Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Release Notes

    Home FortiSOAR 7.6.5 Release Notes
    7.6.5
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.5.2
    7.5.1
    7.5.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.2
    7.2.1
    7.2.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.4
    6.4.3
    6.4.1
    6.4.0
    6.0.0

    New Features and Enhancements

    New Features and Enhancements

    This release introduces features and improvements that enhance usability, increase performance, and elevate your FortiSOAR™ experience.

    FortiSOAR User Interface Enhancements

    Improved Markdown Editor

    • Fields whose type was set to "Rich Text (Markdown Editor)" were previously slow to render, which negatively impacted UI performance. This release introduces several improvements to deliver a faster and smoother editing experience:
      • Faster Loading with Markdown as View-Only Mode: The Markdown editor now loads in a view-only mode, reducing load times and preventing UI lag.
      • Optional Lazy Loading for Better Stability: Markdown Editor fields now support lazy loading, reducing CPU usage and helping prevent “Page Unresponsive” issues. Lazy loading is disabled by default to preserve existing behavior, but can be enabled as needed.
        • Form View: Markdown fields now initially render as plain textareas. The full editor loads only when the user clicks the field, improving responsiveness.
        • Detail View: Fields display in read-only mode by default. If the field is editable, the user clicks once to open the textarea and clicks again to open the editor.
      • Optimized Content Display with Configurable Word Limit: Markdown fields now display up to 50 words by default when in 'View' mode for faster page loads. Users can click View More to reveal the full content. Both the word-limit feature and the maximum word count are fully configurable.
      For more information, see the Working with Detail Views topic in the Customize Modules and Data Views chapter of the "User Guide."

    iFrame Configuration Settings

    • Release 7.6.5 introduces iFrame configuration options that allow you to control how external content is embedded within the application. Sandbox restrictions are enabled by default for enhanced security, and you require to specify which domains are allowed to load inside iFrames (by default, all domains are blocked). For details, see the iFrame Settings topic in the Application Configuration section of the "Administration Guide."

    Bulk Activation and Deactivation of Schedules

    • You can now activate or deactivate schedules in bulk. Previously, users had to disable and re-enable each schedule individually, which was time-consuming and inefficient when managing a large number of schedules, for example during upgrades or maintenance. This new capability streamlines the process by allowing you to pause or restart multiple schedules with just a few clicks. For details, see the Schedules chapter in the "User Guide."

    Copy Uploaded Files Directly to Collaboration Comments

    • You can copy files uploaded through the File Upload widget directly into the Comments tab of the Collaboration pane. When pasted, the file is automatically added as an attachment, with no need to reupload it through the form editor or create a new file. For details, see the File Upload topic in the Build and Customize Dashboards, Templates, and Widgets chapter of the "User Guide."

    Enhanced Relationship Widgets

    • The Relationships and Relationships Single Line Card widgets have been enhanced with a Filter Criteria section. This allows you to define filtering rules for related module records, which are applied automatically when the grid loads for more focused data display. For details, see the Working with Template Widgets chapter of the "User Guide."

    Playbook Enhancements

    Secure Password Input via User Prompt

    • Starting with release 7.6.5, users can securely provide passwords to FortiSOAR via a manual input prompt. This allows users without connector-page access to enter credentials that can be used in automation workflows, such as playbooks that create or update connector configurations. For details, see the Playbook Triggers chapter in the "Playbooks Guide."

    Improved Default View for Global Executed Playbook Logs

    • To improve the user experience when viewing executed playbook logs, the global Executed Playbook Log view (accessed from the upper-right corner of the screen) now defaults to displaying logs from the past 7 days. This setting is configurable: users can disable the limit to view all playbook executions or adjust the number of days shown. This enhancement reduces the number of clicks required to access older execution logs and provides a more streamlined viewing experience. For details, see the Viewing Executed Playbook Logs topic in the Playbook Execution and Debugging chapter and the Optimizing and Troubleshooting chapter of the "Playbooks Guide."

    Improved Jinja Editor

    • The Jinja Editor now slides in from the right, improving screen-space usage and providing more room to view and edit input and output expressions for a better overall experience. Additionally, step results are now handled correctly in the Jinja Editor and are presented in dictionary format, allowing step-level Jinja expressions to be evaluated without modification. For details, see the Jinja Editor topic in the Dynamic Values chapter of the "Playbooks Guide."

