Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Integration API Guide

    Home FortiSIEM 6.5.0 Integration API Guide
    6.5.0
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.6
    5.2.5
    5.2.1
    5.1.0
    5.0.0
    4.10.0

    Notification via HTTPS

    Notifications via HTTPS

    When an incident triggers, FortiSIEM can push an XML file containing Incident details via HTTP(S) POST.

    Release Added: 5.1

    The FortiSIEM AONotification.xsd file shows the XML schema for incident notifications.

    <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="incident">
<xs:complexType>
<xs:sequence>
<xs:element type="xs:string" name="name"/>
<xs:element type="xs:string" name="description"/>
<xs:element type="xs:string" name="displayTime"/>
<xs:element type="xs:string" name="incidentSource"/>
<xs:element name="incidentTarget">
<xs:complexType>
	<xs:sequence>
	<xs:element name="entry">
	<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:string">
					<xs:attribute type="xs:string" name="attribute"/>
					<xs:attribute type="xs:string" name="name"/>	
                                </xs:extension>
			</xs:simpleContent>
	</xs:complexType>
    </xs:element>
	</xs:sequence>
	</xs:complexType>
	</xs:element>
<xs:element name="incidentDetails">
	<xs:complexType>
	<xs:sequence>
	<xs:element name="entry">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:float">
					<xs:attribute type="xs:string" name="name"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	</xs:sequence>
	</xs:complexType>
</xs:element>
	<xs:element type="xs:string" name="affectedBizSrvc"/>
	<xs:element type="xs:string" name="identityLocation"/>
	</xs:sequence>
	<xs:attribute type="xs:short" name="incidentId"/>
	<xs:attribute type="xs:string" name="ruleType"/>
		<xs:attribute type="xs:byte" name="severity"/>
		<xs:attribute type="xs:byte" name="repeatCount"/>
		<xs:attribute type="xs:string" name="organization"/>
		<xs:attribute type="xs:string" name="status"/>
		</xs:complexType>
	</xs:element>
</xs:schema>

    The description of each field is as follows:

    Section Field Description
    Generic
    incidentId Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEM by this ID.
    ruleId Unique id of the rule in FortiSIEM
    vendor FortiSIEM
    severity Incident severity: HIGH | MEDIUM | LOW
    organization The name of the organization for which this incident occurred
    status New, Update or Clear
    repeatCout how many times this incident has occurred
    name Name of the rule that triggered the incident
    description Description of the rule including conditions under which the rule is written to trigger
    displayTime Time when this incident occurred
    incidentTarget Where the incident occurred, or the target of an IPS alert. It consists of attribute, name and value pairs.
    attribute Parsed event attribute id
    name Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    incidentSource For security-related incidents, where the incident originated
    attribute Parsed event attribute id
    name Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    incidentDetails Rule-specific details that caused the incident to trigger shown as an attribute with name and value pairs.
    attribute Parsed event attribute id
    name Display name of the attribute
    Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    affectedBizSrvc A comma-separated list of business service names
    deviceDetails Contains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by FortiSIEM and shown in the Identity and Location tab.
    • ipAddr
    • hostName
    • vendor
    • model
    • version
    • users - Logged on users using this IP info obtained from Active Directory
      • userName - Active Directory login name
      • fullName - Full name of this user in Active Directory or defined manually
      • email - email address of the user in Active Directory or defined manually
      • jobTitle - jobTitle of the user in Active Directory or defined manually
      • First and last seen times for this IP address to user binding
    Previous
    Next

    Notification via HTTPS

    Notifications via HTTPS

    When an incident triggers, FortiSIEM can push an XML file containing Incident details via HTTP(S) POST.

    Release Added: 5.1

    The FortiSIEM AONotification.xsd file shows the XML schema for incident notifications.

    <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="incident">
<xs:complexType>
<xs:sequence>
<xs:element type="xs:string" name="name"/>
<xs:element type="xs:string" name="description"/>
<xs:element type="xs:string" name="displayTime"/>
<xs:element type="xs:string" name="incidentSource"/>
<xs:element name="incidentTarget">
<xs:complexType>
	<xs:sequence>
	<xs:element name="entry">
	<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:string">
					<xs:attribute type="xs:string" name="attribute"/>
					<xs:attribute type="xs:string" name="name"/>	
                                </xs:extension>
			</xs:simpleContent>
	</xs:complexType>
    </xs:element>
	</xs:sequence>
	</xs:complexType>
	</xs:element>
<xs:element name="incidentDetails">
	<xs:complexType>
	<xs:sequence>
	<xs:element name="entry">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:float">
					<xs:attribute type="xs:string" name="name"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	</xs:sequence>
	</xs:complexType>
</xs:element>
	<xs:element type="xs:string" name="affectedBizSrvc"/>
	<xs:element type="xs:string" name="identityLocation"/>
	</xs:sequence>
	<xs:attribute type="xs:short" name="incidentId"/>
	<xs:attribute type="xs:string" name="ruleType"/>
		<xs:attribute type="xs:byte" name="severity"/>
		<xs:attribute type="xs:byte" name="repeatCount"/>
		<xs:attribute type="xs:string" name="organization"/>
		<xs:attribute type="xs:string" name="status"/>
		</xs:complexType>
	</xs:element>
</xs:schema>

    The description of each field is as follows:

    Section Field Description
    Generic
    incidentId Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEM by this ID.
    ruleId Unique id of the rule in FortiSIEM
    vendor FortiSIEM
    severity Incident severity: HIGH | MEDIUM | LOW
    organization The name of the organization for which this incident occurred
    status New, Update or Clear
    repeatCout how many times this incident has occurred
    name Name of the rule that triggered the incident
    description Description of the rule including conditions under which the rule is written to trigger
    displayTime Time when this incident occurred
    incidentTarget Where the incident occurred, or the target of an IPS alert. It consists of attribute, name and value pairs.
    attribute Parsed event attribute id
    name Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    incidentSource For security-related incidents, where the incident originated
    attribute Parsed event attribute id
    name Display name of the attribute. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    incidentDetails Rule-specific details that caused the incident to trigger shown as an attribute with name and value pairs.
    attribute Parsed event attribute id
    name Display name of the attribute
    Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr etc.
    value The attribute's value
    affectedBizSrvc A comma-separated list of business service names
    deviceDetails Contains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by FortiSIEM and shown in the Identity and Location tab.
    • ipAddr
    • hostName
    • vendor
    • model
    • version
    • users - Logged on users using this IP info obtained from Active Directory
      • userName - Active Directory login name
      • fullName - Full name of this user in Active Directory or defined manually
      • email - email address of the user in Active Directory or defined manually
      • jobTitle - jobTitle of the user in Active Directory or defined manually
      • First and last seen times for this IP address to user binding
    Previous
    Next