FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
Suyog
Staff
Article Id 220053

Overview

This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK) for Managed Security Service Providers (MSSPs). It enables users to experience the power and capability of FortiSOAR™ incident response in a multi-tenant architecture. FortiSOAR™ is built on a modular architecture, and the FSR IR Content Pack is an implementation of best practices for configuring and using FortiSOAR™ in an optimal manner. The FSR Content Pack also contains extensive sample, simulation, and training data that lets you experience FortiSOAR™ without having all the devices.

MSSP Specific Changes

System View Template (SVT)

Introduced a field named “Tenant” in the “Add New”, “Details View” and “List View” of the following modules:
  • Alerts
    • List View
    • Add New
    • Details View

Note: Similar changes have been made for the following modules as well:
  • Incidents
  • Indicators
  • Assets
  • Tasks

Dashboards

Introduced the following two new dashboards:
  • MSSP Overview: Displays a brief overview of all tenants
  • Tenant Overview: Displays detailed information about a particular tenant

Reports

Introduced the following four new reports, each of which takes the “Tenant Name” as its input:
  • Tenant Weekly Alerts Reports
  • Tenant Weekly Incidents Reports
  • Tenant Overdue Alerts Activity
  • Tenant Overdue Incident Activity

Playbooks

  • To perform remediation actions on a dedicated tenant, “Remote Reference Playbooks” have been added to the “05- Actions” collection. The new playbooks are prefixed with “Remote”.
  • Extract Indicator
  • Enrichment

Deployment Steps:

  1. Download the “Content_Pack.json.zip” attached to this article.
  2. Extract “Content_Pack.json.zip”.
  3. Import “Content_Pack.json” on both the “Master” and “Tenant” nodes.
  4. Perform the following steps to import the JSON file:
    1. Click System Settings
    2. Click the “Configuration Import” option in the “Application Editor” section
    3. Click the “Import From File” button, which opens the “Import Configurations” wizard
    4. Upload the “Content_Pack.json” file and click “Continue”
    5. On the “Configuration” page, a list of configurations is shown. Review the configuration options and click “Continue” to import the configurations. Important: All the configuration options displayed on this page are required.
    6. Wait for the import to finish.
  5. Install connectors on both the “Master” and “Tenant” nodes.
    1. Log in to a console session as a “sudo” user.
    2. Execute the following command to install all required connectors:
       yum install -y cyops-connector-activedirectory cyops-connector-alienvault-otx cyops-connector-alienvault-usm-anywhere cyops-connector-threatstream cyops-connector-carbonblack-response cyops-connector-elasticsearch cyops-connector-exchange cyops-connector-fortigate-firewall cyops-connector-fortinet-fortimail cyops-connector-fortinet-fortios cyops-connector-fortinet-fortisandbox cyops-connector-fortinet-fortisiem cyops-connector-fortinet-web-filter-lookup cyops-connector-arcsight cyops-connector-qradar cyops-connector-ipstack cyops-connector-jask-asoc cyops-connector-jira cyops-connector-logrhythm cyops-connector-mcafee-esm cyops-connector-microsoft-sccm cyops-connector-rapid7-insightvm cyops-connector-sophos-utm-9 cyops-connector-splunk cyops-connector-symantec-atp cyops-connector-symantec-cloudsoc cyops-connector-symantec-dlp cyops-connector-symantec-edr-cloud cyops-connector-tenable-io cyops-connector-threatq cyops-connector-virustotal cyops-connector-vmware-vsphere cyops-connector-mxtoolbox cyops-connector-slacalculator cyops-connector-symantec-sepm cyops-connector-symantec-webpulse-site-review cyops-connector-symantec-cloud cyops-connector-symantec-edr cyops-connector-symantec-ccsvm cyops-connector-symantec-ica cyops-connector-symantec-cas cyops-connector-symantec-icdx cyops-connector-symantec-messaging-gateway cyops-connector-symantec-deepsight-intelligence cyops-connector-symantec-mss cyops-connector-symantec-security-analytics cyops-connector-fortinet-fortianalyzer cyops-connector-carbonblack-defense cyops-connector-cyberark cyops-connector-phishme-intelligence cyops-connector-urlscan-io cyops-connector-xforce cyops-connector-palo-alto-networks-panorama cyops-connector-nmap-scanner cyops-connector-carbonblack-protect-bit9 cyops-connector-fortisoar-soc-simulator cyops-connector-servicenow cyops-connector-awss3 cyops-connector-fortinet-fortiedrbind-utils cyops-connector-mitre-attack
    3. After the connectors are installed, proceed with widget installation on both the “Master” and “Tenant” nodes.
      1. Click the “Widget Library” option from LHS navigation panel.
      2. Select the following widgets and install them:
        • SLA Count Down Timer
        • Incident Correlations

Setting up an environment

  1. Configure the “Code Snippet” connector with the default configuration on both the Master and Tenant systems.
  2. To create global variables and SLA templates on both the Master and Tenant systems, run the “Create Default Global Variables” playbook as follows:
    1. Click the Alerts module in the LHS navigation panel.
    2. Click the ‘Execute’ button and then select ‘Create Default Global Variables’.
  3. Enable the remote execution flag for all “Action” playbooks on the Tenant system by executing the “Enable Remote Execution Flag” playbook as follows:
    1. Click the Alerts module in the LHS navigation panel.
    2. Click the ‘Execute’ button and then select “Enable Remote Execution Flag”.
  4. Generate a playbook alias on the Master system by executing the “Alias Mapping” playbook:
    1. Click the Alerts module in the LHS navigation panel.
    2. Click the ‘Execute’ button and then select “Alias Mapping”.

Once you have completed the above steps, refer to the article at https://community.fortinet.com/t5/FortiSOAR/Incident-Response-Content-Pack-7-0-1/ta-p/220150 for the Incident Response Content Pack.