FortiSOAR_Design_and_Development_7.3_Study_Guide-Online.pdf

Full Transcript

DO NOT REPRINT © FORTINET FortiSOAR Design and Development Study Guide for FortiSOAR 7.3 DO NOT REPRINT © FORTINET Fortinet Training Institute - Library https://training.fortinet.com Fortinet Product Documentation https...

DO NOT REPRINT © FORTINET FortiSOAR Design and Development Study Guide for FortiSOAR 7.3 DO NOT REPRINT © FORTINET Fortinet Training Institute - Library https://training.fortinet.com Fortinet Product Documentation https://docs.fortinet.com Fortinet Knowledge Base https://kb.fortinet.com Fortinet Fuse User Community https://fusecommunity.fortinet.com/home Fortinet Forums https://forum.fortinet.com Fortinet Product Support https://support.fortinet.com FortiGuard Labs https://www.fortiguard.com Fortinet Training Program Information https://www.fortinet.com/nse-training Fortinet | Pearson VUE https://home.pearsonvue.com/fortinet Fortinet Training Institute Helpdesk (training questions, comments, feedback) https://helpdesk.training.fortinet.com/support/home 4/27/2023 DO NOT REPRINT © FORTINET TABLE OF CONTENTS 01 Introduction to FortiSOAR 4 02 Dashboard Templates and Widgets 55 03 Module Templates and Widgets 90 04 Application Editor 131 05 Dynamic Variable and Values 154 06 Jinja Filters, Functions, and Conditions 183 07 Introduction to Playbooks 217 08 Playbook Core Steps 254 09 Playbook Evaluate Steps 281 10 Playbook Connectors, Data Ingestion, and Execution Steps 302 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Design and Development Introduction to FortiSOAR FortiSOAR 7.3 © Copyright Fortinet Inc. All rights reserved. LastLast Modified: Modified: 25 April 25 April 20232023 In this lesson, you will learn what Security Orchestration, Automation, and Response (SOAR) is, and how FortiSOAR can help security operations center (SOC) teams. You will also learn about FortiSOAR architecture and some initial configuration. FortiSOAR Design and Development 7.3 Study Guide 4 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Objectives Describe the basics of SOAR technology Understand SOC maturity Describe the alert handling procedure performed by SOC analysts Describe the various FortiSOAR architectures Describe FortiSOAR HA capability Identify the minimum resource requirement for deployment Understand the installation steps for FortiSOAR Plan a FortiSOAR deployment Configure initial settings Identify the role of FortiSOAR in a SOC environment Manage incidents and alerts in a SOC environment © Fortinet Inc. All Rights Reserved. 2 After completing this lesson, you should be able to achieve the objectives shown on this slide. By demonstrating competence in SOAR technology, you will be able to determine a customer deployment model, deploy FortiSOAR, and perform initial configuration. FortiSOAR Design and Development 7.3 Study Guide 5 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOAR Basics 3 In this section, you will learn about SOAR technology, and the importance of SOAR in a SOC environment. FortiSOAR Design and Development 7.3 Study Guide 6 Introduction to FortiSOAR DO NOT REPRINT © FORTINET What Is SOAR? SOAR Security Orchestration Automation Response SOA (Security Orchestration Automation) + TIP (Threat Intelligence Platform) + IRP (Incident Response Platforms) © Fortinet Inc. All Rights Reserved. 4 Gartner defines SOAR as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management (SIEM) systems) and apply workflows aligned to processes and procedures. Orchestration is the process of collecting data, which is usually alerts and incidents from different sources, and performing various actions from one platform. Orchestration also helps you to streamline and optimize frequently occurring processes and workflows. Automation and orchestration are different, but related, concepts. Automation enables security teams to be more efficient by reducing or replacing human interaction with IT systems, and instead use a centralized platform to perform tasks in order to reduce cost, complexity, and errors. Automated workflows and responses enable the security teams to automatically respond to security events. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. SOAR is the technology that can orchestrate data, automate workflows, and respond to incidents. All of that can be performed from a single platform. FortiSOAR Design and Development 7.3 Study Guide 7 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Why Is SOAR Important? Too Many Too Many Manual & Lack of Vendors Alerts Slow Response Trained People © Fortinet Inc. All Rights Reserved. 5 The majority of organizations juggle at least 50 discrete cybersecurity products at once, posing a threat to data security, according to a new report from Oracle and KPMG. Keeping the security team up-to-date on all the latest features and functions for different vendors is a challenge. Based on market research, the incident management segment is projected to grow at a higher compounded annual growth than the network forensics segment. This will result in a very high volume of alerts and incidents. Manually addressing every incident is not feasible for large organizations. The threat landscape is evolving and attackers are more sophisticated than before. Responding to incidents manually can be slow, and that could provide attackers with the opportunity to breach other systems, which could have been stopped if the incidents were resolved quicker. Cybersecurity has become a major priority for organizations looking to protect themselves against the massive cost of data breaches, but there’s an international problem hindering that goal. There are millions of cybersecurity positions open and unfilled around the world. Without trained security staff, organizations don’t have the capability to deploy the right controls or develop security processes to detect and prevent cyberattacks. FortiSOAR Design and Development 7.3 Study Guide 8 Introduction to FortiSOAR DO NOT REPRINT © FORTINET What Is a SOC? A security operations center, or SOC, is a specialized organizational resource consisting of a specialized set of People Processes Technologies Dedicated to monitoring and defending organizational IT assets, and detecting, containing, eradicating, and assisting in the recovery from security threats and associated incidents © Fortinet Inc. All Rights Reserved. 6 A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. Security operations centers are typically staffed with security analysts and engineers as well as managers who oversee security operations. SOC staff work closely with organizational incident response teams to ensure security issues are addressed quickly upon discovery. Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. FortiSOAR Design and Development 7.3 Study Guide 9 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Reasons SOC Tooling Projects Fail and Succeed Scope Technology Implementation Focused requirements and Strong understanding of the Resources allocated Success use cases market and technology Skills required identified and Realistic expectations Meets current and future planned for Appropriate application requirements, and in-scope Impact on SOC playbooks (current and future) processes understood High-fidelity outputs Shallow and narrow Lack of understanding of Too small—no team Failure coverage how tools work Lacking key skills Unrealistic expectations Too many events (poor No playbook—no process Wrong focus (threat vector) sources or poor tech) Solution didn’t deliver © Fortinet Inc. All Rights Reserved. 