FortiSOAR_Design_and_Development_7.3_Study_Guide-Online.pdf

Transcript

DO NOT REPRINT
© FORTINET

FortiSOAR Design and
Development
Study Guide
for FortiSOAR 7.3
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

4/27/2023
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Introduction to FortiSOAR 4
02 Dashboard Templates and Widgets 55
03 Module Templates and Widgets 90
04 Application Editor 131
05 Dynamic Variable and Values 154
06 Jinja Filters, Functions, and Conditions 183
07 Introduction to Playbooks 217
08 Playbook Core Steps 254
09 Playbook Evaluate Steps 281
10 Playbook Connectors, Data Ingestion, and Execution Steps 302
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

FortiSOAR Design and Development

Introduction to FortiSOAR

FortiSOAR 7.3
© Copyright Fortinet Inc. All rights reserved. LastLast
Modified:
Modified:
25 April
25 April
20232023

In this lesson, you will learn what Security Orchestration, Automation, and Response (SOAR) is, and how
FortiSOAR can help security operations center (SOC) teams. You will also learn about FortiSOAR
architecture and some initial configuration.

FortiSOAR Design and Development 7.3 Study Guide 4
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Objectives
Describe the basics of SOAR technology
Understand SOC maturity
Describe the alert handling procedure performed by SOC analysts
Describe the various FortiSOAR architectures
Describe FortiSOAR HA capability
Identify the minimum resource requirement for deployment
Understand the installation steps for FortiSOAR
Plan a FortiSOAR deployment
Configure initial settings
Identify the role of FortiSOAR in a SOC environment
Manage incidents and alerts in a SOC environment

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in SOAR technology, you will be able to determine a customer deployment
model, deploy FortiSOAR, and perform initial configuration.

FortiSOAR Design and Development 7.3 Study Guide 5
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

SOAR Basics

3

In this section, you will learn about SOAR technology, and the importance of SOAR in a SOC environment.

FortiSOAR Design and Development 7.3 Study Guide 6
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
What Is SOAR?

SOAR
Security Orchestration Automation Response
SOA
(Security Orchestration Automation)
+ TIP
(Threat Intelligence Platform)
+ IRP
(Incident Response Platforms)

© Fortinet Inc. All Rights Reserved. 4

Gartner defines SOAR as technologies that enable organizations to take inputs from a variety of sources
(mostly from security information and event management (SIEM) systems) and apply workflows aligned to
processes and procedures.

Orchestration is the process of collecting data, which is usually alerts and incidents from different sources,
and performing various actions from one platform. Orchestration also helps you to streamline and optimize
frequently occurring processes and workflows.

Automation and orchestration are different, but related, concepts. Automation enables security teams to be
more efficient by reducing or replacing human interaction with IT systems, and instead use a centralized
platform to perform tasks in order to reduce cost, complexity, and errors. Automated workflows and responses
enable the security teams to automatically respond to security events.

Incident response is an organized approach to addressing and managing the aftermath of a security breach or
cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the
situation in a way that limits damage and reduces recovery time and costs.

SOAR is the technology that can orchestrate data, automate workflows, and respond to incidents. All of that
can be performed from a single platform.

FortiSOAR Design and Development 7.3 Study Guide 7
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Why Is SOAR Important?

Too Many Too Many Manual & Lack of
Vendors Alerts Slow Response Trained People

© Fortinet Inc. All Rights Reserved. 5

The majority of organizations juggle at least 50 discrete cybersecurity products at once, posing a threat to
data security, according to a new report from Oracle and KPMG. Keeping the security team up-to-date on all
the latest features and functions for different vendors is a challenge.

Based on market research, the incident management segment is projected to grow at a higher compounded
annual growth than the network forensics segment. This will result in a very high volume of alerts and
incidents. Manually addressing every incident is not feasible for large organizations. The threat landscape is
evolving and attackers are more sophisticated than before. Responding to incidents manually can be slow,
and that could provide attackers with the opportunity to breach other systems, which could have been stopped
if the incidents were resolved quicker.

Cybersecurity has become a major priority for organizations looking to protect themselves against the
massive cost of data breaches, but there’s an international problem hindering that goal. There are millions of
cybersecurity positions open and unfilled around the world. Without trained security staff, organizations don’t
have the capability to deploy the right controls or develop security processes to detect and prevent
cyberattacks.

FortiSOAR Design and Development 7.3 Study Guide 8
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
What Is a SOC?
A security operations center, or SOC, is a
specialized organizational resource consisting
of a specialized set of
People
Processes
Technologies
Dedicated to monitoring and defending
organizational IT assets, and detecting,
containing, eradicating, and assisting in the
recovery from security threats and associated
incidents

© Fortinet Inc. All Rights Reserved. 6

A security operations center (SOC) is a facility that houses an information security team responsible for
monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to
detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a
strong set of processes. Security operations centers are typically staffed with security analysts and engineers
as well as managers who oversee security operations. SOC staff work closely with organizational incident
response teams to ensure security issues are addressed quickly upon discovery.

Security operations centers monitor and analyze activity on networks, servers, endpoints, databases,
applications, websites, and other systems, looking for anomalous activity that could be indicative of a security
incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly
identified, analyzed, defended, investigated, and reported.

FortiSOAR Design and Development 7.3 Study Guide 9
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Reasons SOC Tooling Projects Fail and Succeed

Scope Technology Implementation
Focused requirements and Strong understanding of the Resources allocated
Success

use cases market and technology Skills required identified and
Realistic expectations Meets current and future planned for
Appropriate application requirements, and in-scope Impact on SOC playbooks
(current and future) processes understood
High-fidelity outputs
Shallow and narrow Lack of understanding of Too small—no team
Failure

coverage how tools work Lacking key skills
Unrealistic expectations Too many events (poor No playbook—no process
Wrong focus (threat vector) sources or poor tech)
Solution didn’t deliver

© Fortinet Inc. All Rights Reserved. 7

Security and risk management leaders can improve the odds of selecting the right tool for the organization by
gaining consensus during a premortem analysis on what could go wrong, and which success metrics should
apply to a project. The premortem can also serve as an early-stage vehicle for collecting initial use cases and
requirements. Those can be further refined as part of the formal project definition and approval cycles.

