FortiAnalyzer is the NOC-SOC security analysis tool built with an operations perspective. FortiAnalyzer supports analytics-powered use cases to provide better detection against breaches.
This document provides information about the Fortinet FortiAnalyzer Connector, which facilitates automated interactions with your Fortinet FortiAnalyzer server using FortiSOAR™ playbooks. Add the Fortinet FortiAnalyzer Connector as a step in FortiSOAR™ playbooks and perform automated operations such as creating and updating incidents on Fortinet FortiAnalyzer and retrieving user and endpoint information from Fortinet FortiAnalyzer.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiAnalyzer. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks have been added to support data ingestion:
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:

```shell
yum install cyops-connector-fortinet-fortianalyzer
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
Username | Username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
Password | Password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
ADOM Name | Administrative domain name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
Port | Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Incident | Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint and other input parameters you have specified. | create_incident Investigation |
Fetch Incidents | Fetches all incidents or a specific incident from Fortinet FortiAnalyzer based on the input parameters you have specified. | list_incidents Investigation |
Update Incident | Updates incident fields like severity, category, status etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID and other input parameters you have specified. | update_incident_details Investigation |
Get Events For Incident | Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID you have specified. | get_events_for_incident Investigation |
Get Reports | Retrieves a list of all reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the time frame you have specified. | get_reports Investigation |
List Schedules | Retrieves a list of all schedules from Fortinet FortiAnalyzer. | get_schedules Investigation |
Run Report | Runs a report on the Fortinet FortiAnalyzer based on the report ID and schedule ID you have specified. | run_report Investigation |
Get Generated Report | Retrieves a specific generated report from Fortinet FortiAnalyzer based on the report ID you have specified. | get_generated_report Investigation |
List Users | Retrieves a list of all users or specific users from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_users Investigation |
List Endpoints | Retrieves a list of all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_endpoints Investigation |
Parameter | Description |
---|---|
Incident Reporter | Name of reporter of the incident that you want to create in Fortinet FortiAnalyzer. |
Affected Endpoint | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
Category | (Optional) Category in which you want to create the incident in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) Severity level that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) Status that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. |
Description | (Optional) Description of the incident that you want to create in Fortinet FortiAnalyzer. |
Other Fields | (Optional) Additional fields in the JSON format that you want to add to the incident, which you want to create in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "incid": ""
  },
  "jsonrpc": "",
  "id": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Incident IDs | List of incident IDs based on which you want to fetch incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
Status | Status of the incident using which you want to filter incidents to be fetched from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Filter | Query filter using which you want to filter incidents to be fetched from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
Detail Level | Level of detail that you want to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard (default), or Extended. |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
Sort | Select this checkbox if you want to sort the incidents by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "result": {
    "data": [
      {
        "severity": "",
        "category": "",
        "incid": "",
        "euid": "",
        "description": "",
        "endpoint": "",
        "refinfo": "",
        "attach_revision": "",
        "epid": "",
        "createtime": "",
        "status": "",
        "attach_lastupdate": "",
        "lastuser": "",
        "revision": "",
        "reporter": "",
        "lastupdate": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    },
    "detail-level": ""
  },
  "id": ""
}
```
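As an added example, not code from the connector itself, the following Python helpers mirror what a playbook author has to get right around the Create Incident and Fetch Incidents operations described above: validating the Category/Severity/Status option lists and the "Other Fields" JSON before sending, checking the `result.status` envelope of the JSON-RPC responses, and paging through results with the documented Limit/Offset bounds. The `transport` callable, the treatment of status code 0 as success, and the precedence of explicit parameters over "Other Fields" are assumptions; the incident data is constructed inline so the code runs offline.

```python
"""Client-side helpers for the FortiAnalyzer connector operations (added example)."""
import json
from typing import Any, Callable, Dict, List, Optional

# Option lists exactly as documented for Create/Update Incident on this page.
CATEGORIES = {"Unauthorized access", "Denial of Service", "Malicious Code",
              "Improper Usage", "Scans/Probes/Attempted Access", "Uncategorized"}
SEVERITIES = {"High", "Medium", "Low"}
STATUSES = {"New", "Analysis", "Response", "Closed: Remediated",
            "Closed: False Positive"}
# Limit bounds documented for Fetch Incidents.
LIMIT_DEFAULT, LIMIT_MIN, LIMIT_MAX = 50, 1, 2000

# Hypothetical stand-in for the connector action: transport(operation, params) -> response
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_create_incident_fields(reporter: str, endpoint: str, *,
                                 category: Optional[str] = None,
                                 severity: Optional[str] = None,
                                 status: Optional[str] = None,
                                 euid: Optional[str] = None,
                                 description: Optional[str] = None,
                                 other_fields: Optional[str] = None) -> Dict[str, Any]:
    """Validate Create Incident inputs and merge the optional 'Other Fields' JSON string.
    Assumption: explicit parameters take precedence over keys in other_fields."""
    if not reporter or not endpoint:
        raise ValueError("Incident Reporter and Affected Endpoint are required")
    for value, allowed, name in ((category, CATEGORIES, "Category"),
                                 (severity, SEVERITIES, "Severity"),
                                 (status, STATUSES, "Status")):
        if value is not None and value not in allowed:
            raise ValueError(f"{name} {value!r} not in {sorted(allowed)}")
    fields: Dict[str, Any] = {}
    if other_fields:
        extra = json.loads(other_fields)          # e.g. '{"epid":123}'
        if not isinstance(extra, dict):
            raise ValueError("Other Fields must be a JSON object")
        fields.update(extra)
    explicit = {"reporter": reporter, "endpoint": endpoint, "category": category,
                "severity": severity, "status": status, "euid": euid,
                "description": description}
    fields.update({k: v for k, v in explicit.items() if v is not None})
    return fields


def check_response(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Validate the JSON-RPC envelope shown in this page's output schemas and return
    'result'. Assumption: status code 0 means success; anything else is an error."""
    if "result" not in resp:
        raise RuntimeError(f"malformed JSON-RPC response: {resp}")
    result = resp["result"]
    status = result.get("status") if isinstance(result, dict) else None
    if status is not None and status.get("code", 0) != 0:
        raise RuntimeError(f"FortiAnalyzer error {status.get('code')}: "
                           f"{status.get('message')}")
    return result


def clamp_limit(limit: Optional[int]) -> int:
    """Keep 'Limit' inside the documented range rather than sending an invalid value."""
    if limit is None:
        return LIMIT_DEFAULT
    return max(LIMIT_MIN, min(LIMIT_MAX, int(limit)))


def fetch_all_incidents(transport: Transport, filter_expr: str = "",
                        limit: Optional[int] = None,
                        max_pages: int = 100) -> List[Dict[str, Any]]:
    """Page through Fetch Incidents with Limit/Offset until a short page arrives.
    max_pages bounds the loop so a misbehaving server cannot spin it forever."""
    page_size = clamp_limit(limit)
    incidents: List[Dict[str, Any]] = []
    for page in range(max_pages):
        params = {"filter": filter_expr, "limit": page_size, "offset": page * page_size}
        data = check_response(transport("list_incidents", params)).get("data", [])
        incidents.extend(data)
        if len(data) < page_size:
            break
    return incidents


def constructed_transport(total: int) -> Transport:
    """Offline stand-in serving `total` constructed incidents in the documented
    Fetch Incidents schema; unknown operations get a constructed error status."""
    def _call(operation: str, params: Dict[str, Any]) -> Dict[str, Any]:
        if operation != "list_incidents":
            return {"jsonrpc": "2.0", "id": 1,
                    "result": {"status": {"code": -3, "message": "unknown operation"}}}
        lo = params["offset"]
        hi = min(total, lo + params["limit"])
        rows = [{"incid": f"IN{n:08d}", "severity": "Low", "status": "New"}
                for n in range(lo + 1, hi + 1)]
        return {"jsonrpc": "2.0", "id": 1,
                "result": {"data": rows, "status": {"code": 0, "message": "OK"},
                           "detail-level": "standard"}}
    return _call


if __name__ == "__main__":
    print(len(fetch_all_incidents(constructed_transport(120))))   # 120
```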
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update in Fortinet FortiAnalyzer. |
Category | (Optional) Category that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Status | (Optional) Status that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Affected Endpoint | (Optional) Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
Severity | (Optional) Severity level that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. |
Description | (Optional) Description of the incident that you want to update in Fortinet FortiAnalyzer. |
Other Fields | (Optional) Additional fields in the JSON format that you want to modify in the incident, which you want to update in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "result": {
    "status": {
      "code": "",
      "message": ""
    }
  },
  "id": ""
}
```
Parameter | Description |
---|---|
Incident ID | ID of the incident whose associated events you want to retrieve from Fortinet FortiAnalyzer. |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "data": [
      {
        "createtime": "",
        "data": "",
        "incid": "",
        "lastuser": "",
        "attachid": "",
        "lastupdate": "",
        "revision": "",
        "attachtype": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  },
  "jsonrpc": "",
  "id": ""
}
```
Parameter | Description |
---|---|
State | State of the report that you want to retrieve from Fortinet FortiAnalyzer. The states that are supported are: pending-running or generated. |
Start Time | Starting datetime from which you want to retrieve reports from Fortinet FortiAnalyzer. Note: If timezone information is not specified, the Fortinet FortiAnalyzer's timezone is used for retrieving the reports. |
End Time | Ending datetime up to which you want to retrieve reports from Fortinet FortiAnalyzer. Note: If timezone information is not specified, the Fortinet FortiAnalyzer's timezone is used for retrieving the reports. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "count": "",
    "revision": "",
    "data": [
      {
        "devtype": "",
        "state": "",
        "profileid": "",
        "date": "",
        "title": "",
        "timestamp-end": "",
        "adminuser": "",
        "schedule_color": "",
        "format": [],
        "tid": "",
        "progress-percent": "",
        "name": "",
        "period-end": "",
        "end": "",
        "timestamp-start": "",
        "start": "",
        "period-start": ""
      }
    ]
  },
  "jsonrpc": "",
  "id": ""
}
```
None.
The output contains the following populated JSON schema:
```json
{
  "result": {
    "status": {
      "code": "",
      "message": ""
    },
    "data": [
      {
        "report-per-device": "",
        "week-start": "",
        "date-format": "",
        "include-other": "",
        "period-last-n": "",
        "period-opt": "",
        "display-device-by": "",
        "schedule-valid-end": [],
        "devices": [
          {
            "devices-name": ""
          }
        ],
        "schedule-color": "",
        "filter": "",
        "admin-user": "",
        "filter-type": "",
        "report-layout": [
          {
            "layout-id": ""
          }
        ],
        "email-report-per-device": "",
        "language": "",
        "ldap-user-case-change": "",
        "orientation": "",
        "name": "",
        "time-period": "",
        "print-report-filters": "",
        "schedule-type": "",
        "ldap-server": "",
        "auto-hcache": "",
        "display-table-contents": "",
        "filter-logic": "",
        "obfuscate-user": "",
        "device-list-type": "",
        "include-coverpage": "",
        "output-format": "",
        "schedule-valid-start": [],
        "resolve-hostname": "",
        "ldap-query": "",
        "schedule-frequency": "",
        "output-profile": "",
        "dev-type": "",
        "max-reports": "",
        "status": ""
      }
    ]
  },
  "jsonrpc": "",
  "id": ""
}
```
Parameter | Description |
---|---|
Schedule | Name or ID of the schedule using which you want to run the report. Note: You can get the name or ID of the schedule using the "List Schedules" action. |
Report ID | ID of the report that you want to run on Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "result": {
    "tid": ""
  },
  "id": ""
}
```
Parameter | Description |
---|---|
Task ID | Task ID of the generated report that you want to retrieve from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "result": {
    "tid": "",
    "length": "",
    "name": "",
    "data-type": "",
    "checksum": "",
    "data": ""
  },
  "id": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
User IDs | List of user IDs based on which you want to fetch users from Fortinet FortiAnalyzer. For example, 1043,1055 or 1043. |
Filter | Query filter using which you want to filter users to be fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost' |
Detail Level | Level of detail that you want to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard (default), or Extended. |
Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
Sort | Select this checkbox if you want to sort the users by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "data": [
      {
        "workphone": "",
        "socialid": {
          "data": []
        },
        "gender": "",
        "authtype": "",
        "euname": "",
        "euuuid": "",
        "euid": "",
        "title": "",
        "eugroup": "",
        "employeeid": "",
        "email": "",
        "lastseen": "",
        "workemail": "",
        "firstseen": "",
        "phone": "",
        "firstname": "",
        "birthday": "",
        "homeaddr": "",
        "lastname": "",
        "workaddr": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  },
  "jsonrpc": "",
  "id": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Endpoint IDs | List of endpoint IDs based on which you want to fetch endpoints from Fortinet FortiAnalyzer. For example, 1047,1077 or 1077. |
Filter | Query filter using which you want to filter endpoints to be fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3' |
Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
Sort | Select this checkbox if you want to sort the endpoints by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "data": [
      {
        "epname": "",
        "fctuid": "",
        "detecttype": "",
        "osname": "",
        "detectkey": "",
        "macip": [
          {
            "lastseen": "",
            "epip": "",
            "mac": ""
          }
        ],
        "lastseen": "",
        "adomoid": "",
        "epid": "",
        "epdevtype": "",
        "osversion": "",
        "vd": "",
        "devid": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  },
  "jsonrpc": "",
  "id": ""
}
```
The Sample - Fortinet FortiAnalyzer - 1.0.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Fortinet FortiAnalyzer connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.