FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
FortiSOAR™ provides an SLA Templates module that you can use to create built-in SLA management for incidents and alerts.
You can define SLAs for incidents and alerts at varying degrees of severity and track whether those SLAs are met or missed. 

Important: To use the SLA feature, you must install the FSR-IR-CONTENT-PACK on a fresh installation of FortiSOAR™. NEVER install the content pack after you have modified any data or if you have any existing data. If you install the FSR-IR-CONTENT-PACK after you have modified or added data, the customizations or data might be lost.

The FSR-IR-CONTENT-PACK contains the "Case Management" playbooks collection, which automatically tracks the SLAs of the case management workflows, and other OOB playbooks that demonstrate various use cases. For more information on the FSR-IR-CONTENT-PACK, see the FSR-IR-CONTENT-PACK article in the Fortinet Knowledge Base.

Note: To view automatic tracking of SLAs on your incident or alert records, you do not need to modify the "Case Management" playbooks collection. However, you must schedule some playbooks in this collection as described in this article.

After you have installed the FSR-IR-CONTENT-PACK, you can view the default case management playbook collection named "Case Management", which helps you manage your case SLA workflows. To view the default case management playbooks, click the Settings icon in the top-bar to open the "System Configuration" page. Click the System Fixtures tab and then click the Case Management link to open the case management playbook collection.

Within the case management playbook collection, there are two playbooks for "Incidents" records that you can schedule as per your defined SLAs: "Incident > [04] Check for Ack SLA violations" and "Incident > [05] Check for Response SLA violations". The "Incident > [04] Check for Ack SLA violations" playbook checks for acknowledgement SLA violations of the Open Incidents every 5 minutes, and the "Incident > [05] Check for Response SLA violations" playbook checks for response SLA violations of the acknowledged Incidents every 5 minutes. You should set the schedule interval to the lowest number set in the SLA templates.
For example, if the lowest number set in the SLA templates is the acknowledgement SLA of 10 minutes, then schedule the "Incident > [04] Check for Ack SLA violations" playbook to run every 10 minutes.

To schedule the "Incident > [04] Check for Ack SLA violations" playbook:
  1. Click Automation > Schedules in the left navigation bar. 
  2. Click Create New Schedule.
  3. In the "Schedule Details" dialog, enter the following details:
    1. In the Name field, add the name of the schedule. 
    2. If you want to start the schedule immediately after creating the schedule, click the Start Schedule checkbox.
    3. From the Playbook drop-down list, select the "Incident > [04] Check for Ack SLA violations" playbook.
    4. In the "Schedule Frequency" section, select the Every X minute option and enter */10 in the minute field.   
      This schedules the playbook to run every 10 minutes. 
    5. Enter the other details as required and then click Save to save the schedule. For more information on scheduling, see the Schedules chapter in the "User Guide."
Similarly, you can schedule the "Incident > [05] Check for Response SLA violations" playbook to check response SLA violations of the acknowledged Incidents, and the "Alert > [04] Check for Ack SLA violations" playbook to check acknowledgement SLA violations for Alerts.

Important: Records must be in the “Open” state along with a proper severity set for the acknowledgement and response SLAs to be calculated.

For more information on SLAs, such as creating SLAs and viewing incident or alert records to know whether the SLAs have been met or missed, see the SLA Management chapter in the "Administration Guide."