As part of a project to bring tools into the SOC, a solid understanding of the scope, technologies being
considered, and affected processes is required. As your SOC team grows, you must consider the scope,
technology, and implementation requirements.

FortiSOAR Design and Development 7.3 Study Guide 10
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
What Is SOC Maturity?
SOC
Forward Leaning Productivity
Optimization

Established Threat Hunting and Incident
Response

Establishing
Enhanced Near-Real-Time Threat Detection

Greenfield
Real-Time Monitoring and Operations

© Fortinet Inc. All Rights Reserved. 8

An organization building a SOC prioritizes technology purchases to get real-time monitoring capabilities in
order to better understand what is happening when observing the consequences of the event. This first level
of visibility, while potentially limiting the SOC to reactive activities, is necessary.

As the SOC matures and learns, it builds the processes to treat basic incidents, and starts to differentiate
event treatment based on their impact. Additional tools might help at this stage to speed up initial assessment,
with individual alerts being aggregated and augmented with additional context.

More mature organizations might need to strengthen their ability to perform root cause analysis of the incident
and elimination of the threat. You want to ensure that when you close an incident, the risk of recurrence is
correctly handled. After the end-to-end workflow itself becomes more refined, orchestration and other
productivity improvements will move the SOC forward

FortiSOAR Design and Development 7.3 Study Guide 11
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Solve Security Complexity Based on SOC Maturity

S SOC Team
O (5+ Analysts)
C
Dedicated
Security Team
M
A NGFW
T IT-Security Automated
SD-WAN
Response
U (One Team)
R Multi-
Vendor
I Visibility
Y
T Security
Fabric
Analytics

Security
Operations

© Fortinet Inc. All Rights Reserved. 9

Smaller or newly formed SOCs, or those that were previously outsourced where the technology was provided
by the provider, often start with FortiSIEM or log management solutions. This is necessary to start seeing
what is happening in the organization, leveraging logs from network and endpoint security controls already in
place, and possibly from other sources, based on criticality to the organization, for example, domain
controllers, critical applications, and other externally exposed assets.

The need to have a common repository of incidents could be addressed within a SIEM tool or within the IT
case management or service desk tool. You should consider using a security incident response platform
(SIRP) tool, or the SIRP capabilities of a FortiSOAR tool, if the incident and case management capabilities in
the FortiSIEM tool are not advanced enough, or there are security and privacy concerns with using the IT
service desk tool. Every “greenfield” SOC will not have the resources (budget, people, time) to implement
SIRP at the beginning, but you should strongly consider it at the start of instrumenting the SOC, rather than
trying to bolt it on later in the SOC building journey.

If security and privacy concerns make the IT service desk tool inappropriate, and if the preferred SIEM tool
lacks adequate case management capabilities, security leaders face an early maturity bottleneck. They must
consider a SIEM tool with more advanced case management capabilities, or leverage a SIRP tool or the SIRP
capabilities of a SOAR tool, which would normally be beyond their current maturity level.

FortiSOAR Design and Development 7.3 Study Guide 12
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
FortiSOAR—Four Key Use Cases for a Mature SOC

Unified Incident Alert Triage SOC SOC
Response Automation Optimization Collaboration
Management

© Fortinet Inc. All Rights Reserved. 10

This slide shows four key use cases in which FortiSOAR can help a matured SOC.

FortiSOAR provides a unified incident response management platform where incidents can be investigated
and remediated.

To avoid false positives, alerts are triaged and checked to verify if the alert is legitimate by automatically
extracting indicators, and checking their reputation against threat intelligence platforms.

SOC optimization ensures that SOAR solutions enable security operations teams to automate the tiresome,
repetitive, and monotonous elements of their workflow that don’t depend upon human interaction. This takes
some of the pressure off security analysts, and frees them to focus on the day-to-day incident response and
bigger-picture cyber defence strategies.

Having a SOAR platform also helps SOC teams to collaborate with each other through a central platform
without relying on any external case management software.

FortiSOAR Design and Development 7.3 Study Guide 13
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

SOC Alert Handling and Triage

11

In this section, you will learn how a SOC team handles alerts and about the process of triage and escalation.

FortiSOAR Design and Development 7.3 Study Guide 14
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
The SOC Automation Model—Level 1

Medium
business with an
IT & security People
team

Logging &
reporting Best effort
Manual incident
detection & response
Products response
Process

© Fortinet Inc. All Rights Reserved. 12

The SOC Automation Model is divided into three key areas: people, process, and product. Within each area,
an organization can be classified at a maturity level from 1-3, based upon their security posture in that area.
For example, an organization that is level 1 in all categories has a small IT team with no security staff
(people), best effort incident response playbooks (process), and no dedicated security solutions (product). At
the other extreme, an organization may have a large security team with experienced SOC analysts, well-
defined playbooks, and have not only deployed but also measured the effectiveness of their SIEM and SOAR
solutions.

At Level 1: Achieve Visibility Leveraging Security Fabric Analytics At Level 1 of the SOC Automation Model, a
security team has no dedicated security personnel or processes for addressing potential incidents.
Additionally, the average enterprise receives more than 10,000 alerts per day, meaning that SOC analysts are
overwhelmed and have little time for identifying and remediating true threats to the network. Without dedicated
solutions, an organization’s security team lacks visibility into potential threats to their network. The team must
manually collect and correlate all log data before they can analyze it. Many level 1 SOCs lack the knowledge
or the resources to identify true threats, leaving the organization at risk. FortiAnalyzer is an easy-to-deploy
solution for centralizing visibility and threat detection across an organization’s entire Fortinet Security Fabric,
including both on-premises and cloud deployments. FortiAnalyzer correlates log data from multiple Fortinet
devices, providing valuable context to security analysts. By analyzing this data using machine learning (ML)
and indicators of compromise (IOCs) provided by a global threat-intelligence feed, FortiAnalyzer can help
even the smallest security team to pinpoint and rapidly respond to threats within their network.

