
Integration API Guide

Notification via Email/SMS

Notification via Email

Email is the most common form of incident notification. While FortiSIEM has a default email format, users can also create their own email templates from the FortiSIEM GUI.

The screenshots show three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed.

Release Added: 5.1

[Screenshots: NEW, UPDATE and CLEAR email notifications]

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body format

Generic section:
  Affected Business Services (optional)
  Identity and Location: Contains additional information for IP addresses in the incident source or target. This information is present only if it was discovered by FortiSIEM and is shown in the Identity and Location tab. It includes:
    - Host name
    - User
    - Domain
    - Nearest switch name/port, VPN gateway or Wireless Controller
    - First and last seen times for this IP address to identity/location binding
  Incident Details: Rule-specific details that caused the incident to trigger
  Incident Source: For security-related incidents, where the incident originated
  Incident Target: Where the incident occurred, or the target of an IPS alert

Rule section:
  Rule Name: Name of the rule, repeated in the subject line
  Incident Id: Unique ID of the incident in FortiSIEM. An incident can be searched in FortiSIEM by this ID.
  Time: Time when this incident occurred
  Severity: Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH)
  Incident Count: How many times this incident has occurred. For NEW incidents, the count is 1.
  Rule Description

Incident Source section:
  Host Name (optional)
  Host IP (optional)

Incident Details section:
  Other attributes as defined in rule

Incident Target section:
  Host Name (optional)
  Host IP (optional)
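Consuming these notifications programmatically (for example, to open a ticket or route an alert) means parsing the subject format above and interpreting the severity bands. The following Python is an added example, not part of this guide or of FortiSIEM's own code: it parses the subject line `[New|Update|Clear] <HostName>: <Rule Name>`, maps the numeric severity onto the LOW/MEDIUM/HIGH bands the table defines, and flags a severity label that disagrees with its number. The body layout it reads (`Field: Value` lines for the Rule section fields) and the sample message are assumptions constructed for the example; the guide lists the fields but not the exact line layout of the default template.

```python
"""Parse FortiSIEM e-mail notifications into structured incident records.

Constructed example for this guide, not FortiSIEM code. From the guide: the
subject format "[New|Update|Clear] <HostName>: <Rule Name>" and the severity
bands 0-4 LOW, 5-8 MEDIUM, 9-10 HIGH. ASSUMED: the body carries the Rule-section
fields as "Field: Value" lines (the guide does not give the exact line layout).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# The host name runs up to the first ':' so that a rule name may itself contain colons.
SUBJECT_RE = re.compile(
    r"^\[(?P<state>New|Update|Clear)\]\s+(?P<host>[^:]+?)\s*:\s*(?P<rule>.+?)\s*$"
)


def severity_band(score: int) -> str:
    """Map the numeric severity (0-10) onto the band the guide defines."""
    if not 0 <= score <= 10:
        raise ValueError(f"severity out of range 0-10: {score}")
    if score <= 4:
        return "LOW"
    if score <= 8:
        return "MEDIUM"
    return "HIGH"


def parse_subject(subject: str) -> tuple[str, str, str]:
    """Return (STATE, host, rule) from a notification subject line."""
    m = SUBJECT_RE.match(subject)
    if not m:
        raise ValueError(f"not a FortiSIEM notification subject: {subject!r}")
    return m["state"].upper(), m["host"], m["rule"]


@dataclass
class Incident:
    state: str                      # NEW, UPDATE or CLEAR
    host: str
    rule: str
    incident_id: Optional[str] = None
    severity: Optional[int] = None  # numeric severity 0-10
    band: Optional[str] = None      # band derived from the number
    count: Optional[int] = None
    mismatch: bool = False          # label in the mail disagrees with its number
    fields: dict = field(default_factory=dict)


def parse_notification(subject: str, body: str) -> Incident:
    """Build an Incident from subject + body (body layout is the assumed one)."""
    state, host, rule = parse_subject(subject)
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")  # split on the first ':' only
        if sep and key.strip() and not line.startswith((" ", "\t")):
            fields[key.strip()] = value.strip()
    inc = Incident(state, host, rule, fields=fields)
    inc.incident_id = fields.get("Incident Id")
    if fields.get("Incident Count", "").isdigit():
        inc.count = int(fields["Incident Count"])
    sev = fields.get("Severity", "")
    num = re.search(r"\b(10|\d)\b", sev)
    if num:
        inc.severity = int(num.group(1))
        inc.band = severity_band(inc.severity)
        label = re.search(r"\b(HIGH|MEDIUM|LOW)\b", sev)
        # A label that contradicts its own number is worth flagging before routing on it.
        inc.mismatch = bool(label) and label.group(1) != inc.band
    return inc


# Constructed sample notification (not a real FortiSIEM message; IDs are made up).
SAMPLE_SUBJECT = "[New] fw-edge-01: Excessive Failed Logons: Same Source"
SAMPLE_BODY = """\
Rule Name: Excessive Failed Logons: Same Source
Incident Id: 123456
Time: 2024-01-15 10:32:05
Severity: HIGH 9
Incident Count: 1
Rule Description: More than 5 failed logons from one source in 5 minutes
"""

if __name__ == "__main__":
    inc = parse_notification(SAMPLE_SUBJECT, SAMPLE_BODY)
    print(inc.state, inc.host, inc.rule, inc.incident_id, inc.severity, inc.band, inc.count)
```

The subject parser anchors on the leading `[New|Update|Clear]` tag and rejects anything else, so a reply or forwarded mail with a rewritten subject raises rather than producing a half-filled record; the band check catches a template that was customised in the GUI with a label that no longer matches the numeric range.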

Notification via SMS

SMS notification is a shortened version of email notification.

Release Added: 5.1
