FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
Namrata
Staff
Article Id 220035

Overview

This article describes the FortiSOAR™ Incident Response Content Pack (FSR-IR-CONTENT-PACK or Content Pack) for Managed Security Service Providers (MSSPs). This content pack enables users to experience the power and capability of FortiSOAR™ incident response in a multi-tenant architecture.

FortiSOAR™ is built using modular architecture and the FSR IR Content Pack is the implementation of best practices to configure and use FortiSOAR™ in an optimal manner. The FSR Content Pack also contains a lot of sample/simulation/training data that enables you to experience FortiSOAR™ without having all the devices.

Deploying the MSSP Content Pack

  1. Download and extract the fsr-cp-mssp.zip file that is attached to this document.
  2. Import the fsr-cp-mssp.zip file on both the “Master” and “Tenant” nodes, using the following steps:
    1. Open the FortiSOAR instance, and click System Settings.
    2. In the “Application Editor” section, click Import Wizard.
    3. On the “Import Wizard” page, click Import From File to open the Import Wizard.
    4. Upload the fsr-cp-mssp.zip file and click Continue.
    5. On the “Configuration” page, review the list of configurations that are displayed, and then click Continue.
      Important: All the configuration options displayed on this page are required.
    6. On the “Review Import” page, review the import details and then click Run Import to begin the import process.
      Once the import is completed, the MSSP Content Pack is deployed.

Once you have completed installing the MSSP Content Pack, you can choose to import other Content Packs (using the same steps mentioned above) based on your requirements:

  • Symantec Content Pack (fsr-cp-symantec-solutions.zip): The use cases and ingestion playbooks related to Symantec Solutions have been moved to the Symantec Content Pack (CP) zip file.
  • MITRE ATT&CK Content Pack (fsr-cp-mitre-attack.zip): Enables users to use the information and knowledge base provided by the MITRE ATT&CK Framework to its full extent.
  • Vulnerability Management Content Pack (fsr-cp-vulnerability-management.zip): The ingestion playbooks related to Vulnerability Management have been moved to the Vulnerability Management Content Pack (CP) zip file.
  • Scenarios Content Pack (fsr-cp-soc-simulator.zip): Contains all the playbook collections related to ‘SOC Simulator’.

Note: All these zip files are attached to this article.

Setting up the environment

  1. Enable the remote execution flag for all the playbooks in the 05 - Actions collection on the Tenant systems by executing the “Enable Remote Execution Flag (Tenant Only)” playbook as follows:
    1. Open the FortiSOAR instance, and from the navigation panel, click Alerts.
    2. Click Execute and then select Enable Remote Execution Flag (Tenant Only).
      Important: Before you execute the “Enable Remote Execution Flag (Tenant Only)” playbook, ensure that there are no “Playbook Mappings” in “Remote Tenant Manager” under the “Multitenancy” section on the Master node.
      After the “Enable Remote Execution Flag (Tenant Only)” playbook is executed, you will notice that “Playbook Mappings” are added in “Remote Tenant Manager” under the “Multitenancy” section on the Master node.
  2. Map aliases of the remote action playbooks on the Master node by executing the “Remote Alias Mapping (Master Only)” playbook as follows:
    1. From the navigation panel, click Alerts.
    2. Click Execute and then select Remote Alias Mapping (Master Only).
  3. Click System Settings and in the “Application Editor” section, click Modules to modify the record uniqueness in the MMD (module metadata definition) for the following modules:
    1. For the Alerts and Incidents modules, add the “Source ID” and “Tenant” fields in the “Record Uniqueness” section.
  4. Disable the SLA playbooks (identified by the “SLA” keyword) in the 08 - Case Management collection on the Tenant. This is required because SLA operations on all records, whether Master or Tenant records, are performed on the Master only.
  5. Configure the “SLA Calculator” connector (Master Only).
  6. Create SLA Template records (Master Only):
    1. From the navigation panel, click Automation, and then select SLAs.
    2. Click Execute and then select Create Default SLA Templates.
    3. Click Add to create SLA records for the Tenant.
    4. Add an SLA record for every Severity for the Tenant.
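Step 3 above adds “Tenant” to the Record Uniqueness key alongside “Source ID”. The following added example (not FortiSOAR code; the Alert and AlertStore classes and the sample alerts are constructed for illustration) models that setting to show why Source ID alone is unsafe in a multi-tenant deployment: two tenants' sources can reuse the same ID, and the second ingest would then overwrite the first tenant's record.

```python
# Added example (not FortiSOAR code): models the "Record Uniqueness" setting
# from step 3 above to show why the key must include Tenant as well as Source ID.
from dataclasses import dataclass, field

@dataclass
class Alert:
    source_id: str  # ID assigned by the originating SIEM/EDR
    tenant: str     # tenant the record belongs to
    name: str

@dataclass
class AlertStore:
    # Fields making up the uniqueness key, e.g. ("source_id",) or ("source_id", "tenant")
    unique_fields: tuple
    records: dict = field(default_factory=dict)

    def key(self, alert):
        return tuple(getattr(alert, f) for f in self.unique_fields)

    def ingest(self, alert):
        """Return "created" for a new record, or "updated" when an existing
        record with the same uniqueness key is overwritten."""
        k = self.key(alert)
        action = "updated" if k in self.records else "created"
        self.records[k] = alert
        return action

    def records_for(self, tenant):
        return [a for a in self.records.values() if a.tenant == tenant]

# Constructed sample: two tenants whose SIEMs both number alerts from 1001.
SAMPLE = [
    Alert("1001", "tenant-a", "Suspicious login"),
    Alert("1001", "tenant-b", "Malware detected"),
]

def simulate(unique_fields):
    store = AlertStore(unique_fields)
    actions = [store.ingest(a) for a in SAMPLE]
    return actions, store

if __name__ == "__main__":
    # Source ID only: tenant-b's alert overwrites tenant-a's record
    print(simulate(("source_id",))[0])           # ['created', 'updated']
    # Source ID + Tenant, as in step 3: both records are kept
    print(simulate(("source_id", "tenant"))[0])  # ['created', 'created']
```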

Release Notes - Version 7.0.2

This section describes the enhancements and new features introduced in FortiSOAR™ MSSP Content Pack.

New features and enhancements

  • Created a new collection named “05 - Actions (Remote)”: All the MSSP-related Actions playbooks, i.e. the "Remote Action - *" playbooks, "Alias Mapping" playbooks, and "Enable Remote Execution Flag" playbooks, have been moved from the “05 - Actions” collection to the "05 - Actions (Remote)" collection.
  • Modified the “02 - Enrich” collection: The "02 - Enrich" collection is updated as follows to facilitate the smooth execution of the Indicator Extraction and Enrichment playbooks:
    • Added the "Get License Details" step
    • Added the "Is MSSP Environment" condition
    • Added the "Is Tenant Shared" condition
