FortiSIEM Blog

Executive Summary:

  • Hiring skilled employees who can adequately protect the business from evolving threats
  • Orchestrating point solutions together and having consistent security protections across different environments
  • Too many alerts

  • Breaches caused by disgruntled ex-employees
  • Exploitation resulting from a lack of visibility into patch management
  • Security gaps from inconsistent security protections caused by the lack of communication between point products

What is Security Orchestration, Automation and Response (SOAR):

  • Gartner defines SOAR as “technologies that enable organizations to take inputs from a variety of sources and apply workflows aligned to processes and procedures”
  • In layman’s terms, a SOAR solution aggregates large amounts of data into a single location and uses automation and orchestration to streamline processes for consistency and predictability


What problems does FortiSOAR try to solve:

  • Staff shortages and evolving threats
  • Siloed point products that do not communicate with each other
  • Alert fatigue


Who uses FortiSOAR:

  • Businesses looking to get advanced visibility into their SOC environments and streamline processes
  • MSSPs looking to provide services (e.g. MDR) to customers or to build streamlined processes of their own
  • Businesses wanting advanced case management that extends beyond the typical SOC environment


Comparing FortiSOAR with other existing SOAR solutions:

  • Advanced Case Management capabilities that extend beyond a typical SOC environment
  • Granular automation with an easy-to-understand user interface
  • Robust Build Your Own Solution (BYOS) that can be customized to a customer’s specific use case


Full Blog:


To keep up with emerging threats, organizations of any size should adopt emerging technologies. While traditional solutions are still needed, a streamlined approach is necessary for any company looking to improve its security. Automation and orchestration are two terms that Security Operations Centers (SOCs) should be familiar with if they aren't already. A typical SOC environment grows out of a business need to protect sensitive data, driven by regulations, client requirements, past breaches, and/or business goals. With the emergence of new technologies and hyper-connectivity, combined with staff shortages, in-depth skill requirements and evolving threats, many organizations are struggling to keep up with the volume of data they need to protect, the processes they need to follow, and the security controls they need to monitor. Customers relying on point security products often find themselves frustrated by siloed controls, leaving them operationally inefficient and vulnerable to breaches.


Organizations that are concerned about being unable to hire enough security staff with the knowledge to adequately protect the business, that want to streamline security processes, and/or that need to orchestrate their point security solutions together to handle incident response should use a Security Orchestration, Automation and Response solution like FortiSOAR. FortiSOAR enables organizations to automate threat remediation, perform case management for on- and off-network environments, and optimize their SOC environment.


Imagine a typical SOC environment with Tier 1 to Tier 4 Analysts. Tier 1 Analysts are responsible for alert triage, Tier 2 Analysts are tasked with incident response, Tier 3 Analysts are responsible for threat hunting, while Tier 4 Analysts are SOC Managers who define security strategies, manage the SOC, and measure and report its performance to stakeholders. With the emergence of new technologies and new threats, SOCs need to leverage SOAR solutions like FortiSOAR to enable Analysts at each tier to become more proactive, dynamic, and strategic, rather than reactive, static, and tactical.


FortiSOAR's compatibility with a wide range of alert sources (SIEMs, UEBAs, email gateways, firewalls, EDRs) enables analysts to gather data from inside and outside the organization into a central location. FortiSOAR utilizes data connectors for products from over 275 technology partners. A Tier 1 Analyst like Joe can now easily build a dynamic or static repository in which he chooses what data to ingest based on the processes defined in his organization. In this example, Joe uses FortiSOAR's data ingestion wizard to pull all devices from FortiSIEM into FortiSOAR.





Once FortiSOAR has been populated with data, Joe can create incident response processes using playbooks built in an easy drag-and-drop interface, and streamline any processes defined by the SOC Manager.




Joe can pick up suspicious alerts from the auto-prioritized queue and correlate them with any related incidents. Additionally, Joe can use indicators from various threat intelligence sources and have automation correlate them with past alerts. Joe can then review the incidents with this contextual information and decide whether or not to escalate them to a Tier 2 analyst like Marvin.


Using the information from Joe, Marvin can create his own playbooks and streamline how he does incident response. At each stage of the incident response lifecycle (Detection, Investigation, Confirmation, Containment, Eradication, Recovery, Aftermath), Marvin can create playbooks to perform automation and orchestration. If Marvin wants to run a playbook that checks an offending IP address against the threat intelligence configured on FortiSOAR to see whether it matches any known threat database, he can easily do so with FortiSOAR’s visual designer.
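As an added illustration, not FortiSOAR's own code or API, the following stand-alone Python sketches the three playbook steps the Tier 1 and Tier 2 scenarios above describe: grouping related alerts into incidents, enriching the shared indicator against configured threat intelligence, and deciding whether to escalate. The alerts, the intel feed, the scoring weights and the escalation threshold are all constructed for the example.

```python
"""Illustrative triage playbook (hypothetical; not FortiSOAR's API or data model)."""
from collections import defaultdict

# Constructed sample alerts, shaped like what SIEM/EDR/firewall/email connectors deliver.
ALERTS = [
    {"id": "a1", "source": "siem", "indicator": "198.51.100.7", "severity": 3},
    {"id": "a2", "source": "edr", "indicator": "198.51.100.7", "severity": 2},
    {"id": "a3", "source": "fw", "indicator": "203.0.113.9", "severity": 1},
    {"id": "a4", "source": "email", "indicator": "evil.example", "severity": 2},
]

# Constructed threat-intel feed: indicator -> (confidence 0-100, tag).
THREAT_INTEL = {
    "198.51.100.7": (90, "c2"),
    "evil.example": (60, "phishing"),
}

def correlate(alerts):
    """Group alerts that share an indicator into one incident (the 'related incidents' step)."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[alert["indicator"]].append(alert)
    return incidents

def enrich(indicator, intel):
    """Look the indicator up in the configured intel; None when nothing matches."""
    hit = intel.get(indicator)
    return None if hit is None else {"confidence": hit[0], "tag": hit[1]}

def score(alerts, match):
    """Worst alert severity x10, +5 per distinct source, plus intel confidence if matched."""
    base = max(a["severity"] for a in alerts) * 10
    sources = len({a["source"] for a in alerts}) * 5
    return base + sources + (match["confidence"] if match else 0)

def triage(alerts, intel, escalate_at=50):
    """Return incidents ordered by priority, each with an escalate/monitor decision."""
    out = []
    for indicator, group in correlate(alerts).items():
        match = enrich(indicator, intel)
        s = score(group, match)
        out.append({"indicator": indicator, "alerts": [a["id"] for a in group],
                    "intel": match, "score": s,
                    "decision": "escalate_tier2" if s >= escalate_at else "monitor"})
    return sorted(out, key=lambda inc: inc["score"], reverse=True)

if __name__ == "__main__":
    for inc in triage(ALERTS, THREAT_INTEL):
        print(inc["decision"], inc["indicator"], inc["score"], inc["alerts"])
```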




Jacky, a Tier 3 Analyst, can utilize the data that Joe pulled to do threat hunting. Jacky can create her own playbooks or use the out-of-the-box (OOB) playbooks that ship with FortiSOAR. If Jacky wants a playbook that searches for specified indicators using EDR tools and creates alerts on them, she can build it with the visual designer. Where Jacky previously had to do much of this manually, she can now streamline the entire process with FortiSOAR.



Finally, Susan, the Tier 4 SOC Manager, can quickly pull performance metrics from FortiSOAR to measure the service level and ROI of the SOC, and deliver any reports necessary to leadership or the auditing team.


Now, let’s take it one step further. Not only can the SOC team orchestrate incident response, but external teams can also use FortiSOAR's advanced case management capabilities to automate the handling of non-cyber threats. Legal, Finance and Physical Security teams can also utilize FortiSOAR to streamline case management and improve operational efficiency.


Whereas a typical SOAR solution only provides orchestration for security-related incident response, FortiSOAR's advanced case management extends outside the SOC environment. Granular automation, together with role-based access control (RBAC), enables these teams to streamline their own processes and improve operations through an easy-to-use interface for creating automation playbooks. Stakeholders in these Business Units (BUs) can also generate their own reports, measure performance and other custom metrics, and deliver these enterprise-level reports to leadership.


Continuing down that path, FortiSOAR is designed to meet complex MSSP needs. It gives MSSPs the flexibility to implement either a multi-tenancy or a distributed-tenancy approach. With this design, FortiSOAR lets MSSPs provide data isolation to customers with strict data requirements while still delivering the MSSP's security expertise.


FortiSOAR is the only SOAR solution in the market that ties in threat intelligence, advanced case management that extends beyond SOCs, and orchestration while working with businesses of all sizes to streamline their security processes.

