Overview

This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK) for Managed Security Service Providers (MSSPs). It enables users to experience the power and capability of FortiSOAR™ incident response in a Multi-tenant architecture. FortiSOAR™ is built using modular architecture and the FSR IR Content Pack is the implementation of best practices to configure and use FortiSOAR™ in an optimal manner. The FSR Content Pack also contains a lot of sample/simulation/training data that enables you to experience FortiSOAR™ without having all the devices.

MSSP Specific Changes

System View Template (SVT)

• Alerts
  
  • List View

• • Add New

• • Details View

• Incidents
• Indicators
• Assets
• Tasks

Dashboards

• MSSP Overview: Displays a brief overview of all tenants

• Tenant Overview: Display detailed information of a particular tenant

Reports

• Tenant Weekly Alerts Reports
• Tenant Weekly Incidents Reports
• Tenant Overdue Alerts Activity
• Tenant Overdue Incident Activity 

Playbooks

• To perform “remediate actions” on a dedicated tenant, “Remote Reference Playbooks” in the “05- Actions” collection are added. New playbooks are prefixed with “Remote”.
• Extract Indicator
• Enrichment

Deployment Steps:

1. Download the “Content_Pack.json.zip”, which is attached with this document
2. Extract “Content_Pack.json.zip”
3. Import “Content_Pack.json” on both the “Master” and “Tenant” nodes.
4. Perform the following steps to import the JSON file:
   1. Click System Settings
   2. Click the “Configuration Import” option in the “Application Editor” section
   3. Click the “Import From File” button, which opens the “Import Configurations” wizard
   4. Upload the “Content_Pack.json” file and click “Continue”
   5. On the “Configuration” page, a list of configurations are shown. Review the configuration options and click “Continue” to import the configurations. Important: All the configuration options displayed on this page are required.
   6. Wait for import to finish.
5. Install connectors on both the “Master” and “Tenant” nodes.
   1. Login to a console session as a “sudo” user.
   2. Execute the following command to install all required connectors:

   3. yum install -y cyops-connector-activedirectory cyops-connector-alienvault-otx cyops-connector-alienvault-usm-anywhere cyops-connector-threatstream cyops-connector-carbonblack-response cyops-connector-elasticsearch cyops-connector-exchange cyops-connector-fortigate-firewall cyops-connector-fortinet-fortimail cyops-connector-fortinet-fortios cyops-connector-fortinet-fortisandbox cyops-connector-fortinet-fortisiem cyops-connector-fortinet-web-filter-lookup cyops-connector-arcsight cyops-connector-qradar cyops-connector-ipstack cyops-connector-jask-asoc cyops-connector-jira cyops-connector-logrhythm cyops-connector-mcafee-esm cyops-connector-microsoft-sccm cyops-connector-rapid7-insightvm cyops-connector-sophos-utm-9 cyops-connector-splunk cyops-connector-symantec-atp cyops-connector-symantec-cloudsoc cyops-connector-symantec-dlp cyops-connector-symantec-edr-cloud cyops-connector-tenable-io cyops-connector-threatq cyops-connector-virustotal cyops-connector-vmware-vsphere cyops-connector-mxtoolbox cyops-connector-slacalculator cyops-connector-symantec-sepm cyops-connector-symantec-webpulse-site-review cyops-connector-symantec-cloud cyops-connector-symantec-edr cyops-connector-symantec-ccsvm cyops-connector-symantec-ica cyops-connector-symantec-cas cyops-connector-symantec-icdx cyops-connector-symantec-messaging-gateway cyops-connector-symantec-deepsight-intelligence cyops-connector-symantec-mss cyops-connector-symantec-security-analytics cyops-connector-fortinet-fortianalyzer cyops-connector-carbonblack-defense cyops-connector-cyberark cyops-connector-phishme-intelligence cyops-connector-urlscan-io cyops-connector-xforce cyops-connector-palo-alto-networks-panorama cyops-connector-nmap-scanner cyops-connector-carbonblack-protect-bit9 cyops-connector-fortisoar-soc-simulator cyops-connector-servicenow cyops-connector-awss3 cyops-connector-fortinet-fortiedrbind-utils cyops-connector-mitre-attack

   4. After the connectors are installed, proceed with widget Installation on both “Master” and “Tenant” nodes.
      1. Click the “Widget Library” option from LHS navigation panel.
      2. Select the following widgets and install them:
         • SLA Count Down Timer
         • Incident Correlations

Setting up an environment

1. Configure the “Code Snippet” connector with the default configuration on both Master and Tenant systems.
2. To create Global variables and SLA templates on both the Master and Tenant systems, run the “Create Default Global Variables” playbook as follows:
   1. Click the Alerts module from the LHS navigation panel.
   2. Click the ‘Execute’ button and then select ‘Create Default Global Variables’
3. Enable the remote execution flag for all ”Action” playbooks on Tenant system by executing the “Enable Remote Execution Flag” playbook as follows:
   1. Click the Alerts module from the LHS navigation panel.
   2. Click the ‘Execute’ button and then select “Enable Remote Execution Flag”.
4. Generate a playbook alias on the Master system by executing the “Alias Mapping” playbook:
   1. Click the Alerts module from the LHS navigation panel.
   2. Click the ‘Execute’ button and then select “Alias Mapping”.