FortiSOAR Design and Development 7.3 Study Guide 15
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
The SOC Automation Model—Level 2

Medium-large
business with
dedicated People
security team

Level 1+
Basic
Multivendor incident
automated response
incident plan
Products detection
Process

© Fortinet Inc. All Rights Reserved. 13

At Level 2: Enhance Multivendor Visibility With SIEM, the average enterprise has 75 different point security
solutions deployed on their network. While each of these solutions provides valuable intelligence about
potential threats to the organization’s network, they often lack the context required to differentiate between a
true threat and a false positive. Additionally, an array of standalone security solutions makes it difficult to
enforce consistent security policies and maintain compliance with strict new data protection regulations, such
as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act
(CCPA). A SIEM system is the logical solution to the security complexity caused by a multivendor
environment. A SIEM solution ingests data collected from products created by multiple different vendors and
performs automated correlation and analysis to provide a clearer picture of the overall status of the protected
environment. FortiSIEM allows security teams to map operations to industry best practices and security
standards, such as those published by the National Institute of Standards and Technology (NIST) and the
Center for Internet Security (CIS). In this way, FortiSIEM expands on the visibility that FortiAnalyzer brings to
the Fortinet Security Fabric.

FortiSOAR Design and Development 7.3 Study Guide 16
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
The SOC Automation Model—Level 3

Large enterprise with
experienced SOC
analysts People

Level 2+
Alert management
Advanced SOC
Unified processes and
orchestration, playbooks
automation &
Products response

Process

© Fortinet Inc. All Rights Reserved. 14

At Level 3: Incorporate Automated Response With SOAR, the cyber-threat landscape is accelerating as cyber
criminals increasingly rely upon automation to speed up their attacks. While single-pane-of-glass visibility
speeds up the rate at which a security team can identify a potential threat, a reliance on manual incident
response processes means that defenders will always be a step behind the attackers. SOAR solutions enable
an organization’s security team to leverage automation to speed incident response. By creating an automated
framework to tie together an organization’s complete security architecture, defensive actions can be taken by
multiple different systems in concert. This minimizes the context switching required of security personnel,
decreasing alert fatigue and speeding incident response. FortiSOAR also enables an organization to optimize
its security processes by leveraging well-defined security playbooks. By automating repetitive tasks and
responses to common threats, FortiSOAR enables a security team to focus their efforts and limited resources
on higher-level tasks.

FortiSOAR Design and Development 7.3 Study Guide 17
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
SOC Alert Handling—L1 Analyst
Procedure for L3 SOC Model
Close

Run playbook
Close & validate

No Yes

L1 Analyst
Investigation Yes Playbook No
Valid Create Case/
Alert Remediation? Escalate
Established techniques Threat? Incident
& procedures

FortiSIEM external lookups automate FortiSIEM cases
specific investigation steps
FortiSOAR incidents
FortiSOAR playbooks automate
specific investigation steps

© Fortinet Inc. All Rights Reserved. 15

A level 1 analyst is the front line responder to an alert. FortiSIEM or FortiSOAR could receive an alert
depending on the way the log forwarding is set up in your infrastructure. The task of a level 1 analyst is
usually to investigate and triage an alert. If you already have established techniques or procedures on
FortiSIEM or FortiSOAR, then a level 1 analyst could automate some aspects of the investigation, such as
reputation lookups for IOC using playbooks on FortiSOAR, or by using automation scripts on FortiSIEM.

If the alert is not a valid threat, then the analyst can close it as a false positive. Otherwise, the analyst can
open an incident or a case. On FortiSOAR, you can run a playbook to remediate the incident, if a playbook is
available, and then close the incident. If a playbook remediation is not available, then you can escalate the
incident to a level 2 analyst.

FortiSOAR Design and Development 7.3 Study Guide 18
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
SOC Incident Handling—L2 Analyst Document
& Close
Procedure for L3 SOC Model

Document Flag for
possible future
& Close playbook

FortiSOAR acts as
Update Update
SOC knowledge Knowledge base Knowledge base
base

Document Run playbook Perform
& validate manual
& Close remediation
No Yes Yes

L2 Analyst
Escalated Investigation Yes No No
Valid Playbook Able to manually
Incident Escalate
Established techniques, Threat? Remediation? remediate?
plus manual investigation

FortiSIEM remediations

FortiSOAR can automate
specific investigation steps FortiSOAR playbooks
© Fortinet Inc. All Rights Reserved. 16

A level 2 analyst investigates the incident using established techniques or procedures. A key role of a level 2
analyst is to investigate an incident through manual methods and use playbooks wherever possible. If the
incident is not a threat, then the analyst can close it, otherwise they can move the incident to the remediation
stage. The level 2 analyst determines if a remediation playbook is available to remediate the incident, and run
the playbook against the incident. If an appropriate script is available, then the analyst can also remediate an
incident from FortiSIEM. After an incident is remediated, the analyst updates the knowledge base within
FortiSOAR, documents the incident, and closes it.

If the analyst is unable to remediate the incident using a playbook or through FortiSIEM, then the analyst must
determine if they can resolve the incident manually. After performing manual remediation, the analyst must
update the knowledge base, document the case, and flag the case for a possible playbook in the future.

If the level 2 analyst cannot remediate the incident, then they can escalate the case to level 3 analyst.

FortiSOAR Design and Development 7.3 Study Guide 19
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
SOC Escalated Incident Handling—L3 Analyst
Document
Procedure for L3 SOC Model & Close

New FSM rules
FortiSOAR case logs Review with
architect and
provide a record for update New FSR
process update procedures playbooks

Update
Document Knowledgebase
& Close
No No

L3 Analyst
Escalated Yes Perform Yes Document
Investigation Valid Known technique
manual
Incident Advanced manual threat? remediation or procedure? & Close
investigation

Note: The remediation could involve follow-up work, to update FortiSIEM rules, update firewall policies,
patch all endpoints, and so on.

