Help
FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Suyog
Staff
Staff

Created on ‎08-12-2021 11:13 PM Edited on ‎08-06-2022 03:54 AM By Community Manager

Article Id 220041

MSSP IR Content Pack 7.0.1

Overview

This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) for Managed Security Service Providers (MSSPs). This content pack enables users to experience the power and capability of FortiSOAR™ incident response in a Multi-tenant architecture.

FortiSOAR™ is built using modular architecture and the FSR IR Content Pack is the implementation of best practices to configure and use FortiSOAR™ in an optimal manner. The FSR Content Pack also contains a lot of sample/simulation/training data that enables you to experience FortiSOAR™ without having all the devices.

Release Notes

This section describes the enhancements and new features introduced in FortiSOAR™ MSSP Content Pack.

New features and enhancements

 

Feature

Details

Enhanced all the Investigation playbooks to be compatible the MSSP environment

All the Investigation playbooks that are present in the 04-Use Cases collection in the MSSP Content Pack have been enhanced to be compatible with MSSP environments.
Note: These playbooks are compatible with FortiSOAR version 7.0.1.

Automatic installations of all required connectors and widgets

All connectors and widgets that are required for an MSSP environment are automatically installed.

Automatic creation of the default global variables

All the default global variables that are required for an MSSP environment are automatically created.

Automatic configuration of the Code Snippet and SLA Calculator connectors

The Code Snippet and SLA Calculator connectors are automatically configured.

 

 

Deploying the MSSP Content Pack

  1. Download and extract the “Content_Pack.json.zip” file that is attached to this document.
  2. Import the “Content_Pack.json” file on both the “Master” and “Tenant” nodes, using the following steps:
    1. Open the FortiSOAR instance, and click System Settings.
    2. In the “Application Editor” section, click Configuration Import.
    3. On the “Configuration Import” page, click Import From File to open the Import Configurations Wizard.
    4. Upload the “Content_Pack.json” file and click Continue.
    5. On the “Configuration” page, review the list of configurations that are displayed, and then click Continue.
      Important: All the configuration options displayed on this page are required.
    6. On the “Review Import page”, review the import details that you are importing and then click Run Import to begin the import process.
      Once the import is completed, the MSSP Content Pack is deployed.

Setting up the environment

  1. Enable the remote execution flag for all the playbooks in 05-Actions collection on the Tenant systems by executing the “Enable Remote Execution Flag (Tenant Only)” playbook as follows:
    1. Open the FortiSOAR instance, and from the navigation panel, click the Alerts
    2. Click Execute and then select Enable Remote Execution Flag (Tenant Only).
      Important: Before you execute the “Enable Remote Execution Flag (Tenant Only)” playbook, ensure that there is no “Playbook Mappings” in “Remote Tenant Manager” under “Multitenancy Section” on the Master node.

c0cc590f3c5b461dbd95e71d37892c35.pngc0cc590f3c5b461dbd95e71d37892c35.png
After the “Enable Remote Execution Flag (Tenant Only)” playbook is executed, you will notice that “Playbook Mappings” is added in “Remote Tenant Manager” under “Multitenancy Section” on the Master node.
f3b8c38cbd0847c3a8eebd9015827b62.pngf3b8c38cbd0847c3a8eebd9015827b62.png

  1. Map Aliases of remote actions playbooks on the Master node by executing the “Remote Alias Mapping (Master Only)” playbook as follows:
    1. From the navigation panel, click the Alerts
    2. Click Execute and then select Remote Alias Mapping (Master Only).
  2. Click System Settings and in the “Application Editor” section, click Modules to modify the record uniqueness in the mmd for various modules as follows:
    1. For the Alerts and Incidents modules, add SourceID and Tenant fields in the “Record Uniqueness” section.
      61d696dd7d6542899ef3fdd31a1fe3d7.png61d696dd7d6542899ef3fdd31a1fe3d7.png
    2. For the Indicator module, add Type, Value, and Tenant fields in the “Record Uniqueness” section.
      1ea53b8b2c844e22a6c4946a36751ab0.png1ea53b8b2c844e22a6c4946a36751ab0.png
    3. For the SLA module, add Severtiy and Tenant fields in the “Record Uniqueness” section.
      6ccd03dc1fa542bf941afea98e14e6ce.png6ccd03dc1fa542bf941afea98e14e6ce.png
  3. Disable SLA Playbooks from the 08 - Case Management collection on the Tenant (“SLA” keyword). This is required because, SLA operations on all records, i.e. records of Master or Tenant, get performed on the Master only.
    8a51a16350fe4d739642d04b14f6af1c.png8a51a16350fe4d739642d04b14f6af1c.png
Define Tenant SLA by adding SLA records for the Tenant in the “SLA Templates” module on the Master.
2a31b3df4cc14521bd5c1c464ac01104.png2a31b3df4cc14521bd5c1c464ac01104.png
MSSP_Content_Pack_v7.0.1.zip
Labels:
587
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.