Fortinet Document Library
Administration Guide

Connectors

Connectors displays the automated actions that can be performed in playbooks using configured FortiSoC connectors.

Local (FortiAnalyzer), FortiOS, FortiMail, FortiGuard, and FortiClient EMS connectors are supported. To view FortiSoC connectors, go to FortiSoC > Automation > Connectors.

FortiOS devices are organized by standalone, Cooperative Security Fabric (CSF), and high availability (HA). Clicking a CSF or HA grouping will expand the list to display all FortiGate members.

The status of each FortiSoC connector is indicated with a colored icon:

  • Green: The API connection is successful.
  • Black: The API connection status is unknown.
  • Red: The API connection is down.

You can see when the status was last updated by hovering your mouse over the status icon. Click the refresh icon to get an updated status.

The following information is displayed for configured connectors:

Local, FortiMail, FortiGuard and EMS connectors:

  • Name: The name of the action.
  • Description: A description of the action.
  • Parameter: The parameters that can be specified when configuring the action. Required parameters are listed with an asterisk.
  • Output: The output available with the action. Not applicable to FortiGuard connectors.

FOS connectors:

  • Automation Rule: The name of the automation rule created on FortiOS.
  • Automation Action: The action(s) that occur when the task is triggered.
  • Parameter: The parameters that can be specified when configuring the action. Required parameters are listed with an asterisk.

Configuring FortiSoC connectors

Local Connector

The local connector is the default connector for FortiAnalyzer and is available automatically. The local connector displays a set of predefined FortiAnalyzer actions to be used within playbooks.

Local connectors include the following actions:

  • Update Asset and Identity: Update FortiAnalyzer's Asset and Identity. Output: N/A
  • Get Events: Get events. Output: events
  • Get Endpoint Vulnerabilities: Get endpoint vulnerabilities. Output: vulnerabilities
  • Create Incident: Create a new incident. Output: incident_id
  • Update Incident: Update an existing incident. Output: N/A
  • Attach Data to Incident: Attach the specified data to an existing incident. Output: attach_ids
  • Run Report: Run the specified FortiAnalyzer report. Output: report_uuid
  • Get EPEU from incidents: Get the EPEU from an incident. Output: epeu

EMS Connector

FortiClient EMS connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors. Individual FortiClient EMS connector actions can be toggled on and off while editing the connector in Fabric View.

FortiClient EMS connectors include the following actions:

  • Get Endpoints: Retrieve the list of endpoints and all related information to enrich FortiAnalyzer asset and identity views. Output: ems_endpoints
  • Quarantine: Quarantines an endpoint. Output: N/A
  • Unquarantine: Unquarantines an endpoint. Output: N/A
  • Vulnerability Scan: Run a vulnerability scan on endpoints. Output: N/A
  • AV Quick Scan: Run a quick antivirus scan on endpoints. Output: N/A
  • AV Full Scan: Run a full antivirus scan on endpoints. Output: N/A
  • Get Software Inventory: Retrieve the list of software and apps installed on an endpoint to enrich the FortiAnalyzer asset view. Output: softwares
  • Get Process List: Retrieve the list of running processes on the endpoint OS. Output: processes
  • Get Vulnerabilities: Retrieve the list of vulnerabilities on the endpoint OS. Output: vulnerabilities
  • Tag Endpoints: Tag endpoints. Output: N/A
  • Untag Endpoints: Untag endpoints. Output: N/A

FortiMail Connector

FortiMail connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors.

Individual FortiMail connector actions can be toggled on and off while editing the connector in Fabric View.

FortiMail connectors include the following actions:

  • Get Email Statistics: Query a given email address. Output: statistics
  • Get Sender Reputation: Query a given sender's reputation information. Output: reputation
  • Add Sender to Blocklist: Update the system and domain level blocklist. Output: N/A

FortiGuard Connector

The FortiGuard connector is automatically configured in FortiSoC when a valid license has been applied to FortiAnalyzer.

FortiGuard connectors include the following actions:

  • Lookup Indicator: Look up indicators in FortiGuard to get threat intelligence.

FortiOS Connector

The FortiOS connector is added after the first FortiGate has been authorized on an ADOM. Additional devices authorized to the ADOM are displayed as separate entries within the same connector. FortiOS connectors are available in FortiGate and Fabric ADOMs.

Enabling FortiOS actions

The actions available with FortiOS connectors are determined by automation rules configured on each FortiGate. Automation rules using the Incoming Webhook trigger must be created in FortiOS before they are shown as actions in FortiSoC. FortiOS automation rules are configured on FortiOS in Security Fabric > Automation. For information on creating FortiOS automation rules, see the FortiOS administration guide.

Rules for FortiOS actions:

  • Automation rules must use the Incoming Webhook trigger.
  • Automation rules are configured on FortiGate devices individually.
  • When multiple FortiOS connectors are configured, FortiAnalyzer decides which device to call based on the devid (serial number) identified in the task. FortiGate serial numbers can be manually entered or supplied by a preceding task.
  • Automation rules must have unique names to be displayed in the task's Action dropdown menu. Rules sharing the same name will appear only once, as they are considered to be the same automation rule configured on multiple FortiGate devices.
  • FortiOS automation rules are only displayed in FortiSoC when they are enabled in FortiOS.
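The rules above can be modelled directly: the Action dropdown lists only enabled Incoming Webhook rules, each name once across all FortiGates, and the task is routed to the FortiGate whose devid (serial number) was entered manually or supplied by a preceding task. The following is an added illustration written for this page, not FortiAnalyzer code; the inventory, serial numbers, rule names and the 'devid' key on the previous task's output are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FosRule:
    """One automation rule as FortiSoC would see it on a single FortiGate."""
    devid: str      # FortiGate serial number
    name: str       # automation rule name configured in Security Fabric > Automation
    trigger: str    # trigger type; only "incoming-webhook" rules become FortiSoC actions
    enabled: bool   # disabled rules are not displayed in FortiSoC


# Constructed sample inventory: three FortiGates authorized in one ADOM (not real devices).
INVENTORY = [
    FosRule("FG-SN-A", "Quarantine Host", "incoming-webhook", True),
    FosRule("FG-SN-B", "Quarantine Host", "incoming-webhook", True),   # same name as on FG-SN-A
    FosRule("FG-SN-B", "Block IP", "incoming-webhook", False),          # disabled on this device
    FosRule("FG-SN-C", "Block IP", "incoming-webhook", True),
    FosRule("FG-SN-C", "Reboot", "event-log", True),                    # wrong trigger type
]


def available_actions(rules):
    """Names offered in the task's Action dropdown: enabled Incoming Webhook rules only,
    and each name once even if several FortiGates define it, since FortiSoC treats
    same-named rules as one rule configured on multiple devices."""
    names = []
    for r in rules:
        if r.trigger == "incoming-webhook" and r.enabled and r.name not in names:
            names.append(r.name)
    return names


def resolve_target(rules, action, devid=None, previous_output=None):
    """Pick the FortiGate to call for a task. The devid is either entered manually or
    read from a preceding task's output (assumed here to carry a 'devid' key).
    Returns the serial number; raises if that device has no matching enabled rule."""
    serial = devid or (previous_output or {}).get("devid")
    if not serial:
        raise ValueError("task needs a devid: enter it manually or take it from a prior task")
    for r in rules:
        if (r.devid == serial and r.name == action
                and r.enabled and r.trigger == "incoming-webhook"):
            return serial
    raise LookupError(f"{action!r} is not an enabled Incoming Webhook rule on {serial}")
```

Note that "Block IP" appears in the dropdown because it is enabled on FG-SN-C, yet routing it to FG-SN-B fails, so a playbook must check which device actually carries the rule it intends to call.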