© Fortinet Inc. All Rights Reserved. 17

The level 3 analyst takes ownership of the escalated incident and performs further advanced manual
investigation on the incident in addition to all the investigation done by level 1 and level 2 analyst. If the threat
is not valid then the case is documented and closed. If the threat is valid then the level 3 analyst will perform a
manual remediation of the incident.

The remediation could involve follow-up work such as updating FortiSIEM rules, update firewall policy, patch
all endpoints and so on. The level 3 analyst will then decide if there is a known technique or procedure to
resolve such an incident, either manual or through a playbook. If there is a known procedure, then the case is
documented and closed. If there is no known procedure, then the analyst will update the knowledge base,
review the procedure with an architect and update the procedure to resolve such incidents.

FortiSOAR case logs provide a record for process updates. The review process also involves developing a
new playbook, if required, so that such incidents can be autoremediated by the playbook for future
occurrences of such incidents. After the review process is complete, the case can be documented and closed.

FortiSOAR Design and Development 7.3 Study Guide 20
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
New Technique or Procedure

Identify Threat Identify indicators Identify remediation Identify impact of remediation

If possible, patch, Build SIEM rule or Build SIEM Implement approval
block or otherwise SOAR playbook to remediation or SOAR controls and checks to
mitigate risk of help identify in playbook to automate minimize risk of self-
exploit future future response DoS, and so on

© Fortinet Inc. All Rights Reserved. 18

A level 3 analyst must follow specific protocols while developing a new technique or procedure. The analyst
must identify the threat. Once identified, analyst must mitigate the risk must be mitigated to avoid risk of
exploitation. If possible the analyst should try to patch any vulnerable systems, or block any indicators of
compromise.

Through a thorough investigation, the analyst should be able to identify the indicators that have been
compromised. Based on that investigation, the analyst should build SIEM rules or SOAR playbooks so that
such incidents can be identified and indicators can be enriched.

The analyst’s next task is to remediate the incident automatically through FortiSIEM remediation scripts, or
develop playbooks on FortiSOAR for automatic remediation.

Finally, the analyst must study the impact of remediation on services and networks. Often, a poorly developed
playbook could cause a self-inflicted denial of service, bringing down servers or critical network infrastructure.

FortiSOAR Design and Development 7.3 Study Guide 21
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

FortiSOAR Architecture

19

In this section, you will learn about FortiSOAR architecture, and various platforms on which you can install
FortiSOAR.

FortiSOAR Design and Development 7.3 Study Guide 22
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Typical Enterprise Architecture
AP Router
Server
Firewall

Analyzer LAN
Threat Intelligence Platform

Alerts ingested
through API

Query and Enrichment

Incident

FortiSIEM
FortiSOAR
Run remediation playbooks

© Fortinet Inc. All Rights Reserved. 20

In an enterprise architecture, there is one single instance of FortiSOAR. You can ingest data using connectors
into FortiSOAR from various devices in your infrastructure. When available, it is recommended that most logs
be sent through the SIEM, rather than through direct connectors. This ensures the SIEM is a central point of
log aggregation and can be used for analytics and reporting.

After you integrate your FortiSIEM, or any other SIEM solution, with FortiSOAR, incidents generated by
FortiSIEM are ingested by FortiSOAR. Every incident that is sent from FortiSIEM to FortiSOAR is a unique
record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents, and
perform remediation action on the target devices. For example, if the logs that are sent by FortiGate to
FortiSIEM generate an incident that indicates an external malicious actor is trying to access corporate
resources, then FortiSOAR evaluates that incident and rates that external IP against various threat
intelligence platforms. If the IP is malicious, then you can run a remediation playbook to take action against
that IP address. In the scenario shown on this slide, the solution is to block that IP on the FortiGate firewall.
The playbook can automatically log in to FortiGate and put that IP on the quarantine list for an indefinite period
of time.

FortiSOAR Design and Development 7.3 Study Guide 23
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Multi-Tenant Shared Tenancy Architecture

FortiGate

Customer A
FortiSIEM
FortiSOAR
Node

Connectivity required
between sites FortiGate

All data sent to
MSSP SOC
FortiSIEM Customer B
Actions taken
from MSSP SOC
MSSP SOC

© Fortinet Inc. All Rights Reserved. 21

In the case of shared tenancy, tenants share the same system as the primary device; that is, tenants are
local, but with restricted access on the system. The SOC team provides cybersecurity monitoring and
management to various tenants in a single FortiSOAR instance. The shared tenancy model ensures that the
data belonging to different tenants is segregated, and data access is controlled using RBAC. Therefore, a
tenant can view only their own data or record, and not the data of other tenants.

You can give each tenant their own login, which they can use to view their dashboards, report, check the
actions taken on their records, check their SLA management, and so on.

FortiSOAR Design and Development 7.3 Study Guide 24
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Multi-Tenant Distributed Tenancy Architecture

TLS

FortiSOAR FortiSOAR FortiSOAR
Primary Node Secure Message Exchange Tenant Node

Playbooks pushed
to tenant node

Alerts & select data
shared with primary
FortiSIEM FortiGate
Actions pushed
to tenant node

CUSTOMER

© Fortinet Inc. All Rights Reserved. 22

In the case of a distributed tenancy model, the tenant node instance of FortiSOAR is remote and every tenant
has their own instance of FortiSOAR. The primary FortiSOAR node resides at the MSSP location and
communicates with the tenant node through a secure channel. Tenant data remains in the tenant
environment, and they control how much data they want to share with the primary node. All sensitive
information stays with the tenant node. Since the actual workflow execution happens at the tenant node itself,
the primary node requires only the summary of information to help identify what investigations should run. The
primary node pushes any action that needs to be executed to the tenant node. Similarly, any playbook that
needs to be executed is pushed by the primary node to the tenant node.

FortiSOAR Design and Development 7.3 Study Guide 25
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Multi-Tenant Hybrid Architecture
Mix and match shared and distributed architecture as required

FortiGate

Customer A
FortiSIEM Centrally managed
FortiSOAR
Primary Node

FortiSOAR FortiGate
Secure Router Node

Customer B
FortiSOAR
Tenant Node Distributed node
MSSP SOC FortiSIEM

© Fortinet Inc. All Rights Reserved. 23

In a multi-tenant hybrid model, the primary node centrally manages some customers. If the customer is
managed by the primary node, then there is no requirement for a tenant node for that customer. Then there
are other customers who use a distributed method. For those customers, you must install a tenant node.

