
FortiDLP Administration Guide

Integrating using the Event Streaming Service API

To enable a SIEM tool to receive events from FortiDLP’s Event Streaming Service API, the SIEM tool needs to access events from the stream endpoint. For websocket mode, this entails opening a websocket connection, and for long polling mode, this entails executing an HTTP GET request.

Once a successful request is made, event messages will be sent as a response, including the fields detailed in Event message fields.

Authorization

A FortiDLP API access token, generated as part of the steps in Generating an event stream and access token, is required as a bearer token header when a request is made to the API. The API can then authenticate the request and authorize access to event stream data.

Example

In the example below, you would need to replace {API access token} with the value of the API access token.

Authorization: Bearer {API access token}

API endpoint

To retrieve event stream data from the Event Streaming Service, make an API request to the /api/siem endpoint. The endpoint URL is the event stream URL you generated in Generating an event stream and access token: its root is the FortiDLP tenant in which the event stream was created, and its stream_id query parameter carries the unique identifier of the event stream.

Example

The following is an example event stream URL:

https://example.reveal.nextdlp.com/api/siem?stream_id=316fbbdf-af75-475b-677b-f3d78a546879

How to integrate in websocket mode

To continuously stream events to the SIEM tool, follow these steps.

  1. Open a websocket connection, providing:
    1. the authorization information above and
    2. the API endpoint information above.
  2. Decode each event message as JSON.
  3. Call the websocket’s receive() or recv() function so that the SIEM tool can ingest the events.

Note

To stop streaming events, the websocket connection needs to be closed.

FortiDLP will periodically close the websocket connection if it has been active for a long time. If this occurs, reconnecting is required to resume ingestion of the event stream.
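The following is an added example of a websocket-mode consumer that follows the steps above; it is not code from the FortiDLP guide. The websocket connection is injected through a connect() factory so the reconnect logic can be exercised offline against a constructed fake connection (the FakeSocket and FakeConnector classes and SAMPLE_MESSAGES below are constructed test data, not real event messages). The connect_with_websockets() helper assumes the third-party websockets package's synchronous client API (websockets 12 or later) and is an assumption, not something the guide specifies.

```python
"""Websocket-mode consumer for the FortiDLP Event Streaming Service (added example)."""
from __future__ import annotations

import json
from typing import Callable, Iterator, Protocol
from urllib.parse import urlencode


class EventSocket(Protocol):
    """Minimal surface the consumer needs from a websocket connection."""

    def recv(self) -> str | bytes: ...
    def close(self) -> None: ...


class StreamClosed(Exception):
    """Raised by recv() when FortiDLP closes a long-lived connection."""


def stream_url(tenant: str, stream_id: str, scheme: str = "wss") -> str:
    """Build the /api/siem endpoint: the root is the tenant, stream_id selects the stream."""
    host = tenant.rstrip("/").split("://", 1)[-1]
    return f"{scheme}://{host}/api/siem?{urlencode({'stream_id': stream_id})}"


def auth_headers(token: str) -> dict[str, str]:
    """Bearer-token header required on every request to the API."""
    return {"Authorization": f"Bearer {token}"}


def consume(connect: Callable[[], EventSocket], max_reconnects: int = 3) -> Iterator[dict]:
    """Yield decoded events, reopening the websocket when FortiDLP closes it.

    The reconnect counter resets whenever an event arrives, so only consecutive
    closures with no data stop the consumer. Closing the generator (for example
    by breaking out of the for loop) closes the socket, which stops streaming.
    """
    reconnects = 0
    while True:
        sock = connect()
        try:
            while True:
                event = json.loads(sock.recv())  # each message is one JSON event
                reconnects = 0
                yield event
        except StreamClosed:
            reconnects += 1
            if reconnects > max_reconnects:
                return
        finally:
            sock.close()


def connect_with_websockets(url: str, token: str) -> EventSocket:
    """Real connector. ASSUMPTION: the 'websockets' sync client API (v12+); not from the guide."""
    from websockets.exceptions import ConnectionClosed
    from websockets.sync.client import connect

    ws = connect(url, additional_headers=auth_headers(token))

    class _Adapter:
        def recv(self) -> str | bytes:
            try:
                return ws.recv()
            except ConnectionClosed as exc:  # map the library's close signal to ours
                raise StreamClosed(str(exc)) from exc

        def close(self) -> None:
            ws.close()

    return _Adapter()


# Constructed sample messages (not real FortiDLP event payloads).
SAMPLE_MESSAGES = [
    '{"id": 1, "type": "constructed.event"}',
    '{"id": 2, "type": "constructed.event"}',
    '{"id": 3, "type": "constructed.event"}',
]


class FakeSocket:
    """Constructed stand-in: delivers scripted messages, then acts like a server-side close."""

    def __init__(self, messages: list[str]):
        self._messages = list(messages)
        self.closed = False

    def recv(self) -> str:
        if not self._messages:
            raise StreamClosed("server closed the connection")
        return self._messages.pop(0)

    def close(self) -> None:
        self.closed = True


class FakeConnector:
    """Constructed connect() factory: scripted connections first, then empty ones."""

    def __init__(self, scripts: list[list[str]]):
        self._scripts = list(scripts)
        self.sockets: list[FakeSocket] = []

    def __call__(self) -> FakeSocket:
        sock = FakeSocket(self._scripts.pop(0) if self._scripts else [])
        self.sockets.append(sock)
        return sock


def run_offline_demo(max_reconnects: int = 2) -> tuple[list[dict], FakeConnector]:
    """Two scripted connections, then empty closures until the reconnect cap stops us."""
    connector = FakeConnector([SAMPLE_MESSAGES[:2], SAMPLE_MESSAGES[2:]])
    events = list(consume(connector, max_reconnects=max_reconnects))
    return events, connector


if __name__ == "__main__":
    events, connector = run_offline_demo()
    print(f"{len(events)} events over {len(connector.sockets)} connections")
    # Live use (needs the websockets package and a real token):
    # url = stream_url("https://example.reveal.nextdlp.com", "316fbbdf-af75-475b-677b-f3d78a546879")
    # for event in consume(lambda: connect_with_websockets(url, "{API access token}")):
    #     siem.ingest(event)
```

The reconnect cap only counts closures that delivered nothing, so a healthy stream that FortiDLP periodically closes keeps reconnecting indefinitely, while a stream that never yields data (for example, a revoked token that closes the socket immediately) stops after a bounded number of attempts instead of spinning.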

How to integrate in long polling mode

To have the SIEM tool request a batch of events, follow these steps.

Note

The API responds with events after 30 seconds, or earlier if 1000 events have accumulated in the queue.

  1. Create an HTTP GET request, providing:
    1. the authorization information above and
    2. the API endpoint information above.
  2. Do one of the following to specify the format in which event messages are delivered to the SIEM tool:
    1. To receive each event message formatted as line-separated JSON, provide a format query parameter with the value of jsonlines.
      Example

      The following specifies jsonlines as the message format.

      https://example.reveal.nextdlp.com/api/siem?stream_id=316fbbdf-af75-475b-677b-f3d78a546879&format=jsonlines

    2. To receive all events as arrays contained in a single JSON object, provide a format query parameter with the value of json.
      Example

      The following specifies json as the message format.

      https://example.reveal.nextdlp.com/api/siem?stream_id=316fbbdf-af75-475b-677b-f3d78a546879&format=json

  3. Execute the request.

Example

For an example of how to integrate with Microsoft Sentinel, refer to the Next DLP Support Portal article here.
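The following is an added example of a long-polling client that follows the steps above, using only the Python standard library; it is not code from the FortiDLP guide. Because the API holds the request for up to 30 seconds before answering, the client timeout is set above that wait so a quiet stream is not mistaken for a failed request. The guide does not state the key under which the json format nests its event arrays, so parse_batch() flattens every array found in the top-level object; that, along with the FakeOpener class and the SAMPLE_JSONLINES and SAMPLE_JSON bodies, is a constructed assumption for offline testing, not a description of the real response shape.

```python
"""Long-polling consumer for the FortiDLP Event Streaming Service (added example)."""
from __future__ import annotations

import json
import urllib.request
from typing import Any, Callable
from urllib.parse import urlencode

# The API answers after at most 30 s (sooner once 1000 events are queued), so
# the client-side timeout must comfortably exceed that server-side wait.
SERVER_WAIT_SECONDS = 30
CLIENT_TIMEOUT_SECONDS = SERVER_WAIT_SECONDS + 15

FORMATS = ("jsonlines", "json")


def poll_url(tenant: str, stream_id: str, fmt: str = "jsonlines") -> str:
    """Event stream URL plus the format query parameter (jsonlines or json)."""
    if fmt not in FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    query = urlencode({"stream_id": stream_id, "format": fmt})
    return f"{tenant.rstrip('/')}/api/siem?{query}"


def parse_batch(body: str, fmt: str) -> list[dict[str, Any]]:
    """Decode one long-poll response body into a list of event dicts."""
    if fmt == "jsonlines":
        # One JSON document per line; blank lines (e.g. trailing newline) are skipped.
        return [json.loads(line) for line in body.splitlines() if line.strip()]
    if fmt == "json":
        doc = json.loads(body)
        if isinstance(doc, list):  # tolerate a bare array
            return list(doc)
        # ASSUMPTION: the guide does not name the key(s) holding the event
        # arrays, so every array value in the top-level object is flattened.
        events: list[dict[str, Any]] = []
        for value in doc.values():
            if isinstance(value, list):
                events.extend(value)
        return events
    raise ValueError(f"unsupported format: {fmt!r}")


def fetch_batch(
    tenant: str,
    stream_id: str,
    token: str,
    fmt: str = "jsonlines",
    opener: Callable[..., Any] = urllib.request.urlopen,
) -> list[dict[str, Any]]:
    """Execute one GET against /api/siem with the bearer token and decode the batch.

    urlopen raises urllib.error.HTTPError for 4xx/5xx (for example a rejected
    token), so callers should catch that rather than expecting an empty list.
    """
    request = urllib.request.Request(
        poll_url(tenant, stream_id, fmt),
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )
    with opener(request, timeout=CLIENT_TIMEOUT_SECONDS) as response:
        body = response.read().decode("utf-8")
    return parse_batch(body, fmt)


# Constructed sample bodies (not real FortiDLP responses).
SAMPLE_JSONLINES = '{"id": 1, "type": "constructed.event"}\n{"id": 2, "type": "constructed.event"}\n'
SAMPLE_JSON = '{"events": [{"id": 1, "type": "constructed.event"}, {"id": 2, "type": "constructed.event"}]}'


class _FakeResponse:
    def __init__(self, body: str):
        self._body = body.encode("utf-8")

    def read(self) -> bytes:
        return self._body

    def __enter__(self) -> "_FakeResponse":
        return self

    def __exit__(self, *exc: Any) -> bool:
        return False


class FakeOpener:
    """Constructed stand-in for urlopen: records each request, returns a canned body."""

    def __init__(self, body: str):
        self.body = body
        self.requests: list[tuple[urllib.request.Request, float | None]] = []

    def __call__(self, request: urllib.request.Request, timeout: float | None = None) -> _FakeResponse:
        self.requests.append((request, timeout))
        return _FakeResponse(self.body)


def run_offline_demo() -> tuple[list[dict[str, Any]], list[dict[str, Any]], FakeOpener]:
    """Fetch one batch in each format through the fake opener."""
    tenant = "https://example.reveal.nextdlp.com"
    stream_id = "316fbbdf-af75-475b-677b-f3d78a546879"
    jl_opener = FakeOpener(SAMPLE_JSONLINES)
    jsonlines_events = fetch_batch(tenant, stream_id, "constructed-token", "jsonlines", opener=jl_opener)
    json_events = fetch_batch(tenant, stream_id, "constructed-token", "json", opener=FakeOpener(SAMPLE_JSON))
    return jsonlines_events, json_events, jl_opener


if __name__ == "__main__":
    jl, js, _ = run_offline_demo()
    print(f"jsonlines: {len(jl)} events, json: {len(js)} events")
```

To poll continuously, call fetch_batch() in a loop and hand each batch to the SIEM tool; because the server already holds the request for up to 30 seconds, no client-side sleep is needed between calls, and a response with zero events simply means the queue was empty for that window.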