    Enhanced User Prompt

    • Starting with release 7.6.5, the 'Build Input Prompt' includes a new option: +Add Required Condition. This enhancement lets you define when a field should be mandatory during step execution, giving you more precise control over your workflows. Requirement types have also been streamlined—Manual Inputs now support Required, Not Required, Required by Condition, and Required by Mapping, while Manual Triggers support Required, Not Required, and Required by Condition.
      Previously, fields could only be marked as required or not. With this added flexibility, the system can better account for functional differences between steps and apply required-field rules only when they are relevant. For details, see the Playbook Triggers chapter in the "Playbooks Guide."

    System and Security Updates

    Unique Encryption key for Data Protection

    • FortiSOAR 7.6.5 now automatically generates a unique encryption key, per instance, during the Configuration Wizard process. This change significantly strengthens data protection by securing stored credentials, database entries, and inter-service communication with 256-bit encryption — all while maintaining full backward compatibility. All passwords saved after deployment are encrypted using this new key. For more information, see the Deploying FortiSOAR chapter in the "Deployment Guide."

    Restricted 'csadmin sudo' for User Access Control

    • FortiSOAR 7.6.5 has limited the csadmin user’s sudo privileges to only the commands required to work with FortiSOAR, rather than granting full 'root' access. This enhancement aligns with the principle of least privilege, significantly reducing exposure to sensitive system files and strengthening overall platform security. Therefore, commands such as yum, systemctl, csadm, etc., must be prefixed with sudo, for example, sudo csadm --help.
      To open or edit a file, prefix the command with 'sudo' and specify the file’s full path (sudo vi <full path of file>).
      For example, sudo vi /opt/cyops-auth/utilities/das.ini.
      Note: For security reasons, 'root' access is provided via the system console and is not available over SSH.
      Since FortiSOAR 7.6.3, users running sudo commands as the ‘csadmin’ user have been prompted for a password on all systems except AWS. Together, these improvements ensure tighter access control and a more secure operating environment.

    Solution Packs, Connectors, and Widget Enhancements

    FortiSOAR 7.6.5 introduces significant enhancements across solution packs, connectors, and widgets—expanding automation capabilities, improving integration reliability, and boosting platform performance for SecOps teams.

    • Enhanced Solution Packs:
      • SOAR Framework Solution Pack (SFSP) v3.4.0: Delivers a broader and more flexible automation experience, including improved MSSP playbook execution, expanded indicator and file-content extraction, and noticeable SVT performance gains. Additional playbook updates, new localized strings, and targeted bug fixes further refine usability and reliability.
      • FortiAI v4.0.1: Ensures user prompts work correctly when modules lack correlated fields or key mappings in the Key Store, with the recommendation engine enabled.
      • OTbase Inventory v1.0.0: Adds support for managing vulnerabilities discovered in OTbase Inventory devices.
      • Outbreak Response – React2Shell Remote Code Execution v1.0.0: Introduces response capabilities for the React2Shell RCE threat.
      • Outbreak Response – UNC1549 Critical Infrastructure Espionage Attack v1.0.0 – Adds response workflows for the UNC1549 espionage campaign.
        Note: All widgets in the respective solution packs have been updated.
    • Enhanced Connectors: Impactful updates have been introduced across System, Fabric, and third-party connectors - few notable ones being:
      • System /Default Connectors:
        • SysLog v1.3.0: Fixes truncation of long messages.
        • FSR Agent Communications Bridge v1.2.0: Adds support for password-type fields in external manual playbook inputs and includes general improvements.
      • Fabric Connectors:
        Enhanced Fortinet Fabric connectors include:
        • Fortinet FortiDLP v1.1.0: Adds support to retrieve lists and details of agents, users, labels, and more.
        • Fortinet FortiProxy v1.0.1: Updates API authentication to use bearer tokens.
        • Fortinet FortiSIEM v5.4.3: Fixes issues with data ingestion and actions not executing as expected.
        • Fortinet FortiRecon EASM v1.2.0: Adds new actions, including updating IPs, assets, and issues.
      • Third-Party Connectors:
        • ServiceNow v3.5.0: Supports creating and editing business rules using API Key Authentication, enabling stronger and more modern integration security.
        • Exchange v4.7.0: Adds attachment and inline-image support for Send Reply, along with other improvements.
        • SendGrid v1.1.0, GSuite for Gmail v3.1.0, and Microsoft Graph Mail v1.4.0: Adds support for email templates.
        • HashiCorp Vault v2.0.0: Enhances access to secrets across an entire secret engine, including nested directories.
        • Google Threat Intelligence v1.0.0: New connector that provides visibility into threat actors, attacks, and IOCs.
        • CrowdStrike Falcon v3.1.0 – Adds Spotlight actions such as Search Vulnerabilities, Get Host List by Vulnerability, and Get CVE List by Vulnerability.
        • OKTA v1.1.0: Adds an action to revoke all active user sessions.
        • Jira v2.0.0: Updated to support the JIRA API v3.
        • Microsoft Entra ID v2.2.1: Renamed from Azure Active Directory; associated actions and playbooks updated.
        • Atlassian Confluence Cloud v1.0.0: New connector enabling collaboration and knowledge-management workflows.
        • AWS Commands v1.1.0: Adds an action to revoke active sessions associated with a role.
        • Cyware CTIX v2.0.0: Introduces 20+ new actions, including Create Intel via Open API, Get Threat Data, and Bulk Add Relation.
        • Darktrace v1.4.0: Adds support to retrieve enumerated types and corresponding string values.
        • Ansible Tower v2.0.0 and VMRAY v1.1.0: Introduces new actions that expand automation and malware-analysis workflows.
        • Mimecast S2 v3.0.0: Upgraded to the latest Mimecast API v2.0 for improved compatibility and functionality.
        • Alloy ITSM v1.0.0: A new connector that streamlines and automates ticket-based operations.
        • Rapid7 Threat Command Cloud v1.1.0: New connector for monitoring external threats across the web, deep web, and dark web.
        • SentinelOne v3.5.3: Added SSL verification to Create BlockList Item to prevent failures.
        • TEHTRIS EDR v1.0.0: New connector providing real-time endpoint detection and response.
        • URLhaus v1.1.0: New connector for collecting, tracking, and sharing malware URLs.
        • Elastic Kibana v1.0.0: New connector to search, visualize, and manage Elasticsearch data.
        • Elastic Security v1.0.0: New connector offering unified SIEM, endpoint, and cloud security.
      • Enhanced Widgets:
        • Language Pack v2.1.0: Adds more translatable strings, improving localization coverage and accuracy.
        • Widget Picklist as Phases v1.1.0: Updated the widget to correctly hide or disable picklist options based on the module’s Fields Editor setting.