FortiSOAR Design and Development 7.3 Study Guide 26
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
FortiSOAR HA and Clustering
High availability (HA) and clustering for Active-passive for resilience
resilience and scalability
Active-active for resilience and scalability
Internal DB Load balancer used for active-active
Replication
Supported with internal and external
database
Multiple secondary nodes supported
HA license required
FortiSOAR FortiSOAR
Active Primary Active Secondary

© Fortinet Inc. All Rights Reserved. 24

FortiSOAR supports HA clusters that you can deploy in both active-passive and active-active configurations.
You can configure FortiSOAR with either an externalized PostgreSQL database, or an internal PostgreSQL
database. For both, you can configure active-active or active-passive HA clusters. One FortiSOAR cluster can
have only one active primary node. All the other nodes are either active secondary nodes or passive nodes.

FortiSOAR Design and Development 7.3 Study Guide 27
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Supported Installation Platforms
Self Installation Virtual Instance
Install application on dedicated Virtual instance images offered for
Rocky Linux/RHEL server VMWare ESXi
Allows installation on other AWS
hypervisors FortiSOAR Cloud
KVM, Hyper-V, and so on
Docker
Allows installation on bare metal
Rocky Linux/RHEL 8.6
Recommended node resources:
8 CPUs
32 GB RAM
1 TB SSD HDD
1 vNIC

© Fortinet Inc. All Rights Reserved. 25

A key element of the FortiSOAR architecture is its form factor. FortiSOAR is available as a virtual instance
and comes as a 64-bit, hardened, Rocky Linux, virtual machine that is preconfigured and pre-installed with
FortiSOAR. All you have to do is import the virtual instance into your hypervisor environment. FortiSOAR is
supported on VMWare ESXi or Amazon Web Services (AWS).

Prior to 7.3.0, you could install FortiSOAR on CentOS platform. However, because CentOS has announced its
end-of-life cycle, FortiSOAR is now embedded with a newer, stable OS in Rocky Linux or RHEL 8.6. In
addition, Docker support has been added in 7.3.0.

Instead of deploying a virtual instance, you can self-install FortiSOAR on a minimal Rocky Linux operating
system. You can also install it on different hypervisors such as KVM, Hyper-V, or even on a bare metal
hypervisor.

FortiSOAR Design and Development 7.3 Study Guide 28
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Resource Requirements for a FortiSOAR Virtual Instance
Minimum hardware requirements for FortiSOAR virtual instance nodes are as follows

Node CPU RAM Local Disk
FortiSOAR 8 vCPU 32 GB 1 TB available disk space: recommended to have high-performance
storage, preferably SSDs

Note that these are only the minimum requirements. Performance may improve if you
increase vCPUs and RAM in certain situations.
In case of an MSSP setup, contact FortiSOAR support for sizing requirements.

© Fortinet Inc. All Rights Reserved. 26

A major benefit of the FortiSOAR form factor is its scalability. If your company grows, and you start sending
more data to FortiSOAR than what it was initially configured to handle, you can upgrade the VM and add more
resources. It’s easy to add CPUs, memory, and even storage to VMs. There are no charges or fees from
Fortinet, unlike some vendors that charge by the number of CPUs used. The minimum hardware
requirements for one instance of FortiSOAR are 8 vCPU, 32 GB of RAM and 1 TB of storage.

There are no size limits for the records database, and no charges or fees for storing months’ or years’ worth of
data. That’s important to note when considering compliance reporting, and PCI or HIPPA requires that you
store a year’s worth of data in order to provide appropriate audit reports. It’s very easy to determine how much
storage you’ll need.

FortiSOAR Design and Development 7.3 Study Guide 29
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
FortiSOAR Cloud
A subscription service aimed to ease
FortiSOAR deployment, management, and
scaling
Requires both a FortiCloud Premium
subscription and a FortiSOAR Cloud
Entitlement license
If either license expires, there is a 30-day grace
period
Primary account holder can create secondary
account holders
FortiCloud creates an instance with an
embedded secure message exchange
Choose a region to deploy your instance
Only one instance per FortiCloud account

© Fortinet Inc. All Rights Reserved. 27

FortiSOAR Cloud is a service subscription aimed to ease deployment, management, and scaling. You can
access the FortiSOAR Cloud interface via the FortiCloud Services menu.

To provision a FortiSOAR Cloud instance, you must have a FortiCloud account in addition to a FortiCloud
Premium subscription and a FortiSOAR Cloud Entitlement license. If either license expires, you have a 30-day
grace period to remedy the situation before the cloud portal shuts down the instance.

Only one FortiSOAR instance can be created per FortiCloud account. You can choose which region to deploy
your instance in, but you cannot migrate the instance to a different region later. The primary account holder
can create secondary account holders with permissions to the account and the FortiSOAR cloud instance.

After the instance has been provisioned, you can access it by using the web interface or the SSH console.
The instance also contains an embedded secure message exchange, set as the cloud instance address
running on TCP port 5671. From the FortiSOAR Cloud portal’s interface, you can also reboot and manage
snapshots of the instance.

FortiSOAR Design and Development 7.3 Study Guide 30
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

Initial Configurations

28

In this section, you will learn about FortiSOAR deployment, licensing, and configuration options that will help
you get FortiSOAR up and running.

FortiSOAR Design and Development 7.3 Study Guide 31
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Initial Deployment of the Virtual Instance
Plan Deploy
Complete site preparation, including
hardware and resources for the VM Import the FortiSOAR VM into the ESXi
Download the FortiSOAR VM server using the vSphere Web Client or
upload the FortiSOAR VM to AWS
Run the FortiSOAR configuration wizard
License the FortiSOAR using the License
Manager
Configure optional settings such as
editing the VM resource configuration and
changing the default database password
for FortiSOAR

Configure
Log on to FortiSOAR for the first time
Configure SMTP using the SMTP
connector
Point the ntpd service to a valid ntp
server
Set up a proxy server to serve all
requests for FortiSOAR
Configure data encryption keys
Create user

© Fortinet Inc. All Rights Reserved. 29

This slide shows a high-level view of the initial deployment methodology of FortiSOAR.

