Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.4.6 Administration Guide
    7.4.6
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Creating or editing ITSM connectors

    Creating or editing ITSM connectors

    You can create ITSM connectors for ServiceNow, Slack, MS Teams, and Webhook.

    To create an ITSM connector:
    1. Go to Fabric View > Fabric Connectors, and click Create New.
    2. Under ITSM, click ServiceNow Connector, Slack Connector, MS Teams Connector, or Generic Connector and click Next.
    3. Configure the following options, and click OK:

      Property

      Description

      Name

      Enter a name for the fabric connector.

      Description

      (Optional) Enter a description for the fabric connector.

      Protocol

      Select HTTPS.

      For Slack connectors and Generic connectors, you can also select HTTP.

      Port

      Specify the port FortiAnalyzer uses to communicate with the external platform.

      Method

      For ServiceNow and MS Teams connectors, select POST.

      For Slack connectors, select POST or PUT.

      For Generic connectors, select one of the following:

      • POST

      • PUT

      • GET

      • PATCH

      • DELETE

      Title

      Type a title for the fabric connector.

      URL

      Type the URL of the external platform. This option is not available for the MS Teams connector.

      Using ServiceNow as an example, copy and paste the URL from ServiceNow API URL in the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

      Custom HTTP Header

      Enable to use custom HTTP headers. This option is only available for Generic connectors.

      These headers store information in the form of key-value pairs. They can be used for communcation control, content description, authentication, session management, caching, and more.

      If enabled, add any number of HTTP Headers by clicking the plus sign (+). Enter the key-value pairs.

      Note

      When Custom HTTP Header is enabled, HTTP Authentication is no longer available for the connector. This is because you can use the custom HTTP headers for HTTP authentication instead.

      Teams Webhook URL

      Type the incoming webhook URL created in MS Teams. This option is only available for the MS Teams connectors.

      HTTP Body

      Type the HTTP body of the message that should be sent by the connector. This option is only available for Generic and MS Teams connectors.

      For example, { \"text\": \"<message to send>\" }. You also use ${} for macros in the message. For a list of supported macros, see Supported macros for the MS Teams Connector.

      HTTP Authentication

      Enable to use HTTP authentication. This option is not available for the MS Teams connectors.

      If enabled, select Basic or OAuth2 authentication type. Enter the User Name and Password, if applicable.

      Using a ServiceNow connector with Basic authenictation as an example, enter the username and password from the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

      Using a Generic webhook connector with OAuth2 authentication as an example, enter the URL of the token service as well as the client ID and client secret for authentication.

      Status

      Enable or disable the fabric connector.

    To use a generic connector:

    Generic webhook connectors can be used to send notifications about incidents and events. After it is created, the connector can be added in the incident settings or in notification profiles for event handlers. They can also be used as part of a playbook; for example, see Playbook examples.

    To use a ServiceNow connector:

    ServiceNow connectors can be used to post incident change notices. After it is created, the ServiceNow connector can be added in the incident settings or as part of a playbook.

    To use a Slack connector:

    Slack connectors can be used to send messages in Slack about incidents and events. After it is created, the Slack connector can be added in the incident settings or notification profiles for event handlers.

    To use an MS Teams connector:

    MS Teams connectors can be used to send messages in MS Teams about incidents and events. After it is created, the MS Teams connector can be added in the incident settings, notification profiles for event handlers, or as part of a playbook.

    To edit an ITSM connector:
    1. Go to Fabric View > Fabric Connectors.
    2. Right-click an ITSM connector, and select Edit.

      The Edit Connectors dialog box is displayed.