    For details, see the FortiSOAR Content Hub.

    Previous
    Next

    New Features and Enhancements

    New Features and Enhancements

    This release introduces features and improvements that enhance usability, increase performance, and elevate your FortiSOAR™ experience.

    FortiSOAR User Interface Enhancements

    Improved Markdown Editor

    • Fields whose type was set to "Rich Text (Markdown Editor)" were previously slow to render, which negatively impacted UI performance. This release introduces several improvements to deliver a faster and smoother editing experience:
      • Faster Loading with Markdown as View-Only Mode: The Markdown editor now loads in a view-only mode, reducing load times and preventing UI lag.
      • Optional Lazy Loading for Better Stability: Markdown Editor fields now support lazy loading, reducing CPU usage and helping prevent “Page Unresponsive” issues. Lazy loading is disabled by default to preserve existing behavior, but can be enabled as needed.
        • Form View: Markdown fields now initially render as plain textareas. The full editor loads only when the user clicks the field, improving responsiveness.
        • Detail View: Fields display in read-only mode by default. If the field is editable, the user clicks once to open the textarea and clicks again to open the editor.
      • Optimized Content Display with Configurable Word Limit: Markdown fields now display up to 50 words by default when in 'View' mode for faster page loads. Users can click View More to reveal the full content. Both the word-limit feature and the maximum word count are fully configurable.
      For more information, see the Working with Detail Views topic in the Customize Modules and Data Views chapter of the "User Guide."

    iFrame Configuration Settings

    • Release 7.6.5 introduces iFrame configuration options that allow you to control how external content is embedded within the application. Sandbox restrictions are enabled by default for enhanced security, and you require to specify which domains are allowed to load inside iFrames (by default, all domains are blocked). For details, see the iFrame Settings topic in the Application Configuration section of the "Administration Guide."

    Bulk Activation and Deactivation of Schedules

    • You can now activate or deactivate schedules in bulk. Previously, users had to disable and re-enable each schedule individually, which was time-consuming and inefficient when managing a large number of schedules, for example during upgrades or maintenance. This new capability streamlines the process by allowing you to pause or restart multiple schedules with just a few clicks. For details, see the Schedules chapter in the "User Guide."

