the user profile, you can reset your password, whenever required, by clicking the Forgot Password link on the login page.

Use the SMTP connector to configure a connection to an email server, which is required to complete the process of adding new users. You can use the SMTP connector to send email notifications. If you have not configured the SMTP connector, the user is still created. However, the system cannot send the password reset notification link to the user, and therefore the process remains incomplete.

Locked users are those who have exceeded the number of authentication attempts allowed within a one-hour period. You can define the maximum number of attempts allowed before the user is locked.
Only an administrator who has CRUD permissions on the People module and read and update permissions on the Security module can unlock the user. By default, users can enter an incorrect password five times before their account is locked for 30 minutes. A security administrator can change these default values. From version 7.0.0 onwards, administrators cannot lock a user using the FortiSOAR GUI; however, administrators can unlock a user from the GUI by selecting the Unlock checkbox on that user's profile page and then clicking Save, or locked users can wait for the configured timeout duration before their account is unlocked.

There are two user access types in FortiSOAR. The first is the Named type. This access type has a permanent seat reserved, so a license seat is consumed whether or not the user is logged in. The second is the Concurrent type, which only takes a concurrent seat when a user logs in. However, if there are no available seats, an error is displayed, as shown on this slide. Select the user access type in the Authentication section of the user’s profile for either a new or an existing user.

The License Manager shows the allocation of user seats between named and concurrent users. In the example shown on this slide, there are two allowed user seats, and one named user already exists. There are three configured concurrent users. This means that only one user seat is available for the three concurrent users to share between them. A reasonable use case for concurrent users is an organization with employees on different shifts or in different time zones. Instead of configuring named users and taking up a permanent seat for each user, concurrent users allow for more flexibility in allocating user seats.

You can view the login status of a user through the GUI or the CLI.
In the GUI, view the status under the Login Status column. To view the login status through the CLI, use the show-logged-in-users command shown on this slide. To force a concurrent user to log out and free up a seat, either use the log out button under the user’s profile, or run the logout-user command shown on this slide.

All users within the system have a profile. Each user has access to their own profile so that they can update specific information about themselves by clicking the User Profile icon. To edit user profiles, you must be assigned a role that has a minimum of create, read, and update permissions on the People module. Otherwise, you will only be able to view your own profile. The user profile includes the user’s name, email, user name, password, and phone numbers. A user can also view the teams and roles they belong to, as well as update their theme.

A user can view their own audit logs, which display a chronological list of all actions performed across all the modules of FortiSOAR. The audit log also displays a user’s login successes or failures, and logout events. Login events include all four supported login types: Database login, LDAP login, RADIUS login, and SSO login. Audit logs also contain user-specific terminate and resume playbook events.

The options for two-factor authentication are: no two-factor authentication configured, send a voice message, or send an SMS. FortiSOAR currently supports only TeleSign to deliver the one-time password required for authentication. You will need a TeleSign account to complete the configuration in the Authentication section of a user’s profile. The Work Phone field is mandatory if a security administrator has enforced two-factor authentication across all FortiSOAR users. You will learn more about this global setting in this lesson.
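The lockout policy and the audit-log login events described above, as an added example that is not code from the study guide: it replays constructed, FortiSOAR-style audit lines (the line format is an assumption, not the real audit log layout) against the guide's defaults of five failed attempts within one hour and a 30-minute lock, and reports which accounts would have been locked and when.

```python
"""Lockout replay over constructed audit log lines (added example, not study guide code).

Assumptions not stated by the guide: the line layout below, that an attempt made
while the account is locked is rejected and not counted, and that a successful
login does not reset the failure counter (only the one-hour window expires it).
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_TYPES = {"Database", "LDAP", "RADIUS", "SSO"}  # the four supported login types

# Constructed sample audit lines; not real FortiSOAR output.
SAMPLE_LOG = """\
2023-04-21T09:00:00 user=alice type=LDAP result=failure
2023-04-21T09:01:00 user=alice type=LDAP result=failure
2023-04-21T09:02:00 user=bob type=Database result=success
2023-04-21T09:03:00 user=alice type=LDAP result=failure
2023-04-21T09:04:00 user=alice type=LDAP result=failure
2023-04-21T09:05:00 user=alice type=LDAP result=failure
2023-04-21T09:06:00 user=alice type=LDAP result=failure
2023-04-21T09:40:00 user=alice type=LDAP result=success
2023-04-21T10:30:00 user=carol type=RADIUS result=failure
2023-04-21T10:31:00 user=carol type=SSO result=logout
"""

def parse_line(line):
    """Return (timestamp, user, login_type, result) for one constructed audit line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if kv["type"] not in LOGIN_TYPES:
        raise ValueError(f"unknown login type {kv['type']!r}")
    return datetime.fromisoformat(ts), kv["user"], kv["type"], kv["result"]

def find_lockouts(log_text, max_attempts=5, window=timedelta(hours=1),
                  lock_duration=timedelta(minutes=30)):
    """Replay failures per user; return {user: [(lock_start, lock_end), ...]}."""
    failures = defaultdict(list)  # user -> timestamps of counted failures
    locks = defaultdict(list)     # user -> lock intervals, in log order
    for line in log_text.splitlines():
        ts, user, _login_type, result = parse_line(line)
        if result != "failure":
            continue
        if locks[user] and ts < locks[user][-1][1]:
            continue              # account is locked: attempt rejected, not counted
        recent = [t for t in failures[user] if ts - t < window] + [ts]
        failures[user] = recent
        if len(recent) >= max_attempts:
            locks[user].append((ts, ts + lock_duration))
            failures[user] = []   # counting starts fresh once the lock expires
    return {user: spans for user, spans in locks.items() if spans}

if __name__ == "__main__":
    for user, spans in find_lockouts(SAMPLE_LOG).items():
        for start, end in spans:
            print(f"{user}: locked {start.time()} until {end.time()}")
```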
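The role aggregation rule described earlier (a user's effective permissions are the union of every assigned role's CRUD set) and the effective-permission review that follows, as an added example that is not code from the study guide: the role contents are constructed stand-ins, not FortiSOAR's shipped roles, and the review flags the conditions the guide calls out (missing baseline read, an API user with Application access, write access to the Security module, no execute on Playbooks).

```python
"""Effective-permission review for constructed FortiSOAR-style roles.

Added example, not study guide code. Module names follow the guide; the
role contents below are constructed stand-ins for illustration only.
"""
CRUD = frozenset({"create", "read", "update", "delete"})

# Constructed roles: module -> permission set (execute applies to Playbooks).
ROLES = {
    "Security Administrator": {
        "Security": set(CRUD), "Application": {"read"}, "Audit Log Activities": {"read"}},
    "SOC Analyst": {
        "Alerts": set(CRUD), "Incidents": {"read", "update"}, "Playbooks": {"read", "execute"},
        "Application": {"read"}, "Audit Log Activities": {"read"}, "Security": {"read"}},
    "Playbook Viewer": {"Playbooks": {"read"}},
}

# The guide: every human user needs at least read on these three modules.
BASELINE_MODULES = ("Application", "Audit Log Activities", "Security")

def effective_permissions(role_names, roles=ROLES):
    """Union of module permissions across all assigned roles."""
    effective = {}
    for name in role_names:
        for module, perms in roles[name].items():
            effective.setdefault(module, set()).update(perms)
    return effective

def review_user(username, role_names, is_api_user=False, roles=ROLES):
    """Return findings for one user; an empty list means nothing to flag."""
    perms = effective_permissions(role_names, roles)
    findings = []
    missing = [m for m in BASELINE_MODULES if "read" not in perms.get(m, ())]
    if missing and not is_api_user:
        findings.append(f"{username}: no read on {', '.join(missing)}; GUI will be unusable")
    if is_api_user and perms.get("Application"):
        findings.append(f"{username}: API user has Application access and can enter the GUI")
    if perms.get("Security", set()) & {"create", "update", "delete"}:
        findings.append(f"{username}: can edit roles/teams (Security module write); govern closely")
    if "execute" not in perms.get("Playbooks", ()):
        findings.append(f"{username}: Execute actions hidden (no execute on Playbooks)")
    return findings

if __name__ == "__main__":
    for user, assigned, api in [("alice", ["SOC Analyst"], False),
                                ("svc-api", ["SOC Analyst"], True),
                                ("carol", ["Security Administrator", "Playbook Viewer"], False)]:
        print(user, review_user(user, assigned, is_api_user=api) or ["ok"])
```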
An administrator can change a user’s team membership and assigned roles directly from their profile without having to navigate to the Teams and Roles interfaces. You can select multiple checkboxes to grant a user more than one team or role. This slide shows the selected teams and roles of this particular user.

Administrators with a minimum of read permission on the Security module can view a consolidated list of effective permissions based on a user’s assigned roles. This is useful in the event that the user is assigned multiple roles and unintended access is given. The opposite is also true: if a user is unable to access parts of the system, you can confirm whether they are missing permissions. The Effective Role Permissions interface allows the administrator to check all permissions assigned to a user instead of having to audit each role individually.

Administrators can delete users by running a script on the FortiSOAR CLI. You cannot delete user accounts in the GUI, regardless of whether you are a user or an administrator. The slide shows the steps to delete a user on the FortiSOAR CLI. First, enter the username of the user that you want to delete in the usersToDelete.txt file. The file path is shown on the slide. This file is an empty text file in which you can enter the IDs of the users who you want to delete. Second, connect over SSH to your FortiSOAR VM and log in as the root user. Finally, enter the command shown on this slide to execute the deletion script. The userDelete script only deletes users in the local database and does not work for externalized databases. It is highly recommended that you use this script to delete or clean up users during the initial stages of configuring FortiSOAR.
If you delete users who have been using FortiSOAR for a while, then the records for which the deleted user was the only owner are also lost forever.

Good job! You now understand role and user configuration. Now, you will learn about authentication.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring user accounts and LDAP integration, you will be able to set up FortiSOAR to import and authenticate LDAP users.

The FortiSOAR security model treats authentication and authorization separately. Authentication defines your ability to log in and access FortiSOAR. FortiSOAR enforces authentication based on a set of credentials. Authorization governs a user’s ability to work with data within FortiSOAR after authentication is complete. You control authorization by assigning teams and roles to users. This is an important distinction because when you configure user accounts, you must always define both the authentication and the desired authorization for a user. Otherwise, after a user logs in to FortiSOAR, the user might be presented with a blank screen due to lack of authorization. Conversely, a user may have excessive permissions for their role within the organization. This section focuses on the various authentication options for users to log in to the system.

FortiSOAR supports the following four types of authentication:

Native (local database): Users are created on FortiSOAR itself.

LDAP: Remote LDAP server, such as an Active Directory environment.
SAML: Open standard for exchanging information between an identity provider and FortiSOAR. Examples of identity providers are FortiAuthenticator, Okta, Google, and many others.

RADIUS: Support for RADIUS was added from FortiSOAR 7.2.0 onwards. Microsoft NPS is a commonly seen RADIUS server.

To configure authentication settings, an administrator requires a minimum of read and update permissions on the Security module.

On the Account Configuration page, in the Session & Idle Timeout section, you can configure various settings. The Idle Timeout value determines the number of minutes a user can be idle on FortiSOAR, after which an idle warning dialog is displayed. The default value is 30 minutes. The Idle Timeout Grace Period value is the number of seconds a user is given to view the idle warning dialog, after which FortiSOAR logs the user out. The default value is 60 seconds. The Token Refresh value is the number of minutes before the session token is refreshed. User interaction is not required. The default value is 60 minutes. The Reauthenticate Dashboard User value determines the number of hours after which a dashboard user is forced to re-authenticate. The default value is 24 hours. The Reauthenticate Application User value is the number of hours after which an application user is forced to re-authenticate. The default value is 24 hours.

On the Account Configuration page, you can also configure various options for user accounts. You can select Enforce 2FA to globally enforce two-factor authentication on all FortiSOAR users. Before you enforce two-factor authentication, all users’ profiles must have it configured to prevent users from getting locked out. Currently, FortiSOAR supports only TeleSign for two-factor authentication using SMS.
You need to have a TeleSign account to send one-time password codes to the users’ mobile devices. Type the information provided by TeleSign into the Customer ID and API Key fields.

Use the Authentication menu to set up, modify, and turn your LDAP authentication provider on or off. To configure LDAP authentication, first ensure LDAP Enabled is selected. Enter the IP address or hostname and the port of your LDAP authentication server. Optionally, you can enable Use TLS/SSL and then provide user account credentials to search the directory and import users. You can add users either by mapping users using the User Attribute Map section, or by searching for users in the directory and then importing them.

To map users, configure the User Attribute Map. FortiSOAR provides a default user attribute map array that contains the most common combination of field mappings. You can modify the mappings based on your own LDAP container fields by editing the map. In the User Attribute Map section, under Fields, click the editable field name (the right-side field name) to map it to your LDAP fields. The non-editable field name (the left-side field name) is the FortiSOAR attribute.

You must have a valid administrative user name and password to search the LDAP resource for user information. You do not have to use admin credentials, but at a minimum, you must have user credentials that can access the LDAP tree and import all desired user containers. After you add the credentials in the User Search section, click Allow User Import to configure your environment to look in the LDAP resource for all new users. If you want to add local users, you must clear the Allow User Import checkbox to revert your system to the local user import in the Users administration menu.
To narrow down your search, you can enter a path in the Base DN field to specify the starting point of the query. The Recursive option allows searching for users inside nested groups under the base DN. The Search Attribute field can be used to define which LDAP attribute to search, such as sAMAccountName, UPN, and more. The Search Criteria field can be used to find specific results based on the search attribute defined. For example, if the attribute defined is sAMAccountName, you can search for a match in the criteria search bar.

Security Assertion Markup Language (SAML) is an XML-based, open standard data format for exchanging authentication and authorization data between parties. When SAML is enabled, there is a new option to log in to FortiSOAR by clicking the Use Single Sign on (SSO) button. SAML defines three roles: the principal, the identity provider (IdP), and the service provider (SP). The principal is generally a user that has an authen
