SOC-as-a-Service Brochure


SECURITY OPERATIONS CENTER AS A SERVICE
Augment your SOC with automation & Fortinet experts

DETECT - RESPOND - PROTECT

Q4/2022
What is SOCaaS?

Fortinet's Security Operation Center-as-a-Service (SOCaaS) is a cloud-based managed security monitoring service that analyzes security events generated from the Customer's FortiGate and other Fabric Products, performs alert triage, and escalates confirmed threat notifications.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/forticloud-socaas.pdf

How does it work?

Fortinet SOC collects & analyzes incoming logs 24x7x365, identifying confirmed and suspicious activity, which is first triaged by SOC analysts before final confirmation and escalation back to the customer SOC team.

During the SOCaaS on-boarding phase, many aspects are reviewed to identify and close the security gaps that would otherwise prevent incidents from being detected.

Service at a Glance

Detection Use Cases:
- Compromised Hosts
- Malware Detection
- Unauthorized Access
- Policy Violation
- Botnet / C&C
- Lateral Movement

Operations & Integration:
- 24x7 Monitoring & Alert Triage
- Cloud Service Portal
- Reports
- Quarterly Business Review
- Detection & Escalation Tuning
- Log Storage

[Figure: SOCaaS service cycle. Customer side: Logging to Fortinet, Hardening Best Practices, Logging Best Practices, Health Monitoring, Tuning Recommendations, Security Posture Review. SOCaaS side (Powered by FortiGuard & SOAR, SOC 2 Type II): Logging, Detect, Investigate, Escalate (Escalate to Customer), Remediate, Improve, Protect.]
How does my SOC integrate with SOCaaS?

Fortinet SOCaaS detections are investigated 24x7, and qualified incidents will be escalated to the customer SOC contact points. Alerts can be received via Email or phone call, and all details are provided within the SOCaaS Portal.

Gain full visibility of the service, track SOC escalated alerts, view the insights of the detected threat and submit new service requests.

Threat Focus Areas

Preparation: Attacker can enter the network, perform malicious transfers, and go undetected due to misconfiguration.
Reconnaissance: Attacker probes the victim's infrastructure and gains insights into vulnerable access points.
Initial Access: Attacker gains an initial foothold in the victim's network through successful spear-phishing attacks.
Execution: Attacker is able to execute commands or scripts on a local server.
Persistence: Attacker is able to maintain a foothold on a vulnerable victim server by replacing legitimate code or adding start-up code.
Privilege Escalation: Attacker is able to exploit weaknesses on the victim's network to gain access to a root or admin account.
Defense Evasion: Attacker is able to hide or disguise their presence by disabling security software or encrypting sessions.
Credential Access: Attacker has obtained usernames and passwords for the accounts associated with members of senior management.
Discovery: Attacker has obtained full control of the victim's server and has gained significant information regarding infrastructure assets and privileged accounts.
Lateral Movement: Attacker is able to move through the network from system to system by using legitimate credentials or installing remote access code.
Collection: Attacker has gained access to local files or database stores and is gathering confidential data.
Command and Control: Attacker has full remote control over a victim's asset.
Exfiltration: Attacker is using stealth techniques to remove confidential data from the victim's network.
Impact: Attacker is using disruptive or stealth techniques to hide their presence and data exfiltration exploits.
SOC Use Case Details

[Figure: kill chain, PRE ATTACK through ATTACK, with an example campaign for each stage]
- Reconnaissance: Supply Chain Mapping (SolarWinds)
- Weaponization: Digitally-signed software (SolarWinds)
- Delivery: BEC Insertion (Emotet)
- Exploitation: Zerologon Exploit (Ryuk)
- Installation: Target OT (Ekans)
- Command & Control: IoT C2 Network (Trickbot)
- Action on Objectives: Increasingly Malicious Ransomware Extortion; Targeted Business Interruption; Political/Hacktivism
PREPARATION
FortiGate Best Practices
Use cases which detect misconfigurations, gaps in visibility & detection, and logging problems.

Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
Device Logging Problems | FortiGate | Not applicable | Available
Device misconfigurations (Tuning Preventive Controls) | FortiGate | UTM logs | Available
Device Logging Problems | Additional Fabric Devices | TBD | Coming Soon
Device misconfigurations (Tuning Preventive Controls) | Additional Fabric Devices | TBD | Coming Soon

RECONNAISSANCE
Reconnaissance
Use cases which detect techniques actively or passively gathering information.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1595 | Active Scanning | FortiGate | Traffic, IPS | Available
T1595 | Active Scanning | FortiDeceptor | Scan Detection | Coming Soon
T1598 | Phishing for Information | FortiGate | Email Filtering | Coming Soon

