Fortinet SOAR: Solution Overview, Features and Limitations

What Is Fortinet SOAR (FortiSOAR)? 

Fortinet SOAR (FortiSOAR) is a security orchestration, automation, and response (SOAR) solution that aims to simplify security operations for organizations. It is intended to address the challenges faced by security operations center (SOC) teams, network operations center (NOC) teams, and operational technology (OT) teams by unifying workflows, automating processes, and supporting threat detection and incident response.

FortiSOAR acts as a security operations hub, where organizations integrate their existing security tools, automate repetitive tasks, and standardize incident response procedures. It is designed to handle multiple integrations and prebuilt workflows.

This platform offers centralized threat intelligence, playbook customization, and risk-based vulnerability management. It can be deployed as a Software-as-a-Service (SaaS) solution, on-premises, or through managed security service providers (MSSPs).

This is part of a series of articles about FortiSIEM.

Key Features of FortiSOAR 

FortiSOAR provides the following features:

• Security incident response: Automates alert triage, investigation, and response workflows, integrating with other security tools. It includes prebuilt playbooks to support SOC, NOC, and OT teams.
• Case and workforce management: Provides tools for managing task assignments, tracking work queues, and handling team scheduling.
• Threat intelligence integration: Incorporates intelligence from FortiGuard Labs and other public sources to enrich investigations and support threat hunting.
• Asset and vulnerability management: Offers risk-based views of assets, vulnerability tracking, and automated mitigation workflows intended to improve operational efficiency.
• Compliance automation: Aims to simplify IT/OT compliance management through task automation, detailed reporting, and tracking of service-level agreements (SLAs).
• OT security management: Offers specialized integrations and playbooks for operational technology environments.
• Generative AI assistance: Leverages AI tools like FortiAI and a Recommendation Engine to help accelerate analyst workflows by providing insights and suggestions.
• Playbook designer: Includes a no- and low-code interface for creating custom automation workflows using drag-and-drop functionality, enabling teams with limited programming expertise to customize operations.
• Deployment options: Supports on-premises, public cloud, SaaS, and MSSP deployments.
• Content hub: Provides access to a library of connectors, playbooks, solutions, and community resources intended to improve system capabilities continuously.

Use Cases of FortiSOAR 

1. SOC Threat Investigation and Response

FortiSOAR automates alert triage, enrichment, and response by integrating with multiple security products. Routine alerts are automatically handled, while priority alerts are mapped to the MITRE ATT&CK framework and grouped into incidents for deeper analysis. 

Analysts are supported with playbook recommendations and can manage escalated incidents via a “war room” feature for collaboration and forensic tracking. Using the secure mobile application, analysts can respond to incidents from different locations.

2. Asset and Vulnerability Management

FortiSOAR integrates with asset management and vulnerability scanners to deliver a risk-based view of IT and OT assets. It provides insights into asset criticality, vulnerabilities, and alert conditions, helping teams to prioritize and address risks. 

Automated playbooks are designed to simplify remediation, while incident investigations benefit from enriched context with access to ready-made asset profiles.

3. OT Security Operations

Operational technology (OT) systems face growing risks due to their convergence with IT. FortiSOAR attempts to address these risks by enabling integrated OT security operations. It provides OT asset and vulnerability management features, industrial control system (ICS)-specific threat views, and OT-specific playbooks. 

These tools are meant to align with best practices recommended by the Cybersecurity and Infrastructure Security Agency (CISA), which help ensure protection for OT environments.

4. Compliance Automation and Reporting

FortiSOAR potentially simplifies compliance management by automating advisory updates, compliance tasks, and reporting. It supports tracking and dashboards tailored to various regulations, including GDPR, HIPAA, and US NERC CIP. 

Its SLA tracking, asset management, and vulnerability management features intend to help manage mandatory alerts and actions to maintain compliance.

5. Custom Playbook Creation

FortiSOAR offers a visual drag-and-drop interface for creating custom playbooks, which does not require technical coding skills. This low-code development is so that users can design and simulate workflows. 

The platform includes access to various prebuilt playbooks from the FortiSOAR Content Hub and inline guidance from the Recommendation Engine. This potentially makes it easier to implement and adapt automation to different needs.

6. MSSP Operations

FortiSOAR supports the deployment models required by managed security service providers (MSSPs). It enables shared and dedicated tenant setups, supports hierarchical and regional SOC structures, and offers per-tenant playbooks, alerts, and dashboards. 

MSSPs might benefit from the relatively flexible licensing and the focus on customizable services and managing costs.

Related content: Read our guide to SOAR security

Examples of FortiSOAR Solution Packs 

Automated Employee Onboarding

The Automated Employee Onboarding solution pack hopefully simplifies the onboarding and offboarding processes for large organizations, especially those with high employee turnover. While modern identity and access management (IAM) or single sign-on (SSO) systems manage most access, legacy systems often require manual configuration to grant or revoke permissions. This solution helps automate these processes using tools like Active Directory and email-based triggers.

The solution pack includes resources such as:

• Connectors: Integration with Exchange, Active Directory, MySQL, and SSH for communication and execution of tasks across platforms.
• Global variables: A demo mode for simulations without affecting live environments.
• Playbooks: Predefined workflows to onboard/offboard employees, create or disable user accounts on systems, and configure access to services like MySQL and SSH.

