Centralize, standardize, and automate security operations
With broad integrations, rich functions, hundreds of pre-built playbooks and simple customization, FortiSOAR is designed to be the central hub for the critical operations that protect and power your organization.
Alert ingestion and bi-directional integrations
The foundation of FortiSOAR is connectivity. Integration flexibility and connectors to over 500 multivendor products allow FortiSOAR to ingest alerts from virtually any security source and interact with any IT system or application. The pre-built connectors each support an array of actions, typically bi-directional, that enable automated commands, queries, and actions useful for investigation, remediation, and notifications.
Investigation, response, and case management
FortiSOAR can automatically triage, enrich, and assess alerts from virtually any security product. Routine alerts can be automatically handled and closed. Priority alerts are mapped to the MITRE ATT&CK framework and intelligently grouped into incidents for deeper investigation. ML-driven task automation and playbook recommendations augment rich investigation features, suggest actions, and execute complete remediation steps. FortiSOAR supports complete case management features as well as two-way linkages to ticketing and communications systems, and includes a secure mobile application.
Collaboration and incident war room
The FortiSOAR investigation interface makes it simple for analysts to collaborate, and supports communications and playbook permissions via email, Zoom, Slack, Teams, and other popular methods. Analysts can also trigger a dedicated war room for streamlined and collaborative high-priority incident management. War room functions include invitation-only access, task management, collaboration tools, dedicated private communications, reporting, and full forensics-level logging of all activities.
Threat intelligence management
FortiSOAR automatically ingests, aggregates, normalizes, and curates a wide range of IT/OT threat feeds, including Fortinet's FortiGuard threat intel data. Relevant intel automatically enriches alerts and is presented during analyst investigations. As a complete Threat Intel Platform, FortiSOAR supports IOC export via STIX, TAXII, and CSV, a dedicated goal-based threat intelligence management workspace, and request ticketing and assignment to facilitate threat research, collaboration, and sharing.
Asset and vulnerability management
FortiSOAR integrates with asset management and vulnerability scanning systems to give you a complete risk-based picture of your IT/OT assets - including identification, criticality, vulnerability status, and alert conditions. Analysts and managers can use this information to launch automated remediation or other playbooks and assign and track tasks. Alert and incident investigation is enriched and accelerated by having complete asset profiles at hand without the need to access other systems or tools.
Workforce and SLA management
FortiSOAR provides all of the key functions a SOC manager needs to run effective operations. The system can automatically assign tasks based on priority, expertise matching, and analyst task backlog. Leaders can define and manage work queues, shift schedules, and staff calendars. Team and individual SLA metrics can be defined and tracked. Standard reports suiting both enterprise and MSSP uses can be easily customized or newly created.
Playbook and connector creation
The patented playbook design experience provides a visual drag/drop graphical user interface (GUI) and a low-code rapid development mode that allows users to easily create playbooks without technical coding skills. Hundreds of prebuilt playbooks and automated actions can be used as building blocks, while the FortiSOAR Recommendation Engine provides inline step guidance. The designer function includes full CI/CD support as well as a simulation engine for testing. New connector creation is supported by an intuitive and guided wizard application.