    3. Edit the settings, and click OK.
    Supported macros for the MS Teams Connector

    Category

    Variable

    Macro

    Description

    Global

    type

    ${type}

    Notification type

    Global

    adom

    ${adom}

    Adom name

    Global

    from

    ${from}

    FAZ SN

    Global

    timestamp

    ${timestamp}

    Notification timestamp

    Event

    event

    ${event}

    All event fields

    Event

    eventid

    ${event.eventid}

    Event id

    Event

    alertid

    ${event.alertid}

    Alert id (same with eventid, but name consistent with previous notification format)

    Event

    logtype

    ${event.logtype}

    Log type

    Event

    devtype

    ${event.devtype}

    Device type

    Event

    eventtime

    ${event.eventtime}

    Event time

    Event

    alerttime

    ${event.alerttime}

    Alert time (same with eventtime, but name consistent with previous notification format)

    Event

    firstlogtime

    ${event.firstlogtime}

    First log time

    Event

    lastlogtime

    ${event.lastlogtime}

    Last log time

    Event

    devid

    ${event.devid}

    Device id

    Event

    devname

    ${event.devname}

    Device name

    Event

    eventtype

    ${event.eventtype}

    Event type

    Event

    groupby1

    ${event.groupby1}

    groupby1

    Event

    groupby2

    ${event.groupby2}

    grouby2

    Event

    groupby3

    ${event.groupby3}

    grouby3

    Event

    indicator

    ${event.indicator}

    indicator

    Event

    severity

    ${event.severity}

    severity

    Event

    subject

    ${even.subject}

    subject

    Event

    tag

    ${event.tag}

    tag

    Event

    triggername

    ${event.triggername}

    Trigger name

    Event

    vdom

    ${event.vdom}

    vdom

    Event

    epid

    ${event.epid}

    epid

    Event

    euid

    ${event.euid}

    euid

    Event

    epip

    ${event.epip}

    epip

    Event

    epname

    ${event.epname}

    epname

    Event

    euname

    ${event.euname}

    euname

    Event

    extrainfo

    ${event.extrainfo}

    Additional info

    Event

    log-length

    ${event.log-length}

    Log length

    Event

    log-detail

    ${event.log-detail}

    Log detail

    Incident

    incident

    ${incident}

    All incident fields

    Incident

    incid

    ${incident.incid}

    Incident ID

    Incident

    type

    ${incident.type}

    Notification type

    Incident

    revision

    ${incident.revision}

    revision

    Incident

    attach_revision

    ${incident.attach_revision}

    attach revision
    Previous
    Next

    Creating or editing ITSM connectors

    Creating or editing ITSM connectors

    You can create ITSM connectors for ServiceNow, Slack, MS Teams, and Webhook.

    To create an ITSM connector:
    1. Go to Fabric View > Fabric Connectors, and click Create New.
    2. Under ITSM, click ServiceNow Connector, Slack Connector, MS Teams Connector, or Generic Connector and click Next.
    3. Configure the following options, and click OK:

      Property

      Description

      Name

      Enter a name for the fabric connector.

      Description

      (Optional) Enter a description for the fabric connector.

      Protocol

      Select HTTPS.

      For Slack connectors and Generic connectors, you can also select HTTP.

      Port

      Specify the port FortiAnalyzer uses to communicate with the external platform.

      Method

      For ServiceNow and MS Teams connectors, select POST.

      For Slack connectors, select POST or PUT.

      For Generic connectors, select one of the following:

      • POST

      • PUT

      • GET

      • PATCH

      • DELETE

      Title

      Type a title for the fabric connector.

      URL

      Type the URL of the external platform. This option is not available for the MS Teams connector.

      Using ServiceNow as an example, copy and paste the URL from ServiceNow API URL in the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

      Custom HTTP Header

      Enable to use custom HTTP headers. This option is only available for Generic connectors.

      These headers store information in the form of key-value pairs. They can be used for communcation control, content description, authentication, session management, caching, and more.

      If enabled, add any number of HTTP Headers by clicking the plus sign (+). Enter the key-value pairs.

      Note

      When Custom HTTP Header is enabled, HTTP Authentication is no longer available for the connector. This is because you can use the custom HTTP headers for HTTP authentication instead.

      Teams Webhook URL

      Type the incoming webhook URL created in MS Teams. This option is only available for the MS Teams connectors.

      HTTP Body

      Type the HTTP body of the message that should be sent by the connector. This option is only available for Generic and MS Teams connectors.

      For example, { \"text\": \"<message to send>\" }. You also use ${} for macros in the message. For a list of supported macros, see Supported macros for the MS Teams Connector.