NOTE: Use Case coverage evolves rapidly; please consult the latest coverage published in FortiGuard at https://www.fortiguard.com/socaas/


DELIVERY
Initial Access
Use cases which detect compromised websites, applications, remote access, services or phishing attacks.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1189 | Drive-by Compromise | FortiGate | Traffic, Web Filtering, DNS Filtering, IPS | Available
T1189 | Drive-by Compromise | FortiClient | Anti-Exploit, Web Filtering | BETA
T1190 | Exploit Public-Facing Application | FortiGate | IPS | Available
T1190 | Exploit Public-Facing Application | FortiWeb | Attack | Coming Soon
T1190 | Exploit Public-Facing Application | FortiGate | WAF | Coming Soon
T1133 | External Remote Services | FortiGate | Application Control, Traffic | Available
T1091 | Replication Through Removable Media | FortiClient | USB Device Control, Anti-Virus | BETA
T1091 | Replication Through Removable Media | FortiEDR | Security Logs | Coming Soon
T1566 | Phishing | FortiGate | Anti-Virus, DNS and Web Filtering | Available
T1566 | Phishing | FortiMail + FortiSandbox | Email Filtering | Coming Soon

EXPLOITATION
Execution
Use cases which detect when unauthorized code or software is enabled on a system.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1059 | Command and Scripting Interpreter | FortiGate | Application Control, Web and DNS filtering, Traffic | Available
T1059 | Command and Scripting Interpreter | FortiEDR | Security Logs | Coming Soon
T1203 | Exploitation for Client Execution | FortiGate | IPS | Available
T1203 | Exploitation for Client Execution | FortiClient | Anti-Exploit | BETA
T1072 | Software Deployment Tools | FortiGate | Application Control, Traffic | Available
T1072 | Software Deployment Tools | FortiClient | Application Firewall | Coming Soon
T1072 | Software Deployment Tools | FortiClient MS Windows Events | MS Windows Application Events | Coming Soon
T1204 | User Execution | FortiClient | Anti-Exploit | BETA
T1204 | User Execution | FortiClient MS Windows Events | MS Windows Application Events | Coming Soon
T1204 | User Execution | FortiEDR | Security Logs | Coming Soon
T1559 | Inter-Process Communication | FortiEDR | Security Logs | Coming Soon
T1106 | Native API | FortiEDR | Security Logs | Coming Soon
T1569 | System Services | FortiEDR | Security Logs | Coming Soon


Credential Access
Use cases which detect attempts to steal credentials, such as keyloggers or credential dumping attacks.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1110 | Brute Force | FortiGate | IPS, Traffic | Available
T1110 | Brute Force | FortiClient + MS Windows Events | MS Windows Security events | Coming Soon
T1110 | Brute Force | FortiWeb | Application Control, Traffic | Coming Soon
T1083 | File and Directory Discovery | FortiGate | IPS, Traffic | Available
T1083 | File and Directory Discovery | FortiClient + MS Windows Events | MS Windows Security & Application | Coming Soon
T1003 | OS Credential Dumping | FortiEDR | Security Logs | Coming Soon
T1003 | OS Credential Dumping | FortiClient + MS Windows Events | MS Windows Security & Application | Coming Soon

Discovery
Use cases which detect when attackers are attempting to gain knowledge about systems and internal networks.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1083 | File and Directory Discovery | FortiGate | IPS, Traffic | Available
T1083 | File and Directory Discovery | FortiClient + MS Windows Events | MS Windows Security Events | Coming Soon
T1046 | Network Service Scanning | FortiGate | IPS, Traffic | Available
T1135 | Network Share Discovery | FortiGate | IPS, Traffic | Available
T1018 | Remote System Discovery | FortiGate | IPS, Traffic | Available


Defense Evasion
Use cases which detect when attackers are attempting to circumvent protection controls.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1211 | Exploitation for Defense Evasion | FortiGate | IPS | Available
T1211 | Exploitation for Defense Evasion | FortiClient | FortiShield & Anti Exploit | BETA
T1211 | Exploitation for Defense Evasion | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1462 | Impair Defenses | FortiClient | FortiShield | BETA
T1462 | Impair Defenses | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1497 | Virtualization / Sandbox Evasion | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1027 | Obfuscated Files or Information | FortiEDR | Security Logs | Coming Soon
T1216 | System Script Proxy Execution | FortiEDR | Security Logs | Coming Soon

Privilege Escalation
Use cases which detect attempts to gain higher-level permissions on a system or network.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1543 | Create or Modify System Process | FortiEDR | Security Logs | Coming Soon
T1543 | Create or Modify System Process | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1055 | Process Injection | FortiEDR | Security Logs | Coming Soon
T1055 | Process Injection | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1068 | Exploitation for Privilege Escalation | FortiClient MS Windows Events | MS Windows Security | Coming Soon


