Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.
This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on the Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 6.0.0-790
Authored By: Fortinet
Certified: Yes
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks have been added to support data ingestion:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-fortinet-fortimanager
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations. |
Username | Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
Password | Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
ADOM | Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs in CSV or list format. |
Port | Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Incident | Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. | create_incident Investigation |
List Incident | Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. | get_incidents Investigation |
Get Events Related to Incident | Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. | get_incident_events Investigation |
Get Device List | Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values. | get_devices Investigation |
Get Events | Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values. | get_alert_event Investigation |
Get Event Details | Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. | get_alert_logs Investigation |
Update Incident | Updates an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. | create_incident Investigation |
Parameter | Description |
---|---|
Reporter | Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin. |
Endpoint Name | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
Category | (Optional) Category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) Severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) Status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the new incident that you want to create in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
    "jsonrpc": "",
    "id": "",
    "result": {
        "incid": ""
    }
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Incident ID | ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager. |
Detail Level | Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard". |
Filter | Query in the format field_name="field_value" using which you want to filter the incidents to be retrieved from Fortinet FortiManager. For example, category="CAT2" and severity="medium". |
Sort By | Sorts the incidents by the specified field and orders the results. If you choose "Field", then you can specify the following parameters: |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
Output schema when you choose "Detail Level" as 'Basic':
{
    "jsonrpc": "",
    "id": "",
    "result": {
        "status": {
            "code": "",
            "message": ""
        },
        "detail-level": "",
        "data": [
            {
                "attach_revision": "",
                "attach_lastupdate": "",
                "lastupdate": "",
                "revision": "",
                "incid": ""
            }
        ]
    }
}
Output schema when you choose "Detail Level" as 'Extended':
{
    "result": {
        "data": [
            {
                "endpoint": "",
                "euname": "",
                "epip": "",
                "status": "",
                "incid": "",
                "attachments": [
                    {
                        "lastupdate": "",
                        "attachid": "",
                        "revision": ""
                    }
                ],
                "lastupdate": "",
                "osversion": "",
                "attach_lastupdate": "",
                "euid": "",
                "category": "",
                "epid": "",
                "epname": "",
                "revision": "",
                "reporter": "",
                "createtime": "",
                "description": "",
                "osname": "",
                "mac": "",
                "lastuser": "",
                "severity": "",
                "attach_revision": "",
                "refinfo": ""
            }
        ],
        "detail-level": "",
        "status": {
            "message": "",
            "code": ""
        }
    },
    "id": "",
    "jsonrpc": ""
}
Output schema when you choose "Detail Level" as 'Standard' or you do not select any detail level:
{
    "result": {
        "data": [
            {
                "endpoint": "",
                "reporter": "",
                "createtime": "",
                "description": "",
                "status": "",
                "incid": "",
                "severity": "",
                "lastuser": "",
                "attach_lastupdate": "",
                "lastupdate": "",
                "euid": "",
                "attach_revision": "",
                "category": "",
                "refinfo": "",
                "epid": "",
                "revision": ""
            }
        ],
        "detail-level": "",
        "status": {
            "message": "",
            "code": ""
        }
    },
    "id": "",
    "jsonrpc": ""
}
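As an added example (not connector code), the following Python shows how a playbook-side helper could page through the List Incident action using the documented Limit and Offset ranges, refuse any page whose result.status.code is not success, and map each 'Standard' record onto alert-style fields, since FortiManager incidents are ingested as FortiSOAR™ alerts. The list_incidents callable, the success code 0, and the sample records are assumptions.

```python
"""Page through List Incident results and map them to alert-style records.

Added example, not part of the connector. Assumptions: a ``list_incidents``
callable stands in for the connector action; result.status.code == 0 means
success; the sample records below are constructed for illustration.
"""
from typing import Callable, Dict, List

LIMIT_MIN, LIMIT_MAX, LIMIT_DEFAULT = 1, 2000, 50   # documented Limit range
SUCCESS_CODE = 0                                    # assumption: 0 means OK


def clamp_limit(limit) -> int:
    """Keep the page size inside the documented Limit range (default 50)."""
    if limit is None:
        return LIMIT_DEFAULT
    return max(LIMIT_MIN, min(LIMIT_MAX, int(limit)))


def check_status(response: Dict) -> None:
    """Fail closed: a missing or non-success status code rejects the page."""
    status = response.get("result", {}).get("status", {})
    if status.get("code") != SUCCESS_CODE:
        raise RuntimeError(
            f"FortiManager error {status.get('code')}: {status.get('message')}")


def collect_incidents(list_incidents: Callable[..., Dict],
                      limit: int = LIMIT_DEFAULT,
                      max_records: int = 10000) -> List[Dict]:
    """Walk Offset forward in steps of Limit until a short page arrives."""
    limit = clamp_limit(limit)
    offset, collected = 0, []
    while len(collected) < max_records:
        response = list_incidents(limit=limit, offset=offset)
        check_status(response)
        page = response["result"]["data"]
        collected.extend(page)
        if len(page) < limit:          # last page reached
            break
        offset += limit
    return collected[:max_records]


SEVERITY_MAP = {"high": "High", "medium": "Medium", "low": "Low"}  # documented values


def incident_to_alert(incident: Dict) -> Dict:
    """Map a 'Standard' incident record onto alert-style fields."""
    incid = incident.get("incid")
    return {
        "source_id": incid,
        "name": incident.get("description") or f"FortiManager incident {incid}",
        "severity": SEVERITY_MAP.get(str(incident.get("severity", "")).lower(), "Medium"),
        "status": incident.get("status"),
        "category": incident.get("category"),
        "reporter": incident.get("reporter"),
        "endpoint": incident.get("endpoint"),
        "revision": incident.get("revision"),
    }


# Constructed sample data: seven incidents served by a fake action.
SAMPLE_INCIDENTS = [
    {"incid": f"IN0000{i}", "severity": s, "status": "New",
     "category": "Malicious Code", "description": f"constructed incident {i}",
     "reporter": "admin", "endpoint": "192.0.2.10/32 (Emp1 Laptop)", "revision": "1"}
    for i, s in enumerate(["high", "low", "medium", "high", "low", "medium", "high"], 1)
]


def fake_list_incidents(limit: int, offset: int) -> Dict:
    """Stand-in for the connector action; slices the constructed data."""
    return {"jsonrpc": "2.0", "id": 1, "result": {
        "status": {"code": 0, "message": "OK"}, "detail-level": "standard",
        "data": SAMPLE_INCIDENTS[offset:offset + limit]}}


def fake_failing_action(limit: int, offset: int) -> Dict:
    """Stand-in that reports a (constructed) error, to show the fail-closed check."""
    return {"jsonrpc": "2.0", "id": 1, "result": {
        "status": {"code": -1, "message": "constructed failure"}, "data": []}}


if __name__ == "__main__":
    alerts = [incident_to_alert(i) for i in collect_incidents(fake_list_incidents, limit=3)]
    print(len(alerts), "alerts;", sum(a["severity"] == "High" for a in alerts), "high")
```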
Parameter | Description |
---|---|
Incident ID | ID of the incident whose associated events you want to retrieve from Fortinet FortiManager. |
Attachment Type | Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report. |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
    "result": {
        "data": [
            {
                "attachtype": "",
                "lastupdate": "",
                "incid": "",
                "attachid": "",
                "createtime": "",
                "data": "",
                "lastuser": "",
                "revision": ""
            }
        ],
        "status": {
            "message": "",
            "code": ""
        }
    },
    "id": "",
    "jsonrpc": ""
}
Parameter | Description |
---|---|
Device Name | Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values. |
The output contains the following populated JSON schema:
{
    "id": "",
    "result": [
        {
            "url": "",
            "status": {
                "code": "",
                "message": ""
            },
            "data": [
                {
                    "os_ver": "",
                    "build": "",
                    "ips_ext": "",
                    "foslic_inst_time": "",
                    "mgmt.__data[5]": "",
                    "lic_region": "",
                    "latitude": "",
                    "foslic_ram": "",
                    "faz.perm": "",
                    "branch_pt": "",
                    "ips_ver": "",
                    "foslic_utm": "",
                    "source": "",
                    "foslic_cpu": "",
                    "mgmt.__data[3]": "",
                    "mgmt.__data[2]": "",
                    "ha_mode": "",
                    "opts": "",
                    "last_resync": "",
                    "foslic_last_sync": "",
                    "conn_status": "",
                    "mgmt.__data[7]": "",
                    "patch": "",
                    "hw_rev_minor": "",
                    "mgmt.__data[1]": "",
                    "psk": "",
                    "checksum": "",
                    "faz.quota": "",
                    "ha_group_id": "",
                    "adm_usr": "",
                    "ha_group_name": "",
                    "faz.used": "",
                    "tunnel_cookie": "",
                    "conf_status": "",
                    "mgmt.__data[6]": "",
                    "last_checked": "",
                    "version": "",
                    "mgmt.__data[0]": "",
                    "ha_slave": "",
                    "name": "",
                    "longitude": "",
                    "platform_str": "",
                    "foslic_dr_site": "",
                    "tunnel_ip": "",
                    "oid": "",
                    "foslic_type": "",
                    "prefer_img_ver": "",
                    "location_from": "",
                    "vm_cpu_limit": "",
                    "mgmt_if": "",
                    "faz.full_act": "",
                    "av_ver": "",
                    "fex_cnt": "",
                    "fsw_cnt": "",
                    "mgmt.__data[4]": "",
                    "vm_mem": "",
                    "sn": "",
                    "logdisk_size": "",
                    "lic_flags": "",
                    "hostname": "",
                    "vm_mem_limit": "",
                    "vdom": [
                        {
                            "tab_status": "",
                            "opmode": "",
                            "name": "",
                            "devid": "",
                            "rtm_prof_id": "",
                            "status": "",
                            "comments": "",
                            "oid": "",
                            "ext_flags": "",
                            "node_flags": "",
                            "vpn_id": "",
                            "flags": ""
                        }
                    ],
                    "tab_status": "",
                    "adm_pass": [],
                    "mgmt_id": "",
                    "beta": "",
                    "dev_status": "",
                    "os_type": "",
                    "vm_lic_expire": "",
                    "mgmt_mode": "",
                    "hdisk_size": "",
                    "ip": "",
                    "vm_status": "",
                    "db_status": "",
                    "mr": "",
                    "module_sn": "",
                    "hw_rev_major": "",
                    "flags": "",
                    "desc": "",
                    "app_ver": "",
                    "maxvdom": "",
                    "vm_cpu": "",
                    "conn_mode": "",
                    "node_flags": "",
                    "fap_cnt": "",
                    "mgt_vdom": ""
                }
            ]
        }
    ]
}
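The device records above carry fields whose names indicate credential material (psk, adm_pass, tunnel_cookie) alongside the inventory data a playbook actually needs. As an added example (not connector code), this Python flattens the Get Device List output into an inventory summary and strips the secret-bearing keys before the records are written into a FortiSOAR™ record or log; which keys count as secrets is inferred from their names, and the sample response is constructed.

```python
"""Summarize Get Device List output and redact credential-bearing fields.

Added example, not part of the connector. Assumptions: 'psk', 'adm_pass' and
'tunnel_cookie' hold secrets (inferred from their names); status code 0 means
success; the sample response below is constructed.
"""
from typing import Any, Dict, List

SENSITIVE_KEYS = {"psk", "adm_pass", "tunnel_cookie"}
REDACTED = "[REDACTED]"
SUCCESS_CODE = 0  # assumption


def redact(obj: Any) -> Any:
    """Return a deep copy with every sensitive key replaced, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def secret_paths(obj: Any, prefix: str = "") -> List[str]:
    """List the JSON paths of sensitive keys that actually carry a value."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if k in SENSITIVE_KEYS:
                if v:
                    found.append(path)
            else:
                found.extend(secret_paths(v, path))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(secret_paths(item, f"{prefix}[{i}]"))
    return found


def device_summary(response: Dict) -> List[Dict]:
    """Flatten result[].data[] into one inventory row per device."""
    rows = []
    for chunk in response.get("result", []):
        status = chunk.get("status", {})
        if status.get("code") != SUCCESS_CODE:
            raise RuntimeError(f"device query failed: {status.get('message')}")
        for device in chunk.get("data", []):
            rows.append({
                "name": device.get("name"),
                "sn": device.get("sn"),
                "os_ver": device.get("os_ver"),
                "patch": device.get("patch"),
                "conn_status": device.get("conn_status"),
                "conf_status": device.get("conf_status"),
                "vdoms": [v.get("name") for v in device.get("vdom", [])],
            })
    return rows


# Constructed sample response in the documented shape (two devices).
SAMPLE_DEVICE_RESPONSE = {
    "id": 1,
    "result": [{
        "url": "/constructed/url",
        "status": {"code": 0, "message": "OK"},
        "data": [
            {"name": "fw-edge-1", "sn": "FGVMCONSTRUCTED01", "os_ver": "6.0", "patch": "4",
             "conn_status": 1, "conf_status": 1, "psk": "constructed-psk",
             "adm_pass": ["constructed-pass"], "tunnel_cookie": "constructed-cookie",
             "vdom": [{"name": "root"}, {"name": "dmz"}]},
            {"name": "fw-branch-2", "sn": "FGVMCONSTRUCTED02", "os_ver": "6.0", "patch": "2",
             "conn_status": 0, "conf_status": 0, "psk": "", "adm_pass": [],
             "tunnel_cookie": "", "vdom": [{"name": "root"}]},
        ],
    }],
}

if __name__ == "__main__":
    print("secrets present at:", secret_paths(SAMPLE_DEVICE_RESPONSE))
    for row in device_summary(redact(SAMPLE_DEVICE_RESPONSE)):
        print(row)
```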
Parameter | Description |
---|---|
Filter | Filter expression using which you want to retrieve events from Fortinet FortiManager. The fields 'event_value', 'severity', 'trigger_name', 'count', 'comment' and 'flags' are supported. For example, trigger_name='Local Device Event' and severity >= 3 or subject='desc:User login from SSH failed' |
Time Range | Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
    "jsonrpc": "",
    "result": {
        "data": [
            {
                "alerttime": "",
                "triggername": "",
                "devname": "",
                "vdom": "",
                "filterid": "",
                "filterkey": "",
                "devtype": "",
                "eventtype": "",
                "groupby1": "",
                "euid": "1",
                "subject": "",
                "devid": "",
                "alertid": "",
                "extrainfo": "",
                "euname": "",
                "epname": "",
                "ackflag": "",
                "logcount": "",
                "filtercksum": "",
                "tag": "",
                "updatetime": "",
                "epid": "1",
                "severity": "",
                "readflag": "",
                "lastlogtime": "",
                "firstlogtime": ""
            }
        ]
    },
    "id": ""
}
Parameter | Description |
---|---|
Alert ID | ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action. |
Time Order | Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending. |
Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
    "id": "",
    "result": {
        "data": [
            {
                "log_id": "",
                "devname": "",
                "userfrom": "",
                "time": "",
                "dstepid": "",
                "desc": "",
                "user": "",
                "dtime": "",
                "msg": "",
                "type": "",
                "devid": "",
                "dsteuid": "",
                "euid": "",
                "date": "",
                "idseq": "",
                "itime_t": "",
                "epid": "",
                "subtype": "",
                "level": "",
                "itime": ""
            }
        ]
    },
    "jsonrpc": ""
}
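The Get Events Filter parameter is a free-form expression, and the Alert ID input of Get Event Details is built from the alertid values that Get Events returns. As an added example (not connector code), this Python builds a filter expression from structured playbook input, allowing only the fields the page lists (plus 'subject', which the page's own example uses) and rejecting values that would break out of the quoted term, then selects alert IDs from a Get Events response into the CSV form Get Event Details expects. The grammar is inferred from the documented example, ackflag "0" meaning not yet acknowledged is an assumption, and the sample events are constructed.

```python
"""Build a Get Events filter defensively and chain its output into Get Event Details.

Added example, not part of the connector. Assumptions: grammar taken from the
documented example (field='value', numeric comparison, and/or); ackflag "0"
means the event is not yet acknowledged; the sample events are constructed.
"""
import re
from typing import Dict, Sequence, Tuple

# Fields the page lists as supported, plus 'subject', which its own example uses.
FILTER_FIELDS = {"event_value", "severity", "trigger_name", "count",
                 "comment", "flags", "subject"}
NUMERIC_FIELDS = {"severity", "count"}
NUMERIC_OPERATORS = {"=", "!=", ">", ">=", "<", "<="}
# Conservative allow-list for quoted string values: no quotes, no parentheses.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:/@-]+$")


def filter_term(field: str, op: str, value) -> str:
    """Render one term, refusing anything outside the documented grammar."""
    if field not in FILTER_FIELDS:
        raise ValueError(f"unsupported filter field: {field!r}")
    if field in NUMERIC_FIELDS:
        if op not in NUMERIC_OPERATORS:
            raise ValueError(f"unsupported operator for {field}: {op!r}")
        return f"{field} {op} {int(value)}"        # int() rejects non-numeric input
    if op != "=":
        raise ValueError(f"only '=' is supported for string field {field}")
    value = str(value)
    if not SAFE_VALUE.match(value):
        # Quotes and other punctuation are rejected rather than escaped, so a
        # value like  x' or flags='1  cannot alter the expression.
        raise ValueError(f"value for {field} contains characters outside the allowed set")
    return f"{field}{op}'{value}'"


def build_filter(terms: Sequence[Tuple[str, str, object]], joiner: str = "and") -> str:
    """Join validated terms with a single documented connective."""
    if joiner not in ("and", "or"):
        raise ValueError("joiner must be 'and' or 'or'")
    return f" {joiner} ".join(filter_term(*t) for t in terms)


def alert_ids_for_details(get_events_response: Dict, min_severity: int = 0,
                          unacknowledged_only: bool = True) -> str:
    """Select alert IDs from Get Events output and render the CSV Alert ID input."""
    seen, ids = set(), []
    for event in get_events_response.get("result", {}).get("data", []):
        alert_id = str(event.get("alertid", "")).strip()
        if not alert_id or alert_id in seen:
            continue
        if int(event.get("severity", 0)) < min_severity:
            continue
        if unacknowledged_only and str(event.get("ackflag", "0")) != "0":
            continue
        seen.add(alert_id)
        ids.append(alert_id)
    return ",".join(ids)


# Constructed sample Get Events response (only the fields used here).
SAMPLE_EVENTS = {"jsonrpc": "2.0", "id": 1, "result": {"data": [
    {"alertid": "101", "severity": "4", "ackflag": "0", "subject": "constructed"},
    {"alertid": "102", "severity": "2", "ackflag": "0", "subject": "constructed"},
    {"alertid": "103", "severity": "5", "ackflag": "1", "subject": "constructed"},
    {"alertid": "101", "severity": "4", "ackflag": "0", "subject": "duplicate"},
    {"alertid": "104", "severity": "3", "ackflag": "0", "subject": "constructed"},
    {"alertid": "", "severity": "5", "ackflag": "0", "subject": "no id"},
]}}

if __name__ == "__main__":
    print(build_filter([("trigger_name", "=", "Local Device Event"), ("severity", ">=", 3)]))
    print("Alert ID:", alert_ids_for_details(SAMPLE_EVENTS, min_severity=3))
```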
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update in FortiManager. |
Endpoint Name | Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
Category | (Optional) Category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) Severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) Status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the incident that you want to update in Fortinet FortiManager. |
Last Revision | (Optional) Last version of the incident that you want to update in Fortinet FortiManager. |
Last User | (Optional) Last user of the incident that you want to update in Fortinet FortiManager. |
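Create Incident and Update Incident share the same option lists for Category, Severity and Status, and differ in which inputs are required. As an added example (not connector code) serving both actions, this Python normalizes playbook input to the documented spellings, rejects values outside those lists before the step runs, and reads back the incid or status.code the two actions return; the key names on the input dict, the success code 0, and the sample responses are assumptions.

```python
"""Validate Create Incident / Update Incident inputs and read back the results.

Added example, not part of the connector. Assumptions: the playbook passes
inputs as the snake_case keys used below; result.status.code == 0 means
success; the sample responses are constructed.
"""
from typing import Dict, Optional, Set

CATEGORIES = {"Unauthorized access", "Denial of Service", "Malicious Code",
              "Improper Usage", "Scans/Probes/Attempted Access", "Uncategorized"}
SEVERITIES = {"High", "Medium", "Low"}
STATUSES = {"New", "Analysis", "Response", "Closed: Remediated", "Closed: False Positive"}
SUCCESS_CODE = 0  # assumption


def _pick(value: Optional[str], allowed: Set[str], name: str) -> Optional[str]:
    """Return the documented spelling of an option, matching case-insensitively."""
    if value in (None, ""):
        return None
    for option in allowed:
        if option.lower() == str(value).strip().lower():
            return option
    raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")


def incident_fields(params: Dict, update: bool = False) -> Dict:
    """Build the parameter set for Create Incident (update=False) or Update Incident."""
    out: Dict[str, object] = {}
    if update:
        if not params.get("incident_id"):
            raise ValueError("Incident ID is required for Update Incident")
        out["Incident ID"] = str(params["incident_id"])
    elif not params.get("reporter"):
        raise ValueError("Reporter is required for Create Incident")
    else:
        out["Reporter"] = str(params["reporter"]).strip()
    if not params.get("endpoint_name"):
        raise ValueError("Endpoint Name is required")
    out["Endpoint Name"] = str(params["endpoint_name"]).strip()
    # Free-text optional inputs are passed through unchanged.
    for key, label in (("endpoint_id", "Endpoint ID"), ("end_user_id", "End User ID"),
                       ("description", "Description")):
        if params.get(key) not in (None, ""):
            out[label] = str(params[key])
    # Enumerated optional inputs must match the documented option lists.
    for key, label, allowed in (("category", "Category", CATEGORIES),
                                ("severity", "Severity", SEVERITIES),
                                ("status", "Status", STATUSES)):
        picked = _pick(params.get(key), allowed, label)
        if picked is not None:
            out[label] = picked
    if update:
        if params.get("last_revision") not in (None, ""):
            out["Last Revision"] = int(params["last_revision"])  # revision numbers are integers
        if params.get("last_user"):
            out["Last User"] = str(params["last_user"])
    return out


def created_incident_id(response: Dict) -> str:
    """Extract result.incid from a Create Incident response, failing if it is absent."""
    incid = response.get("result", {}).get("incid")
    if not incid:
        raise RuntimeError("Create Incident returned no incid")
    return str(incid)


def check_update(response: Dict) -> None:
    """Raise unless result.status.code on an Update Incident response is success."""
    status = response.get("result", {}).get("status", {})
    if status.get("code") != SUCCESS_CODE:
        raise RuntimeError(f"Update Incident failed: {status.get('message')}")


# Constructed sample responses in the documented shapes.
SAMPLE_CREATE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": {"incid": "IN00042"}}
SAMPLE_FAILED_UPDATE = {"jsonrpc": "2.0", "id": 2,
                        "result": {"status": {"code": -1, "message": "constructed failure"}}}

if __name__ == "__main__":
    print(incident_fields({"reporter": "admin", "endpoint_name": "192.0.2.10/32 (Emp1 Laptop)",
                           "category": "malicious code", "severity": "HIGH", "status": "new"}))
```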
The output contains the following populated JSON schema:
{
    "jsonrpc": "",
    "id": "",
    "result": {
        "status": {
            "code": "",
            "message": ""
        }
    }
}
The Sample - Fortinet Fortimanager - 1.0.0 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.