    Copy Uploaded Files Directly to Collaboration Comments

    • You can copy files uploaded through the File Upload widget directly into the Comments tab of the Collaboration pane. When pasted, the file is automatically added as an attachment, with no need to reupload it through the form editor or create a new file. For details, see the File Upload topic in the Build and Customize Dashboards, Templates, and Widgets chapter of the "User Guide."

    Enhanced Relationship Widgets

    • The Relationships and Relationships Single Line Card widgets have been enhanced with a Filter Criteria section. This allows you to define filtering rules for related module records, which are applied automatically when the grid loads for more focused data display. For details, see the Working with Template Widgets chapter of the "User Guide."

    Playbook Enhancements

    Secure Password Input via User Prompt

    • Starting with release 7.6.5, users can securely provide passwords to FortiSOAR via a manual input prompt. This allows users without connector-page access to enter credentials that can be used in automation workflows, such as playbooks that create or update connector configurations. For details, see the Playbook Triggers chapter in the "Playbooks Guide."

    Improved Default View for Global Executed Playbook Logs

    • To improve the user experience when viewing executed playbook logs, the global Executed Playbook Log view (accessed from the upper-right corner of the screen) now defaults to displaying logs from the past 7 days. This setting is configurable: users can disable the limit to view all playbook executions or adjust the number of days shown. This enhancement reduces the number of clicks required to access older execution logs and provides a more streamlined viewing experience. For details, see the Viewing Executed Playbook Logs topic in the Playbook Execution and Debugging chapter and the Optimizing and Troubleshooting chapter of the "Playbooks Guide."

    Improved Jinja Editor

    • The Jinja Editor now slides in from the right, improving screen-space usage and providing more room to view and edit input and output expressions for a better overall experience. Additionally, step results are now handled correctly in the Jinja Editor and are presented in dictionary format, allowing step-level Jinja expressions to be evaluated without modification. For details, see the Jinja Editor topic in the Dynamic Values chapter of the "Playbooks Guide."

    Enhanced User Prompt

    • Starting with release 7.6.5, the 'Build Input Prompt' includes a new option: +Add Required Condition. This enhancement lets you define when a field should be mandatory during step execution, giving you more precise control over your workflows. Requirement types have also been streamlined—Manual Inputs now support Required, Not Required, Required by Condition, and Required by Mapping, while Manual Triggers support Required, Not Required, and Required by Condition.
      Previously, fields could only be marked as required or not. With this added flexibility, the system can better account for functional differences between steps and apply required-field rules only when they are relevant. For details, see the Playbook Triggers chapter in the "Playbooks Guide."

    System and Security Updates

    Unique Encryption key for Data Protection

    • FortiSOAR 7.6.5 now automatically generates a unique encryption key, per instance, during the Configuration Wizard process. This change significantly strengthens data protection by securing stored credentials, database entries, and inter-service communication with 256-bit encryption — all while maintaining full backward compatibility. All passwords saved after deployment are encrypted using this new key. For more information, see the Deploying FortiSOAR chapter in the "Deployment Guide."

    Restricted 'csadmin sudo' for User Access Control

    • FortiSOAR 7.6.5 has limited the csadmin user’s sudo privileges to only the commands required to work with FortiSOAR, rather than granting full 'root' access. This enhancement aligns with the principle of least privilege, significantly reducing exposure to sensitive system files and strengthening overall platform security. Therefore, commands such as yum, systemctl, csadm, etc., must be prefixed with sudo, for example, sudo csadm --help.
      To open or edit a file, prefix the command with 'sudo' and specify the file’s full path (sudo vi <full path of file>).
      For example, sudo vi /opt/cyops-auth/utilities/das.ini.
      Note: For security reasons, 'root' access is provided via the system console and is not available over SSH.
      Since FortiSOAR 7.6.3, users running sudo commands as the ‘csadmin’ user have been prompted for a password on all systems except AWS. Together, these improvements ensure tighter access control and a more secure operating environment.

    Solution Packs, Connectors, and Widget Enhancements

    FortiSOAR 7.6.5 introduces significant enhancements across solution packs, connectors, and widgets—expanding automation capabilities, improving integration reliability, and boosting platform performance for SecOps teams.