The planning process involves the following tasks:
Complete site preparation, including hardware and resources for the VM
Download the FortiSOAR VM

The deployment process involves the following tasks:
Import the FortiSOAR VM to the ESXi server
Run the FortiSOAR configuration wizard
License FortiSOAR using the License Manager
Configure optional settings, such as editing the VM resource configuration and changing the default
database password for FortiSOAR

The configuration process involves the following tasks:
Log on to FortiSOAR for the first time
Configure SMTP using the SMTP connector
Point the ntpd service to a valid ntp server
Set up a proxy server to serve all request for FortiSOAR
Configure data encryption keys
Create a user

FortiSOAR Design and Development 7.3 Study Guide 32
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Plan the Installation Plan

Hardware
Requirement Select Hypervisors
VMware ESXi 5.5 or
8 vCPUs higher
32 GB RAM Amazon Web
Services
1 TB disk
Redhat KVM
1 vNIC
Docker
Fortinet-FortiCloud

VM Inbound
Networking VM Outbound
Networking
Port 22
Port 443 Port 22
Port 25
Port 443

© Fortinet Inc. All Rights Reserved. 30

The recommended hardware requirement for the FortiSOAR VM is 8vCPUs, 32 GB RAM, 1 TB disk, and one
virtual NIC. You can install the FortiSOAR VM on VMware ESXi 5.5 or higher. You can also install the VM on
Amazon Web Services, Redhat KVM, Docker, or hosted on FortiCloud.

For inbound networking, ensure that port 22 and port 443 are enabled within the VM network. For FortiSOAR
to correctly interact with your network, you must provide access between the FortiSOAR VM and the third-
party products and services configured within your network. To accomplish this, enable the ports shown on
this slide for SSH, SMTP, and HTTPS access.

FortiSOAR Design and Development 7.3 Study Guide 33
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Deploy the VM Deploy

Install the
Import Run Edit the VM SOAR
FortiSOAR License
configuration resource Framework
VM FortiSOAR
wizard configuration Solution
Pack

Change hostname Set up static or Determine license type Install SOAR
(optional) dynamic IP Register on FortiCare Framework Solution
Configure Proxy (optional) Provide FortiSOAR UUID Pack
Update network A root user can run the Foundational solution
configuration csadm license --get- pack which includes
Generate certificates device-uuid command to essential elements for
print the device UUID day-to-day operations
Generate device UUID for a SOC
Reset database passwords Download license
Restart services Ensure connectivity to
https://globalupdate.
Configure default HA fortinet.net
cluster
Upload license to FortiSOAR
through FortiSOAR GUI or
through FTP
Deploy license as enterprise
or multi-tenant edition

© Fortinet Inc. All Rights Reserved. 31

The first step to deploying a FortiSOAR VM is to select the appropriate hypervisor. After deploying the VM,
run the configuration wizard to change the hostname, configure a proxy, update the network configuration,
generate certificates, generate the device UUID, reset database passwords, restart services, configure the
default HA cluster, and install python libraries. You can edit the VM resource configuration to determine if you
would like to use a static or dynamic IP.

Determine the type of license that you would like to install. Provide the FortiSOAR UUID while registering the
FortiSOAR on FortiCare. You must be logged in as a root user to retrieve the UUID from FortiSOAR.
Download the license from FortiCare and upload it to FortiSOAR through FTP. Ensure that you have
connectivity to globalupdate.fortinet.net. Deploy the license as an enterprise or a multi-tenant
edition.

Now, you should be able to access FortiSOAR through the GUI using the IP that you configured while running
the configuration wizard to go through an initial setup.

It is highly recommended to confirm the SOAR Framework Solution Pack is installed and up-to-date in the
environment. By default the solution pack is installed in fresh 7.3.0 installations, but it can be skipped. This
solution pack contains essential elements for effective incident response, including modules, dashboards,
roles, and widgets.

FortiSOAR Design and Development 7.3 Study Guide 34
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Licensing FortiSOAR Deploy

FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying
the following:
The maximum number of active users in FortiSOAR at any point in time
The type and edition of the license:
Enterprise edition
Multi-tenant edition
MT: Enables multi-tenancy; both shared and distributed
MT_Tenant: Enables the node as a tenant in a multi-tenant deployment
MT_RegionalSOC: Enables the node as a regional SOC at an organization having a distributed SOC
The expiration date of the license
7.3.0 introduces a new option for FortiGuard threat intel feeds

csadm license --deploy-enterprise-license

csadm license --deploy-multi-tenant-license
Multi-tenant deployment

© Fortinet Inc. All Rights Reserved. 32

FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following:
The maximum number of active users in FortiSOAR at any point in time
The type and edition of the license

There are two types of license editions—Enterprise and Multi-tenant. This enterprise edition enables a regular
enterprise production license.

There are three different types of multi-tenant editions.
MT, which enables multi-tenancy where both shared and distributed multi-tenancy are supported. The
instance where this license is deployed would serve as a primary node in a distributed deployment.
MT_Tenant, which enables the node as a tenant in a multi-tenant deployment. This is the license to be
deployed for a customer node of a Managed Security Services Provider (MSSP). You can configure the
node as a tenant to the MSSP server for syncing data and actions to and from the MSSP primary server.
MT_RegionalSOC, which enables the node as a regional SOC deployment at an organization with a
distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time,
you can configure it as a tenant to the global SOC where the MT license is deployed, and sync data and
actions from the Global SOC FortiSOAR server.

7.3.0 also introduces a new licensing option that provides full access to FortiGuard threat intel feeds. It
includes an extensive dataset, comprising of IPs, URLs, Domain and malicious hashes carefully curated by
FortiGuard security experts.

