Fortinet black logo

Integration API Guide

Update Incident Attributes

This API enables you to update certain incident attributes.

Release Added

5.2.5

Methodology REST API based: Caller makes an HTTPS request with an input JSON containing the updated incident attributes
Request URLhttps://<FortiSIEM_Supervisor_IP>/phoenix
/rest/incident/external

Input Credentials
  • Enterprise deployments: User name and password of any FortiSIEM account that has the appropriate access. Use "super" as the organization for Enterprise deployments.
    Curl example: curl -k -u super/admin:Admin*123
  • Service Provider deployments: User name and password of Super Global account or Organization specific account and name. Make sure that the account has the appropriate access.
    Curl example with super organization: curl -k -u super/admin:Admin*123
    If querying for a specific organization, replace "super" with the organization name.
Input JSONContentType: application/json

RequestPayload:{"incidentId":"1","comments":"XYZ","incidentStatus":
"3","externalTicketType":"MEDIUM","externalTicketId":
"1111","externalTicketState":"CLOSED",
"externalAssignedUser":"ABC"}


  • incidentId – Incident ID for the incident to be updated
  • comments – Any comments
  • incidentStatus – 0 (Active), 1 (Auto Cleared), 2 (Manually Cleared), or 3 (System Cleared)
  • externalTicketType – Low, Medium, or High
  • externalTicketId – External Ticket ID
  • externalTicketState – New, Assigned, In Progress, or Closed
  • externalAssignedUser – External Assigned User
Output HTTP status code

Refer to Example Usage to get the list of monitored devices and attributes.

This API enables you to update certain incident attributes.

Release Added

5.2.5

Methodology REST API based: Caller makes an HTTPS request with an input JSON containing the updated incident attributes
Request URLhttps://<FortiSIEM_Supervisor_IP>/phoenix
/rest/incident/external

Input Credentials
  • Enterprise deployments: User name and password of any FortiSIEM account that has the appropriate access. Use "super" as the organization for Enterprise deployments.
    Curl example: curl -k -u super/admin:Admin*123
  • Service Provider deployments: User name and password of Super Global account or Organization specific account and name. Make sure that the account has the appropriate access.
    Curl example with super organization: curl -k -u super/admin:Admin*123
    If querying for a specific organization, replace "super" with the organization name.
Input JSONContentType: application/json

RequestPayload:{"incidentId":"1","comments":"XYZ","incidentStatus":
"3","externalTicketType":"MEDIUM","externalTicketId":
"1111","externalTicketState":"CLOSED",
"externalAssignedUser":"ABC"}


  • incidentId – Incident ID for the incident to be updated
  • comments – Any comments
  • incidentStatus – 0 (Active), 1 (Auto Cleared), 2 (Manually Cleared), or 3 (System Cleared)
  • externalTicketType – Low, Medium, or High
  • externalTicketId – External Ticket ID
  • externalTicketState – New, Assigned, In Progress, or Closed
  • externalAssignedUser – External Assigned User
Output HTTP status code

Refer to Example Usage to get the list of monitored devices and attributes.