
ML Capabilities In FortiSOAR

    Posted Jun 01, 2021 12:01 AM
    There are often incoming questions about ML usage in FortiSOAR. With 7.0 adding more ML capabilities, here is a summary of the ML capabilities in FSR:

    ML Capabilities In FortiSOAR

    In FortiSOAR, Machine Learning primarily powers the Recommendation Engine, apart from serving other extensible use cases. The Recommendation Engine helps analysts uncover patterns and similarities in threats, suggesting whether there is an underlying larger threat campaign. It also serves as the prediction engine, suggesting suitable assignments, severity, etc. based on past similar threat patterns. Taking this into account, the ML capabilities within FortiSOAR are:

    1. Power FortiSOAR's Recommendation Engine - Users have the option to work with various ML models to get the right prediction that suits their need. Model training can be scheduled to account for new incoming data in the system.
    2. Auto-population of data - FortiSOAR Ingestion wizard utilizes these capabilities to allow users to choose the fields which they want to auto-populate during data ingestion. For example, users can get the assignment field auto-populated for incoming threats, thereby helping the SOC for quicker and more relevant analyst assignments, powered by past threat investigation patterns.
    3. Utility As ML Connector - The ML connector can be used within playbooks as part of building use cases. For example, to find similar threats to the incoming one and automatically group the high-scoring ones into an incident.
    4. Building upon the ML Connector - With Connector wizard, power users can also enhance the ML connector to get more value out of the data. This could mean leveraging external ML APIs and other third-party products to generate more intelligence for consumption within FortiSOAR.
    5. Scaling - The ML Connector can be run on a separate agent, thus allowing for scenarios where the data on which the models need to be trained is significantly large. The ability to be externalized enables the process to run separately without affecting the system performance as such.