7 Security and risk management leaders can improve the odds of selecting the right tool for the organization by gaining consensus during a premortem analysis on what could go wrong, and which success metrics should apply to a project. The premortem can also serve as an early-stage vehicle for collecting initial use cases and requirements. Those can be further refined as part of the formal project definition and approval cycles. As part of a project to bring tools into the SOC, a solid understanding of the scope, technologies being considered, and affected processes is required. As your SOC team grows, you must consider the scope, technology, and implementation requirements. FortiSOAR Design and Development 7.3 Study Guide 10 Introduction to FortiSOAR DO NOT REPRINT © FORTINET What Is SOC Maturity? SOC Forward Leaning Productivity Optimization Established Threat Hunting and Incident Response Establishing Enhanced Near-Real-Time Threat Detection Greenfield Real-Time Monitoring and Operations © Fortinet Inc. All Rights Reserved. 8 An organization building a SOC prioritizes technology purchases to get real-time monitoring capabilities in order to better understand what is happening when observing the consequences of the event. This first level of visibility, while potentially limiting the SOC to reactive activities, is necessary. As the SOC matures and learns, it builds the processes to treat basic incidents, and starts to differentiate event treatment based on their impact. Additional tools might help at this stage to speed up initial assessment, with individual alerts being aggregated and augmented with additional context. More mature organizations might need to strengthen their ability to perform root cause analysis of the incident and elimination of the threat. You want to ensure that when you close an incident, the risk of recurrence is correctly handled. After the end-to-end workflow itself becomes more refined, orchestration and other productivity improvements will move the SOC forward FortiSOAR Design and Development 7.3 Study Guide 11 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Solve Security Complexity Based on SOC Maturity S SOC Team O (5+ Analysts) C Dedicated Security Team M A NGFW T IT-Security Automated SD-WAN Response U (One Team) R Multi- Vendor I Visibility Y T Security Fabric Analytics Security Operations © Fortinet Inc. All Rights Reserved. 9 Smaller or newly formed SOCs, or those that were previously outsourced where the technology was provided by the provider, often start with FortiSIEM or log management solutions. This is necessary to start seeing what is happening in the organization, leveraging logs from network and endpoint security controls already in place, and possibly from other sources, based on criticality to the organization, for example, domain controllers, critical applications, and other externally exposed assets. The need to have a common repository of incidents could be addressed within a SIEM tool or within the IT case management or service desk tool. You should consider using a security incident response platform (SIRP) tool, or the SIRP capabilities of a FortiSOAR tool, if the incident and case management capabilities in the FortiSIEM tool are not advanced enough, or there are security and privacy concerns with using the IT service desk tool. Every “greenfield” SOC will not have the resources (budget, people, time) to implement SIRP at the beginning, but you should strongly consider it at the start of instrumenting the SOC, rather than trying to bolt it on later in the SOC building journey. If security and privacy concerns make the IT service desk tool inappropriate, and if the preferred SIEM tool lacks adequate case management capabilities, security leaders face an early maturity bottleneck. They must consider a SIEM tool with more advanced case management capabilities, or leverage a SIRP tool or the SIRP capabilities of a SOAR tool, which would normally be beyond their current maturity level. FortiSOAR Design and Development 7.3 Study Guide 12 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR—Four Key Use Cases for a Mature SOC Unified Incident Alert Triage SOC SOC Response Automation Optimization Collaboration Management © Fortinet Inc. All Rights Reserved. 10 This slide shows four key use cases in which FortiSOAR can help a matured SOC. FortiSOAR provides a unified incident response management platform where incidents can be investigated and remediated. To avoid false positives, alerts are triaged and checked to verify if the alert is legitimate by automatically extracting indicators, and checking their reputation against threat intelligence platforms. SOC optimization ensures that SOAR solutions enable security operations teams to automate the tiresome, repetitive, and monotonous elements of their workflow that don’t depend upon human interaction. This takes some of the pressure off security analysts, and frees them to focus on the day-to-day incident response and bigger-picture cyber defence strategies. Having a SOAR platform also helps SOC teams to collaborate with each other through a central platform without relying on any external case management software. FortiSOAR Design and Development 7.3 Study Guide 13 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOC Alert Handling and Triage 11 In this section, you will learn how a SOC team handles alerts and about the process of triage and escalation. FortiSOAR Design and Development 7.3 Study Guide 14 Introduction to FortiSOAR DO NOT REPRINT © FORTINET The SOC Automation Model—Level 1 Medium business with an IT & security People team Logging & reporting Best effort Manual incident detection & response Products response Process © Fortinet Inc. All Rights Reserved. 12 The SOC Automation Model is divided into three key areas: people, process, and product. Within each area, an organization can be classified at a maturity level from 1-3, based upon their security posture in that area. For example, an organization that is level 1 in all categories has a small IT team with no security staff (people), best effort incident response playbooks (process), and no dedicated security solutions (product). At the other extreme, an organization may have a large security team with experienced SOC analysts, well- defined playbooks, and have not only deployed but also measured the effectiveness of their SIEM and SOAR solutions. At Level 1: Achieve Visibility Leveraging Security Fabric Analytics At Level 1 of the SOC Automation Model, a security team has no dedicated security personnel or processes for addressing potential incidents. Additionally, the average enterprise receives more than 10,000 alerts per day, meaning that SOC analysts are overwhelmed and have little time for identifying and remediating true threats to the network. Without dedicated solutions, an organization’s