Connector actions
This topic provides details for the following connectors: Local, FortiOS, FortiGuard, EMS, FortiEDR, FortiMail, FortiCASB, FortiAuthenticator, FortiWeb, FortiSandbox, FortiAnalyzer Cloud, VirusTotal, and vSphere.
For more information about the uses of ITSM connectors, see Configuring ITSM connectors.
Local Connector
The local connector is the default connector for FortiAnalyzer and is available automatically. The local connector displays a set of predefined FortiAnalyzer actions to be used within playbooks.
Local connectors include the following actions:
| Name | Description |
|---|---|
| Update Asset and Identity | Update FortiAnalyzer's Asset and Identity. |
| Get Events | Get events. |
| Get Endpoint Vulnerabilities | Get endpoint vulnerabilities. |
| Create Incident | Create a new incident. |
| Update Incident | Update an existing incident. |
| Attach Data to Incident | Attach the specified data to an existing incident. |
| Run Report | Run the specified FortiAnalyzer report. |
| Get EPEU from incidents | Get the EPEU from an incident. |
| Enrich Start | Start indicator enrichment workflow. |
| Enrich Aggregate | Aggregate indicator enrichment results. |
| Enrich Save | Save indicator enrichment. |
| Get Disk Usage | Get FortiAnalyzer's disk usage. |
| Get Virtual Memory | Get FortiAnalyzer's virtual memory. |
| Get CPU Usage | Get FortiAnalyzer's CPU usage. |
FortiOS Connector
The FortiOS connector is added after the first FortiGate has been authorized on an ADOM. Additional devices authorized to the ADOM are displayed as separate entries within the same connector. FortiOS connectors are available in FortiGate and Fabric ADOMs.
Enabling FortiOS actions
The actions available with FortiOS connectors are determined by automation rules configured on each FortiGate. Automation rules using the Incoming Webhook trigger must be created in FortiOS before they are shown as actions in FortiAnalyzer. FortiOS automation rules are configured on FortiOS in Security Fabric > Automation. For information on creating FortiOS automation rules, see the FortiOS administration guide.
Rules for FortiOS actions:
- Automation rules must use the Incoming Webhook trigger.
- Automation rules are configured on FortiGate devices individually.
- When multiple FortiOS connectors are configured, FortiAnalyzer decides which device to call based on the devid (serial number) identified in the task. FortiGate serial numbers can be manually entered or supplied by a preceding task.
- Automation rules must have unique names to be displayed in the task's Action dropdown menu. Rules sharing the same name will appear only once, as they are considered to be the same automation rule configured on multiple FortiGate devices.
- FortiOS automation rules are only displayed in Incidents & Events > Automation > Active Connectors when they are enabled in FortiOS.
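As an added illustration (not FortiAnalyzer or FortiOS code), the following Python models the rules above: which automation rules surface as actions, how rules sharing a name collapse into one dropdown entry, and how the task's devid selects the FortiGate to call. The trigger strings, serial numbers and rule names are constructed for the example.

```python
"""Model of how FortiAnalyzer lists FortiOS actions and picks the FortiGate to call.

Illustration only, not FortiAnalyzer/FortiOS code. Behaviour modelled:
 - only automation rules with the Incoming Webhook trigger become actions
 - only rules that are enabled in FortiOS are displayed
 - rule names are de-duplicated: the same name on several FortiGates is one action
 - at run time the target FortiGate is chosen by the task's devid (serial number)
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AutomationRule:
    name: str
    trigger: str          # constructed trigger labels, e.g. "incoming-webhook"
    enabled: bool = True


@dataclass
class FortiGate:
    serial: str           # the devid a playbook task passes to the connector
    rules: list[AutomationRule] = field(default_factory=list)


def webhook_rules(fgt: FortiGate) -> set[str]:
    """Names of rules on one FortiGate that qualify as FortiOS connector actions."""
    return {r.name for r in fgt.rules if r.enabled and r.trigger == "incoming-webhook"}


def action_dropdown(adom: list[FortiGate]) -> list[str]:
    """Unique action names shown in the task's Action dropdown for the ADOM."""
    names: set[str] = set()
    for fgt in adom:
        names |= webhook_rules(fgt)
    return sorted(names)


def resolve_target(adom: list[FortiGate], action: str, devid: str) -> FortiGate:
    """Pick the FortiGate identified by devid and confirm it carries the action."""
    by_serial = {f.serial: f for f in adom}
    if devid not in by_serial:
        raise LookupError(f"no authorized FortiGate with devid {devid}")
    fgt = by_serial[devid]
    if action not in webhook_rules(fgt):
        raise LookupError(f"{devid} has no enabled Incoming Webhook rule named {action!r}")
    return fgt


# Constructed sample ADOM: two FortiGates sharing one rule name.
SAMPLE_ADOM = [
    FortiGate("FGT-SERIAL-A", [
        AutomationRule("Quarantine-Host", "incoming-webhook"),
        AutomationRule("Block-IP", "incoming-webhook"),
        AutomationRule("Notify-Admin", "event-log"),                      # other trigger: hidden
    ]),
    FortiGate("FGT-SERIAL-B", [
        AutomationRule("Quarantine-Host", "incoming-webhook"),            # same name: shown once
        AutomationRule("Disable-User", "incoming-webhook", enabled=False),  # disabled: hidden
    ]),
]

if __name__ == "__main__":
    print(action_dropdown(SAMPLE_ADOM))
    print(resolve_target(SAMPLE_ADOM, "Quarantine-Host", "FGT-SERIAL-B").serial)
```

The second lookup in the sample fails on purpose: Block-IP is in the dropdown because FGT-SERIAL-A has it, but a task that names FGT-SERIAL-B as devid cannot run it there.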
FortiGuard Connector
The FortiGuard connector is automatically configured when a valid license has been applied to FortiAnalyzer.
FortiGuard connectors include the following actions:
| Name | Description |
|---|---|
| Lookup Indicator | Lookup indicators in FortiGuard to get threat intelligence. |
| FGD Enrich | Get the reputation report for indicator enrichment. |

Note: The FortiGuard connector cannot be used in an air-gap environment.
EMS Connector
FortiClient EMS connectors are configured as Security Fabric connectors. See Configuring security fabric connectors. Individual FortiClient EMS connector actions can be toggled on and off while editing the connector.
FortiClient EMS connectors include the following actions:
| Name | Description |
|---|---|
| Get Endpoints | Retrieve the list of endpoints and all related information to enrich FortiAnalyzer asset and identity views. |
| Quarantine | Quarantines an endpoint. |
| Unquarantine | Unquarantines an endpoint. |
| Vulnerability Scan | Run a vulnerability scan on endpoints. |
| AV Quick Scan | Run a quick antivirus scan on endpoints. |
| AV Full Scan | Run a full antivirus scan on endpoints. |
| Get Software Inventory | Retrieve the list of software and apps installed on an endpoint to enrich the FortiAnalyzer asset view. |
| Get Process List | Retrieve the list of running processes on the endpoint OS. |
| Get Vulnerabilities | Retrieve the list of vulnerabilities on the endpoint OS. |
| Tag Endpoints | Tag endpoints. |
| Untag Endpoints | Untag endpoints. |
FortiEDR Connector
FortiEDR connectors include the following actions:
| Name | Description |
|---|---|
| Create Exception | Creates a new exception in Fortinet FortiEDR based on the event ID and other input parameters you have specified. |
| Create IPSet | Creates an IPSet in Fortinet FortiEDR using the set of IP addresses and other parameters you have specified. |
| Delete IPSet | Deletes specific IPSets from Fortinet FortiEDR based on the IPSet names and other input parameters you have specified. |
| Get Agent Groups | Retrieves a list of all agent group lists from Fortinet FortiEDR. |
| Get Collector List | Retrieves the list of the collectors from Fortinet FortiEDR based on the device names or IDs, and other input parameters you have specified. |
| Get Event By ID | Retrieves a specific event from Fortinet FortiEDR based on the event ID you have specified. |
| Get Event Count | Retrieves the event count from Fortinet FortiEDR based on the filter parameters you have specified. |
| Get Event Exceptions | Retrieves the list of event exceptions from Fortinet FortiEDR based on the event ID and other input parameters you have specified. |
| Get Event List Extended | Retrieves archived/unarchived events together from Fortinet FortiEDR based on the filter parameters you have specified. Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned. |
| Get Events | Retrieves all the events from Fortinet FortiEDR that match the condition(s) you have specified. Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned. This action can be configured for data ingestion. |
| Get Exception List | Retrieves the list of all exceptions or specific exceptions from Fortinet FortiEDR based on the input parameters you have specified. |
| Get IPSet List | Retrieves a list of IPSets from Fortinet FortiEDR based on the IP address and other input parameters you have specified. |
| Get Raw Data Items | Retrieves the raw data items from Fortinet FortiEDR based on the event ID and other input parameters you have specified. |
| Get Raw JSON Event Data | Retrieves the raw data of specific events from Fortinet FortiEDR based on the event ID and other input parameters you have specified. |
| Get System Summary | Retrieves a summary of the environment from Fortinet FortiEDR. |
| Isolate Collector | Isolates a collector from the Fortinet FortiEDR network based on the list of device IDs or names, and other input parameters you have specified. |
| Move Collectors | Moves collectors between organizations based on the collectors, target collectors group, and other input parameters that you have specified. |
| Remediate Device | Takes remedial actions on Fortinet FortiEDR such as killing a process, deleting a file and/or cleaning persistent data on which malware was detected based on the device type, device name/ID, and other input parameters you have specified. |
| Unisolate Connector | Unisolates a collector from the Fortinet FortiEDR network based on the device ID and other input parameters you have specified. |
| Update Events | Updates events in Fortinet FortiEDR that match the condition(s) you have specified. Note: If none of the input parameters that you specify match the events in Fortinet FortiEDR, then an empty result set is returned. |
| Update Exception | Updates a specific exception in Fortinet FortiEDR based on the event ID, exception ID, and other input parameters you have specified. |
| Update IPSet | Updates IP addresses in the specific IPSet in Fortinet FortiEDR using the set of IP addresses, the IPSet name, and other parameters you have specified. |
FortiMail Connector
FortiMail connectors are configured as Security Fabric connectors. See Configuring security fabric connectors.
FortiMail connectors include the following actions:
| Name | Description |
|---|---|
| Get Email Statistics | Query a given email address. |
| Get Sender Reputation | Query a given sender's reputation information. |
| Add Sender to Blocklist | Update the system and domain level blocklist. |
| Get Session Profile | Get the session profile from FortiMail. |
| Delete Session Profile | Delete the session profile from FortiMail. |
| Get Sender Block List | Get the list of blocked senders' email addresses from a session profile. |
| Get Sender Safe List | Get the list of safelisted senders' email addresses from a session profile. |
| Get Recipient Block List | Get the list of blocked recipients' email addresses from a session profile. |
| Get Recipient Safe List | Get the list of safelisted recipients' email addresses from a session profile. |
| Block Sender Email with Session Profile | Block a sender's email address with a session profile. |
| Unblock Sender Email with Session Profile | Unblock a sender's email address with a session profile. |
| Block Recipient Email with Session Profile | Block a recipient's email address within a session profile. |
| Unblock Recipient Email with Session Profile | Unblock a recipient's email address within a session profile. |
FortiCASB Connector
FortiCASB connectors are configured as Security Fabric connectors. See Configuring security fabric connectors.
Creating a FortiCASB connector will automatically create the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled to use the predefined Default-Shadow-IT-Events event handler. For more information, see Predefined basic event handlers.
FortiCASB connectors include the following actions:
| Name | Description |
|---|---|
| Get Cloud Data from FCASB | Retrieve cloud application, user, and file information. |
FortiAuthenticator Connector
The FortiAuthenticator connector includes the following actions:
| Name | Description |
|---|---|
| Get Schema | Retrieves a report for all the endpoint actions within FortiAuthenticator. |
| Get User List | Retrieves a list of users from FortiAuthenticator. |
| Get User | Retrieves details of a specific user from FortiAuthenticator based on the user ID, username, or email you have specified. |
| Update User Status | Updates the user status of a specific user in FortiAuthenticator based on the user ID and status you have specified. |
| Get User Lockout Policy | Retrieves User Lockout Policy details from FortiAuthenticator. |
FortiWeb Connector
The FortiWeb connector includes the following actions:
| Name | Description |
|---|---|
| Get Anomaly Policy | Retrieves the domain information of a specific Anomaly Detection policy from FortiWeb based on the policy name you have specified. |
| Get Blocked IPs | Retrieves all the blocked IPs from the FortiWeb server. |
| Unblock IPs | Releases all IPs from the blocked IP list under a specific policy in FortiWeb, or releases one IP from the blocked IP list under a specific policy in FortiWeb, based on the policy name and other input parameters you have specified. |
| Get Blocked Users | Retrieves all blocked users or specific blocked users from FortiWeb based on the input parameters you have specified. |
| Unblock Users | Releases users from the blocked user list in a server policy in FortiWeb based on the input parameters you have specified. |
| Get Active Users | Retrieves a list of active users by user tracking or site publish type from FortiWeb based on the input parameters you have specified. |
| Delete Active Users | Deletes active users from a specific policy in FortiWeb based on the policy ID and other input parameters you have specified. |
| Get Client Info | Retrieves client information in Client Management in FortiWeb based on the input parameters you have specified. |
| Delete Client Information | Deletes information for a specific client from Client Management in FortiWeb based on the client ID you have specified. |
| Restore Client Threat Score | Restores the threat score of a specific client to 0 in FortiWeb based on the client ID you have specified. |
| Get All Virtual Servers | Retrieves all virtual servers, virtual IPs, and interfaces in each virtual server sub-table in JSON format from FortiWeb. |
| Get All Physical Servers | Retrieves the IP addresses in the server pool of all physical servers in JSON format from FortiWeb. |
| Get Server Policy Status | Retrieves the details, including the status, of a server policy from FortiWeb. |
| Get Server Policy Traffic | Retrieves traffic information for all the system server policies from FortiWeb, or traffic information for a specific system server policy based on the policy name you have specified. |
FortiSandbox Connector
The FortiSandbox connector includes the following actions:
| Name | Description |
|---|---|
| Get System Status | Retrieves the status of the system from FortiSandbox. |
| Get Scan Status | Retrieves the scan stats for the last 7 days from FortiSandbox. |
| Get Submission Job List | Retrieves all job IDs associated with the submission ID you have specified from FortiSandbox. |
| Get Job Verdict | Retrieves the job verdict details for the job ID you have specified from FortiSandbox. |
| Get File Rating | Retrieves the file rating for the file type and file hash you have specified from FortiSandbox. |
| Get URL Rating | Gets rating details for the URL you have specified from FortiSandbox. |
| Get Job Behavior | Retrieves job behavior details associated with the file type and file hash you have specified from FortiSandbox. |
| Toggle FPN State | Marks the sample identified by the job ID you have specified as a false negative or false positive in FortiSandbox. |
| Get AV Rescan Result | Retrieves AV-Rescan results for the time duration you have specified from FortiSandbox. |
| Get File Verdict | Retrieves the file verdict details for the file type and file hash you have specified from FortiSandbox. |
| Get All Installed VM | Retrieves the names and the clone numbers of all installed VMs on FortiSandbox. |
| List Filehash or URL From Malware Package or URL Package | Retrieves a list of file hashes or URLs based on the type you have specified from the Malware Package or URL Package in FortiSandbox. |
FortiAnalyzer Cloud Connector
The FortiAnalyzer Cloud Connector can be configured to securely forward logs to FortiAnalyzer Cloud, allowing you to use FortiAnalyzer Cloud for centralized logging for third-party applications.
You can only configure one FortiAnalyzer Cloud Connector per on-premise FortiAnalyzer. This connector can only be enabled in the root ADOM of the on-premise FortiAnalyzer.
The FortiAnalyzer Cloud Connector requires an access token from FortiAnalyzer Cloud. To create the access token, see the FortiAnalyzer Cloud Deployment Guide on the Fortinet Document Library.
The FortiAnalyzer Cloud Connector queries FortiAnalyzer Cloud with the access token. This token cannot be created or renewed when the FortiAnalyzer Cloud account does not have an add-on storage license. FortiAnalyzer Cloud will disconnect from the on-premise FortiAnalyzer when the token is expired or invalid.
The FortiAnalyzer Cloud Connector includes the following actions:
| Name | Description |
|---|---|
| Forward Logs | Forward logs to FortiAnalyzer Cloud. Edit this action to set the forwarding frequency for the connector. |
Once configured and enabled, all non-FortiGate logs, such as FortiMail, FortiClient EMS, or third-party logs in the root ADOM will be forwarded to the FortiAnalyzer Cloud. FortiAnalyzer will not connect to FortiAnalyzer Cloud when the token is expired. You must update the access token for the connector once it is expired.
If the non-FortiGate devices have not yet been added in FortiAnalyzer Cloud, they will appear in the FortiAnalyzer Cloud Device Manager to be authorized. Once authorized, the logs can be viewed in the FortiAnalyzer Cloud Log View.
You can use the following commands in the on-premise FortiAnalyzer CLI to troubleshoot the FortiAnalyzer Cloud Connector:
- To check if the token has been configured correctly on the FortiAnalyzer Cloud Connector:

```
diagnose test application logfwd 3
```

- To check if the connection is successful and to view the log forwarding rate:

```
diagnose test application logfwd 4
```
VirusTotal Connector
The VirusTotal connector is used as part of the indicator enrichment feature through the Indicator Enrichment playbook. To enable this connector, you must double-click the connector and add the API key. For more information, see Indicator enrichment.
The VirusTotal connector includes the following actions:
| Name | Description |
|---|---|
| Query IP | Retrieves a report from VirusTotal for the IP address you have specified to determine if it is suspicious. |
| Query Domain | Retrieves a report from VirusTotal for the domain name you have specified to determine if it is suspicious. |
| Query URL | Retrieves a report from VirusTotal for the URL you have specified to determine if it is suspicious. |
| VIRUSTOTAL Enrich | Enrich the indicator. |
vSphere Connector
The vSphere connector includes the following actions:
| Name | Description |
|---|---|
| Ingest vSphere Server Event Logs | Retrieves event logs from vSphere and ingests them into FortiAnalyzer. |
When you save a vSphere connector, a new playbook named Ingest vSphere Server Event Logs is automatically added in the backend. This playbook runs on the schedule defined in the Data Ingestion tab. To configure Data Ingestion, see Configuring security fabric connectors. This playbook is not visible in the GUI; however, its logs are available for troubleshooting under Playbook Monitor.
The first time the playbook runs, it pulls all the logs from the vSphere server to FortiAnalyzer. It also creates a new External-SIEM-Events device in Device Manager; the device is automatically authorized, and only one such device is created per ADOM for all of the third-party connectors. The logs pulled from the server can then be seen in Log View > Logs > All alongside other Fabric/SIEM logs; they are parsed by the predefined VMware Log Parser and assigned to the new external SIEM device. In Log Browse, the log files are available from the new device. On subsequent runs, the playbook fetches only the logs that are new since the previous pull and adds them to Log View.
The FortiAnalyzer CLI command `diagnose test application fazwatchd 10` can be used to check the ingestion stats or to manually trigger a playbook:

```
diagnose test application fazwatchd 10
Airflow Diag Usage:
  info               show generic airflow information
  scheduler          show airflow scheduler status
  global-monitor     show global monitor status
  health-check-stat  show health check status
  ingestion-stat     show data ingestion status
  trigger-playbook   execute a playbook
  reset              reset airflow database
  logging-level      set airflow logging level
  reset-log-dir      reset airflow log directory
```