Cybersecurity Forum


FortiSOAR's integration with FortiAnalyzer

About the Integration:

FortiSOAR 6.0 rolled out an enhanced integration with FortiAnalyzer (FAZ). FAZ users can leverage this integration to ingest FAZ incidents into FortiSOAR (FSR) and take the investigation ahead using FSR's extensive connector library (of nearly 300 OOB security tool integrations), role-based comprehensive case management and best-in-class automation framework, aka playbooks.  


Use cases:
On ingesting incidents from FAZ, FortiSOAR investigation playbooks automatically extract incident artifacts like associated events, asset information, user information, and other details from the incident. These artifacts are then enriched either by using integration with Fortinet Security Fabric products like FortiSIEM, FortiAnalyzer, FortiSandbox, FortiGuard, and the like, and/or using third-party integrations like VirusTotal, Anomali ThreatStream, URLVoid, AbuseIPDB, and many others. FortiSOAR helps in taking immediate or approval-based remediation actions on the malicious IOCs, for example, blocking them on the FortiGate firewalls or adding them to the FortiSIEM or FortiEDR blacklists.

Current actions supported by the connector:

Create Incident: Creates a new incident record in FortiAnalyzer based on the incident reporter, affected endpoint, and other input parameters you have specified.
Fetch Incidents: Fetches all incidents or specific incidents from FortiAnalyzer based on the input parameters specified.
Update Incident: Updates incident fields like severity, category, status, etc. corresponding to a specific incident in FortiAnalyzer based on the incident ID and other input parameters specified.
Get Events For Incident: Retrieves all events associated with a specified incident in FortiAnalyzer based on the incident ID you have specified.
Get Reports: Retrieves a list of all reports that have been generated or are in the pending state from FortiAnalyzer based on the time frame you have specified.
List Schedules: Retrieves a list of all schedules from FortiAnalyzer.
Run Report: Runs a report on the FortiAnalyzer based on the report ID and schedule ID you have specified.
Get Generated Report: Retrieves a specific generated report from FortiAnalyzer based on the report ID you have specified.

Let's use this thread to discuss more use cases with regard to this integration and suggestions to further enhance the FAZ integration.

Amit Jain
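The ingest, extract, enrich and remediate flow described in the post, reduced to a small stand-alone illustration (added example, not FortiSOAR or FortiAnalyzer code). The incident fields, the reputation table and the severity-based approval gate are all assumptions constructed for this example; the real connector parameters and playbook steps are not shown on this page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of an ingested incident. Field names are an assumption for this
# illustration, not FortiAnalyzer's incident schema or the connector's output format.
SAMPLE_INCIDENT = {
    "incid": "IN-0001",
    "severity": "high",
    "endpoint": {"hostname": "ws-042", "ip": "10.1.2.3", "user": "alice"},
    "events": [
        {"msg": "Outbound connection from 10.1.2.3 to 198.51.100.23 blocked"},
        {"msg": "DNS query for payload.bad-example.test from 10.1.2.3"},
        {"msg": "Quarantined file sha256=" + "ab" * 32},
    ],
}
# Constructed reputation table standing in for a threat-intel connector lookup.
SAMPLE_REPUTATION = {"198.51.100.23": "malicious", "payload.bad-example.test": "malicious"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_artifacts(incident):
    """Collect candidate IOCs from the incident's events. RFC 1918 addresses are asset
    context (the affected endpoint), not candidates for a firewall block."""
    found = set()
    for ev in incident["events"]:
        msg = ev["msg"]
        for ip in IPV4.findall(msg):
            if not any(ip_address(ip) in net for net in RFC1918):
                found.add(ip)
        found.update(h.lower() for h in SHA256.findall(msg))
        found.update(d.lower() for d in DOMAIN.findall(msg))
    return found


def enrich(artifacts, reputation):
    """Enrichment step: every artifact gets a verdict, 'unknown' when no source knows it."""
    return {a: reputation.get(a, "unknown") for a in artifacts}


def plan_remediation(incident, verdicts, auto_block=("critical", "high")):
    """Block malicious artifacts immediately only on high-severity incidents; otherwise
    queue them for approval. Unknown verdicts are left to the analyst, not acted on."""
    plan = {}
    for art, verdict in verdicts.items():
        if verdict == "malicious":
            plan[art] = "block" if incident["severity"] in auto_block else "request_approval"
    return plan
```

The point of the gate is that an automated block only fires when both the enrichment verdict and the incident severity agree; anything weaker becomes an approval request rather than a silent action.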

Thanks for sharing @Amit
CTO (SOAR Business) | VP of Engineering