      HTTP Authentication

      Enable to use HTTP authentication. This option is not available for the MS Teams connectors.

      If enabled, select Basic or OAuth2 authentication type. Enter the User Name and Password, if applicable.

      Using a ServiceNow connector with Basic authenictation as an example, enter the username and password from the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

      Using a Generic webhook connector with OAuth2 authentication as an example, enter the URL of the token service as well as the client ID and client secret for authentication.

      Status

      Enable or disable the fabric connector.

    To use a generic connector:

    Generic webhook connectors can be used to send notifications about incidents and events. After it is created, the connector can be added in the incident settings or in notification profiles for event handlers. They can also be used as part of a playbook; for example, see Playbook examples.

    To use a ServiceNow connector:

    ServiceNow connectors can be used to post incident change notices. After it is created, the ServiceNow connector can be added in the incident settings or as part of a playbook.

    To use a Slack connector:

    Slack connectors can be used to send messages in Slack about incidents and events. After it is created, the Slack connector can be added in the incident settings or notification profiles for event handlers.

    To use an MS Teams connector:

    MS Teams connectors can be used to send messages in MS Teams about incidents and events. After it is created, the MS Teams connector can be added in the incident settings, notification profiles for event handlers, or as part of a playbook.

    To edit an ITSM connector:
    1. Go to Fabric View > Fabric Connectors.
    2. Right-click an ITSM connector, and select Edit.

      The Edit Connectors dialog box is displayed.

    3. Edit the settings, and click OK.
    Supported macros for the MS Teams Connector

    Category

    Variable

    Macro

    Description

    Global

    type

    ${type}

    Notification type

    Global

    adom

    ${adom}

    Adom name

    Global

    from

    ${from}

    FAZ SN

    Global

    timestamp

    ${timestamp}

    Notification timestamp

    Event

    event

    ${event}

    All event fields

    Event

    eventid

    ${event.eventid}

    Event id

    Event

    alertid

    ${event.alertid}

    Alert id (same with eventid, but name consistent with previous notification format)

    Event

    logtype

    ${event.logtype}

    Log type

    Event

    devtype

    ${event.devtype}

    Device type

    Event

    eventtime

    ${event.eventtime}

    Event time

    Event

    alerttime

    ${event.alerttime}

    Alert time (same with eventtime, but name consistent with previous notification format)

    Event

    firstlogtime

    ${event.firstlogtime}

    First log time

    Event

    lastlogtime

    ${event.lastlogtime}

    Last log time

    Event

    devid

    ${event.devid}

    Device id

    Event

    devname

    ${event.devname}

    Device name

    Event

    eventtype

    ${event.eventtype}

    Event type

    Event

    groupby1

    ${event.groupby1}

    groupby1

    Event

    groupby2

    ${event.groupby2}

    grouby2

    Event

    groupby3

    ${event.groupby3}

    grouby3

    Event

    indicator

    ${event.indicator}

    indicator

    Event

    severity

    ${event.severity}

    severity

    Event

    subject

    ${even.subject}

    subject

    Event

    tag

    ${event.tag}

    tag

    Event

    triggername

    ${event.triggername}

    Trigger name

    Event

    vdom

    ${event.vdom}

    vdom

    Event

    epid

    ${event.epid}

    epid

    Event

    euid

    ${event.euid}

    euid

    Event

    epip

    ${event.epip}

    epip

    Event

    epname

    ${event.epname}

    epname

    Event

    euname

    ${event.euname}

    euname

    Event

    extrainfo

    ${event.extrainfo}

    Additional info

    Event

    log-length

    ${event.log-length}

    Log length

    Event

    log-detail

    ${event.log-detail}

    Log detail

    Incident

    incident

    ${incident}

    All incident fields

    Incident

    incid

    ${incident.incid}

    Incident ID

    Incident

    type

    ${incident.type}

    Notification type

    Incident

    revision

    ${incident.revision}

    revision

    Incident

    attach_revision

    ${incident.attach_revision}

    attach revision
    Previous
    Next