2024.10.0

FortiNDR Cloud App supported actions

This integration supports the following actions:

test connectivity

Validate the asset configuration for connectivity using supplied configuration.

This is a special action used by Splunk SOAR to check the asset health.

on poll

Retrieve latest Detections from the FortiNDR Cloud Service.

This is a special action used by Splunk SOAR to ingest events from the FortiNDR Cloud service.

create detection rule

Create a new detection rule.

get detection events

Get a list of the events associated with a specific detection.

get rule events

Get a list of the events that match a specific rule.

resolve detection

Resolve a specific detection.

get detection rules

Get a list of detection rules.

get detections

Get information about the detections.

get entity file

Get information about a file.

get entity dhcp

Get DHCP information about an IP address.

get entity pdns

Get passive DNS information about an IP or domain.

get entity summary

Get summary information about an IP or domain.

get telemetry network

Get network telemetry data grouped by time.

get telemetry packetstats

Get packetstats telemetry data grouped by time.

get telemetry events

Get event telemetry data grouped by time.

create task

Create a new PCAP task.

get tasks

Get a list of all the PCAP tasks.

get devices

Get a list of all devices.

get sensors

Get a list of all sensors.

test connectivity

This action is used by Splunk SOAR to validate the health of the asset configuration by checking its connectivity using the supplied configuration.

Type

Test

Read only

True

Action Parameters

No parameters are required for this action

Action Output

No Output

on poll

This action is used by Splunk SOAR to retrieve the latest Detections from the FortiNDR Cloud service and add them to Splunk SOAR as new containers. It is called by Splunk SOAR at the scheduled interval and uses the arguments specified in the asset settings to filter the Detections to be ingested. Detections are searched for in the window between the last poll and the current time minus the polling delay (10 minutes by default). This lag is required to allow time for detections to be processed by the FortiNDR Cloud service backend. The recommended collection interval is 300 seconds (5 minutes).

The first time it is called, the action reads the First Poll argument and goes back the specified amount of time, ingesting detections created after that point. A checkpoint holding the searched interval is then saved, so that subsequent polls neither duplicate nor miss detections.

Type

Ingest

Read only

True

Action Parameters

These parameters are provided during the Asset Configuration in the Asset Settings tab.

Parameter

Required

Description

Type

first_poll

required

First Poll (<number> <time unit>, e.g., 12 hours, 7 days).

string

polling_delay

optional

Polling delay in minutes. This is required to allow time for the detections to be added before polling them. (default: 10 minutes)

numeric

muted

optional

Set to true to include muted detections. Defaults to false.

boolean

muted_rule

optional

Set to true to include muted rules. Defaults to false.

boolean

muted_device

optional

Set to true to include muted devices. Defaults to false.

boolean

account_uuid

optional

Account UUID to filter retrieved detections

string

Action Output

No output
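The window arithmetic described above (a checkpoint that advances with each poll, a first-run lookback taken from first_poll, and an end time held back by polling_delay) is easy to get subtly wrong. The following is an added Python example written for this page; it is not code from the FortiNDR Cloud app itself. The detection records and timestamps are constructed, and the assumption that the window is half-open ([start, end), with end becoming the next checkpoint) is the author's choice for avoiding both duplicates and gaps at the boundary.

```python
"""Checkpointed poll-window bookkeeping in the style of the on poll action."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

UTC = timezone.utc

# Accepted units for the first_poll setting ("<number> <time unit>").
_UNITS = {
    "minute": timedelta(minutes=1), "minutes": timedelta(minutes=1),
    "hour": timedelta(hours=1),     "hours": timedelta(hours=1),
    "day": timedelta(days=1),       "days": timedelta(days=1),
    "week": timedelta(weeks=1),     "weeks": timedelta(weeks=1),
}


def parse_first_poll(value: str) -> timedelta:
    """Parse a first_poll string such as '12 hours' or '7 days'."""
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", value)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unsupported first_poll value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


@dataclass(frozen=True)
class Window:
    start: datetime  # inclusive
    end: datetime    # exclusive; saved as the next checkpoint


def poll_window(now: datetime, checkpoint: Optional[datetime],
                first_poll: str, polling_delay_minutes: int = 10) -> Optional[Window]:
    """Compute the search window for one poll.

    The window ends polling_delay_minutes before 'now' so detections the
    backend is still processing are picked up by a later poll rather than
    skipped. On the first run (no checkpoint) the window reaches back by
    first_poll; afterwards it starts at the saved checkpoint.
    """
    end = now - timedelta(minutes=polling_delay_minutes)
    start = checkpoint if checkpoint is not None else end - parse_first_poll(first_poll)
    if start >= end:
        return None  # nothing can be in range yet; keep the existing checkpoint
    return Window(start, end)


def select_detections(detections: Iterable[dict], window: Window) -> list[dict]:
    """Keep detections whose 'created' timestamp falls in [start, end)."""
    out = []
    for d in detections:
        created = datetime.fromisoformat(d["created"].replace("Z", "+00:00"))
        if window.start <= created < window.end:
            out.append(d)
    return out


# Constructed sample detections (not real data) spanning two poll cycles.
SAMPLE_DETECTIONS = [
    {"uuid": "d-1", "created": "2024-01-01T11:40:00.000Z"},
    {"uuid": "d-2", "created": "2024-01-01T11:52:00.000Z"},
    {"uuid": "d-3", "created": "2024-01-01T11:58:00.000Z"},  # still inside the delay lag
]


def run_two_polls() -> tuple[list[str], list[str]]:
    """Simulate two consecutive polls five minutes apart and return what each ingests."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    w1 = poll_window(now, None, "12 hours")            # first run: 12 h lookback
    first = [d["uuid"] for d in select_detections(SAMPLE_DETECTIONS, w1)]
    checkpoint = w1.end                                 # persist only after a successful poll
    w2 = poll_window(now + timedelta(minutes=5), checkpoint, "12 hours")
    second = [d["uuid"] for d in select_detections(SAMPLE_DETECTIONS, w2)]
    return first, second
```

With a 10-minute delay, the first poll at 12:00 searches up to 11:50 and ingests only d-1; the second poll at 12:05 searches [11:50, 11:55) and ingests d-2, while d-3 waits for a later poll. Persisting the checkpoint only after the poll succeeds is what prevents a failed run from leaving a gap.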

create detection rule

This action is used to communicate with the FortiNDR Cloud service to create a new detection rule.

Type

Generic

Read only

False

Action Parameters

Parameter

Required

Description

Type

name

required

The name of the rule.

string

category

required

The category of the rule.

string

severity

required

The severity of the rule.

string

confidence

required

The confidence of the rule.

string

description

optional

A description for the rule.

string

specificity

optional

Specificity

string

account_uuid

required

Account where the rule will be created.

string

query_signature

required

The IQL query for the rule.

string

device_ip_fields

optional

Comma-separated list of event fields to check for impacted devices. 'DEFAULT' is used if not provided.

string

indicator_fields

optional

Comma-separated list of the indicator's fields.

string

primary_attack_id

optional

Primary Attack ID

string

run_account_uuids

required

Account UUIDs on which this rule will run. This will usually be just your own account UUID.

Separate multiple accounts with a comma.

string

secondary_attack_id

optional

Secondary Attack ID

string

auto_resolution_minutes

required

The number of minutes after which detections will be auto-resolved.

If 0 then detections have to be manually resolved.

numeric

Action Output

Data Path’s prefix: action_result.data.*.rule

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "CreateDetectionRule" }

action_result.message

string

CreateDetectionRule request was successfully completed.

action_result.parameter

string

<prefix>.uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.account_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.shared_account_uuids

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.run_account_uuids

string

["55f39b72-2622-4137-9051-bc2ff364f059"]

<prefix>.name

string

AR T1595

<prefix>.category

string

Attack:Infection Vector

<prefix>.query_signature

string

ip IN ('1.1.1.1','2.2.2.2') AND event_type = 'dns'

<prefix>.description

string

<prefix>.severity

string

high, moderate or low

<prefix>.confidence

string

high, moderate or low

<prefix>.auto_resolution_minutes

numeric

10080

<prefix>.enabled

boolean

True | False

<prefix>.created_user_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.created

string

2019-01-30T00:00:00.000Z

<prefix>.updated_user_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.updated

string

2019-01-30T00:00:00.000Z

<prefix>.critical_updated

string

2019-01-30T00:00:00.000Z

<prefix>.primary_attack_id

string

<prefix>.secondary_attack_id

string

<prefix>.specificity

string

<prefix>.rule_accounts

string

<prefix>.device_ip_fields

string

DEFAULT

<prefix>.indicator_fields

string

Src.ip

<prefix>.source_excludes

string

Zscaler

get detection events

This action is used to communicate with the FortiNDR Cloud service to get a list of the events related to a specific detection.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 10000

numeric

offset

optional

The number of records to skip past.

numeric

detection_uuid

required

Detection UUID to get events for.

string

Action Output

Data Path’s prefix: action_result.data.*.detection_events.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetDetectionEvents" }

action_result.message

string

GetDetectionEvents request was successfully completed.

action_result.parameter

string

<prefix>.src_ip

string

8.8.8.8

<prefix>.dst_ip

string

9.9.9.9

<prefix>.src_port

numeric

53

<prefix>.dst_port

numeric

32

<prefix>.host_domain

string

<prefix>.flow_id

string

Cpv6xc2a3gA6fA8WE

<prefix>.event_type

string

dns

<prefix>.sensor_id

string

sen1

<prefix>.timestamp

string

2019-01-30T00:00:00.000Z

<prefix>.customer_id

string

gig

<prefix>.uuid

string

a7015381-0484-11ee-a43f-067ff9e63f5b

<prefix>.detection_uuid

string

a7015381-0484-11ee-a43f-067ff9e63f5b

<prefix>.rule_uuid

string

a7015381-0484-11ee-a43f-067ff9e63f5b

get rule events

This action is used to communicate with the FortiNDR Cloud service to get a list of the events that match a specific rule.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

offset

optional

The number of records to skip past.

numeric

rule_uuid

required

Rule UUID to get events for.

string

account_uuid

optional

Account uuid to filter by.

string

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 1000

numeric

Action Output

Data Path’s prefix: action_result.data.*.rule_events.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetRuleEvents" }

action_result.message

string

GetRuleEvents request was successfully completed.

action_result.parameter

string

<prefix>.src_ip

string

8.8.8.8

<prefix>.dst_ip

string

9.9.9.9

<prefix>.src_port

numeric

53

<prefix>.dst_port

numeric

32

<prefix>.host_domain

string

<prefix>.flow_id

string

Cpv6xc2a3gA6fA8WE

<prefix>.event_type

string

dns

<prefix>.sensor_id

string

sen1

<prefix>.timestamp

string

2019-01-30T00:00:00.000Z

<prefix>.customer_id

string

gig

<prefix>.uuid

string

a7015381-0484-11ee-a43f-067ff9e63f5b

resolve detection

This action is used to communicate with the FortiNDR Cloud service to resolve a specific detection.

Type

Generic

Read only

False

Action Parameters

Parameter

Required

Description

Type

resolution

required

Resolution state. Options:

  • true_positive_mitigated
  • true_positive_no_action
  • false_positive
  • unknown

string

detection_uuid

required

Detection UUID to resolve.

string

resolution_comment

optional

Optional comment for the resolution.

string

Action Output

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "ResolveDetection" }

action_result.message

string

ResolveDetection request was successfully completed.

action_result.data

string

action_result.parameter

string

get detection rules

This action is used to communicate with the FortiNDR Cloud service to get a list of rules.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 1000

numeric

offset

optional

The number of records to skip past.

numeric

search

optional

Filter name or category.

string

enabled

optional

Enabled rules only

boolean

sort_by

optional

The field to sort by: created, updated, detections, severity, confidence, category, last_seen, detections_muted.

Default is updated.

string

category

optional

Category to filter by.

string

severity

optional

Filter by severity: high, moderate, low.

string

confidence

optional

Filter by confidence: high, moderate, low.

string

sort_order

optional

Sort direction (asc or desc).

string

account_uuid

optional

For those with access to multiple accounts, specify a single account to return results from.

string

has_detections

optional

Include rules that have unmuted, unresolved detections.

boolean

rule_account_muted

optional

Include muted rules: true / false.

boolean

Action Output

Data Path’s prefix: action_result.data.*.rules.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetDetectionRules" }

action_result.message

string

GetDetectionRules request was successfully completed.

action_result.parameter

string

<prefix>.enabled

boolean

True | False

<prefix>.updated_user_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.rule_accounts

string

<prefix>.auto_resolution_minutes

numeric

10080

<prefix>.created

string

2019-01-30T00:00:00.000Z

<prefix>.account_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.confidence

string

high, moderate or low

<prefix>.name

string

AR T1595

<prefix>.created_user_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.query_signature

string

ip IN ('1.1.1.1','2.2.2.2') AND event_type = 'dns'

<prefix>.shared_account_uuids

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.run_account_uuids

string

["55f39b72-2622-4137-9051-bc2ff364f059"]

<prefix>.updated

string

2019-01-30T00:00:00.000Z

<prefix>.uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.description

string

<prefix>.severity

string

high, moderate or low

<prefix>.category

string

Attack:Infection Vector

get detections

This action is used to communicate with the FortiNDR Cloud service to get information about the detections.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 1000

numeric

muted

optional

List detections that a user muted: true / false.

boolean

offset

optional

The number of records to skip past.

numeric

status

optional

Filter by detection status: active, resolved.

string

include

optional

Include additional information in the response. For example, rules,indicators adds the rules and the indicators to the response.

Comma-separated lists are supported.

string

sort_by

optional

Field to sort by: first_seen, last_seen, status, device_ip, indicator_count.

string

device_ip

optional

Device IP to filter by.

string

rule_uuid

optional

Filter to a specific rule.

string

sensor_id

optional

Sensor ID to filter by.

string

muted_rule

optional

List detections for muted rules.

boolean

sort_order

optional

Sort direction (asc or desc).

string

account_uuid

optional

For those with access to multiple accounts, specify a single account to return results from.

string

muted_device

optional

List detections for muted devices: true / false.

boolean

active_end_date

optional

Active end date to filter by (exclusive).

string

created_end_date

optional

Created end date to filter by (exclusive).

string

active_start_date

optional

Active start date to filter by (inclusive).

string

created_start_date

optional

Created start date to filter by (inclusive).

string

created_or_shared_end_date

optional

Created or shared end date to filter by (exclusive).

string

created_or_shared_start_date

optional

Created or shared start date to filter by (inclusive).

string

Action Output

Data Path’s prefix: action_result.data.*.detections

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetDetections" }

action_result.message

string

GetDetections request was successfully completed.

action_result.parameter

string

<prefix>.muted_rule

boolean

true or false

<prefix>.created

string

2019-01-30T00:00:00.000Z

<prefix>.account_uuid

string

1e5dbd92-9dca-4f36-bec5-c292172cbeaa

<prefix>.resolution_timestamp

string

2019-01-30T00:00:00.000Z

<prefix>.first_seen

string

2019-01-30T00:00:00.000Z

<prefix>.last_seen

string

2019-01-30T00:00:00.000Z

<prefix>.muted

boolean

true or false

<prefix>.resolution

string

auto_resolved

<prefix>.muted_user_uuid

string

d025f073-c01e-4ee9-a89b-72f972a75a16

<prefix>.resolution_user_uuid

string

b92cd6e0-dd24-4bee-838a-d0dfbeda621a

<prefix>.status

string

active or resolved

<prefix>.resolution_comment

string

<prefix>.muted_comment

string

<prefix>.sensor_id

string

sen1

<prefix>.rule_uuid

string

58c2e22d-8b64-43ac-89a2-6c82ce66935e

<prefix>.uuid

string

cf576032-2f42-4b3e-90be-3c51e5128b03

<prefix>.muted_device_uuid

string

55f39b72-2622-4137-9051-bc2ff364f059

<prefix>.updated

string

2019-01-30T00:00:00.000Z

<prefix>.device_ip

string

10.70.43.58
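The list actions above (get detection rules, get detections, get rule events, get entity pdns) all page with limit and offset and cap limit at 1000, so a playbook that needs "everything" has to walk the offsets itself. The following is an added Python example, not code from the FortiNDR Cloud app: the page-fetching function is a constructed stand-in that slices an in-memory list the way a server would, and the de-duplication by uuid is the author's guard against rows that shift between pages while the walk is in progress.

```python
"""Offset pagination helper for limit/offset list actions (added example)."""
from __future__ import annotations

from typing import Callable, Iterator

MAX_LIMIT = 1000  # documented maximum for 'limit' on the list actions


def iterate_pages(fetch_page: Callable[[int, int], list[dict]],
                  limit: int = MAX_LIMIT) -> Iterator[dict]:
    """Yield every record, advancing 'offset' until a short page signals the end.

    fetch_page(limit, offset) must return at most 'limit' records starting at
    'offset'. The requested limit is clamped to the documented maximum, and
    records are de-duplicated by uuid because offset paging can repeat a row
    if the underlying list changes between requests.
    """
    limit = max(1, min(limit, MAX_LIMIT))
    offset = 0
    seen: set[str] = set()
    while True:
        page = fetch_page(limit, offset)
        for rec in page:
            if rec["uuid"] not in seen:
                seen.add(rec["uuid"])
                yield rec
        if len(page) < limit:      # a short (or empty) page means there is nothing further
            return
        offset += len(page)


# Constructed stand-in for the service: 2500 fake rule records served by offset.
_FAKE_RULES = [{"uuid": f"rule-{i:04d}", "enabled": i % 3 != 0} for i in range(2500)]
CALLS: list[tuple[int, int]] = []   # records each (limit, offset) the walker asked for


def fake_get_detection_rules(limit: int, offset: int) -> list[dict]:
    """Hypothetical page fetcher standing in for the get detection rules action."""
    CALLS.append((limit, offset))
    return _FAKE_RULES[offset:offset + limit]


def collect_enabled_rules() -> list[str]:
    """Walk all pages (asking for an over-large limit on purpose) and keep enabled rules."""
    CALLS.clear()
    return [r["uuid"] for r in iterate_pages(fake_get_detection_rules, limit=5000)
            if r["enabled"]]
```

Asking for limit=5000 is clamped to 1000, so 2500 records come back in three requests (offsets 0, 1000 and 2000), and the final 500-row page ends the walk without a fourth, empty request.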

get entity file

This action is used to communicate with the FortiNDR Cloud service to get information about a file.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

hash

required

File hash. Can be an MD5, SHA1, or SHA256 hash of the file.

string

Action Output

Data Path’s prefix: action_result.data.*.entity_file

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetEntityFile" }

action_result.message

string

GetEntityFile request was successfully completed.

action_result.parameter

string

<prefix>.entity

string

75ce20257379b1d8bd88f7bfb01c6a6e3a32221212c623fbf10de61e8c379ff8

<prefix>.sha1

string

8965f4209f82bb13e15172bdf672912eebc2132d

<prefix>.sha256

string

75ce20257379b1d8bd88f7bfb01c6a6e3a32221212c623fbf10de61e8c379ff8

<prefix>.md5

string

95fcad6ceaefd749aa23fc5476863bb4

<prefix>.customer_id

string

gig

<prefix>.names

string

["TIAgentSetup.exe"]

<prefix>.mime_type

string

["application/x-dosexec"]

<prefix>.first_seen

string

2019-01-30T00:00:00.000Z

<prefix>.last_seen

string

2019-01-30T00:00:00.000Z

<prefix>.bytes

numeric

0

<prefix>.pe

string

<prefix>.prevalence_count_internal

numeric

0

get entity dhcp

This action is used to communicate with the FortiNDR Cloud service to get DHCP information about an IP address.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

entity

required

IP to get DHCP data for.

string

end_date

optional

Exclude results after this date. Day granularity, inclusive.

string

start_date

optional

Exclude results before this date. Day granularity, inclusive.

string

account_uuid

optional

Limit results to the specified account UUID(s). Defaults to all accounts for which the user has permission.

Comma-separated lists are supported.

string

Action Output

Data Path’s prefix: action_result.data.*.entity_dhcp.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetEntityDHCP" }

action_result.message

string

GetEntityDHCP request was successfully completed.

action_result.parameter

string

<prefix>.customer_id

string

gig

<prefix>.hostnames

string

Somebody-iPhone

<prefix>.ip

string

8.8.8.8

<prefix>.lease_start

string

2019-01-30T00:00:00.000Z

<prefix>.lease_end

string

2019-01-30T00:00:00.000Z

<prefix>.mac

string

e3:84:2f:8e:50:e4

<prefix>.sensor_id

string

sen1

<prefix>.start_lease_as_long

numeric

1618939557975

get entity pdns

This action is used to communicate with the FortiNDR Cloud service to get passive DNS information about an IP or domain.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 1000

numeric

entity

required

IP or Domain to get passive DNS data for.

string

source

optional

Limit the results to the specified data source(s).

Note:

  • Not all Sources populate all fields.
  • Supported sources are: ICEBRG_DNS.
  • Case insensitive.
  • Comma-separated lists are supported.

string

end_date

optional

Exclude results after this date. Day granularity, inclusive.

string

start_date

optional

Exclude results before this date. Day granularity, inclusive.

string

record_type

optional

Limit results to the specified DNS query type(s).

  • Supported types are: A, AAAA, CNAME, MX, NS.
  • Case insensitive.
  • Comma-separated lists are supported.

string

account_uuid

optional

Limit results to the specified account UUID(s). Defaults to all accounts for which the user has permission.

Comma-separated lists are supported.

string

resolve_external

optional

When true, the service will query non-ICEBRG data sources. false by default.

boolean

Action Output

Data Path’s prefix: action_result.data.*.entity_pdns.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "endpoint": "https://entity-uat.icebrg.io/v1/entity/{entity}/pdns", "request": "GetEntityPDNS" }

action_result.message

string

GetEntityPDNS request was successfully completed.

<prefix>.account_uuid

string

dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8

<prefix>.first_seen

string

2019-01-30T00:00:00.000Z

<prefix>.last_seen

string

2019-01-30T00:00:00.000Z

<prefix>.record_type

string

a

<prefix>.resolved

string

8.8.8.8

<prefix>.sensor_id

string

sen1

<prefix>.source

string

icebrg_dns

<prefix>.customer_id

string

cust

get entity summary

This action is used to communicate with the FortiNDR Cloud service to get summary information about an IP or domain.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

entity

required

Entity name to retrieve summary information for.

string

entity_type

optional

Type of the entity we are searching. Allowed values are: ip, domain or file.

string

account_uuid

optional

Account uuid to filter by. If absent, all the caller's allowed accounts will be queried.

string

Action Output

Data Path’s prefix: action_result.data.*.entity_summary

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetEntitySummary" }

action_result.message

string

GetEntitySummary request was successfully completed.

action_result.parameter

string

<prefix>.entity

string

8.8.8.8

<prefix>.first_seen

string

2019-01-30T00:00:00.000Z

<prefix>.last_seen

string

2019-01-30T00:00:00.000Z

<prefix>.prevalence_count_internal

numeric

8

<prefix>.tags.*.text

string

external

<prefix>.tags.*.account_code

string

act

<prefix>.tags.*.user_id

string

dc9ab97f-9cdf-46af-8ca2-e71e8e8243c8

<prefix>.tags.*.create_date

string

2019-01-30T00:00:00.000Z

<prefix>.tags.*.entity

string

8.8.8.8

<prefix>.tags.*.public

boolean

True | False

get telemetry network

This action is used to communicate with the FortiNDR Cloud service to get network telemetry data grouped by time.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

limit

optional

The number of records to return.

  • Default: 100
  • Maximum: 1000

numeric

offset

optional

The number of records to skip past.

Default is 0.

numeric

end_date

optional

End date to filter by.

string

interval

optional

The interval to filter by (day, month_to_day).

string

sort_order

optional

Sorts by account code first, then timestamp. asc or desc. The default is desc.

string

start_date

optional

Start date to filter by.

string

account_code

optional

Account code to filter by.

string

latest_each_month

optional

Filters out all but the latest day and month_to_date for each month.

boolean

Action Output

Data Path’s prefix: action_result.data.*.network_usage.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetTelemetryNetwork" }

action_result.message

string

GetTelemetryNetwork request was successfully completed.

action_result.parameter

string

<prefix>.account_code

string

gig

<prefix>.percentile_bps

numeric

6050493542

<prefix>.percentile

numeric

95

<prefix>.interval

string

day

<prefix>.timestamp

string

2019-01-30T00:00:00.000Z

get telemetry packetstats

This action is used to communicate with the FortiNDR Cloud service to get packetstats telemetry data grouped by time.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

end_date

optional

End date/time to query for. The default is the current time.

string

group_by

optional

Optionally group results by: sensor_id, event_type.

string

interval

optional

Interval to group by: hour (default) or day.

string

sensor_id

optional

Sensor id to filter by.

string

event_type

optional

The type of event. Limited to flow, dns, http, ssl, and x509.

string

start_date

optional

Start date/time to query for. The default is 1 day ago for interval=hour or 30 days ago for interval=day.

string

account_code

optional

Account code to filter by.

string

Action Output

Data Path’s prefix: action_result.data.*.packetstats.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetTelemetryPacketStats" }

action_result.message

string

GetTelemetryPacketStats request was successfully completed.

action_result.parameter

string

<prefix>.account_code

string

gig

<prefix>.timestamp

string

2019-01-30T00:00:00.000Z

<prefix>.interface_name

string

<prefix>.rx_bits_per_second

numeric

168359035095

<prefix>.rx_bytes

numeric

1044065401242303200

<prefix>.rx_errors

numeric

543523121859

<prefix>.rx_packets

numeric

1511658249026538

<prefix>.sensor_id

string

sen1

<prefix>.tx_bytes

numeric

1380372603073006

<prefix>.tx_errors

numeric

0

<prefix>.tx_packets

numeric

963173536282

get telemetry events

This action is used to communicate with the FortiNDR Cloud service to get event telemetry data grouped by time.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

end_date

optional

End date/time to query for. The default is the current time.

string

group_by

optional

Optionally group results by: sensor_id, event_type.

string

interval

optional

Interval to group by: hour (default) or day.

string

sensor_id

optional

Sensor id to filter by.

string

event_type

optional

The type of event. Limited to flow, dns, http, ssl, and x509.

string

start_date

optional

Start date/time to query for. The default is 1 day ago for interval=hour or 30 days ago for interval=day.

string

account_code

optional

Account code to filter by.

string

account_uuid

optional

Account uuid to filter by.

string

Action Output

Data Path’s prefix: action_result.data.*.telemetry_events.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetTelemetryEvents" }

action_result.message

string

GetTelemetryEvents request was successfully completed.

action_result.parameter

string

<prefix>.timestamp

string

2019-01-30T00:00:00.000Z

<prefix>.event_count

numeric

1000

<prefix>.sensor_id

string

sen1

<prefix>.event_type

string

flow

<prefix>.account_code

string

gig

create task

This action is used to communicate with the FortiNDR Cloud service to create a new PCAP task.

Type

Generic

Read only

False

Action Parameters

Parameter

Required

Description

Type

bpf

required

The Berkeley Packet Filter for capture filtering.

string

name

required

The name of the task.

string

sensor_ids

required

Sensor IDs on which this task will run.

Comma-separated lists are supported.

string

description

required

A description for the task.

string

account_uuid

required

Account where the task will be created.

string

requested_end_date

required

The date and time at which the task becomes inactive, in ISO 8601 format (e.g., 2019-12-31T23:59:59.000Z).

string

requested_start_date

required

The date and time at which the task becomes active, in ISO 8601 format (e.g., 2019-01-30T00:00:00.000Z).

string

Action Output

Data Path’s prefix: action_result.data.*.task

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "CreateTask" }

action_result.message

string

CreateTask request was successfully completed.

action_result.parameter

string

action_result.data

string

<prefix>.task_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.description

string

<prefix>.name

string

Meh-Ike phone 10001

<prefix>.sensor_ids

string

["sen1"]

<prefix>.account_code

string

gig

<prefix>.bpf

string

src host x.x.x.x and dst port 10001

<prefix>.created_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.updated_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.created_email

string

test@test.com

<prefix>.updated_email

string

test@test.com

<prefix>.created

string

2019-01-30T00:00:00.000Z

<prefix>.updated

string

2019-01-30T00:00:00.000Z

<prefix>.requested_start_time

string

2019-01-30T00:00:00.000Z

<prefix>.requested_end_time

string

2019-01-30T00:00:00.000Z

<prefix>.actual_start_time

string

2019-01-30T00:00:00.000Z

<prefix>.actual_end_time

string

2019-01-30T00:00:00.000Z

<prefix>.status

string

inactive

<prefix>.files

string

<prefix>.has_files

boolean

True | False

get tasks

This action is used to communicate with the FortiNDR Cloud service to get a list of all the PCAP tasks.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

task_uuid

optional

Filter to a specific task.

string

Action Output

Data Path’s prefix: action_result.data.*.tasks.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetTasks" }

action_result.message

string

GetTasks request was successfully completed.

action_result.parameter

string

<prefix>.task_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.actual_start_time

string

2019-01-30T00:00:00.000Z

<prefix>.requested_start_time

string

2019-01-30T00:00:00.000Z

<prefix>.updated_email

string

test@test.com

<prefix>.created_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.created

string

2019-01-30T00:00:00.000Z

<prefix>.name

string

Meh-Ike phone 10001

<prefix>.status

string

inactive

<prefix>.created_email

string

test@test.com

<prefix>.updated_uuid

string

32329e78-c51f-4da4-bd56-6bfb35d84a9c

<prefix>.bpf

string

src host x.x.x.x and dst port 10001

<prefix>.actual_end_time

string

2019-01-30T00:00:00.000Z

<prefix>.account_code

string

gig

<prefix>.requested_end_time

string

2019-01-30T00:00:00.000Z

<prefix>.updated

string

2019-01-30T00:00:00.000Z

<prefix>.description

string

<prefix>.has_files

boolean

True | False

<prefix>.sensor_ids

string

["sen1"]

<prefix>.files

string

get devices

This action is used to communicate with the FortiNDR Cloud service to get a list of all devices.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

cidr

optional

Filter devices that are under a specific CIDR.

string

end_date

optional

Filter devices based on when they were seen.

string

sensor_id

optional

Filter devices that were observed by a specific sensor.

string

start_date

optional

Filter devices based on when they were seen.

string

traffic_direction

optional

Filter devices that have been noted to only have a certain directionality of traffic (external or internal).

string

Action Output

Data Path’s prefix: action_result.data.*.devices.*

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetDevices" }

action_result.message

string

GetDevices request was successfully completed.

action_result.parameter

string

<prefix>.date

string

2019-01-30T00:00:00.000Z

<prefix>.external

boolean

True | False

<prefix>.internal

boolean

True | False

<prefix>.ip_address

string

8.8.8.8

get sensors

This action is used to communicate with the FortiNDR Cloud service to get a list of all sensors.

Type

Investigate

Read only

True

Action Parameters

Parameter

Required

Description

Type

enabled

optional

Filter by true or false. If not provided, all the sensors are returned.

boolean

include

optional

Include additional metadata such as status, interfaces, admin.sensor, admin.zeek, admin.suricata, and network_usage.

Comma-separated lists are supported.

string

sensor_id

optional

ID of the sensor to filter by.

string

account_code

optional

Account code to filter by.

string

account_uuid

optional

UUID of account to filter by.

string

Action Output

Data Path’s prefix: action_result.data.*.sensors

Data Path

Type

Example Values

action_result.status

string

success, failed

action_result.summary

string

{ "response_count": 1, "request": "GetSensors" }

action_result.message

string

GetSensors request was successfully completed.

action_result.parameter

string

<prefix>.*.created

string

2019-01-30T00:00:00.000Z

<prefix>.*.updated

string

2019-01-30T00:00:00.000Z

<prefix>.*.sensor_id

string

sen1

<prefix>.*.account_code

string

gig

<prefix>.*.location

string

{ "latitude": 0, "longitude": 0 }

<prefix>.*.subdivison

string

USA

<prefix>.*.city

string

San Jose

<prefix>.*.country

string

USA

<prefix>.*.tags

string

Demo Sensor

<prefix>.*.pcap_enabled

boolean

True | False
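A common use of this action is a sensor health check: confirm that the include list only names metadata the action documents, then flag sensors whose updated timestamp has gone stale or that have packet capture disabled. The Python below is an added example, not code from the FortiNDR Cloud app; the sensor records are constructed for the example using the field names from the Action Output table, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Metadata keys the 'include' parameter documents.
INCLUDE_OPTIONS = {"status", "interfaces", "admin.sensor", "admin.zeek", "admin.suricata", "network_usage"}

# Constructed sample of action_result.data.*.sensors records (not real FortiNDR Cloud output).
SAMPLE_SENSORS = [
    {"sensor_id": "sen1", "account_code": "gig", "created": "2019-01-01T00:00:00.000Z",
     "updated": "2019-01-30T00:00:00.000Z", "pcap_enabled": True, "tags": "Demo Sensor"},
    {"sensor_id": "sen2", "account_code": "gig", "created": "2019-01-01T00:00:00.000Z",
     "updated": "2019-01-10T00:00:00.000Z", "pcap_enabled": False, "tags": "Branch"},
    {"sensor_id": "sen3", "account_code": "act", "created": "2018-12-01T00:00:00.000Z",
     "updated": "2019-01-29T12:00:00.000Z", "pcap_enabled": False, "tags": ""},
]


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the app uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def build_include(*fields) -> str:
    """Build the comma-separated 'include' value, rejecting names the action does not document.

    Duplicates are dropped while keeping the caller's order.
    """
    unknown = sorted(set(fields) - INCLUDE_OPTIONS)
    if unknown:
        raise ValueError(f"unsupported include field(s): {unknown}")
    return ",".join(dict.fromkeys(fields))


def stale_sensors(sensors, now: datetime, max_age: timedelta):
    """Sensor IDs whose 'updated' timestamp is older than max_age relative to now."""
    return [s["sensor_id"] for s in sensors if now - parse_timestamp(s["updated"]) > max_age]


def sensors_without_pcap(sensors):
    """Sensor IDs with packet capture disabled, i.e. where a 'create task' PCAP task cannot run."""
    return [s["sensor_id"] for s in sensors if not s.get("pcap_enabled")]


def sensors_by_account(sensors):
    """Group sensor IDs by account_code, useful when the caller can see several accounts."""
    grouped = {}
    for s in sensors:
        grouped.setdefault(s["account_code"], []).append(s["sensor_id"])
    return grouped
```

Running stale_sensors on a schedule against the sensors output gives an early warning that a sensor has stopped reporting, which otherwise shows up only as missing detections.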
