Administration Guide

Connectors

Connectors displays the automated actions that can be performed in playbooks using configured FortiSoC connectors.

Local (FortiAnalyzer), FortiOS, FortiMail, FortiGuard, and FortiClient EMS connectors are supported. To view FortiSoC connectors, go to FortiSoC > Automation > Connectors.

The following information is displayed for configured connectors:

Local, FortiMail, FortiGuard and EMS connectors
  Name: The name of the action.
  Description: A description of the action.
  Parameter: The parameters that can be specified when configuring the action. Required parameters are listed with an asterisk.
  Output: The output available with the action. Not applicable to FortiGuard connectors.

FOS connectors
  Automation Rule: The name of the automation rule created on FortiOS.
  Automation Action: The action(s) that occur when the task is triggered.
  Parameter: The parameters that can be specified when configuring the action. Required parameters are listed with an asterisk.

Configuring FortiSoC connectors

Local Connector

The local connector is the default connector for FortiAnalyzer and is available automatically. It displays a set of predefined FortiAnalyzer actions for use within playbooks.

The local connector includes the following actions:

  • Update Asset and Identity: Update FortiAnalyzer's Asset and Identity data.
  • Get Events: Get events.
  • Get Endpoint Vulnerabilities: Get endpoint vulnerabilities.
  • Create Incident: Create a new incident.
  • Update Incident: Update an existing incident.
  • Attach Data to Incident: Attach the specified data to an existing incident.
  • Run Report: Run the specified FortiAnalyzer report.

EMS Connector

FortiClient EMS connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors. Individual FortiClient EMS connector actions can be toggled on and off while editing the connector in Fabric View.

FortiClient EMS connectors include the following actions:

  • Get Endpoints: Retrieve the list of endpoints and all related information to enrich the FortiAnalyzer asset and identity views.
  • Quarantine: Quarantine an endpoint.
  • Unquarantine: Unquarantine an endpoint.
  • Vulnerability Scan: Run a vulnerability scan on endpoints.
  • AV Quick Scan: Run a quick antivirus scan on endpoints.
  • AV Full Scan: Run a full antivirus scan on endpoints.
  • Get Software Inventory: Retrieve the list of software and apps installed on an endpoint to enrich the FortiAnalyzer asset view.
  • Get Process List: Retrieve the list of processes running on the endpoint OS.
  • Get Vulnerabilities: Retrieve the list of vulnerabilities detected on the endpoint OS.

FortiMail Connector

FortiMail connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors.

Individual FortiMail connector actions can be toggled on and off while editing the connector in Fabric View.

FortiMail connectors include the following actions:

  • Get Email Statistics: Query statistics for a given email address.
  • Get Sender Reputation: Query a given sender's reputation information.
  • Add Sender to Blocklist: Add the sender to the system-level and domain-level blocklists.

FortiGuard Connector

The FortiGuard connector is configured automatically in FortiSoC once a valid license has been applied to FortiAnalyzer.

The FortiGuard connector includes the following actions:

  • Get IOC Info: Get indicator of compromise (IOC) information from FortiGuard.
  • Get Threat Info: Get threat information from FortiGuard.

FortiOS Connector

The FortiOS connector is added after the first FortiGate has been authorized on an ADOM. Additional devices authorized to the ADOM are displayed as separate entries within the same connector. FortiOS connectors are available in FortiGate and Fabric ADOMs.

Enabling FortiOS actions

The actions available through the FortiOS connector are determined by the automation rules configured on each FortiGate. An automation rule must use the Incoming Webhook trigger before it is shown as an action in FortiSoC. Automation rules are configured in FortiOS under Security Fabric > Automation; for details on creating them, see the FortiOS administration guide.

Rules for FortiOS actions:

  • Automation rules must use the Incoming Webhook trigger.
  • Automation rules are configured on FortiGate devices individually.
  • When multiple FortiOS connectors are configured, FortiAnalyzer decides which device to call based on the devid (serial number) identified in the task. FortiGate serial numbers can be manually entered or supplied by a preceding task.
  • Automation rules must have unique names to be displayed in the task's Action dropdown menu. Rules sharing the same name will appear only once, as they are considered to be the same automation rule configured on multiple FortiGate devices.
  • FortiOS automation rules are only displayed in FortiSoC when they are enabled in FortiOS.
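The rules above are easy to get wrong in practice (a rule that fires on the wrong FortiGate, or a rule that silently vanishes from the Action dropdown). The following Python is an added example, not FortiAnalyzer or FortiOS code: it models the connector, rule and task data as simple objects, and applies the page's rules to build the Action dropdown and to pick the target device from a devid. The data shapes, the trigger names ("incoming-webhook", "schedule"), the assumption that a preceding task's output carries a "devid" key, and the sample serial numbers are all constructed for illustration.

```python
"""Model of how FortiSoC turns FortiOS automation rules into playbook actions
and routes a FortiOS task to one FortiGate by devid (serial number).

Added example: this is not FortiAnalyzer or FortiOS code. Data structures,
trigger names and the sample serial numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutomationRule:
    """An automation rule as configured on a single FortiGate (assumed shape)."""
    name: str
    trigger: str            # assumed values: "incoming-webhook", "schedule", "event-log"
    actions: tuple          # action names run when the rule fires
    enabled: bool = True


@dataclass
class FortiOSConnector:
    """One entry of the FortiOS connector: a FortiGate authorized on the ADOM."""
    devid: str              # FortiGate serial number
    rules: list


def available_actions(connectors):
    """Build the set of actions offered in a FortiOS task's Action dropdown.

    Encodes the rules from the text: only enabled rules that use the
    Incoming Webhook trigger are exposed, and rules sharing a name collapse
    into one entry because they are treated as the same rule configured on
    several FortiGates. Returns {rule_name: sorted devids offering it}.
    """
    offers = {}
    for conn in connectors:
        for rule in conn.rules:
            if rule.trigger != "incoming-webhook" or not rule.enabled:
                continue
            offers.setdefault(rule.name, set()).add(conn.devid)
    return {name: sorted(devids) for name, devids in offers.items()}


def resolve_target(connectors, action_name, devid=None, previous_output=None):
    """Decide which FortiGate a task calls.

    devid is either entered manually on the task or taken from a preceding
    task's output (assumed here to carry a "devid" key). Fails closed with
    ValueError instead of picking an arbitrary device.
    """
    target = devid or (previous_output or {}).get("devid")
    if not target:
        raise ValueError("no devid: enter a serial number or feed one from a preceding task")
    offered_by = available_actions(connectors).get(action_name, [])
    if target not in offered_by:
        raise ValueError(
            f"{target!r} has no enabled Incoming Webhook rule named {action_name!r}"
        )
    return target


# Constructed sample: two FortiGates authorized on the same ADOM.
SAMPLE_CONNECTORS = [
    FortiOSConnector("FGT-SAMPLE-0001", [
        AutomationRule("faz-quarantine-ip", "incoming-webhook", ("quarantine-ip",)),
        AutomationRule("faz-block-domain", "incoming-webhook", ("cli-script",)),
        AutomationRule("nightly-backup", "schedule", ("backup-config",)),  # not a webhook: hidden
    ]),
    FortiOSConnector("FGT-SAMPLE-0002", [
        AutomationRule("faz-quarantine-ip", "incoming-webhook", ("quarantine-ip",)),  # same name: one entry
        AutomationRule("faz-run-cli", "incoming-webhook", ("cli-script",), enabled=False),  # disabled: hidden
    ]),
]


if __name__ == "__main__":
    for name, devids in available_actions(SAMPLE_CONNECTORS).items():
        print(f"{name}: offered by {', '.join(devids)}")
    # devid supplied by a preceding task (for example, the device that raised the event).
    print(resolve_target(SAMPLE_CONNECTORS, "faz-quarantine-ip",
                         previous_output={"devid": "FGT-SAMPLE-0002"}))
    # A rule that exists only on one FortiGate, and a task with no devid at all.
    for bad in ({"devid": "FGT-SAMPLE-0002"}, None):
        try:
            resolve_target(SAMPLE_CONNECTORS, "faz-block-domain", previous_output=bad)
        except ValueError as err:
            print("refused:", err)
```

The point of failing closed in resolve_target is that a containment action such as quarantine must never land on a FortiGate other than the one the preceding task identified; when the rule name in the dropdown is shared by several devices, the devid is the only thing that disambiguates them.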