security team lacks visibility into potential threats to their network. The team must manually collect and correlate all log data before they can analyze it. Many level 1 SOCs lack the knowledge or the resources to identify true threats, leaving the organization at risk. FortiAnalyzer is an easy-to-deploy solution for centralizing visibility and threat detection across an organization’s entire Fortinet Security Fabric, including both on-premises and cloud deployments. FortiAnalyzer correlates log data from multiple Fortinet devices, providing valuable context to security analysts. By analyzing this data using machine learning (ML) and indicators of compromise (IOCs) provided by a global threat-intelligence feed, FortiAnalyzer can help even the smallest security team to pinpoint and rapidly respond to threats within their network. FortiSOAR Design and Development 7.3 Study Guide 15 Introduction to FortiSOAR DO NOT REPRINT © FORTINET The SOC Automation Model—Level 2 Medium-large business with dedicated People security team Level 1+ Basic Multivendor incident automated response incident plan Products detection Process © Fortinet Inc. All Rights Reserved. 13 At Level 2: Enhance Multivendor Visibility With SIEM, the average enterprise has 75 different point security solutions deployed on their network. While each of these solutions provides valuable intelligence about potential threats to the organization’s network, they often lack the context required to differentiate between a true threat and a false positive. Additionally, an array of standalone security solutions makes it difficult to enforce consistent security policies and maintain compliance with strict new data protection regulations, such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). A SIEM system is the logical solution to the security complexity caused by a multivendor environment. A SIEM solution ingests data collected from products created by multiple different vendors and performs automated correlation and analysis to provide a clearer picture of the overall status of the protected environment. FortiSIEM allows security teams to map operations to industry best practices and security standards, such as those published by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). In this way, FortiSIEM expands on the visibility that FortiAnalyzer brings to the Fortinet Security Fabric. FortiSOAR Design and Development 7.3 Study Guide 16 Introduction to FortiSOAR DO NOT REPRINT © FORTINET The SOC Automation Model—Level 3 Large enterprise with experienced SOC analysts People Level 2+ Alert management Advanced SOC Unified processes and orchestration, playbooks automation & Products response Process © Fortinet Inc. All Rights Reserved. 14 At Level 3: Incorporate Automated Response With SOAR, the cyber-threat landscape is accelerating as cyber criminals increasingly rely upon automation to speed up their attacks. While single-pane-of-glass visibility speeds up the rate at which a security team can identify a potential threat, a reliance on manual incident response processes means that defenders will always be a step behind the attackers. SOAR solutions enable an organization’s security team to leverage automation to speed incident response. By creating an automated framework to tie together an organization’s complete security architecture, defensive actions can be taken by multiple different systems in concert. This minimizes the context switching required of security personnel, decreasing alert fatigue and speeding incident response. FortiSOAR also enables an organization to optimize its security processes by leveraging well-defined security playbooks. By automating repetitive tasks and responses to common threats, FortiSOAR enables a security team to focus their efforts and limited resources on higher-level tasks. FortiSOAR Design and Development 7.3 Study Guide 17 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOC Alert Handling—L1 Analyst Procedure for L3 SOC Model Close Run playbook Close & validate No Yes L1 Analyst Investigation Yes Playbook No Valid Create Case/ Alert Remediation? Escalate Established techniques Threat? Incident & procedures FortiSIEM external lookups automate FortiSIEM cases specific investigation steps FortiSOAR incidents FortiSOAR playbooks automate specific investigation steps © Fortinet Inc. All Rights Reserved. 15 A level 1 analyst is the front line responder to an alert. FortiSIEM or FortiSOAR could receive an alert depending on the way the log forwarding is set up in your infrastructure. The task of a level 1 analyst is usually to investigate and triage an alert. If you already have established techniques or procedures on FortiSIEM or FortiSOAR, then a level 1 analyst could automate some aspects of the investigation, such as reputation lookups for IOC using playbooks on FortiSOAR, or by using automation scripts on FortiSIEM. If the alert is not a valid threat, then the analyst can close it as a false positive. Otherwise, the analyst can open an incident or a case. On FortiSOAR, you can run a playbook to remediate the incident, if a playbook is available, and then close the incident. If a playbook remediation is not available, then you can escalate the incident to a level 2 analyst. FortiSOAR Design and Development 7.3 Study Guide 18 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOC Incident Handling—L2 Analyst Document & Close Procedure for L3 SOC Model Document Flag for possible future & Close playbook FortiSOAR acts as Update Update SOC knowledge Knowledge base Knowledge base base Document Run playbook Perform & validate manual & Close remediation No Yes Yes L2 Analyst Escalated Investigation Yes No No Valid Playbook Able to manually Incident Escalate Established techniques, Threat? Remediation? remediate? plus manual investigation FortiSIEM remediations FortiSOAR can automate specific investigation steps FortiSOAR playbooks © Fortinet Inc. All Rights Reserved. 16 A level 2 analyst investigates the incident using established techniques or procedures. A key role of a level 2 analyst is to investigate an incident through manual methods and use playbooks wherever possible. If the incident is not a threat, then the analyst can close it, otherwise they can move the incident to the remediation stage. The level 2 analyst determines if a remediation playbook is available to remediate the incident, and run the playbook against the incident. If an appropriate script is available, then the analyst can also remediate an incident from FortiSIEM. After an incident is remediated, the analyst updates the knowledge base within FortiSOAR, documents the incident, and closes it. If the analyst is unable to remediate the incident using a playbook or through FortiSIEM, then the analyst must determine if they can resolve the incident manually. After performing manual remediation, the analyst must update the knowledge base, document the case, and flag the case for a possible playbook in the future. If the level 2 analyst cannot remediate the incident, then they can escalate the case to level 3 analyst. FortiSOAR Design and Development 7.3 Study Guide 19 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOC Escalated Incident Handling—L3 Analyst Document Procedure for L3 SOC Model & Close New FSM rules FortiSOAR case logs Review with architect and provide a record for update New FSR process update procedures playbooks Update Document Knowledgebase & Close No No L3 Analyst Escalated Yes Perform Yes Document Investigation Valid Known technique manual Incident Advanced manual threat? remediation or procedure? & Close investigation Note: The remediation could involve follow-up work, to update FortiSIEM rules, update firewall policies, patch all endpoints, and so on. © Fortinet Inc. All Rights Reserved. 