Help
FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Namrata
Staff
Staff

Created on ‎10-04-2021 10:49 PM Edited on ‎08-06-2022 10:27 PM By Community Manager

Article Id 220035

MSSP IR Content Pack 7.0.2

Overview

This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) for Managed Security Service Providers (MSSPs). This content pack enables users to experience the power and capability of FortiSOAR™ incident response in a multi-tenant architecture.

FortiSOAR™ is built using modular architecture and the FSR IR Content Pack is the implementation of best practices to configure and use FortiSOAR™ in an optimal manner. The FSR Content Pack also contains a lot of sample/simulation/training data that enables you to experience FortiSOAR™ without having all the devices.

Deploying the MSSP Content Pack

  1. Download and extract the fsr-cp-mssp.zip file that is attached to this document.
  2. Import the fsr-cp-mssp.zip file on both the “Master” and “Tenant” nodes, using the following steps:
    1. Open the FortiSOAR instance, and click System Settings.
    2. In the “Application Editor” section, click Import Wizard.
    3. On the “Import Wizard” page, click Import From File to open the Import Wizard.
    4. Upload the fsr-cp-mssp.zip file and click Continue.
    5. On the “Configuration” page, review the list of configurations that are displayed, and then click Continue.
      Important: All the configuration options displayed on this page are required.
    6. On the “Review Import page”, review the import details that you are importing and then click Run Import to begin the import process.
      Once the import is completed, the MSSP Content Pack is deployed.

Once you have completed installing the MSSP Content Pack, you can choose to import other Content Pack’s (using the same steps mentioned above) based on your requirements:

Content Pack

Details

Symantec Content Pack (fsr-cp-symantec-solutions.zip)

The use cases and ingestion playbooks related to Symantec Solutions have been moved to the Symantec Content Pack (CP) zip file (fsr-cp-symantec-solutions.zip).

MITRE ATT&CK Content Pack (fsr-cp-mitre-attack.zip)

The MITRE ATT&CK Content Pack has been added to enable users to use the information and knowledge base that’s provided by the MITRE ATT&CK Framework to its full extent.

Vulnerability Management Content Pack (fsr-cp-vulnerability-management.zip)

The ingestion playbooks related to Vulnerability Management have been moved to the  Vulnerability Management Content Pack (CP) zip file (fsr-cp-vulnerability-management.zip).

Scenarios Content Pack (fsr-cp-soc-simulator.zip )

The Scenarios Content Pack contains all the playbook collections related to ‘SOC Simulator’.

Note: All these zip files are attached to this article.

Setting up the environment

  1. Enable the remote execution flag for all the playbooks in 05-Actions collection on the Tenant systems by executing the “Enable Remote Execution Flag (Tenant Only)” playbook as follows:
    1. Open the FortiSOAR instance, and from the navigation panel, click the Alerts
    2. Click Execute and then select Enable Remote Execution Flag (Tenant Only).
      Important: Before you execute the “Enable Remote Execution Flag (Tenant Only)” playbook, ensure that there are no “Playbook Mappings” in “Remote Tenant Manager” under “Multitenancy Section” on the Master node.
       e5b8ea303b334576b82b1b56b791f6de.pnge5b8ea303b334576b82b1b56b791f6de.pngAfter the “Enable Remote Execution Flag (Tenant Only)” playbook is executed, you will notice that “Playbook Mappings” is added in “Remote Tenant Manager” under “Multitenancy Section” on the Master node.a772540268594e67914d98310863e287.pnga772540268594e67914d98310863e287.png
  2. Map Aliases of remote actions playbooks on the Master node by executing the “Remote Alias Mapping (Master Only)” playbook as follows:
    1. From the navigation panel, click the Alerts
    2. Click Execute and then select Remote Alias Mapping (Master Only).
  3. Click System Settings and in the “Application Editor” section, click Modules to modify the record uniqueness in the mmd for various modules as follows:
    1. For the Alerts and Incidents modules, add "Source ID" and "Tenant" fields in the “Record Uniqueness” section.
      e8062f49f5b54305b34083efebaf5839.pnge8062f49f5b54305b34083efebaf5839.png
  4. Disable SLA Playbooks from the 08 - Case Management collection on the Tenant (“SLA” keyword). This is required because, SLA operations on all records, i.e. records of Master or Tenant, get performed on the Master only.
    c40274970c9c45fab3b996f480dfdb0f.pngc40274970c9c45fab3b996f480dfdb0f.png
  5. Configure “SLA Calculator" connector (Master Only)28c58b7c46e846a892b62d368724af48.png28c58b7c46e846a892b62d368724af48.png
  6. Create SLA Templates Records (Master Only)
    1. From the navigation panel, click the Automation. Select SLAs
    2. Click Execute button and select Create Default SLA Templates.fb1b245ffb454c44955d7510a403e02f.pngfb1b245ffb454c44955d7510a403e02f.png
    3. Click on Add button to create SLA records for Tenant.b2e9d1dd679c45f4b58c3c09f62bffc6.pngb2e9d1dd679c45f4b58c3c09f62bffc6.png
    4. Add SLA record for all the Severity for Tenantca96b7191ac147dc9f6ffae89e3025df.pngca96b7191ac147dc9f6ffae89e3025df.png

Release Notes - Version 7.0.2

This section describes the enhancements and new features introduced in FortiSOAR™ MSSP Content Pack.

New features and enhancements

Feature

Details

Created a new collection named “05 - Actions (Remote)”

All the MSSP related Actions playbooks i.e., "Remote Action - *" playbooks, "Alias Mapping" playbooks, and "Enable Remote Execution Flag" playbooks have been moved to the "05 - Actions (Remote)" collection from “05 - Actions” collection.

Modified “02 - Enrich” collection

The "02 - Enrich" collection is updated as follows to facilitate the smooth execution of Indicator Extraction and Enrichment Playbooks:

  • Added "Get License Details" step 
  • Added the Is MSSP Environment" condition  
  • Added the "Is Tenant Shared" condition

 

fsr-cp-mssp.zip
fsr-cp-mitre-attack.zip
fsr-cp-symantec-solutions.zip
fsr-cp-vulnerability-management.zip
fsr-cp-soc-simulator.zip
Labels:
446
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.