Microsoft management activity API connector
The Microsoft Management Activity API connector is available as part of version 25.01009 content pack.
When configured to connect to your Microsoft Management Activity API, this connector can be used to perform the following actions:
| Action | Description |
|---|---|
| Ingest Microsoft Management Activity API Logs | Ingest Office 365 and Azure AD activity logs from the Microsoft Management Activity API. When this action is run for the first time, it automatically creates an authorized device and assigns it to the Office 365 Management Activity Log Parser. On this first run, all logs from the last 24 hours are ingested. On subsequent runs, only logs that are new since the last fetch are ingested and added to FortiAnalyzer. To use this action successfully, you must enable the Office 365 Management Activity Log Parser, which is also introduced in the version 25.01009 content pack. See To enable the Office 365 Management Activity Log Parser:. To use this action as part of a playbook, see To use the Microsoft Management Activity API connector in a playbook:. |
| MS Management Activity Start Subscription | Starts a Management Activity API subscription in the Microsoft tenant. |
| MS Management Activity Stop Subscription | Stops a Management Activity API subscription in the Microsoft tenant. |
| MS Management Activity List Subscription | Retrieves the current list of subscriptions from Microsoft. |
| MS Management Activity List Content | Retrieves available content (log blobs) from Microsoft for a subscription. |
To configure the Microsoft Management Activity API connector:
- Go to Incidents & Events > Automation > Active Connectors, and click Create New.
- For the connector type, select Microsoft Management Activity API v1.0.1 and click Next.
- In the Configuration tab, configure the following options:
| Option | Description |
|---|---|
| Name | Enter a name for the connector or use the default. |
| Description | Enter a description for the connector or use the default. |
| IP/FQDN | Enter the IP address or fully qualified domain name of the Microsoft Management Activity API endpoint. |
| auth_type | Select one of the following: Application - Without a User, or Delegated - On behalf of User. |
| client_id | Enter the client ID (application ID) of the app registration used for the Microsoft Management Activity API. |
| client_secret | Enter the client secret of that app registration. |
| code | Enter the authorization code. This field is only required when auth_type = Delegated - On behalf of User. |
| redirect_url | Enter the redirect URL registered for the app. This field is only required when auth_type = Delegated - On behalf of User. |
| tenant_id | Enter the tenant ID for the Microsoft Management Activity API. |
- In the Action tab, view the actions available with the connector.
- In the Data Ingestion tab, enable or disable the Status according to your needs.
This feature allows you to define schedules for when to pull the logs from the external resource.
In FortiAnalyzer 7.6.2, the Data Ingestion option is limited for this connector. You must manually create a playbook to ingest logs. See To use the Microsoft Management Activity API connector in a playbook:.
When enabled, configure the following:
| Option | Description |
|---|---|
| Schedule Selection | Select Single Schedule or Custom Schedule. Single Schedule: configure one data ingestion schedule for all enabled actions. Custom Schedule: select each enabled action and click Edit to configure its own data ingestion schedule. |
| The start time of the schedule | Select the date and time at which the data ingestion schedule begins. |
| The end time of the schedule | Select the date and time at which the data ingestion schedule ends. |
| The interval unit of the schedule | Select the unit for the schedule interval: N-MINUTES, N-HOURS, N-DAYS, or CRON. |
| The interval value of the schedule | Set the integer interval for data ingestion, in the unit chosen under The interval unit of the schedule. For example, with The interval unit of the schedule = N-HOURS and The interval value of the schedule = 5, data ingestion runs every 5 hours. |
| Actions | Enable the actions that should perform data ingestion on the set schedule. Data ingestion schedules can only be configured for some actions; these are indicated in the Actions tab for the connector. |
- To save the configuration, click OK.
The connector and its status are now visible in the Active Connectors pane. It can be used in playbooks to perform the actions listed in the Actions tab.
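The connector options above and the actions in the table map onto a small set of calls against the Office 365 Management Activity API. The following Python is an added illustration of that mapping, not FortiAnalyzer's or Fortinet's connector code: it builds the token request for each auth_type (and enforces that code and redirect_url are present only for the Delegated case), builds the subscription start/stop/list and content URLs, and reproduces the Ingest action's first-run (last 24 hours) and subsequent-run (since last fetch) windowing. Endpoint paths, the token endpoint, the 24-hour maximum query window and the 7-day content retention follow Microsoft's public API reference; SAMPLE_LISTING is constructed data, and api_get is the only function that touches the network and is never called at import time.

```python
"""Offline model of the Management Activity API calls behind the connector.
Added example, not FortiAnalyzer code. Endpoint paths and limits follow the
public Microsoft API reference; SAMPLE_LISTING is constructed test data."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_ROOT = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
SCOPE = "https://manage.office.com/.default"
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All")
MAX_WINDOW = timedelta(hours=24)  # one content query may span at most 24 h
RETENTION = timedelta(days=7)     # blobs older than 7 days are no longer listed

APPLICATION = "Application - Without a User"   # the connector's auth_type labels
DELEGATED = "Delegated - On behalf of User"


def token_request(tenant_id, client_id, client_secret, auth_type,
                  code=None, redirect_url=None):
    """Return (url, form) for the OAuth2 token request matching auth_type.
    Delegated needs the authorization code and the exact redirect_url it was
    issued for; Application (client credentials) needs neither."""
    form = {"client_id": client_id, "client_secret": client_secret, "scope": SCOPE}
    if auth_type == APPLICATION:
        form["grant_type"] = "client_credentials"
    elif auth_type == DELEGATED:
        if not code or not redirect_url:
            raise ValueError("Delegated auth requires both code and redirect_url")
        form.update(grant_type="authorization_code", code=code, redirect_uri=redirect_url)
    else:
        raise ValueError(f"unknown auth_type: {auth_type!r}")
    return TOKEN_URL.format(tenant=tenant_id), form


def subscription_request(tenant_id, action, content_type=None):
    """(method, url) for the Start/Stop/List Subscription actions.
    start and stop act on one content type; list takes no parameters."""
    base = API_ROOT.format(tenant=tenant_id) + "/subscriptions/" + action
    if action in ("start", "stop"):
        if content_type not in CONTENT_TYPES:
            raise ValueError(f"unsupported contentType: {content_type!r}")
        return "POST", base + "?" + urllib.parse.urlencode({"contentType": content_type})
    if action == "list":
        return "GET", base
    raise ValueError(f"unknown action: {action!r}")


def parse_ts(text):
    """Parse the API's UTC timestamp form YYYY-MM-DDTHH:MM:SS into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def fetch_windows(last_fetch, now):
    """Time windows for the List Content call. First run (last_fetch is None):
    the previous 24 hours, as the Ingest action does. Later runs: from the
    last fetch, clipped to the 7-day retention and sliced into <= 24 h windows."""
    start = now - MAX_WINDOW if last_fetch is None else max(last_fetch, now - RETENTION)
    windows = []
    while start < now:
        end = min(start + MAX_WINDOW, now)
        windows.append((start, end))
        start = end
    return windows


def content_request(tenant_id, content_type, start, end):
    """(method, url) for one List Content call over a window from fetch_windows."""
    if end <= start or end - start > MAX_WINDOW:
        raise ValueError("window must be non-empty and at most 24 hours")
    query = {"contentType": content_type, "startTime": fmt_ts(start), "endTime": fmt_ts(end)}
    return "GET", API_ROOT.format(tenant=tenant_id) + "/subscriptions/content?" + urllib.parse.urlencode(query)


# Constructed listing in the shape the content endpoint returns (not real data).
SAMPLE_LISTING = [
    {"contentType": "Audit.AzureActiveDirectory", "contentId": "blob-0001",
     "contentUri": "https://manage.office.com/api/v1.0/tid/activity/feed/audit/blob-0001",
     "contentCreated": "2025-01-10T09:15:00.000Z", "contentExpiration": "2025-01-17T09:15:00.000Z"},
    {"contentType": "Audit.AzureActiveDirectory", "contentId": "blob-0002",
     "contentUri": "https://manage.office.com/api/v1.0/tid/activity/feed/audit/blob-0002",
     "contentCreated": "2025-01-10T10:40:00.000Z", "contentExpiration": "2025-01-17T10:40:00.000Z"},
]


def new_blobs(listing, seen_ids):
    """Drop blobs already ingested. Consecutive runs share a window boundary and
    a re-run repeats a window, so dedupe on contentId, not on the time range."""
    fresh = [b for b in listing if b["contentId"] not in seen_ids]
    seen_ids.update(b["contentId"] for b in fresh)
    return fresh


def api_get(url, token):
    """One authenticated GET. Returns (parsed JSON, NextPageUri header or None);
    callers keep following NextPageUri, since large listings are paged."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("NextPageUri")
```

Whichever auth_type is chosen, the app registration behind client_id must hold the Office 365 Management APIs ActivityFeed.Read permission of the matching kind (application permission for Application, delegated permission for Delegated), and the client secret should be treated like any other credential stored in the connector: rotated on a schedule and scoped to this single integration.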
To enable the Office 365 Management Activity Log Parser:
This log parser is disabled by default. It must be enabled to properly ingest and parse logs using the Microsoft Management Activity API connector.
- Go to Log Parsers > Log Parsers and select the Office 365 Management Activity Log Parser.
- From the More dropdown, select Enable. Alternatively, right-click the log parser and select Enable from the shortcut menu.
To use the Microsoft Management Activity API connector in a playbook:
- Go to Incidents & Events > Automation > Playbook, and click Create New.
- Select New Playbook created from scratch.
- Select a trigger for the playbook. In this example, the playbook is triggered ON_DEMAND.
- Drag-and-drop any connector point from the trigger to add a new task. The Tasks pane displays the available connectors.
- Select the Microsoft Management Activity API connector.
- Configure the automated action for the connector, and then click OK:

| Option | Description |
|---|---|
| Name | Enter a name for the action. |
| Description | Enter a description for the action. |
| Connector | The connector is selected automatically. |
| Action | Select the action for the connector to perform as part of this playbook. In this example, the Ingest Microsoft Management Activity API Logs action (Ingest Office 365 and Azure activity logs from MS Management Activity API) is used. |

- Enter a Name and Description for the playbook.
- Save the playbook.
The Office 365 Management Activity Log Parser must be enabled to parse the logs ingested by this playbook. See To enable the Office 365 Management Activity Log Parser:.
This playbook can now be run to ingest activity logs through the Microsoft Management Activity API connector.
When this playbook is run for the first time, a new device is automatically created and authorized in Device Manager.
This device is also automatically assigned to the related Office 365 Management Activity Log Parser in Incidents & Events > Log Parsers > Assigned Parsers.
The ingested logs can be viewed in Log View > Logs > Log Browse or Log View > Logs > All. They can also be found quickly with the filter data_parsername="Office 365 Management Activity Log Parser". For example, see the Custom View below filtered for the ingested logs.