17 The level 3 analyst takes ownership of the escalated incident and performs further advanced manual investigation on the incident in addition to all the investigation done by level 1 and level 2 analyst. If the threat is not valid then the case is documented and closed. If the threat is valid then the level 3 analyst will perform a manual remediation of the incident. The remediation could involve follow-up work such as updating FortiSIEM rules, update firewall policy, patch all endpoints and so on. The level 3 analyst will then decide if there is a known technique or procedure to resolve such an incident, either manual or through a playbook. If there is a known procedure, then the case is documented and closed. If there is no known procedure, then the analyst will update the knowledge base, review the procedure with an architect and update the procedure to resolve such incidents. FortiSOAR case logs provide a record for process updates. The review process also involves developing a new playbook, if required, so that such incidents can be autoremediated by the playbook for future occurrences of such incidents. After the review process is complete, the case can be documented and closed. FortiSOAR Design and Development 7.3 Study Guide 20 Introduction to FortiSOAR DO NOT REPRINT © FORTINET New Technique or Procedure Identify Threat Identify indicators Identify remediation Identify impact of remediation If possible, patch, Build SIEM rule or Build SIEM Implement approval block or otherwise SOAR playbook to remediation or SOAR controls and checks to mitigate risk of help identify in playbook to automate minimize risk of self- exploit future future response DoS, and so on © Fortinet Inc. All Rights Reserved. 18 A level 3 analyst must follow specific protocols while developing a new technique or procedure. The analyst must identify the threat. Once identified, analyst must mitigate the risk must be mitigated to avoid risk of exploitation. If possible the analyst should try to patch any vulnerable systems, or block any indicators of compromise. Through a thorough investigation, the analyst should be able to identify the indicators that have been compromised. Based on that investigation, the analyst should build SIEM rules or SOAR playbooks so that such incidents can be identified and indicators can be enriched. The analyst’s next task is to remediate the incident automatically through FortiSIEM remediation scripts, or develop playbooks on FortiSOAR for automatic remediation. Finally, the analyst must study the impact of remediation on services and networks. Often, a poorly developed playbook could cause a self-inflicted denial of service, bringing down servers or critical network infrastructure. FortiSOAR Design and Development 7.3 Study Guide 21 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Architecture 19 In this section, you will learn about FortiSOAR architecture, and various platforms on which you can install FortiSOAR. FortiSOAR Design and Development 7.3 Study Guide 22 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Typical Enterprise Architecture AP Router Server Firewall Analyzer LAN Threat Intelligence Platform Alerts ingested through API Query and Enrichment Incident FortiSIEM FortiSOAR Run remediation playbooks © Fortinet Inc. All Rights Reserved. 20 In an enterprise architecture, there is one single instance of FortiSOAR. You can ingest data using connectors into FortiSOAR from various devices in your infrastructure. When available, it is recommended that most logs be sent through the SIEM, rather than through direct connectors. This ensures the SIEM is a central point of log aggregation and can be used for analytics and reporting. After you integrate your FortiSIEM, or any other SIEM solution, with FortiSOAR, incidents generated by FortiSIEM are ingested by FortiSOAR. Every incident that is sent from FortiSIEM to FortiSOAR is a unique record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents, and perform remediation action on the target devices. For example, if the logs that are sent by FortiGate to FortiSIEM generate an incident that indicates an external malicious actor is trying to access corporate resources, then FortiSOAR evaluates that incident and rates that external IP against various threat intelligence platforms. If the IP is malicious, then you can run a remediation playbook to take action against that IP address. In the scenario shown on this slide, the solution is to block that IP on the FortiGate firewall. The playbook can automatically log in to FortiGate and put that IP on the quarantine list for an indefinite period of time. FortiSOAR Design and Development 7.3 Study Guide 23 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Multi-Tenant Shared Tenancy Architecture FortiGate Customer A FortiSIEM FortiSOAR Node Connectivity required between sites FortiGate All data sent to MSSP SOC FortiSIEM Customer B Actions taken from MSSP SOC MSSP SOC © Fortinet Inc. All Rights Reserved. 21 In the case of shared tenancy, tenants share the same system as the primary device; that is, tenants are local, but with restricted access on the system. The SOC team provides cybersecurity monitoring and management to various tenants in a single FortiSOAR instance. The shared tenancy model ensures that the data belonging to different tenants is segregated, and data access is controlled using RBAC. Therefore, a tenant can view only their own data or record, and not the data of other tenants. You can give each tenant their own login, which they can use to view their dashboards, report, check the actions taken on their records, check their SLA management, and so on. FortiSOAR Design and Development 7.3 Study Guide 24 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Multi-Tenant Distributed Tenancy Architecture TLS FortiSOAR FortiSOAR FortiSOAR Primary Node Secure Message Exchange Tenant Node Playbooks pushed to tenant node Alerts & select data shared with primary FortiSIEM FortiGate Actions pushed to tenant node CUSTOMER © Fortinet Inc. All Rights Reserved. 