Fortinet Document Library
Notifications via HTTPS

When an incident triggers, FortiSIEM can push an XML file containing the incident details via HTTP(S) POST.

The FortiSIEM AONotification.xsd file shows the XML schema for incident notifications.

<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="incident">
    <xs:complexType>
      <xs:sequence>
        <xs:element type="xs:string" name="name"/>
        <xs:element type="xs:string" name="description"/>
        <xs:element type="xs:string" name="displayTime"/>
        <xs:element type="xs:string" name="incidentSource"/>
        <xs:element name="incidentTarget">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="entry">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:string">
                      <xs:attribute type="xs:string" name="attribute"/>
                      <xs:attribute type="xs:string" name="name"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="incidentDetails">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="entry">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:float">
                      <xs:attribute type="xs:string" name="name"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element type="xs:string" name="affectedBizSrvc"/>
        <xs:element type="xs:string" name="identityLocation"/>
      </xs:sequence>
      <xs:attribute type="xs:short" name="incidentId"/>
      <xs:attribute type="xs:string" name="ruleType"/>
      <xs:attribute type="xs:byte" name="severity"/>
      <xs:attribute type="xs:byte" name="repeatCount"/>
      <xs:attribute type="xs:string" name="organization"/>
      <xs:attribute type="xs:string" name="status"/>
    </xs:complexType>
  </xs:element>
</xs:schema>

The description of each field, grouped by section, is as follows:

Generic
  • incidentId - Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEM by this ID.
  • ruleId - Unique ID of the rule in FortiSIEM
  • vendor - FortiSIEM
  • severity - Incident severity: HIGH | MEDIUM | LOW
  • organization - The name of the organization for which this incident occurred
  • status - New, Update or Clear
  • repeatCount - How many times this incident has occurred
  • name - Name of the rule that triggered the incident
  • description - Description of the rule, including the conditions under which the rule is written to trigger
  • displayTime - Time when this incident occurred

incidentTarget - Where the incident occurred, or the target of an IPS alert. It consists of attribute, name and value pairs.
  • attribute - Parsed event attribute ID
  • name - Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
  • value - The attribute's value

incidentSource - For security-related incidents, where the incident originated.
  • attribute - Parsed event attribute ID
  • name - Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
  • value - The attribute's value

incidentDetails - Rule-specific details that caused the incident to trigger, shown as an attribute with name and value pairs.
  • attribute - Parsed event attribute ID
  • name - Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
  • value - The attribute's value

affectedBizSrvc - A comma-separated list of business service names

deviceDetails - Contains additional information for IP addresses in the incident source or target. This information is present only if it was discovered by FortiSIEM and is shown in the Identity and Location tab.
  • ipAddr
  • hostName
  • vendor
  • model
  • version
  • users - Logged-on users for this IP, obtained from Active Directory
    • userName - Active Directory login name
    • fullName - Full name of this user in Active Directory or defined manually
    • email - Email address of the user in Active Directory or defined manually
    • jobTitle - Job title of the user in Active Directory or defined manually
    • First and last seen times for this IP address to user binding
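The receiver side of this notification is what a SOC team usually has to write, so here is an added example (not Fortinet code) of a small HTTP(S) endpoint that accepts the POSTed XML and maps it onto the element and attribute names from the AONotification.xsd schema above. The sample notification, the 1 MB body limit, and the NotificationHandler class are constructed for illustration; the parser prefers defusedxml when installed, because a notification endpoint is an XML parser exposed to the network and should refuse DTDs and entity expansion.

```python
"""Receive and parse a FortiSIEM incident notification POSTed as XML.

Added example; not Fortinet code. Element/attribute names follow the AONotification.xsd
schema on this page. SAMPLE_XML, MAX_BODY_BYTES and NotificationHandler are constructed.
"""
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

try:
    # defusedxml refuses DTDs and entity expansion; fall back to the stdlib parser if absent.
    from defusedxml.ElementTree import fromstring as parse_xml
except ImportError:  # pragma: no cover
    parse_xml = ET.fromstring

MAX_BODY_BYTES = 1_000_000  # constructed limit: reject oversized bodies before parsing


@dataclass
class Entry:
    """One <entry> under incidentTarget: attribute id, display name, text value."""
    name: str
    value: str
    attribute: Optional[str] = None


@dataclass
class Incident:
    incident_id: int
    rule_type: str
    severity: str        # xs:byte in the schema, HIGH/MEDIUM/LOW in the field table: kept raw
    repeat_count: int
    organization: str
    status: str          # New, Update or Clear
    name: str
    description: str
    display_time: str
    incident_source: str
    incident_target: List[Entry]
    incident_details: Dict[str, float]  # entry text is xs:float per the schema
    affected_biz_srvc: List[str]        # comma-separated in the XML
    identity_location: str


def _text(root: ET.Element, tag: str) -> str:
    el = root.find(tag)
    if el is None:
        raise ValueError(f"missing <{tag}> element")
    return (el.text or "").strip()


def parse_incident(body: bytes) -> Incident:
    """Parse one notification body; raises ValueError or ET.ParseError on bad input."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("notification body too large")
    root = parse_xml(body)
    if root.tag != "incident":
        raise ValueError(f"unexpected root element <{root.tag}>")
    attrs = root.attrib
    for required in ("incidentId", "severity", "repeatCount", "status"):
        if required not in attrs:
            raise ValueError(f"missing incident attribute {required!r}")
    target = [Entry(name=e.get("name", ""), value=(e.text or "").strip(), attribute=e.get("attribute"))
              for e in root.findall("incidentTarget/entry")]
    details = {e.get("name", ""): float((e.text or "0").strip())
               for e in root.findall("incidentDetails/entry")}
    biz = [s.strip() for s in _text(root, "affectedBizSrvc").split(",") if s.strip()]
    return Incident(
        incident_id=int(attrs["incidentId"]), rule_type=attrs.get("ruleType", ""),
        severity=attrs["severity"], repeat_count=int(attrs["repeatCount"]),
        organization=attrs.get("organization", ""), status=attrs["status"],
        name=_text(root, "name"), description=_text(root, "description"),
        display_time=_text(root, "displayTime"), incident_source=_text(root, "incidentSource"),
        incident_target=target, incident_details=details, affected_biz_srvc=biz,
        identity_location=_text(root, "identityLocation"),
    )


class NotificationHandler(BaseHTTPRequestHandler):
    """Constructed receiver: FortiSIEM POSTs the XML; answer 204 on success, 400/413 otherwise."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY_BYTES:
            self.send_error(413)
            return
        try:
            incident = parse_incident(self.rfile.read(length))
        except (ValueError, ET.ParseError):
            self.send_error(400)  # malformed or non-conforming notification
            return
        # Hand off to the alerting/ticketing pipeline here; this constructed handler just logs.
        self.log_message("incident %d %s status=%s", incident.incident_id, incident.name, incident.status)
        self.send_response(204)
        self.end_headers()


# Constructed sample notification shaped by the schema above (RFC 5737 documentation addresses).
SAMPLE_XML = b"""<incident incidentId="12345" ruleType="CONSTRUCTED_RULE_TYPE" severity="9"
          repeatCount="3" organization="Example Org" status="New">
  <name>Constructed: Failed Logon Burst</name>
  <description>Constructed rule description</description>
  <displayTime>2024-01-01 10:00:00</displayTime>
  <incidentSource>srcIpAddr=192.0.2.10</incidentSource>
  <incidentTarget><entry attribute="hostIpAddr" name="Host IP">198.51.100.5</entry></incidentTarget>
  <incidentDetails><entry name="COUNT(Matched Events)">42</entry></incidentDetails>
  <affectedBizSrvc>Payroll, HR Portal</affectedBizSrvc>
  <identityLocation/>
</incident>"""

if __name__ == "__main__":
    print(parse_incident(SAMPLE_XML))
    # HTTPServer(("127.0.0.1", 8443), NotificationHandler).serve_forever()  # add TLS before exposing
```

Run the module directly to see the parsed sample; to serve real notifications, wrap the listening socket with an ssl.SSLContext (and require client authentication or a shared secret) before exposing the port, since the schema itself carries no sender authentication.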