Summary
Shift management in a large SOC presents challenges in automating the handover and takeover of duties for ongoing alerts. FortiSOAR has developed a dedicated module that lets SOCs manage their roster and automate these processes easily.
Tasks achieved
- Dedicated shift roster
- Adding users to shift roster
- Creating daily roster
- Automation for handover and takeover of alerts
- Automated report generation
- Automated email reports
Applicability
Applicable for FortiSOAR Enterprise v.7.0 onwards.
Prerequisites
- Download the “RosterManagement.zip” file attached to this document.
- Ensure that the FortiSOAR user has the “Security Administrator” role so that CRUD permissions can be assigned for the “Rosters” module.
- Configure the Code Snippet connector.
- Install the xlsxwriter Python package (used to prepare the .xls report attachment for the email):
- Log in to the FortiSOAR CLI as the root user.
- Install the “xlsxwriter” package with the following command:
# sudo -u nginx /opt/cyops-integrations/.env/bin/python3 /opt/cyops-integrations/.env/bin/pip3 install xlsxwriter
Setting Up the FortiSOAR Environment
- Log in to the FortiSOAR console.
- Go to Settings -> Application Editor -> Import Wizard and import the “RosterManagement.json” file, which imports the following items into your FortiSOAR environment:
- “Rosters” Module
- Two Picklists
- Analyst List
- Days
- “Roster Management playbook” collection
- Three Global Variables
- Roster_Email
- Roster_Timezone
- Current_Roster_Analysts
- To access the “Rosters” module, apply CRUD permissions to the “Roster” module. Go to Settings -> Security Management -> Roles -> Full App Permissions -> Set Role Permissions -> Select the CRUD permissions in the Roster module row -> click Save.
- Add the “Rosters” module to the FortiSOAR navigation window. Go to Settings -> Application Editor -> Navigation. On the “Modules” tab, select the “Rosters” module and click “Add To Menu”. Move the “Roster” module into the “Automation” group and click Save.
- In the “Roster_Email” global variable, add the email addresses of the persons to whom you want to send the shift report.
- In the “Roster_Timezone” global variable, add the timezone to be applied to the roster. The timezone must be in the UTC+XX:XX or UTC-XX:XX format.
- Open the Rosters module, click Execute, and select “01 Get FortiSOAR Users > Add to Roster”.
- The “01 Get FortiSOAR Users > Add to Roster” playbook automatically adds the FortiSOAR users (except CS Admin) to the “Analyst List” picklist.
- Create a roster for a week, assigning the analysts in the “Analysts Shift” field and their timings in the “Shift Timing” field.
- Create three “Schedules” for Morning Shift (6:00 Hrs), Afternoon Shift (13:00 Hrs), and Night Shift (20:00 Hrs). Go to “Navigation Window” -> “Automation” -> “Schedules”. Click the “Create New Schedule” button. In the Schedule Details dialog, from the Playbook drop-down list, select “02 Roster Management” and add the other schedule details, and then click Save.
- After a shift completes, the following tasks are executed automatically:
- Computation of the total unclosed alerts of the previous shift.
- Equitable distribution of the unclosed alerts of the previous shift's analysts to the next shift's analysts.
- Generation of the shift report.
- Automatic deactivation of the previous shift's analysts (users) and activation of the next shift's analysts.
- Automatic assignment of alerts created during any shift to the analysts of that shift, using the “Assign Random Analyst to Unassigned Alerts within Shift” playbook.
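As an added example (not FortiSOAR's own playbook code), the following Python sketches the logic behind the Roster_Timezone variable and the handover steps above: it parses the UTC+XX:XX / UTC-XX:XX value, maps a UTC time onto the three scheduled shifts, and hands the previous shift's unclosed alerts to the next shift's analysts round-robin. The analyst names, alert ids and alert field names (status, assignedTo) are constructed assumptions, not the module's actual schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Shift start hours from the schedules in this note: Morning 06:00, Afternoon 13:00, Night 20:00.
SHIFTS = [("Morning", 6), ("Afternoon", 13), ("Night", 20)]

def parse_roster_timezone(value):
    """Turn the Roster_Timezone value ("UTC+05:30", "UTC-04:00") into a tzinfo.
    Anything outside UTC+XX:XX / UTC-XX:XX is rejected rather than silently
    treated as UTC, which would shift every handover by hours."""
    m = re.fullmatch(r"UTC([+-])(\d{2}):(\d{2})", value.strip())
    if not m:
        raise ValueError(f"Roster_Timezone must be UTC+XX:XX or UTC-XX:XX, got {value!r}")
    sign, hh, mm = m.groups()
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return timezone(delta if sign == "+" else -delta)

def current_shift(utc_iso, roster_tz):
    """Name the shift a UTC timestamp ("2024-01-01T08:00:00") falls in, in roster local time."""
    utc_dt = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    local_hour = utc_dt.astimezone(roster_tz).hour
    name = SHIFTS[-1][0]  # 00:00-05:59 local still belongs to the Night shift
    for shift_name, start_hour in SHIFTS:
        if local_hour >= start_hour:
            name = shift_name
    return name

def handover_alerts(alerts, previous_analysts, next_analysts):
    """Reassign unclosed alerts owned by previous-shift analysts to the next shift,
    round-robin, so each incoming analyst gets an equal share. Closed alerts and
    alerts owned by anyone outside the previous shift are left untouched."""
    if not next_analysts:
        raise ValueError("next shift has no analysts; refusing to orphan alerts")
    previous, handed, result = set(previous_analysts), 0, []
    for alert in alerts:
        updated = dict(alert)  # copy, so the caller's list is not modified
        if alert["status"] != "Closed" and alert["assignedTo"] in previous:
            updated["assignedTo"] = next_analysts[handed % len(next_analysts)]
            handed += 1
        result.append(updated)
    return result

# Constructed sample data (hypothetical analysts and alert ids, not from a real tenant).
SAMPLE_ALERTS = [
    {"id": 101, "status": "Open", "assignedTo": "alice"},
    {"id": 102, "status": "Closed", "assignedTo": "alice"},
    {"id": 103, "status": "Open", "assignedTo": "bob"},
    {"id": 104, "status": "Open", "assignedTo": "bob"},
    {"id": 105, "status": "Open", "assignedTo": "carol"},  # carol was not on the previous shift
]
```

Calling `handover_alerts(SAMPLE_ALERTS, ["alice", "bob"], ["dave", "erin"])` moves alerts 101, 103 and 104 to dave, erin and dave in turn while leaving the closed alert and carol's alert alone.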
Further Scope
- The current design activates and deactivates the analysts. However, FSR 7.0.1 introduces the concept of Concurrent Users, with which this may no longer be needed. You can delete those steps from the playbook as appropriate.
- Reports can contain more fields if needed for additional context.
- Currently all users (except CS Admin) are added to the Roster. If only selected users are relevant for the Roster, you can skip the playbook that does this and add users to the Roster manually instead.
#FortiSOAR