    • Enhanced Solution Packs:
      • SOAR Framework Solution Pack (SFSP) v3.4.0: Delivers a broader and more flexible automation experience, including improved MSSP playbook execution, expanded indicator and file-content extraction, and noticeable SVT performance gains. Additional playbook updates, new localized strings, and targeted bug fixes further refine usability and reliability.
      • FortiAI v4.0.1: Ensures user prompts work correctly when modules lack correlated fields or key mappings in the Key Store, with the recommendation engine enabled.
      • OTbase Inventory v1.0.0: Adds support for managing vulnerabilities discovered in OTbase Inventory devices.
      • Outbreak Response – React2Shell Remote Code Execution v1.0.0: Introduces response capabilities for the React2Shell RCE threat.
      • Outbreak Response – UNC1549 Critical Infrastructure Espionage Attack v1.0.0 – Adds response workflows for the UNC1549 espionage campaign.
        Note: All widgets in the respective solution packs have been updated.
    • Enhanced Connectors: Impactful updates have been introduced across System, Fabric, and third-party connectors - few notable ones being:
      • System /Default Connectors:
        • SysLog v1.3.0: Fixes truncation of long messages.
        • FSR Agent Communications Bridge v1.2.0: Adds support for password-type fields in external manual playbook inputs and includes general improvements.
      • Fabric Connectors:
        Enhanced Fortinet Fabric connectors include:
        • Fortinet FortiDLP v1.1.0: Adds support to retrieve lists and details of agents, users, labels, and more.
        • Fortinet FortiProxy v1.0.1: Updates API authentication to use bearer tokens.
        • Fortinet FortiSIEM v5.4.3: Fixes issues with data ingestion and actions not executing as expected.
        • Fortinet FortiRecon EASM v1.2.0: Adds new actions, including updating IPs, assets, and issues.
      • Third-Party Connectors:
        • ServiceNow v3.5.0: Supports creating and editing business rules using API Key Authentication, enabling stronger and more modern integration security.
        • Exchange v4.7.0: Adds attachment and inline-image support for Send Reply, along with other improvements.
        • SendGrid v1.1.0, GSuite for Gmail v3.1.0, and Microsoft Graph Mail v1.4.0: Adds support for email templates.
        • HashiCorp Vault v2.0.0: Enhances access to secrets across an entire secret engine, including nested directories.
        • Google Threat Intelligence v1.0.0: New connector that provides visibility into threat actors, attacks, and IOCs.
        • CrowdStrike Falcon v3.1.0 – Adds Spotlight actions such as Search Vulnerabilities, Get Host List by Vulnerability, and Get CVE List by Vulnerability.
        • OKTA v1.1.0: Adds an action to revoke all active user sessions.
        • Jira v2.0.0: Updated to support the JIRA API v3.
        • Microsoft Entra ID v2.2.1: Renamed from Azure Active Directory; associated actions and playbooks updated.
        • Atlassian Confluence Cloud v1.0.0: New connector enabling collaboration and knowledge-management workflows.
        • AWS Commands v1.1.0: Adds an action to revoke active sessions associated with a role.
        • Cyware CTIX v2.0.0: Introduces 20+ new actions, including Create Intel via Open API, Get Threat Data, and Bulk Add Relation.
        • Darktrace v1.4.0: Adds support to retrieve enumerated types and corresponding string values.
        • Ansible Tower v2.0.0 and VMRAY v1.1.0: Introduces new actions that expand automation and malware-analysis workflows.
        • Mimecast S2 v3.0.0: Upgraded to the latest Mimecast API v2.0 for improved compatibility and functionality.
        • Alloy ITSM v1.0.0: A new connector that streamlines and automates ticket-based operations.
        • Rapid7 Threat Command Cloud v1.1.0: New connector for monitoring external threats across the web, deep web, and dark web.
        • SentinelOne v3.5.3: Added SSL verification to Create BlockList Item to prevent failures.
        • TEHTRIS EDR v1.0.0: New connector providing real-time endpoint detection and response.
        • URLhaus v1.1.0: New connector for collecting, tracking, and sharing malware URLs.
        • Elastic Kibana v1.0.0: New connector to search, visualize, and manage Elasticsearch data.
        • Elastic Security v1.0.0: New connector offering unified SIEM, endpoint, and cloud security.
      • Enhanced Widgets:
        • Language Pack v2.1.0: Adds more translatable strings, improving localization coverage and accuracy.
        • Widget Picklist as Phases v1.1.0: Updated the widget to correctly hide or disable picklist options based on the module’s Fields Editor setting.

    For details, see the FortiSOAR Content Hub.

    Previous
    Next