Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Splunk-SOAR for FortiNDR Cloud

    Home FortiNDR Cloud 2024.10.0 Splunk-SOAR for FortiNDR Cloud
    2024.10.0
    2024.10.0

    Viewing Events in Splunk SOAR

    Viewing Events in Splunk SOAR

    You can view events polled from FortiNDR Cloud service on the Home page in the Events widget. This widget shows the number of events that were ingested during the specified time frame in the upper-left corner of the page. Events are grouped by Label, Severity, Sensitivity (confidence) or Status.

    To get the list of events:
    • Click the widget, or
    • Go to Sources > Events.

    The list may be filtered depending on how you opened the list. The filter options are displayed on the left side of the page above the events list. You can modify the filters as needed.

    All the events generated by this integration are prefixed with Fortinet FortiNDR Cloud. You can use this prefix to filter the event list to only show events from this integration. Each of these events, contains an artifact with the detections details.

    The following table shows all the fields contained in the artifact.

    Field Name

    Require on Resolve

    created

    Detection’s creation date and time

    fnc_category

    Detection’s rule category

    fnc_first_seen

    The date and time the detection was first seen

    fnc_last_seen

    The date and time the detection was last seen

    fnc_severity

    Detection’s rule severity

    xfnc_confidence

    Detection’s rule confidence

    fnc_status

    Detection’s status

    fnc_detection_id

    Detection’s id

    fnc_device_ip

    Detection’s affected device IP

    fnc_primary_attack_id

    Rule’s primary attack id

    fnc_secondary_attack_id

    Rule’s secondary attack ID

    fnc_rule_url

    Rule’s url in the FortiNDR Cloud Portal

    fnc_detection

    Detection’s raw json

    Previous
    Next

    Viewing Events in Splunk SOAR

    Viewing Events in Splunk SOAR

    You can view events polled from FortiNDR Cloud service on the Home page in the Events widget. This widget shows the number of events that were ingested during the specified time frame in the upper-left corner of the page. Events are grouped by Label, Severity, Sensitivity (confidence) or Status.

    To get the list of events:
    • Click the widget, or
    • Go to Sources > Events.

    The list may be filtered depending on how you opened the list. The filter options are displayed on the left side of the page above the events list. You can modify the filters as needed.

    All the events generated by this integration are prefixed with Fortinet FortiNDR Cloud. You can use this prefix to filter the event list to only show events from this integration. Each of these events, contains an artifact with the detections details.

    The following table shows all the fields contained in the artifact.

    Field Name

    Require on Resolve

    created

    Detection’s creation date and time

    fnc_category

    Detection’s rule category

    fnc_first_seen

    The date and time the detection was first seen

    fnc_last_seen

    The date and time the detection was last seen

    fnc_severity

    Detection’s rule severity

    xfnc_confidence

    Detection’s rule confidence

    fnc_status

    Detection’s status

    fnc_detection_id

    Detection’s id

    fnc_device_ip

    Detection’s affected device IP

    fnc_primary_attack_id

    Rule’s primary attack id

    fnc_secondary_attack_id

    Rule’s secondary attack ID

    fnc_rule_url

    Rule’s url in the FortiNDR Cloud Portal

    fnc_detection

    Detection’s raw json

    Previous
    Next