FortiSOAR Design and Development 7.3 Study Guide 35
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
License Types
Perpetual: License for an unlimited time for FortiSOAR
Perpetual (Trial): Free trial license for an unlimited time but with restrictions
Subscription: License for particular number of users and a specific timeframe
Evaluation: License allows you to evaluate FortiSOAR, with a predefined user count and
expiry date
Settings > License Manager

© Fortinet Inc. All Rights Reserved. 33

The FortiSOAR license can be of the following types:
Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for
FortiSOAR, but in a limited context; that is, with restrictions on the number of users and actions that can be
performed in FortiSOAR in a day. By default, this license is an enterprise type license and is restricted to
three users using FortiSOAR for a maximum of 200 actions a day.
Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a
particular number of users and a specific timeframe. You can renew your subscription and change the
number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve
the latest subscription.
Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a
predefined user count and expiry date.

FortiSOAR Design and Development 7.3 Study Guide 36
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Configuring FortiSOAR Configure

Receive any system or Configure Update
Replace FortiSOAR self-signed
email notifications the SSL certificates with your own
SMTP certificates signed certificate

Set up
purging for
Change
Configure purging for
compliance purpose
audit and hostname csadm hostname --set []
playbook
logs

© Fortinet Inc. All Rights Reserved. 34

You must use the SMTP connector to receive any system or email notifications, including requests for
resetting passwords. The SMTP connector is part of a number of pre-installed connectors or built-ins that are
included with FortiSOAR. By default, the SMTP connector is configured to use FortiSOAR as an SMTP relay
server.

The FortiSOAR Configuration Wizard is available only on the first SSH login. If, at a later stage, you need to
change the hostname of your FortiSOAR VM, then you can use the FortiSOAR CLI to change the hostname.

FortiSOAR comes with a self-signed certificate. Replace FortiSOAR self-signed certificates with your own
signed certificate.

FortiSOAR records each workflow action and audits every important activity such as logins, and the creation,
updates to, and deletion of records. These generate a large volume of data, which might not be useful after
some point in time. Therefore, you must configure a purge schedule for both these logs as per the
organization's retention policy. This will help keep the disk usage for these logs constant over time. The
Playbook Execution History data is significantly large, so it is very important that you schedule a purge of
these logs at regular intervals.

FortiSOAR Design and Development 7.3 Study Guide 37
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Configuring FortiSOAR (Contd) Configure

Settings > Security Management > Team Hierarchy
Configure active-active
or active-passive high
availability clusters

Create
Configure
Set up thresholds, schedules, and first user
notifications for the System HA
Monitoring playbook that is included and
options
by default with FortiSOAR
record
Settings > Security Configuration
Setup Start
system and stop
monitoring services
csadm services --status
csadm services --restart
csadm services --start
csadm services --stop

© Fortinet Inc. All Rights Reserved. 35

The system comes with the default username csadmin and password changeme. It is highly recommended
that you change the username and password after you log in for the first time.

You should set up thresholds, schedules, and notifications for the System Monitoring playbook that is included
by default with FortiSOAR to effectively monitor various FortiSOAR system resources, such as CPU, disk
space, and memory utilization, and status of various FortiSOAR services.

You can configure FortiSOAR with either an external PostgreSQL database or an internal PostgreSQL
database. In both cases, you can configure active-active or active-passive high availability clusters.

You must stop and start the FortiSOAR services in the following cases:
Updating or upgrading the SSL certificates
Post-update, if playbooks are not working as expected
Post-reboot, if the FortiSOAR platform is not working as expected

FortiSOAR Design and Development 7.3 Study Guide 38
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET

FortiSOAR Overview

36

In this section, you will explore some of the important features of FortiSOAR, and how a SOC can mature by
using FortiSOAR.

FortiSOAR Design and Development 7.3 Study Guide 39
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Selected SOC Management Features

Ticketing Queues Dashboards & Reports RBAC

© Fortinet Inc. All Rights Reserved. 37

When you escalate an alert on FortiSOAR, it becomes an incident. Every incident on FortiSOAR can be
considered as a ticket that an analyst will need to work on until they close the incident.

The FortiSOAR queue management feature provides you with an overview of the work (records) that must be
completed and enables you to assign pending work to users. You can also reassign assignments in case of
absence or analyst shift changes.

Administrators can create applicable dashboards throughout the application. The dashboards are assigned to
users based on their roles. For example, you can create a dashboard that displays alerts that are critical and
high, and then assign them to users who have the role of handling alerts. Users can prioritize their work by
looking at their dashboard, which displays critical and high alerts.

FortiSOAR gives you the option to assign levels of accessibility to users using role-based access control
(RBAC) combined with team membership. You can grant users access to specific modules in FortiSOAR
based on their role permissions. Users exercise their permissions in conjunction with their team
membership(s).

FortiSOAR Design and Development 7.3 Study Guide 40
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
FortiSOAR Content Hub
Content type:
Connectors
Solution Packs
Widgets
Hosts solution packs, use cases,
integrations, playbooks, widgets,
dashboards, reports, how-to-videos
and more
Available as a public-facing page on
https://fortisoar.contenthu
b.fortinet.com
Also embedded within FortiSOAR
itself, where you can discover, install
and create your own content

© Fortinet Inc. All Rights Reserved. 38

The Content Hub is an all-new central repository for connectors, widgets, and solution packs, equipped with a
searchable, filter-friendly interface. The Content Hub’s data is synchronized from the FortiSOAR repository
every hour to ensure the content is up-to-date. Prior to 7.2.0, connectors and widgets were managed using
different stores.

To view the hub, you must have at least read permissions on the Content Hub and Applications modules.
To work with add-ons, such as solution packs, widgets, or connectors, ensure the administrator has the
required permissions for each respective module.

The Content Hub is accessible both as a public-facing page at the URL listed on this slide, and within the
FortiSOAR GUI itself.