22 In the case of a distributed tenancy model, the tenant node instance of FortiSOAR is remote and every tenant has their own instance of FortiSOAR. The primary FortiSOAR node resides at the MSSP location and communicates with the tenant node through a secure channel. Tenant data remains in the tenant environment, and they control how much data they want to share with the primary node. All sensitive information stays with the tenant node. Since the actual workflow execution happens at the tenant node itself, the primary node requires only the summary of information to help identify what investigations should run. The primary node pushes any action that needs to be executed to the tenant node. Similarly, any playbook that needs to be executed is pushed by the primary node to the tenant node. FortiSOAR Design and Development 7.3 Study Guide 25 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Multi-Tenant Hybrid Architecture Mix and match shared and distributed architecture as required FortiGate Customer A FortiSIEM Centrally managed FortiSOAR Primary Node FortiSOAR FortiGate Secure Router Node Customer B FortiSOAR Tenant Node Distributed node MSSP SOC FortiSIEM © Fortinet Inc. All Rights Reserved. 23 In a multi-tenant hybrid model, the primary node centrally manages some customers. If the customer is managed by the primary node, then there is no requirement for a tenant node for that customer. Then there are other customers who use a distributed method. For those customers, you must install a tenant node. FortiSOAR Design and Development 7.3 Study Guide 26 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR HA and Clustering High availability (HA) and clustering for Active-passive for resilience resilience and scalability Active-active for resilience and scalability Internal DB Load balancer used for active-active Replication Supported with internal and external database Multiple secondary nodes supported HA license required FortiSOAR FortiSOAR Active Primary Active Secondary © Fortinet Inc. All Rights Reserved. 24 FortiSOAR supports HA clusters that you can deploy in both active-passive and active-active configurations. You can configure FortiSOAR with either an externalized PostgreSQL database, or an internal PostgreSQL database. For both, you can configure active-active or active-passive HA clusters. One FortiSOAR cluster can have only one active primary node. All the other nodes are either active secondary nodes or passive nodes. FortiSOAR Design and Development 7.3 Study Guide 27 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Supported Installation Platforms Self Installation Virtual Instance Install application on dedicated Virtual instance images offered for Rocky Linux/RHEL server VMWare ESXi Allows installation on other AWS hypervisors FortiSOAR Cloud KVM, Hyper-V, and so on Docker Allows installation on bare metal Rocky Linux/RHEL 8.6 Recommended node resources: 8 CPUs 32 GB RAM 1 TB SSD HDD 1 vNIC © Fortinet Inc. All Rights Reserved. 25 A key element of the FortiSOAR architecture is its form factor. FortiSOAR is available as a virtual instance and comes as a 64-bit, hardened, Rocky Linux, virtual machine that is preconfigured and pre-installed with FortiSOAR. All you have to do is import the virtual instance into your hypervisor environment. FortiSOAR is supported on VMWare ESXi or Amazon Web Services (AWS). Prior to 7.3.0, you could install FortiSOAR on CentOS platform. However, because CentOS has announced its end-of-life cycle, FortiSOAR is now embedded with a newer, stable OS in Rocky Linux or RHEL 8.6. In addition, Docker support has been added in 7.3.0. Instead of deploying a virtual instance, you can self-install FortiSOAR on a minimal Rocky Linux operating system. You can also install it on different hypervisors such as KVM, Hyper-V, or even on a bare metal hypervisor. FortiSOAR Design and Development 7.3 Study Guide 28 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Resource Requirements for a FortiSOAR Virtual Instance Minimum hardware requirements for FortiSOAR virtual instance nodes are as follows Node CPU RAM Local Disk FortiSOAR 8 vCPU 32 GB 1 TB available disk space: recommended to have high-performance storage, preferably SSDs Note that these are only the minimum requirements. Performance may improve if you increase vCPUs and RAM in certain situations. In case of an MSSP setup, contact FortiSOAR support for sizing requirements. © Fortinet Inc. All Rights Reserved. 26 A major benefit of the FortiSOAR form factor is its scalability. If your company grows, and you start sending more data to FortiSOAR than what it was initially configured to handle, you can upgrade the VM and add more resources. It’s easy to add CPUs, memory, and even storage to VMs. There are no charges or fees from Fortinet, unlike some vendors that charge by the number of CPUs used. The minimum hardware requirements for one instance of FortiSOAR are 8 vCPU, 32 GB of RAM and 1 TB of storage. There are no size limits for the records database, and no charges or fees for storing months’ or years’ worth of data. That’s important to note when considering compliance reporting, and PCI or HIPPA requires that you store a year’s worth of data in order to provide appropriate audit reports. It’s very easy to determine how much storage you’ll need. FortiSOAR Design and Development 7.3 Study Guide 29 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Cloud A subscription service aimed to ease FortiSOAR deployment, management, and scaling Requires both a FortiCloud Premium subscription and a FortiSOAR Cloud Entitlement license If either license expires, there is a 30-day grace period Primary account holder can create secondary account holders FortiCloud creates an instance with an embedded secure message exchange Choose a region to deploy your instance Only one instance per FortiCloud account © Fortinet Inc. All Rights Reserved. 27 FortiSOAR Cloud is a service subscription aimed to ease deployment, management, and scaling. You can access the FortiSOAR Cloud interface via the FortiCloud Services menu. To provision a FortiSOAR Cloud instance, you must have a FortiCloud account in addition to a FortiCloud Premium subscription and a FortiSOAR Cloud Entitlement license. If either license expires, you have a 30-day grace period to remedy the situation before the cloud portal shuts down the instance. Only one FortiSOAR instance can be created per FortiCloud account. You can choose which region to deploy your instance in, but you cannot migrate the instance to a different region later. The primary account holder can create secondary account holders with permissions to the account and the FortiSOAR cloud instance. After the instance has been provisioned, you can access it by using the web interface or the SSH console. The instance also contains an embedded secure message exchange, set as the cloud instance address running on TCP port 5671. From the FortiSOAR Cloud portal’s interface, you can also reboot and manage snapshots of the instance. FortiSOAR Design and Development 7.3 Study Guide 30 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Initial Configurations 28 In this section, you will learn about FortiSOAR deployment, licensing, and configuration options that will help you get FortiSOAR up and running. FortiSOAR Design and Development 7.3 Study Guide 31 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Initial Deployment of the Virtual Instance Plan Deploy Complete site preparation, including hardware and resources for the VM Import the FortiSOAR VM into the ESXi Download the FortiSOAR VM server using the vSphere Web Client or upload the FortiSOAR VM to AWS Run the FortiSOAR configuration wizard License the FortiSOAR using the License Manager Configure optional settings such as editing the VM resource configuration and changing the default database password for FortiSOAR Configure Log on to FortiSOAR for the first time Configure SMTP using the SMTP connector Point the ntpd service to a valid ntp server Set up a proxy server to serve all requests for FortiSOAR Configure data encryption keys Create user © Fortinet Inc. All Rights Reserved. 