SLA Management
FortiSOAR provides an SLA Templates module that you can use to set up built-in SLA management for incidents and alerts.
You can define SLAs for incidents and alerts at varying degrees of severity and track whether those SLAs are met or missed.
The SLA feature requires the SOAR Framework Solution Pack to be installed.
FortiSOAR contains the "06 - IRP - Case Management" playbook collection, which automatically tracks the SLAs of alerts and incidents, and other OOB playbooks that demonstrate various use cases. The SLA Calculator connector calculates the SLA due dates based on the locale and work hours that you have specified. For more information on the SLA calculator, see the SLA calculator documentation on the FortiSOAR Connectors page.
Permissions required for managing SLAs
To create and manage SLAs, you must be assigned a role with a minimum of Create, Read, and Update permission on the SLA Templates module, Execute permission on the Playbooks module, Usage permission on the Widgets module, along with the default Read permission on the Application module. Appropriate permissions must also be assigned for the module (Alert or Incident) on which you want to define the SLA.
Working with SLA Templates
FortiSOAR includes an SLA template for each of the severity levels defined for incidents or alerts; that is, five SLA templates, one each for Critical, High, Medium, Low, and Minimal, are added by default in FortiSOAR.
You can set SLAs for both alerts and incidents using the same SLA Template.
To view or edit existing SLA templates, do the following:
- Click Automation > SLA Templates in the left navigation bar.
- Click the row of the SLA template that you want to view or edit. For example, click the SLA for High, i.e., for alerts or incidents whose severity is set to 'High'.
- View the SLAs that are set:
  - Time to acknowledge an incident or alert (Incident Ack Time/Alert Ack Time): 20 minutes. Acknowledgment SLAs are tracked when the status of incidents is set to 'In Progress' and alerts to 'Investigating'.
  - Time to respond to an incident or alert (Incident Response Time/Alert Response Time): 30 minutes. Response SLAs are tracked when the status of incidents is set to 'Resolved' and alerts to 'Closed'.
  - Similarly, SLAs can be paused (Pause Incident SLA On/Pause Alert SLA On) when the status of incidents is set to 'Awaiting' and alerts to 'Pending'.
You can edit the values of any of the above fields, for example, Incident Ack Time, based on your requirements:
To edit the SLA template in a form view, click the Edit Record button, edit the values, and then click Save.
You can similarly add new SLA templates for alerts and incidents as per your requirement by clicking Add on the SLA Templates page.
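The acknowledgment, response, and pause tracking described above for the High template can be modeled as follows. This is an added sketch, not FortiSOAR or SLA Calculator connector code; it assumes wall-clock minutes (no locale or work hours), that both timers start when the record is opened, and that time spent in the pause status is excluded. The names `evaluate_sla`, `HIGH`, `ALERT`, and `INCIDENT` are hypothetical.

```python
from datetime import datetime, timedelta

# Values shown on this page: High template limits and the tracked statuses.
HIGH = {"ack": 20, "respond": 30}  # minutes
ALERT = {"ack": "Investigating", "respond": "Closed", "pause": "Pending"}
INCIDENT = {"ack": "In Progress", "respond": "Resolved", "pause": "Awaiting"}

def evaluate_sla(history, template, statuses):
    """history: time-ordered (timestamp, status) pairs; the first entry is
    the record entering the Open state. Returns the Ack/Response verdicts."""
    start = history[0][0]
    paused = timedelta()   # total time spent in the pause status (assumed excluded)
    pause_start = None
    reached = {}           # milestone -> unpaused time elapsed when first reached
    for ts, status in history:
        if pause_start is not None:        # any new status ends the pause
            paused += ts - pause_start
            pause_start = None
        if status == statuses["pause"]:
            pause_start = ts
        active = ts - start - paused
        for key in ("ack", "respond"):
            if status == statuses[key]:
                reached.setdefault(key, active)

    def verdict(key):
        # Met/Missed is decided when the tracked status is set; until then
        # the SLA is still awaiting action.
        if key not in reached:
            return "Awaiting Action"
        limit = timedelta(minutes=template[key])
        return "Met" if reached[key] <= limit else "Missed"

    return {"Ack SLA": verdict("ack"), "Response SLA": verdict("respond")}

# Constructed sample: a High-severity alert that waits 30 minutes in 'Pending'.
t0 = datetime(2024, 1, 8, 9, 0)
sample = [(t0, "Open"),
          (t0 + timedelta(minutes=12), "Investigating"),
          (t0 + timedelta(minutes=20), "Pending"),
          (t0 + timedelta(minutes=50), "Investigating"),
          (t0 + timedelta(minutes=58), "Closed")]

if __name__ == "__main__":
    print(evaluate_sla(sample, HIGH, ALERT))
```

In the constructed sample the alert is closed 58 minutes after opening, but only 28 of those minutes count against the 30-minute response limit because the 'Pending' interval is excluded.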
Viewing setting of SLAs on a record
You can view fields related to SLAs in the detail view of your alert or incident record, where you will see fields such as Ack Due Date, Ack Date, Ack SLA, Response Due Date, etc. using which you can track whether or not the SLAs have been met.
Records must be in the “Open” state along with a proper severity set for the acknowledgement and response SLAs to be calculated.
Open an alert record to view the status of the SLAs, i.e., whether they have been met, missed, or are awaiting some action. For example, in the following image, the Ack SLA for an alert with High severity has been Met, whereas the response SLA timer is running at 23 minutes 18 seconds, and the Response SLA is set to Awaiting Action. You can also see that the status of this alert is set to 'Investigating', which is why the acknowledgment SLA is met. Once the investigation of this alert is completed and its status is set to 'Closed', the time for the response will be calculated and, accordingly, the Response SLA will be set to Met or Missed: