Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Integration API Guide

Notification via Email

Email is the most common form of incident notification. While FortiSIEM has a default email format, users can also create their own email templates from the FortiSIEM GUI.

The screenshots show three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed.

Release Added: 5.1

NEW

UPDATE

CLEAR

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body format

Section Field Description
Affected Business Services  (optional)    
Generic    
Identity and Location   - Contains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by FortiSIEM and shown in the Identity and Location tab.
- Host name
- User
- Domain
- Nearest switch name/port or VPN gateway or Wireless Controller
- First and last seen times for this IP address to identity/location binding
Incident Details   Rule-specific details that caused the incident to trigger
Incident Source   For security-related incidents, where the incident originated
Incident Target   Where the incident occurred, or the target of an IPS alert
Rule Rule Name Name of the rule, repeated in the subject line
  Incident Id Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEMby this ID.
  Time Time when this incident occurred
  Severity Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH
  Incident Count How many times this incident has occurred. For NEW incidents, the count is 1.
  Rule Description  
  Host Name (optional)  
  Host IP (optional)  
  Other attributes as defined in rule  
  Host Name (optional)  
  Host IP (optional)  

Notification via SMS

SMS notification is a shortened version of email notification.

Release Added: 5.1

Notification via Email

Email is the most common form of incident notification. While FortiSIEM has a default email format, users can also create their own email templates from the FortiSIEM GUI.

The screenshots show three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed.

Release Added: 5.1

NEW

UPDATE

CLEAR

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body format

Section Field Description
Affected Business Services  (optional)    
Generic    
Identity and Location   - Contains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by FortiSIEM and shown in the Identity and Location tab.
- Host name
- User
- Domain
- Nearest switch name/port or VPN gateway or Wireless Controller
- First and last seen times for this IP address to identity/location binding
Incident Details   Rule-specific details that caused the incident to trigger
Incident Source   For security-related incidents, where the incident originated
Incident Target   Where the incident occurred, or the target of an IPS alert
Rule Rule Name Name of the rule, repeated in the subject line
  Incident Id Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEMby this ID.
  Time Time when this incident occurred
  Severity Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH
  Incident Count How many times this incident has occurred. For NEW incidents, the count is 1.
  Rule Description  
  Host Name (optional)  
  Host IP (optional)  
  Other attributes as defined in rule  
  Host Name (optional)  
  Host IP (optional)  

Notification via SMS

SMS notification is a shortened version of email notification.

Release Added: 5.1