Notifications via HTTPS
When an incident triggers, FortiSIEM can push an XML file containing the incident details via an HTTP(S) POST. Prefer the HTTPS form: the payload carries source and target addresses, user identities and business service names, which should not cross the network in clear text.
The FortiSIEM AONotification.xsd file shows the XML schema for incident notifications:
```xml
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="incident">
    <xs:complexType>
      <xs:sequence>
        <xs:element type="xs:string" name="name"/>
        <xs:element type="xs:string" name="description"/>
        <xs:element type="xs:string" name="displayTime"/>
        <xs:element type="xs:string" name="incidentSource"/>
        <xs:element name="incidentTarget">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="entry">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:string">
                      <xs:attribute type="xs:string" name="attribute"/>
                      <xs:attribute type="xs:string" name="name"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="incidentDetails">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="entry">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:float">
                      <xs:attribute type="xs:string" name="name"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element type="xs:string" name="affectedBizSrvc"/>
        <xs:element type="xs:string" name="identityLocation"/>
      </xs:sequence>
      <xs:attribute type="xs:short" name="incidentId"/>
      <xs:attribute type="xs:string" name="ruleType"/>
      <xs:attribute type="xs:byte" name="severity"/>
      <xs:attribute type="xs:byte" name="repeatCount"/>
      <xs:attribute type="xs:string" name="organization"/>
      <xs:attribute type="xs:string" name="status"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
The description of each field is as follows:
Section | Field | Description
---|---|---
Generic | incidentId | Unique ID of the incident in FortiSIEM. An incident can be searched for in FortiSIEM by this ID.
Generic | ruleId | Unique ID of the rule in FortiSIEM
Generic | vendor | FortiSIEM
Generic | severity | Incident severity: HIGH, MEDIUM or LOW
Generic | organization | The name of the organization for which this incident occurred
Generic | status | New, Update or Clear
Generic | repeatCount | How many times this incident has occurred
Generic | name | Name of the rule that triggered the incident
Generic | description | Description of the rule, including the conditions under which it is written to trigger
Generic | displayTime | Time when this incident occurred
Generic | affectedBizSrvc | A comma-separated list of business service names
incidentTarget | | Where the incident occurred, or the target of an IPS alert. It consists of attribute, name and value triples.
incidentTarget | attribute | Parsed event attribute ID
incidentTarget | name | Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
incidentTarget | value | The attribute's value
incidentSource | | For security-related incidents, where the incident originated
incidentSource | attribute | Parsed event attribute ID
incidentSource | name | Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
incidentSource | value | The attribute's value
incidentDetails | | Rule-specific details that caused the incident to trigger, shown as attribute, name and value triples.
incidentDetails | attribute | Parsed event attribute ID
incidentDetails | name | Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
incidentDetails | value | The attribute's value
deviceDetails | | Contains additional information for IP addresses in the incident source or target. This information is present only if FortiSIEM has discovered it, and is the information shown in the Identity and Location tab.

Note that this table and the schema above do not fully agree: the schema declares incidentId, severity and repeatCount as numeric (xs:short, xs:byte and xs:byte) while the table describes severity as HIGH, MEDIUM or LOW; the schema declares incidentSource as a plain string rather than a list of entries; and the schema does not declare ruleId, vendor or deviceDetails but does declare identityLocation, which the table does not describe. When writing a receiver, validate against the AONotification.xsd shipped with your own FortiSIEM version and parse the attributes leniently rather than relying on the narrow XSD types.
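The following is an added example, not FortiSIEM's own code, showing how a receiver might parse a notification laid out per the schema above and apply New/Update/Clear transitions keyed on incidentId. The sample XML and every value in it (the incident ID, the ruleType string, addresses, timestamp, rule name, business services) are constructed for illustration. The IncidentTracker class and its semantics (a later Update replaces the earlier record, Clear closes it) are assumptions about a reasonable receiver, not documented FortiSIEM behaviour. The parser follows the schema in treating incidentSource as a plain string but also accepts entry children there, so it works with either reading of the field table.

```python
# Added example (not FortiSIEM code): parse an incident notification laid out per
# AONotification.xsd and track New/Update/Clear transitions by incidentId.
# For XML received from the network prefer defusedxml.ElementTree (same API) over the stdlib parser.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample; every value below is made up for illustration.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<incident incidentId="12345" ruleType="Security" severity="9" repeatCount="3"
          organization="Super" status="New">
  <name>Excessive Failed Logons</name>
  <description>Triggers when one source exceeds the failed logon threshold</description>
  <displayTime>2024-01-01 10:00:00</displayTime>
  <incidentSource>10.1.2.3</incidentSource>
  <incidentTarget>
    <entry attribute="destIpAddr" name="Destination IP">10.9.8.7</entry>
  </incidentTarget>
  <incidentDetails>
    <entry name="COUNT(Matched Events)">15.0</entry>
  </incidentDetails>
  <affectedBizSrvc>Payroll,VPN</affectedBizSrvc>
  <identityLocation></identityLocation>
</incident>
"""
# Same incident as FortiSIEM would re-send it once it clears (constructed).
SAMPLE_CLEAR = SAMPLE_XML.replace(b'status="New"', b'status="Clear"')


@dataclass
class Incident:
    incident_id: int
    rule_type: str
    severity: str          # kept as text: schema says xs:byte, field table says HIGH/MEDIUM/LOW
    repeat_count: int
    organization: str
    status: str            # New, Update or Clear
    name: str
    description: str
    display_time: str
    source: list           # [(attribute, name, value)]
    target: list           # [(attribute, name, value)]
    details: dict          # name -> float (xs:float per schema); raw text if not numeric
    affected_biz_srvc: list


def _entries(elem):
    """<entry attribute=".." name="..">value</entry> children as triples; a plain-text
    element (incidentSource is xs:string in the schema) yields one (None, None, text)."""
    if elem is None:
        return []
    entries = elem.findall("entry")
    if not entries:
        text = (elem.text or "").strip()
        return [(None, None, text)] if text else []
    return [(e.get("attribute"), e.get("name"), (e.text or "").strip()) for e in entries]


def parse_incident(xml_bytes: bytes) -> Incident:
    root = ET.fromstring(xml_bytes)
    if root.tag != "incident":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def text(tag):
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""

    details = {}
    for e in root.findall("incidentDetails/entry"):
        raw = (e.text or "").strip()
        try:
            details[e.get("name", "")] = float(raw)   # xs:float per the schema
        except ValueError:
            details[e.get("name", "")] = raw          # tolerate non-numeric values
    return Incident(
        incident_id=int(root.get("incidentId", "0")),
        rule_type=root.get("ruleType", ""),
        severity=root.get("severity", ""),
        repeat_count=int(root.get("repeatCount", "0")),
        organization=root.get("organization", ""),
        status=root.get("status", ""),
        name=text("name"),
        description=text("description"),
        display_time=text("displayTime"),
        source=_entries(root.find("incidentSource")),
        target=_entries(root.find("incidentTarget")),
        details=details,
        affected_biz_srvc=[s.strip() for s in text("affectedBizSrvc").split(",") if s.strip()],
    )


class IncidentTracker:
    """One record per incidentId (assumed semantics): New opens, Update replaces the
    record so the newer repeatCount wins, Clear moves it to closed."""

    def __init__(self):
        self.open = {}
        self.closed = {}

    def apply(self, inc: Incident) -> str:
        if inc.status == "New":
            self.open[inc.incident_id] = inc
            return "opened"
        if inc.status == "Update":
            self.open[inc.incident_id] = inc
            return "updated"
        if inc.status == "Clear":
            self.closed[inc.incident_id] = self.open.pop(inc.incident_id, inc)
            return "closed"
        raise ValueError(f"unknown status {inc.status!r}")
```

Because the endpoint accepts XML from the network, parse it with defusedxml in production (the call is identical) and key any deduplication on incidentId rather than on the rule name, since the same incident arrives again with status Update and Clear.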