The system maps users’ access needs via Active Directory groups, with the goal that each employee gets the appropriate permissions. Requests for provisioning typically originate from HR systems or email, and the automated playbooks help handle creating accounts, configuring mailboxes, and managing server access.

Brute Force Attack Response

The Brute Force Attack Response solution pack provides an automated response to login failures and brute force attempts. It aims to identify the source of attacks and assess the impact on affected systems.

Key features include:

• Integration with tools: It uses VirusTotal for IP reputation analysis, Active Directory for querying users, and Splunk for event ingestion and search.
• Scenarios: Demonstrations of brute force detection using connectors like FortiSIEM and Syslog.
• Playbooks: Prebuilt workflows to help investigate login failures, extract key indicators like source and destination IPs, and add to this data with threat intelligence.

By automating repetitive analysis tasks, the solution aims to reduce manual effort and improve response time. Security teams can isolate affected systems and block malicious actors to prevent further compromise.

C2 Malware Traffic Response

The C2 Malware Traffic Response solution pack focuses on handling command-and-control (C2) attacks. These attacks involve malware-infected systems communicating with an attacker’s server to steal data, download additional malware, or control infected systems.

Key components include:

• Scenario: A demonstration of a malicious outbound connection detected via known C2 ports.
• Playbooks: Tools to help investigate and contain the threat by isolating or blocking malicious IPs using Fortinet FortiGate and retrieving related indicators from threat intelligence sources.

This solution automates containment and investigation workflows, assisting security teams to mitigate the impact of C2 attacks. It also provides enriched intelligence to help analysts understand the scope and nature of the attack.

FortiSOAR Limitations 

FortiSOAR also has limitations that can affect the ease of use, integration capabilities, and overall user experience. These limitations were reported by users on Gartner Peer Insights:

• Connector development complexity: If a desired product lacks a prebuilt connector in FortiSOAR, users must develop one themselves. This process can be challenging and time-intensive, particularly for those unfamiliar with connector creation.
• Limited integration with some data sources: FortiSOAR struggles to integrate with certain data sources, which can hinder its ability to provide bi-directional communication across the entire security tech stack.
• Complex administration: The platform’s administration features are not user-friendly, making it difficult for teams to manage and configure without significant experience or training.
• Insufficient documentation: The documentation, especially regarding integrations with third-party tools, is often inadequate. This lack of detailed guidance can lead to challenges during setup and integration.
• High initial setup complexity: Setting up and configuring FortiSOAR can be time-consuming and complicated, with a steep learning curve for new users.
• Playbook and dashboard complexity: The platform’s playbook design and reporting features can be overly complex, with too many options that may overwhelm users, especially during initial implementation.
• Cost concerns: The cost of FortiSOAR can be excessive for some organizations. While it integrates well with other Fortinet products, this integration comes at a premium.

Related content: Read our guide to Fortinet competitors

Exabeam: Ultimate Fortinet SOAR Alternative

While Fortinet SOAR (FortiSOAR) provides security automation and orchestration capabilities, its complexity, rigid integration model, and reliance on prebuilt playbooks can limit adaptability in dynamic security environments. 

Exabeam takes a more flexible approach by combining SIEM, SOAR, and UEBA into a unified platform that streamlines investigations and automates response workflows without requiring extensive manual tuning. Unlike FortiSOAR, which focuses primarily on automating predefined tasks, Exabeam applies behavioral analytics to detect anomalies and adapt automation based on evolving threats. With prebuilt API integrations for a wide range of security tools—including Fortinet products—Exabeam provides broader visibility and faster response times, ensuring that security teams stay ahead of attackers while reducing operational overhead.

Exabeam is a leading provider of security information and event management (SIEM) solutions, combining UEBA, SIEM, SOAR, and TDIR to accelerate security operations. Its Security Operations platforms enable security teams to quickly detect, investigate, and respond to threats while enhancing operational efficiency.

Key Features:

• Scalable log collection and management: The open platform accelerates log onboarding by 70%, eliminating the need for advanced engineering skills while ensuring seamless log aggregation across hybrid environments.
• Behavioral analytics: Uses advanced analytics to baseline normal vs. abnormal behavior, detecting insider threats, lateral movement, and advanced attacks missed by signature-based systems. Customers report that Exabeam helps detect and respond to 90% of attacks before other vendors can catch them.
• Automated threat response: Simplifies security operations by automating incident timelines, reducing manual effort by 30%, and accelerating investigation times by 80%.
• Contextual incident investigation: Since Exabeam automates timeline creation and reduces time spent on menial tasks, it cuts the time to detect and respond to threats by over 50%. Pre-built correlation rules, anomaly detection models, and vendor integrations reduce alerts by 60%, minimizing false positives.
• SaaS and cloud-native options: Flexible deployment options provide scalability for cloud-first and hybrid environments, ensuring rapid time to value for customers. For organizations who can’t, or won’t move their SIEM to the cloud, Exabeam provides a market-leading, full featured, and self-hosted SIEM.
• Network visibility with NetMon: Delivers deep insight beyond firewalls and IDS/IPS, detecting threats like data theft and botnet activity while making investigation easier with flexible searching. Deep Packet Analytics (DPA) also builds on the NetMon Deep Packet Inspection (DPI) engine to interpret key indicators of compromise (IOCs).

Exabeam customers consistently highlight how its real-time visibility, automation, and productivity tools powered by AI, uplevel security talent, transforming overwhelmed analysts into proactive defenders while reducing costs and maintaining industry-leading support. For more information visit Exabeam.com