29 This slide shows a high-level view of the initial deployment methodology of FortiSOAR. The planning process involves the following tasks: Complete site preparation, including hardware and resources for the VM Download the FortiSOAR VM The deployment process involves the following tasks: Import the FortiSOAR VM to the ESXi server Run the FortiSOAR configuration wizard License FortiSOAR using the License Manager Configure optional settings, such as editing the VM resource configuration and changing the default database password for FortiSOAR The configuration process involves the following tasks: Log on to FortiSOAR for the first time Configure SMTP using the SMTP connector Point the ntpd service to a valid ntp server Set up a proxy server to serve all request for FortiSOAR Configure data encryption keys Create a user FortiSOAR Design and Development 7.3 Study Guide 32 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Plan the Installation Plan Hardware Requirement Select Hypervisors VMware ESXi 5.5 or 8 vCPUs higher 32 GB RAM Amazon Web Services 1 TB disk Redhat KVM 1 vNIC Docker Fortinet-FortiCloud VM Inbound Networking VM Outbound Networking Port 22 Port 443 Port 22 Port 25 Port 443 © Fortinet Inc. All Rights Reserved. 30 The recommended hardware requirement for the FortiSOAR VM is 8vCPUs, 32 GB RAM, 1 TB disk, and one virtual NIC. You can install the FortiSOAR VM on VMware ESXi 5.5 or higher. You can also install the VM on Amazon Web Services, Redhat KVM, Docker, or hosted on FortiCloud. For inbound networking, ensure that port 22 and port 443 are enabled within the VM network. For FortiSOAR to correctly interact with your network, you must provide access between the FortiSOAR VM and the third- party products and services configured within your network. To accomplish this, enable the ports shown on this slide for SSH, SMTP, and HTTPS access. FortiSOAR Design and Development 7.3 Study Guide 33 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Deploy the VM Deploy Install the Import Run Edit the VM SOAR FortiSOAR License configuration resource Framework VM FortiSOAR wizard configuration Solution Pack Change hostname Set up static or Determine license type Install SOAR (optional) dynamic IP Register on FortiCare Framework Solution Configure Proxy (optional) Provide FortiSOAR UUID Pack Update network A root user can run the Foundational solution configuration csadm license --get- pack which includes Generate certificates device-uuid command to essential elements for print the device UUID day-to-day operations Generate device UUID for a SOC Reset database passwords Download license Restart services Ensure connectivity to https://globalupdate. Configure default HA fortinet.net cluster Upload license to FortiSOAR through FortiSOAR GUI or through FTP Deploy license as enterprise or multi-tenant edition © Fortinet Inc. All Rights Reserved. 31 The first step to deploying a FortiSOAR VM is to select the appropriate hypervisor. After deploying the VM, run the configuration wizard to change the hostname, configure a proxy, update the network configuration, generate certificates, generate the device UUID, reset database passwords, restart services, configure the default HA cluster, and install python libraries. You can edit the VM resource configuration to determine if you would like to use a static or dynamic IP. Determine the type of license that you would like to install. Provide the FortiSOAR UUID while registering the FortiSOAR on FortiCare. You must be logged in as a root user to retrieve the UUID from FortiSOAR. Download the license from FortiCare and upload it to FortiSOAR through FTP. Ensure that you have connectivity to globalupdate.fortinet.net. Deploy the license as an enterprise or a multi-tenant edition. Now, you should be able to access FortiSOAR through the GUI using the IP that you configured while running the configuration wizard to go through an initial setup. It is highly recommended to confirm the SOAR Framework Solution Pack is installed and up-to-date in the environment. By default the solution pack is installed in fresh 7.3.0 installations, but it can be skipped. This solution pack contains essential elements for effective incident response, including modules, dashboards, roles, and widgets. FortiSOAR Design and Development 7.3 Study Guide 34 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Licensing FortiSOAR Deploy FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following: The maximum number of active users in FortiSOAR at any point in time The type and edition of the license: Enterprise edition Multi-tenant edition MT: Enables multi-tenancy; both shared and distributed MT_Tenant: Enables the node as a tenant in a multi-tenant deployment MT_RegionalSOC: Enables the node as a regional SOC at an organization having a distributed SOC The expiration date of the license 7.3.0 introduces a new option for FortiGuard threat intel feeds csadm license --deploy-enterprise-license csadm license --deploy-multi-tenant-license Multi-tenant deployment © Fortinet Inc. All Rights Reserved. 32 FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following: The maximum number of active users in FortiSOAR at any point in time The type and edition of the license There are two types of license editions—Enterprise and Multi-tenant. This enterprise edition enables a regular enterprise production license. There are three different types of multi-tenant editions. MT, which enables multi-tenancy where both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a primary node in a distributed deployment. MT_Tenant, which enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a customer node of a Managed Security Services Provider (MSSP). You can configure the node as a tenant to the MSSP server for syncing data and actions to and from the MSSP primary server. MT_RegionalSOC, which enables the node as a regional SOC deployment at an organization with a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, you can configure it as a tenant to the global SOC where the MT license is deployed, and sync data and actions from the Global SOC FortiSOAR server. 7.3.0 also introduces a new licensing option that provides full access to FortiGuard threat intel feeds. It includes an extensive dataset, comprising of IPs, URLs, Domain and malicious hashes carefully curated by FortiGuard security experts. FortiSOAR Design and Development 7.3 Study Guide 35 Introduction to FortiSOAR DO NOT REPRINT © FORTINET License Types Perpetual: License for an unlimited time for FortiSOAR Perpetual (Trial): Free trial license for an unlimited time but with restrictions Subscription: License for particular number of users and a specific timeframe Evaluation: License allows you to evaluate FortiSOAR, with a predefined user count and expiry date Settings > License Manager © Fortinet Inc. All Rights Reserved. 