FortiSIEM Blog

One of the responsibilities of a SOC team is to ensure that all incidents are tracked and resolved in a timely manner as well as making sure security processes are consistent. To that end, a Security Orchestration, Automation, and Response (SOAR) solution can be utilized to help the SOC team streamline their security processes. So, let’s learn how mid-sized enterprises can utilize FortiSOAR with the help of a service provider to help augment their SOC environment.  Along with the mid-sized / large SOC teams, smaller IT/SOC teams can also enjoy the FortiSOAR add-on within FortiAnalyzer to help with streamlining incident response.

While a service provider isn’t required to use FortiSOAR, SOC teams with constraint resources or compliance requirements might want to use a service provider to help fill these gaps. The benefits of using FortiSOAR with a managed security service provider include:

  • Augmenting SOC (reducing time to resolution, 24/7 monitoring, etc.)
  • Technical collaboration and expertise (creating automation playbooks, incident collaboration, etc.)
  • Faster SOAR on-ramp to streamline security processes.


To understand this better, below is a diagram that shows the flexibility of how FortiSOAR can be deployed. Mid-sized enterprises can utilize FortiSOAR’s multi-tenant support in 1 of 3 ways as shown in the diagram below.

  • Distributed – Local SOC team co-manage with the service provider’s SOC
  • Dedicated – Service provider manage FortiSOAR, but dedicated nodes are deployed at the customer site for performance requirements.
  • Shared – Logs are sent directly from the customer environment to the service provider’s SOC.


Each model has its own use cases. So, choosing the right model is dependent on the customer’s own environment and requirements. For mid-enterprises with a strict data requirement, a distributed deployment might make more sense. This way, the local SOC team can have full control of their data and choose what kind of data is being sent to the FortiSOAR located in the service provider’s (SP) environment. From the screenshot below, we see that customer with strict data can choose what data they send over as broad as at the module level or granular as at the field level.



Now, there are 3 steps any customer would need to do when deploying and maintaining FortiSOAR. Security service providers can help at each of these 3 steps:

  • Ingest
  • Correlate
  • Decide

To streamline security processes, you need information. To get that information, you would need to ingest data either through manual record creations, or through connectors. This can also be thought of like a marketplace. FortiSOAR’s connector store comes with over 380+ out of the box (OOB) connectors (and growing) that integrates with different vendors and Fortinet solutions.


A common setup might be to aggregate logs from a log aggregation solution like FortiSIEM or FortiAnalyzer, and ingest the alerts into FortiSOAR. FortiSOAR also support integrations with all other SIEM vendors. Security service providers can help customers with this step for customers new to the platform.

Once you ingested alerts, the next step would be to correlate records coming from different products. This means creating playbooks with FortiSOAR’s visual playbook editor to create a logical workflow, something that analysts already do manually. Correlating records enable analysts to quickly visualize and understand the impact of a certain alert. Understanding this can help them react faster and reduce the impact of any breaches. The image below shows a playbook within FortiSOAR’s visual playbook editor. The playbook helps automate the process for finding malicious indicators of compromises (IoCs) within the customer environment, correlating the records, and blocking the IPs. FortiSOAR’s visual playbook editor is designed to be simple to use by security experts with no programming knowledge. Service providers can work with customers to understand their process and create playbooks to help them streamline the processes.


Finally, the last step puts a human-centric approach around incident response which is about deciding what to do with identified incidents and the associated crisis. FortiSOAR’s case management and crisis management capabilities enable analysts to automate trivial steps, collaborate with security service providers to do incident response and mitigate cyber threats. Analysts can use FortiSOAR’s war room to manage do crisis management or utilize FortiSOAR’s case management capabilities for rapid incident response.



In summary, analysts looking to augment their SOC should look to FortiSOAR to help them with streamlining security processes. Service providers can help smaller SOC teams to provide 24/7 monitoring, a faster on-ramp experience to streamline security processes, and more. As the SOC team grow in resources, Fortinet’s SOC maturity model can be used for a seamless experience to gain in-depth visibility into threats.



See this topic in action. View the video here.

Learn more about FortiSOAR, please visit Fortinet’s website here.

Join Fortinet’s FUSE community to learn more about FortiSOAR.