FortiSOAR Design and Development 7.3 Study Guide 41
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
SOAR Framework Solution Pack
Recommended that this solution pack be installed after upgrading FortiSOAR
It is included with fresh installs, but can be skipped during the process
Installs several modules such as alerts, incidents, and indicators along with corresponding
playbooks, dashboards, reports, and widgets to make it a comprehensive solution and provide a
fully functional incident response platform augmented by automation and threat intelligence

© Fortinet Inc. All Rights Reserved. 39

The SOAR Framework Solution Pack is the foundational solution pack that creates the framework, including
modules, dashboard, roles, widgets, and so on, required for effective day-to-day operations of any SOC.
Starting from 7.2.0, the Incident Response modules have been removed from the FortiSOAR platform and
moved to the SOAR Framework Solution Pack, making it essential for users to install the SOAR Framework
Solution Pack to optimally use and experience the FortiSOAR incident response.

This solution pack installs several modules such as alerts, incidents, and indicators along with corresponding
playbooks, dashboards, reports, and widgets to make it a comprehensive solution and provide a fully
functional incident response platform augmented by automation and threat intelligence.

The screenshot on this slide shows the contained contents of the solution pack, including the roles, playbooks,
and connectors.

Note that the solution pack is installed by default with fresh installations of FortiSOAR. However, upgraded
FortiSOAR nodes will need to install this solution pack.

FortiSOAR Design and Development 7.3 Study Guide 42
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
FortiSOAR Ticketing/Incident Process
FortiSOAR
Clear Clear

Investigate
Alert Source
(for example, Connector Alert Escalate Incident
FortiSIEM)

Manual Alert Assign related Run
Create Tasks
Configuration alerts/indicators Playbooks

Connector

Enrich/Fetch/
Remediate

© Fortinet Inc. All Rights Reserved. 40

Alerts can be created manually through playbooks or alerts could be ingested by FortiSOAR through a
connector. When an alert is ingested, FortiSOAR can check to verify if the alert is a false positive or not. If the
alert is a false positive, then the alert is cleared. An alert can also be cleared after it’s resolved by an analyst,
or after it’s resolved automatically through a playbook execution.

If the alert is legitimate, then an analyst can escalate the alert to an incident. After the alert becomes an
incident, then a senior analyst could be assigned to that incident and the analyst could clear the incident after
investigation. An analyst could run more playbooks against the incident to enrich the indicators, or fetch more
information about the incident from various threat intelligence platforms. New tasks can be created for the
incident and they could be assigned to an analyst for decision making.

FortiSOAR Design and Development 7.3 Study Guide 43
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Ticketing—Example Incident Ticket Incident Response > Incidents

Response
Phase

SLA

Associated Graphical representation of
Associated Tasks indicators, alerts, and incident
Indicators

© Fortinet Inc. All Rights Reserved. 41

You can escalate an alert to an incident. A FortiSOAR incident usually contains multiple alerts that are linked
to each other, and to the incident. This allows FortiSOAR to convey the complexity of a security incident that
has many stages. After FortiSOAR runs specific playbooks over an alert, it may extract indicators based on
the alert fields. Indicators are objects that FortiSOAR extracted from various fields of a record. For example,
an indicator can have an associated reputation while a field cannot.

An incident contains various response phases. An analyst works through these phases as they resolve an
incident. From an incident, you can assign tasks to an analyst to resolve a particular issue related to the
incident, such as blocking an IP address. The audit log helps you track the incident history since it’s creation.
The comments section is used to track all comments made by an analyst or comments generated by the
playbook.

FortiSOAR Design and Development 7.3 Study Guide 44
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Queue and Shift Management
Intelligent, automated assignment solution based on queues and shift spreads
Assign alerts and incidents to a queue automatically based on criteria

Queue & Shift Management > Queue Management Queue & Shift Management > Shift Management

© Fortinet Inc. All Rights Reserved. 42

The Queue and Shift Management feature is an intelligent, automated assignment solution based on queues
and shift spreads. You can manage queues using the configuration wizard to define which record types are
associated with the queues, what conditions need to match, who to assign to the queues, and which
assignment methods to use.

Queues provide managers with a view that answers questions such as, “What are my resources working on
currently?”, “How many tasks are pending?”, and “Do any tasks require reallocation?”.

Queues provide users with a view that answers questions such as, “What is my work?”, “How much of my
work is pending?”, and “What are the priorities of my tasks?”.

The Shift Management feature allows the generation of shift rosters with shift leads and team members. By
leveraging queue and shifts together, FortiSOAR has the ability to manage shift handover processes. Records
are assigned to individual users within a queue, and you can enable shift-based assignment to assign them to
only users who are working.

Note that the Queue and Shift Management feature has replaced the Queue Management feature that was
present in the earlier releases of FortiSOAR. Automated record assignments were not supported in the old
queue management feature.

FortiSOAR Design and Development 7.3 Study Guide 45
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Dashboard Custom dashboard support
Dashboard

Multi-dashboard structure

Flexible widget
based dashboards

© Fortinet Inc. All Rights Reserved. 43

A dashboard is the default landing and home that a user sees after logging in to FortiSOAR. You can create
personalized dashboards based on roles. Customizations that you make to your dashboards are visible and
applicable only to you. Administrators must update the dashboard for the changes to apply to all users.
Updates, including removal and additions that administrators make to the dashboards, apply to all users.

FortiSOAR Design and Development 7.3 Study Guide 46
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Reporting
Reports

© Fortinet Inc. All Rights Reserved. 44

FortiSOAR allows you to easily set up reporting. You have the option to use default report templates, edit
them, or create your own. Additionally, you can schedule reports, view historical reports, and also search for
text in the report PDF. The View button generates a preview of what the report would look like, giving you an
ability to fine tune your reports prior to scheduling them.

This slide’s screenshots demonstrate the Reports interface, and an example of the customizations available
for creating reports.

FortiSOAR Design and Development 7.3 Study Guide 47
 Introduction to FortiSOAR

DO NOT REPRINT
© FORTINET
Role-Based Access Control and Teams
Settings > Security Management > Team Hierarchy
Teams and roles work together for
flexible RBAC
Teams
Define which records a user can access
Flexible hierarchy supports parent, sibling,
and child team relationships
Roles
Define which fields in a record a user can
access
Granularly create, read, update, delete
permissions

© Fortinet Inc. All Rights Reserved. 45

Teams and roles are closely aligned with a data table design