JSON API Incident Integration
These JSON REST APIs allow you to integrate incidents from FortiSIEM into an external system; they are used by the ServiceNow SecOps integration.
A list of FortiSIEM Incident attributes can be found in the FortiSIEM Incident Attributes List section below.
Refer to Example Usage for Incident Integration examples.
Fetch Incidents
This API retrieves incidents from the FortiSIEM database.
URI | Method | Additional Information |
---|---|---|
/phoenix/rest/pub/incident | GET | Query parameters; see below. |
/phoenix/rest/pub/incident | POST | JSON payload with filters; see below. |

GET parameters:

* "status": [0]
* "incidentId": [8064]
* "timeFrom": 1620677781736 (Required)
* "timeTo": 1620684981736 (Required)
* "start": 0 (optional)
* "size": 500 (by default, 500 incidents are returned per call)

POST payload:

    {
      "filters": {
        "status": [0],
        "incidentId": [8064]
      },
      "start": 0,
      "size": 500,
      "timeFrom": 1620677781736,
      "timeTo": 1620684981736,
      "orderBy": "incidentLastSeen",
      "descending": true,
      "fields": [
        "eventSeverityCat", "eventSeverity", "incidentLastSeen", "incidentFirstSeen",
        "eventType", "eventName", "incidentSrc", "incidentTarget", "incidentDetail",
        "incidentRptIp", "incidentRptDevName", "incidentStatus", "incidentComments",
        "customer", "incidentClearedReason", "incidentClearedTime", "incidentClearedUser",
        "count", "incidentId", "incidentExtUser", "incidentExtClearedTime",
        "incidentExtTicketId", "incidentExtTicketState", "incidentExtTicketType",
        "incidentReso", "phIncidentCategory", "phSubIncidentCategory", "incidentTitle",
        "attackTechnique", "attackTactic"
      ]
    }

Notes on the POST payload:

* "start" is optional.
* "size" defaults to 500 incidents per call.
* "timeFrom" and "timeTo" are required if "incidentId" is not specified.
* "orderBy" must be one of the names in the "fields" list.

Returns:

    {
      "total": 317,
      "start": 0,
      "size": 10,
      "data": [
        {
          "incidentTitle": "SNMP service down on wk5794.fortinet.com",
          "eventSeverity": 10,
          "incidentFirstSeen": 1621941030000,
          "incidentReso": 1,
          "incidentRptIp": "172.30.57.94",
          "incidentLastSeen": 1621987770000,
          "incidentSrc": "",
          "count": 54,
          "attackTechnique": "[{\"name\": \"Service Stop\", \"techniqueid\": \"T1489\"}]",
          "eventType": "PH_RULE_SNMP_DOWN",
          "phIncidentCategory": 1,
          "incidentClearedTime": 0,
          "incidentTarget": "hostIpAddr:172.30.57.94, hostName:wk5794.fortinet.com,",
          "attackTactic": "Impact",
          "eventSeverityCat": "HIGH",
          "incidentDetail": "",
          "incidentRptDevName": "wk5794.fortinet.com",
          "eventName": "SNMP Service Unavailable",
          "incidentId": 114780,
          "incidentStatus": 0,
          "customer": "Super"
        },
        ...
      ]
    }
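An added example (not from the FortiSIEM documentation) showing how a client would build the POST query above and page through a result set using the total/start/size fields of each response; `post` is an assumed name for the caller's HTTP function and `fake_post` a constructed stand-in for it.

```python
INCIDENT_URI = "/phoenix/rest/pub/incident"

def build_incident_query(time_from=None, time_to=None, status=(0,), incident_ids=None,
                         start=0, size=500, order_by="incidentLastSeen",
                         fields=("incidentId", "incidentTitle", "incidentLastSeen",
                                 "incidentStatus", "eventSeverityCat")):
    """POST payload for /phoenix/rest/pub/incident. timeFrom/timeTo are required unless
    incidentId filters are given, and orderBy must be one of the requested fields."""
    if order_by not in fields:
        raise ValueError("orderBy must be one of the requested fields")
    filters = {"status": list(status)}
    if incident_ids:
        filters["incidentId"] = list(incident_ids)
    elif time_from is None or time_to is None:
        raise ValueError("timeFrom and timeTo are required when incidentId is not given")
    payload = {"filters": filters, "start": start, "size": size,
               "orderBy": order_by, "descending": True, "fields": list(fields)}
    if time_from is not None:
        payload["timeFrom"] = time_from
    if time_to is not None:
        payload["timeTo"] = time_to
    return payload

def fetch_all_incidents(post, size=500, **query):
    """Walk every page using total/start/size from each response. `post(uri, payload)`
    is caller-supplied, e.g. a requests.Session wrapper returning the decoded JSON body."""
    start, incidents = 0, []
    while True:
        page = post(INCIDENT_URI, build_incident_query(start=start, size=size, **query))
        data = page.get("data") or []
        incidents.extend(data)
        start += len(data)
        # Stop on an empty or short page, or once total is reached (never loop forever).
        if not data or len(data) < size or start >= page.get("total", 0):
            break
    return incidents

# Constructed sample (not a real FortiSIEM response): three incidents, served two per page.
_SAMPLE = [
    {"incidentId": 114780, "incidentTitle": "SNMP service down on wk5794.fortinet.com", "incidentStatus": 0},
    {"incidentId": 114781, "incidentTitle": "constructed incident 2", "incidentStatus": 0},
    {"incidentId": 114782, "incidentTitle": "constructed incident 3", "incidentStatus": 0},
]

def fake_post(uri, payload):
    """Stand-in for the HTTP call that slices the sample the way the server pages it."""
    s, n = payload["start"], payload["size"]
    return {"total": len(_SAMPLE), "start": s, "size": n, "data": _SAMPLE[s:s + n]}
```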
Fetch Trigger Events
This API retrieves triggering events from incidents.
URI | Method | Additional Information |
---|---|---|
/phoenix/rest/pub/incident/triggeringEvents?incidentId=8&size=10 | GET | Query parameters; see below. |

Parameters:

* incidentId: FortiSIEM incident Id (Required)
* size: the number of triggering events to return; 10 events by default if size is not specified.

Returns:

    [
      {
        "custId": 1,
        "index": 0,
        "id": 6482650188627892000,
        "eventType": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH",
        "receiveTime": 1621557630000,
        "rawMessage": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark",
        "nid": "6482650188627892238",
        "attributes": {
          "1": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH",
          "2": 1,
          "7": 1621557630000,
          "8": "172.30.58.75",
          "9": "172.30.58.75",
          "10": "sp5875",
          "11": "sp5875",
          "12": 1,
          "13": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark",
          "15": 6482650188627892000,
          "16": 3,
          "17": 1,
          "21": 1,
          "24": "LOW",
          "43": "Fortinet",
          "44": "FortiSIEM",
          "53": "Super",
          "110": 1,
          "122": "PHBoxParser",
          "129": 1,
          "1005": "172.30.58.50",
          "1006": "FGT50E3U17000553",
          "2007": "AppServer",
          "4506": "CPU Util(SNMP)"
        },
        "eventAttributes": [],
        "dataStr": {}
      }
    ]
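An added example, not part of the original page, that parses the `rawMessage` of a triggering event into its syslog priority, timestamp, event type and `[key]=value` attributes; the regular expressions are assumptions derived from the single sample above, and `summarize_trigger_event` is a hypothetical helper.

```python
import re

# Header shape assumed from the sample: <PRI>Mon DD hh:mm:ss [EVENT_TYPE]: then [key]=value pairs.
HEADER_RE = re.compile(r"^<(\d+)>(\S+\s+\d+ \d\d:\d\d:\d\d) \[([A-Za-z0-9_]+)\]:(.*)$", re.S)
# A value runs until the next ",[key]=" or the end of the string, so commas inside values survive.
KV_RE = re.compile(r"\[([A-Za-z0-9_]+)\]=(.*?)(?=,\[[A-Za-z0-9_]+\]=|$)", re.S)

def parse_raw_message(raw):
    """Return (header, attributes) for one FortiSIEM rawMessage string."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not a FortiSIEM rawMessage: %r" % raw[:40])
    pri, stamp, event_type, body = m.groups()
    pri = int(pri)  # syslog PRI = facility * 8 + severity
    header = {"facility": pri // 8, "severity": pri % 8,
              "timestamp": stamp, "eventType": event_type}
    return header, dict(KV_RE.findall(body))

def summarize_trigger_event(event):
    """Merge the parsed rawMessage of one triggering event with its stable identifiers;
    nid is kept as a string because the numeric id is a JSON number."""
    header, attrs = parse_raw_message(event["rawMessage"])
    if header["eventType"] != event["eventType"]:
        raise ValueError("eventType in rawMessage does not match the event record")
    return {"nid": str(event["nid"]), "custId": event["custId"],
            "receiveTime": event["receiveTime"], "eventType": event["eventType"],
            "host": attrs.get("hostName"), "hostIp": attrs.get("hostIpAddr"),
            "relay": attrs.get("relayDevName"), "detail": attrs.get("phLogDetail")}

# Sample triggering event, constructed from the response shown on this page.
SAMPLE_EVENT = {
    "custId": 1, "index": 0, "id": 6482650188627892000,
    "eventType": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH", "receiveTime": 1621557630000,
    "nid": "6482650188627892238",
    "rawMessage": ("<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),"
                   "[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,"
                   "[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,"
                   "[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,"
                   "[phLogDetail]=A performance metric delay for a single device crossed high water mark"),
}
```

The sample response also shows why the summary keys on `nid`: the numeric `id` 6482650188627892000 has lost its low-order digits, while `nid` carries the full identifier 6482650188627892238 as a string.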
Update Incidents
This API allows you to update an incident's ticket status.
URI | Method | Additional Information |
---|---|---|
/phoenix/rest/pub/incident/update/{incidentId} | POST | JSON payload; see below. |

Parameter:

* incidentId: FortiSIEM incident Id (Required)

Payload:

    {
      "incidentExtUser": "User A",
      "incidentExtClearedTime": 1620677781736,
      "incidentExtTicketId": "INS00456",
      "incidentExtTicketState": "Closed",
      "incidentExtTicketType": ""
    }

* "incidentExtClearedTime" is a timestamp (the example value is in epoch milliseconds, as in the other APIs).
* "incidentExtTicketId" is required.
Integer Field Mapping to Descriptions
Incident Status ("incidentStatus")
Value | Description |
---|---|
0 | ACTIVE |
1 | AUTOMATICALLY CLEARED |
2 | MANUALLY CLEARED |
3 | SYSTEM CLEARED |
Incident Resolution ("incidentReso")
Value | Description |
---|---|
0 | None |
1 | Open |
2 | TruePositive |
3 | FalsePositive |
4 | InProgress |
Incident Category ("phIncidentCategory")
Value | Description |
---|---|
1 | AVAILABILITY |
2 | PERFORMANCE |
3 | CHANGE |
4 | SECURITY |
5 | OTHER |
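An added example (not the page's or FortiSIEM's own code) that applies the integer mappings above to a record returned by the Fetch Incidents API, decodes the JSON-encoded `attackTechnique` string and converts the epoch-millisecond timestamps; the `incidentTarget` format and the meaning of a zero `incidentClearedTime` are assumptions drawn from the sample response.

```python
import json
from datetime import datetime, timezone

# Integer codes documented on this page.
INCIDENT_STATUS = {0: "ACTIVE", 1: "AUTOMATICALLY CLEARED", 2: "MANUALLY CLEARED", 3: "SYSTEM CLEARED"}
INCIDENT_RESO = {0: "None", 1: "Open", 2: "TruePositive", 3: "FalsePositive", 4: "InProgress"}
INCIDENT_CATEGORY = {1: "AVAILABILITY", 2: "PERFORMANCE", 3: "CHANGE", 4: "SECURITY", 5: "OTHER"}

def _label(table, code):
    return table.get(code, "UNKNOWN(%r)" % (code,))  # surface codes this page does not list

def _iso(ms):
    # Epoch milliseconds to ISO-8601 UTC. 0 is treated as "not set" (assumed: the
    # sample's ACTIVE incident carries incidentClearedTime 0).
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat() if ms else None

def parse_target(text):
    # incidentTarget is a "key:value, key:value," string in the sample (assumed format).
    pairs = (p.split(":", 1) for p in text.split(",") if ":" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def normalize_incident(inc):
    """Turn one record from the incident API into a ticket-ready dict."""
    try:  # attackTechnique is JSON encoded inside a string, not a nested array
        techniques = json.loads(inc.get("attackTechnique") or "[]")
    except ValueError:
        techniques = []
    return {
        "id": inc["incidentId"],
        "title": inc.get("incidentTitle", ""),
        "severity": inc.get("eventSeverityCat"),
        "status": _label(INCIDENT_STATUS, inc.get("incidentStatus")),
        "resolution": _label(INCIDENT_RESO, inc.get("incidentReso")),
        "category": _label(INCIDENT_CATEGORY, inc.get("phIncidentCategory")),
        "first_seen": _iso(inc.get("incidentFirstSeen")),
        "last_seen": _iso(inc.get("incidentLastSeen")),
        "cleared": _iso(inc.get("incidentClearedTime")),
        "target": parse_target(inc.get("incidentTarget") or ""),
        "mitre": [(t.get("techniqueid"), t.get("name")) for t in techniques],
    }

# Constructed from the sample response on this page.
SAMPLE_INCIDENT = {
    "incidentId": 114780, "incidentTitle": "SNMP service down on wk5794.fortinet.com",
    "incidentFirstSeen": 1621941030000, "incidentLastSeen": 1621987770000, "incidentClearedTime": 0,
    "incidentStatus": 0, "incidentReso": 1, "phIncidentCategory": 1, "eventSeverityCat": "HIGH",
    "attackTechnique": "[{\"name\": \"Service Stop\", \"techniqueid\": \"T1489\"}]",
    "incidentTarget": "hostIpAddr:172.30.57.94, hostName:wk5794.fortinet.com,",
}
```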
FortiSIEM Incident Attributes List
"eventSeverityCat",
"eventSeverity",
"incidentLastSeen",
"incidentFirstSeen",
"eventType",
"eventName",
"incidentSrc",
"incidentTarget",
"incidentDetail",
"incidentRptIp",
"incidentRptDevName",
"incidentStatus",
"incidentComments",
"customer",
"incidentClearedReason",
"incidentClearedTime",
"incidentClearedUser",
"count",
"incidentId",
"incidentExtUser",
"incidentExtClearedTime",
"incidentExtTicketId",
"incidentExtTicketState",
"incidentExtTicketType",
"incidentReso",
"phIncidentCategory",
"phSubIncidentCategory",
"incidentTitle",
"attackTechnique",
"attackTactic"