INSTALLATION
Lateral Movement
Use cases which detect attempts to gain unauthorized access to systems on a network from a presumably trusted source on the same network.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1210 | Exploitation of Remote Services | FortiGate | IPS | Available
T1210 | Exploitation of Remote Services | FortiDeceptor | IPS | Coming Soon
T1210 | Exploitation of Remote Services | FortiWeb | Attack | Coming Soon
T1534 | Internal Spearphishing | FortiGate + FortiSandbox | Anti-Virus, Web Filtering | Available
T1534 | Internal Spearphishing | FortiGate | Email Filtering | Coming Soon
T1534 | Internal Spearphishing | FortiMail + FortiSandbox | Email Filtering, Anti Virus | Coming Soon
T1570 | Lateral Tool Transfer | FortiGate | IPS, Anti-Virus, Traffic | Available
T1570 | Lateral Tool Transfer | FortiGate + FortiSandbox | Anti-Virus | Available
T1021 | Remote Services | FortiGate | Traffic | Available
T1021 | Remote Services | FortiClient MS Windows Events | Windows Application Events | Coming Soon
T1072 | Software Deployment Tools | FortiGate | Application Control, Traffic | Available
T1072 | Software Deployment Tools | FortiClient | Application Firewall | Coming Soon
T1072 | Software Deployment Tools | FortiClient MS Windows Events | Windows Application Events | Coming Soon
T1091 | Replication Through Removable Media | FortiClient | USB Device Control, Anti-Virus | BETA
T1091 | Replication Through Removable Media | FortiEDR | Security Logs | Coming Soon


Persistence
Use cases which detect attempts to keep access to systems across restarts, changed credentials, and other interruptions that could cut off adversary access.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1543 | Create or Modify System Process | FortiEDR | Security Logs | Coming Soon
T1543 | Create or Modify System Process | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1546 | Event Triggered Execution | FortiEDR | Security Logs | Coming Soon
T1546 | Event Triggered Execution | FortiClient MS Windows Events | MS Windows Security | Coming Soon
T1176 | Browser Extensions | FortiGate | Traffic | Available
T1133 | External Remote Services | FortiGate | Application Control, Traffic | Available
T1574 | Hijack Execution Flow | FortiEDR | Security Logs | Coming Soon


C2
Collection
Use cases which detect techniques used by attackers to gather information for the purpose of exfiltration.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1602 | Data from Configuration Repository | FortiGate | Traffic, IPS | Available

Command & Control
Use cases which detect suspicious traffic originating from internal systems to external destinations.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1071 | Application Layer Protocol | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1132 | Data Encoding | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1001 | Data Obfuscation | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1568 | Dynamic Resolution | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1573 | Encrypted Channel | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1008 | Fallback Channels | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1105 | Ingress Tool Transfer | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1105 | Ingress Tool Transfer | FortiGate + FortiSandbox | Anti Virus | Available
T1105 | Ingress Tool Transfer | FortiClient + FortiSandbox | Anti Virus | BETA
T1104 | Multi-Stage Channels | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1095 | Non-Application Layer Protocol | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1571 | Non-Standard Port | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1572 | Protocol Tunneling | FortiGate | IPS, Web and DNS Filtering, Traffic | Coming Soon
T1219 | Remote Access Software | FortiGate | Traffic & Application Control | Available
T1219 | Remote Access Software | FortiClient | Application Control | BETA
T1092 | Communication Through Removable Media | FortiClient | USB Device Control | Available


ACTIONS
Exfiltration
Use cases which detect techniques that adversaries may use to steal data and avoid detection while removing it.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1041 | Exfiltration Over C2 Channel | FortiGate | IPS, Web and DNS Filtering, Traffic | Available
T1052 | Exfiltration Over Physical Medium | FortiClient | USB Device Control | Available
T1567 | Exfiltration Over Web Service | FortiClient | Traffic | Coming Soon
T1048 | Exfiltration Over Alternative Protocol | FortiGate | Traffic | Coming Soon
T1537 | Transfer Data to Cloud Account | FortiGate | Traffic, Application Firewall | Coming Soon

Impact
Use cases which detect techniques that adversaries may use to disrupt availability or compromise integrity by manipulating business and operational processes.

MITRE ID | Use Case Description | Fabric Device | Log Source | Fabric Device Logs & FortiGuard Service Availability
T1486 | Data Encrypted for Impact | FortiEDR | Security Logs | Coming Soon
T1486 | Data Encrypted for Impact | FortiClient MS Windows Events | MS Windows Security | Coming Soon

Visit Fortinet.com for more details.

Q4/2022 11.09.22
