Connecting FortiSIEM with LogPoint SOAR

  • 7 June 2022
  New Participant
Can the FortiSIEM product from Fortinet connect to LogPoint SOAR?

If yes, can you share with me the steps or the actions needed?

The LogPoint SOAR component is an integral part of the LogPoint SIEM, so the idea is that it would always be the LogPoint SIEM that triggers incidents for the SOAR Playbooks to spring into action. In that sense, if the FortiSIEM still applies its own intelligence to create alerts etc., it would need to forward these to the LogPoint SIEM in a way that allows them to be normalised, so that the LogPoint SIEM can raise an alert with all the information the SOAR needs to run its playbooks. FortiSIEM cannot raise alerts with the LogPoint SOAR directly.

We do not have a normaliser for these potential FortiSIEM alerts, and one of the reasons is that third-party SIEM alerts are usually bespoke to each event: an alert for a security incident might look vastly different from an alert raised because a server is down, and the data that comes with them, which might be needed in a Playbook, is different again. Depending on the type of alerts that we would expect to see fed into the LogPoint SIEM, it might be possible to build such normalisers.

Once something is triggered from the LogPoint SIEM, the SOAR Playbooks themselves can in fact interact with FortiSIEM for further evaluations during the run of a playbook. FortiSIEM is already available as an entity in SOAR, and we can, for example, run certain queries against it or clear an incident from within our playbooks.

So it would really come down to the unique use cases, and the type of incidents that get raised and how they would make their way into the LogPoint SIEM.
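The answer above says a normaliser for forwarded FortiSIEM alerts would have to cope with alerts of different shapes (a security incident versus a server-down notification) and still hand the playbook the fields it needs. The following is an added illustration of that normalisation step, written for this page and not code from LogPoint or Fortinet. The sample alert lines are constructed in a generic key="value" syslog style; the field names (incidentId, ruleName, severity, category, srcIp, user, hostName) and the per-category required fields are assumptions chosen for the example, not the real FortiSIEM notification format or LogPoint's normaliser syntax.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample notifications (NOT real FortiSIEM output). Field names
# are assumptions used to show how differently shaped alerts get normalised.
SAMPLE_ALERTS = [
    'incidentId="1001" ruleName="Brute Force Login" severity="9" '
    'category="Security" srcIp="10.0.0.5" user="alice"',
    'incidentId="1002" ruleName="Server Down" severity="7" '
    'category="Availability" hostName="web01.example.internal"',
    # Third line deliberately lacks a category, so the playbook cannot know
    # which enrichment fields to expect.
    'incidentId="1003" ruleName="Disk Usage" severity="5"',
]

# key="value" pairs; values may contain spaces but not double quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields a playbook is assumed to need for each alert category. A missing
# field is recorded rather than silently dropped, so the playbook author can
# see which alert types still need a richer normaliser.
REQUIRED_BY_CATEGORY = {
    "Security": ["srcIp", "user"],
    "Availability": ["hostName"],
}

# Minimal set every alert must carry before it is worth raising at all.
MANDATORY = ("incidentId", "ruleName", "severity")


@dataclass
class NormalisedAlert:
    incident_id: str
    rule_name: str
    severity: int
    category: str
    fields: dict = field(default_factory=dict)   # remaining raw attributes
    missing: list = field(default_factory=list)  # required-but-absent fields

    def playbook_ready(self) -> bool:
        """True only when the category is known and nothing it needs is absent."""
        return self.category != "Unknown" and not self.missing


def parse_kv(line: str) -> dict:
    """Split one key="value" line into a dict (last duplicate key wins)."""
    return dict(KV_RE.findall(line))


def normalise(line: str) -> Optional[NormalisedAlert]:
    """Map one raw alert line onto the common schema.

    Returns None when the line cannot be turned into an alert at all
    (mandatory field absent or severity not numeric); partially usable
    alerts are returned with their gaps listed in `missing`.
    """
    raw = parse_kv(line)
    if any(key not in raw for key in MANDATORY):
        return None
    try:
        severity = int(raw["severity"])
    except ValueError:
        return None

    category = raw.get("category", "Unknown")
    required = REQUIRED_BY_CATEGORY.get(category, [])
    missing = [name for name in required if name not in raw]
    extra = {k: v for k, v in raw.items()
             if k not in MANDATORY and k != "category"}
    return NormalisedAlert(
        incident_id=raw["incidentId"],
        rule_name=raw["ruleName"],
        severity=severity,
        category=category,
        fields=extra,
        missing=missing,
    )


def normalise_all(lines) -> list:
    """Normalise a batch, discarding lines that are not alerts at all."""
    return [alert for alert in map(normalise, lines) if alert is not None]


if __name__ == "__main__":
    for alert in normalise_all(SAMPLE_ALERTS):
        status = "ready" if alert.playbook_ready() else f"incomplete {alert.missing or alert.category}"
        print(f"{alert.incident_id} {alert.category:<13} sev={alert.severity} {status}")
```

The point of recording `missing` and an explicit `Unknown` category, rather than raising an alert with whatever fields happened to arrive, is that a playbook acting on a forwarded alert will otherwise fail part-way through (for example, trying to look up a source IP that was never present). Knowing up front which alert types arrive incomplete tells you where a dedicated normaliser is still needed.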