33 The FortiSOAR license can be of the following types: Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR. Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context; that is, with restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an enterprise type license and is restricted to three users using FortiSOAR for a maximum of 200 actions a day. Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe. You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription. Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date. FortiSOAR Design and Development 7.3 Study Guide 36 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Configuring FortiSOAR Configure Receive any system or Configure Update Replace FortiSOAR self-signed email notifications the SSL certificates with your own SMTP certificates signed certificate Set up purging for Change Configure purging for compliance purpose audit and hostname csadm hostname --set [] playbook logs © Fortinet Inc. All Rights Reserved. 34 You must use the SMTP connector to receive any system or email notifications, including requests for resetting passwords. The SMTP connector is part of a number of pre-installed connectors or built-ins that are included with FortiSOAR. By default, the SMTP connector is configured to use FortiSOAR as an SMTP relay server. The FortiSOAR Configuration Wizard is available only on the first SSH login. If, at a later stage, you need to change the hostname of your FortiSOAR VM, then you can use the FortiSOAR CLI to change the hostname. FortiSOAR comes with a self-signed certificate. Replace FortiSOAR self-signed certificates with your own signed certificate. FortiSOAR records each workflow action and audits every important activity such as logins, and the creation, updates to, and deletion of records. These generate a large volume of data, which might not be useful after some point in time. Therefore, you must configure a purge schedule for both these logs as per the organization's retention policy. This will help keep the disk usage for these logs constant over time. The Playbook Execution History data is significantly large, so it is very important that you schedule a purge of these logs at regular intervals. FortiSOAR Design and Development 7.3 Study Guide 37 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Configuring FortiSOAR (Contd) Configure Settings > Security Management > Team Hierarchy Configure active-active or active-passive high availability clusters Create Configure Set up thresholds, schedules, and first user notifications for the System HA Monitoring playbook that is included and options by default with FortiSOAR record Settings > Security Configuration Setup Start system and stop monitoring services csadm services --status csadm services --restart csadm services --start csadm services --stop © Fortinet Inc. All Rights Reserved. 35 The system comes with the default username csadmin and password changeme. It is highly recommended that you change the username and password after you log in for the first time. You should set up thresholds, schedules, and notifications for the System Monitoring playbook that is included by default with FortiSOAR to effectively monitor various FortiSOAR system resources, such as CPU, disk space, and memory utilization, and status of various FortiSOAR services. You can configure FortiSOAR with either an external PostgreSQL database or an internal PostgreSQL database. In both cases, you can configure active-active or active-passive high availability clusters. You must stop and start the FortiSOAR services in the following cases: Updating or upgrading the SSL certificates Post-update, if playbooks are not working as expected Post-reboot, if the FortiSOAR platform is not working as expected FortiSOAR Design and Development 7.3 Study Guide 38 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Overview 36 In this section, you will explore some of the important features of FortiSOAR, and how a SOC can mature by using FortiSOAR. FortiSOAR Design and Development 7.3 Study Guide 39 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Selected SOC Management Features Ticketing Queues Dashboards & Reports RBAC © Fortinet Inc. All Rights Reserved. 37 When you escalate an alert on FortiSOAR, it becomes an incident. Every incident on FortiSOAR can be considered as a ticket that an analyst will need to work on until they close the incident. The FortiSOAR queue management feature provides you with an overview of the work (records) that must be completed and enables you to assign pending work to users. You can also reassign assignments in case of absence or analyst shift changes. Administrators can create applicable dashboards throughout the application. The dashboards are assigned to users based on their roles. For example, you can create a dashboard that displays alerts that are critical and high, and then assign them to users who have the role of handling alerts. Users can prioritize their work by looking at their dashboard, which displays critical and high alerts. FortiSOAR gives you the option to assign levels of accessibility to users using role-based access control (RBAC) combined with team membership. You can grant users access to specific modules in FortiSOAR based on their role permissions. Users exercise their permissions in conjunction with their team membership(s). FortiSOAR Design and Development 7.3 Study Guide 40 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Content Hub Content type: Connectors Solution Packs Widgets Hosts solution packs, use cases, integrations, playbooks, widgets, dashboards, reports, how-to-videos and more Available as a public-facing page on https://fortisoar.contenthu b.fortinet.com Also embedded within FortiSOAR itself, where you can discover, install and create your own content © Fortinet Inc. All Rights Reserved. 38 The Content Hub is an all-new central repository for connectors, widgets, and solution packs, equipped with a searchable, filter-friendly interface. The Content Hub’s data is synchronized from the FortiSOAR repository every hour to ensure the content is up-to-date. Prior to 7.2.0, connectors and widgets were managed using different stores. To view the hub, you must have at least read permissions on the Content Hub and Applications modules. To work with add-ons, such as solution packs, widgets, or connectors, ensure the administrator has the required permissions for each respective module. The Content Hub is accessible both as a public-facing page at the URL listed on this slide, and within the FortiSOAR GUI itself. FortiSOAR Design and Development 7.3 Study Guide 41 Introduction to FortiSOAR DO NOT REPRINT © FORTINET SOAR Framework Solution Pack Recommended that this solution pack be installed after upgrading FortiSOAR It is included with fresh installs, but can be skipped during the process Installs several modules such as alerts, incidents, and indicators along with corresponding playbooks, dashboards, reports, and widgets to make it a comprehensive solution and provide a fully functional incident response platform augmented by automation and threat intelligence © Fortinet Inc. All Rights Reserved. 39 The SOAR Framework Solution Pack is the foundational solution pack that creates the framework, including modules, dashboard, roles, widgets, and so on, required for effective day-to-day operations of any SOC. Starting from 7.2.0, the Incident Response modules have been removed from the FortiSOAR platform and moved to the SOAR Framework Solution Pack, making it essential for users to install the SOAR Framework Solution Pack to optimally use and experience the FortiSOAR incident response. This solution pack installs several modules such as alerts, incidents, and indicators along with corresponding playbooks, dashboards, reports, and widgets to make it a comprehensive solution and provide a fully functional incident response platform augmented by automation and threat intelligence. The screenshot on this slide shows the contained contents of the solution pack, including the roles, playbooks, and connectors. Note that the solution pack is installed by default with fresh installations of FortiSOAR. However, upgraded FortiSOAR nodes will need to install this solution pack. FortiSOAR Design and Development 7.3 Study Guide 42 Introduction to FortiSOAR DO NOT REPRINT © FORTINET FortiSOAR Ticketing/Incident Process FortiSOAR Clear Clear Investigate Alert Source (for example, Connector Alert Escalate Incident FortiSIEM) Manual Alert Assign related Run Create Tasks Configuration alerts/indicators Playbooks Connector Enrich/Fetch/ Remediate © Fortinet Inc. All Rights Reserved. 40 Alerts can be created manually through playbooks or alerts could be ingested by FortiSOAR through a connector. When an alert is ingested, FortiSOAR can check to verify if the alert is a false positive or not. If the alert is a false positive, then the alert is cleared. An alert can also be cleared after it’s resolved by an analyst, or after it’s resolved automatically through a playbook execution. If the alert is legitimate, then an analyst can escalate the alert to an incident. After the alert becomes an incident, then a senior analyst could be assigned to that incident and the analyst could clear the incident after investigation. An analyst could run more playbooks against the incident to enrich the indicators, or fetch more information about the incident from various threat intelligence platforms. New tasks can be created for the incident and they could be assigned to an analyst for decision making. FortiSOAR Design and Development 7.3 Study Guide 43 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Ticketing—Example Incident Ticket Incident Response > Incidents Response Phase SLA Associated Graphical representation of Associated Tasks indicators, alerts, and incident Indicators © Fortinet Inc. All Rights Reserved. 41 You can escalate an alert to an incident. A FortiSOAR incident usually contains multiple alerts that are linked to each other, and to the incident. This allows FortiSOAR to convey the complexity of a security incident that has many stages. After FortiSOAR runs specific playbooks over an alert, it may extract indicators based on the alert fields. Indicators are objects that FortiSOAR extracted from various fields of a record. For example, an indicator can have an associated reputation while a field cannot. An incident contains various response phases. An analyst works through these phases as they resolve an incident. From an incident, you can assign tasks to an analyst to resolve a particular issue related to the incident, such as blocking an IP address. The audit log helps you track the incident history since it’s creation. The comments section is used to track all comments made by an analyst or comments generated by the playbook. FortiSOAR Design and Development 7.3 Study Guide 44 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Queue and Shift Management Intelligent, automated assignment solution based on queues and shift spreads Assign alerts and incidents to a queue automatically based on criteria Queue & Shift Management > Queue Management Queue & Shift Management > Shift Management © Fortinet Inc. All Rights Reserved. 42 The Queue and Shift Management feature is an intelligent, automated assignment solution based on queues and shift spreads. You can manage queues using the configuration wizard to define which record types are associated with the queues, what conditions need to match, who to assign to the queues, and which assignment methods to use. Queues provide managers with a view that answers questions such as, “What are my resources working on currently?”, “How many tasks are pending?”, and “Do any tasks require reallocation?”. Queues provide users with a view that answers questions such as, “What is my work?”, “How much of my work is pending?”, and “What are the priorities of my tasks?”. The Shift Management feature allows the generation of shift rosters with shift leads and team members. By leveraging queue and shifts together, FortiSOAR has the ability to manage shift handover processes. Records are assigned to individual users within a queue, and you can enable shift-based assignment to assign them to only users who are working. Note that the Queue and Shift Management feature has replaced the Queue Management feature that was present in the earlier releases of FortiSOAR. Automated record assignments were not supported in the old queue management feature. FortiSOAR Design and Development 7.3 Study Guide 45 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Dashboard Custom dashboard support Dashboard Multi-dashboard structure Flexible widget based dashboards © Fortinet Inc. All Rights Reserved. 43 A dashboard is the default landing and home that a user sees after logging in to FortiSOAR. You can create personalized dashboards based on roles. Customizations that you make to your dashboards are visible and applicable only to you. Administrators must update the dashboard for the changes to apply to all users. Updates, including removal and additions that administrators make to the dashboards, apply to all users. FortiSOAR Design and Development 7.3 Study Guide 46 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Reporting Reports © Fortinet Inc. All Rights Reserved. 44 FortiSOAR allows you to easily set up reporting. You have the option to use default report templates, edit them, or create your own. Additionally, you can schedule reports, view historical reports, and also search for text in the report PDF. The View button generates a preview of what the report would look like, giving you an ability to fine tune your reports prior to scheduling them. This slide’s screenshots demonstrate the Reports interface, and an example of the customizations available for creating reports. FortiSOAR Design and Development 7.3 Study Guide 47 Introduction to FortiSOAR DO NOT REPRINT © FORTINET Role-Based Access Control and Teams Settings > Security Management > Team Hierarchy Teams and roles work together for flexible RBAC Teams Define which records a user can access Flexible hierarchy supports parent, sibling, and child team relationships Roles Define which fields in a record a user can access Granularly create, read, update, delete permissions © Fortinet Inc. All Rights Reserved. 45 Teams and roles are closely aligned with a data table design

Use Quizgecko on...
Browser
Browser