Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.
This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 6.0.0-790
Authored By: Fortinet
Certified: Yes
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks have been added to support data ingestion:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
```shell
yum install cyops-connector-fortinet-fortimanager
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
| Parameter | Description |
|---|---|
| Hostname | IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations. |
| Username | Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
| Password | Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
| ADOM | Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format. |
| Port | Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Incident | Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. | create_incident Investigation |
| List Incident | Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. | get_incidents Investigation |
| Get Events Related to Incident | Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. | get_incident_events Investigation |
| Get Device List | Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values. | get_devices Investigation |
| Get Events | Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values. | get_alert_event Investigation |
| Get Event Details | Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. | get_alert_logs Investigation |
| Update Incident | Updates an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. | create_incident Investigation |
| Parameter | Description |
|---|---|
| Reporter | Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin. |
| Endpoint Name | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
| Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
| End User ID | (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
| Category | (Optional) Category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Severity | (Optional) Severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
| Status | (Optional) Status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Description | (Optional) Description of the new incident that you want to create in Fortinet FortiManager. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "incid": ""
  }
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident ID | ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager. |
| Detail Level | Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard". |
| Filter | Query in the format field_name="field_value" using which you want to filter the incidents to be retrieved from Fortinet FortiManager. For example, category="CAT2" and severity="medium". |
| Sort By | Sorts the incidents by the specified field and orders the results. If you choose "Field", then you can specify the following parameters: |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
Output schema when you choose "Detail Level" as 'Basic':
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "status": {
      "code": "",
      "message": ""
    },
    "detail-level": "",
    "data": [
      {
        "attach_revision": "",
        "attach_lastupdate": "",
        "lastupdate": "",
        "revision": "",
        "incid": ""
      }
    ]
  }
}
```
Output schema when you choose "Detail Level" as 'Extended':
```json
{
  "result": {
    "data": [
      {
        "endpoint": "",
        "euname": "",
        "epip": "",
        "status": "",
        "incid": "",
        "attachments": [
          {
            "lastupdate": "",
            "attachid": "",
            "revision": ""
          }
        ],
        "lastupdate": "",
        "osversion": "",
        "attach_lastupdate": "",
        "euid": "",
        "category": "",
        "epid": "",
        "epname": "",
        "revision": "",
        "reporter": "",
        "createtime": "",
        "description": "",
        "osname": "",
        "mac": "",
        "lastuser": "",
        "severity": "",
        "attach_revision": "",
        "refinfo": ""
      }
    ],
    "detail-level": "",
    "status": {
      "message": "",
      "code": ""
    }
  },
  "id": "",
  "jsonrpc": ""
}
```
Output schema when you choose "Detail Level" as 'Standard' or you do not select any detail level:
```json
{
  "result": {
    "data": [
      {
        "endpoint": "",
        "reporter": "",
        "createtime": "",
        "description": "",
        "status": "",
        "incid": "",
        "severity": "",
        "lastuser": "",
        "attach_lastupdate": "",
        "lastupdate": "",
        "euid": "",
        "attach_revision": "",
        "category": "",
        "refinfo": "",
        "epid": "",
        "revision": ""
      }
    ],
    "detail-level": "",
    "status": {
      "message": "",
      "code": ""
    }
  },
  "id": "",
  "jsonrpc": ""
}
```
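The following Python helpers are an added example and are not code from the FortiSOAR connector or from Fortinet. They show what a playbook step behind the List Incident action has to do: validate the Limit and Offset values against the ranges given above, build a request body, check `result.status.code` in a response of the 'Standard' shape documented above before trusting `result.data`, walk Limit/Offset pages, and map each incident onto alert-style fields (the page only states that incidents become FortiSOAR alerts, so the alert field names here are assumed). The JSON-RPC conventions (one POST per call to `https://<host>:<port>/jsonrpc`, a session token obtained beforehand, a `get` method against an incident URL) and the `INCIDENT_URL` path are assumptions; the sample response is constructed.

```python
"""Added example: List Incident request building, response checking and
alert mapping for the FortiManager connector. JSON-RPC shape and the
incident URL are assumed, not taken from this page."""
import json
import ssl
import urllib.request

# Ranges from the Limit / Offset parameter descriptions on this page.
LIMIT_MIN, LIMIT_MAX, LIMIT_DEFAULT = 1, 2000, 50
# ASSUMED placeholder; substitute the incident URL of your FortiManager release.
INCIDENT_URL = "/incidentmgmt/adom/{adom}/incidents"
SEVERITY_MAP = {"high": "High", "medium": "Medium", "low": "Low"}


def build_list_incidents_request(session, adom, incident_ids=None, flt=None,
                                 limit=LIMIT_DEFAULT, offset=0,
                                 detail_level="Standard", req_id=1):
    """Build the JSON-RPC body for List Incident. Limit and Offset are checked
    against the documented ranges before anything is sent; incident IDs may be
    a list or the CSV string the connector accepts."""
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError(f"limit must be between {LIMIT_MIN} and {LIMIT_MAX}")
    if offset < 0:
        raise ValueError("offset must be 0 or greater")
    if isinstance(incident_ids, str):
        incident_ids = [i.strip() for i in incident_ids.split(",") if i.strip()]
    params = {"url": INCIDENT_URL.format(adom=adom), "limit": limit,
              "offset": offset, "detail-level": detail_level.lower()}
    if incident_ids:
        params["incid"] = incident_ids   # assumed parameter name
    if flt:
        params["filter"] = flt           # e.g. category="CAT2" and severity="medium"
    return {"id": req_id, "method": "get", "session": session, "params": [params]}


def parse_incidents_response(body):
    """Return the incident records from a List Incident response, or raise when
    FortiManager reports a non-zero result.status.code; the documented output
    schema carries code and message for exactly this check."""
    resp = json.loads(body) if isinstance(body, (str, bytes)) else body
    result = resp["result"]
    status = result.get("status") or {}
    code = status.get("code", 0)
    if code != 0:
        raise RuntimeError(f"FortiManager error {code}: {status.get('message', '')}")
    return result.get("data", [])


def incident_to_alert(inc):
    """Map one FortiManager incident onto alert-style fields (assumed names)."""
    raw_sev = str(inc.get("severity", "")).lower()
    return {"sourceId": inc["incid"],
            "severity": SEVERITY_MAP.get(raw_sev, inc.get("severity")),
            "status": inc.get("status", "New"),
            "category": inc.get("category", "Uncategorized"),
            "description": inc.get("description", ""),
            "endpoint": inc.get("endpoint", ""),
            "reporter": inc.get("reporter", "")}


def page_all(fetch, page_size=LIMIT_MAX):
    """Walk Limit/Offset pages until a short page arrives.
    fetch(limit, offset) must return the records of one page."""
    offset, records = 0, []
    while True:
        page = fetch(page_size, offset)
        records.extend(page)
        if len(page) < page_size:
            return records
        offset += page_size


def post_jsonrpc(host, body, port=443, verify_ssl=True):
    """POST one JSON-RPC body and return the parsed incident records. Keep
    verify_ssl at the connector's default of True so the server certificate is
    checked; with it off, the session token goes to whoever answers on the port."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}:{port}/jsonrpc",
                                 data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_incidents_response(resp.read())


# Constructed sample response in the 'Standard' shape documented above.
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "data": [{"endpoint": "11.XXX.YY.Z/32 (Emp1 Laptop)", "reporter": "admin",
                  "createtime": "", "description": "Repeated SSH login failures",
                  "status": "New", "incid": "IN00000042", "severity": "high",
                  "lastuser": "admin", "attach_lastupdate": "", "lastupdate": "",
                  "euid": "", "attach_revision": "", "category": "Unauthorized access",
                  "refinfo": "", "epid": "", "revision": "1"}],
        "detail-level": "standard",
        "status": {"message": "OK", "code": 0}},
    "id": 1, "jsonrpc": "2.0"})

if __name__ == "__main__":
    print(build_list_incidents_request("SESSION-TOKEN", "root", flt='severity="high"'))
    for rec in parse_incidents_response(SAMPLE_RESPONSE):
        print(incident_to_alert(rec))
```

`post_jsonrpc` is the only function that touches the network; everything else works on the request and response dictionaries, which is what a playbook step can unit-test. A real run would call `page_all(lambda limit, offset: post_jsonrpc(host, build_list_incidents_request(token, adom, limit=limit, offset=offset)))`.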
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated events you want to retrieve from Fortinet FortiManager. |
| Attachment Type | Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "data": [
      {
        "attachtype": "",
        "lastupdate": "",
        "incid": "",
        "attachid": "",
        "createtime": "",
        "data": "",
        "lastuser": "",
        "revision": ""
      }
    ],
    "status": {
      "message": "",
      "code": ""
    }
  },
  "id": "",
  "jsonrpc": ""
}
```
| Parameter | Description |
|---|---|
| Device Name | Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "result": [
    {
      "url": "",
      "status": {
        "code": "",
        "message": ""
      },
      "data": [
        {
          "os_ver": "",
          "build": "",
          "ips_ext": "",
          "foslic_inst_time": "",
          "mgmt.__data[5]": "",
          "lic_region": "",
          "latitude": "",
          "foslic_ram": "",
          "faz.perm": "",
          "branch_pt": "",
          "ips_ver": "",
          "foslic_utm": "",
          "source": "",
          "foslic_cpu": "",
          "mgmt.__data[3]": "",
          "mgmt.__data[2]": "",
          "ha_mode": "",
          "opts": "",
          "last_resync": "",
          "foslic_last_sync": "",
          "conn_status": "",
          "mgmt.__data[7]": "",
          "patch": "",
          "hw_rev_minor": "",
          "mgmt.__data[1]": "",
          "psk": "",
          "checksum": "",
          "faz.quota": "",
          "ha_group_id": "",
          "adm_usr": "",
          "ha_group_name": "",
          "faz.used": "",
          "tunnel_cookie": "",
          "conf_status": "",
          "mgmt.__data[6]": "",
          "last_checked": "",
          "version": "",
          "mgmt.__data[0]": "",
          "ha_slave": "",
          "name": "",
          "longitude": "",
          "platform_str": "",
          "foslic_dr_site": "",
          "tunnel_ip": "",
          "oid": "",
          "foslic_type": "",
          "prefer_img_ver": "",
          "location_from": "",
          "vm_cpu_limit": "",
          "mgmt_if": "",
          "faz.full_act": "",
          "av_ver": "",
          "fex_cnt": "",
          "fsw_cnt": "",
          "mgmt.__data[4]": "",
          "vm_mem": "",
          "sn": "",
          "logdisk_size": "",
          "lic_flags": "",
          "hostname": "",
          "vm_mem_limit": "",
          "vdom": [
            {
              "tab_status": "",
              "opmode": "",
              "name": "",
              "devid": "",
              "rtm_prof_id": "",
              "status": "",
              "comments": "",
              "oid": "",
              "ext_flags": "",
              "node_flags": "",
              "vpn_id": "",
              "flags": ""
            }
          ],
          "tab_status": "",
          "adm_pass": [],
          "mgmt_id": "",
          "beta": "",
          "dev_status": "",
          "os_type": "",
          "vm_lic_expire": "",
          "mgmt_mode": "",
          "hdisk_size": "",
          "ip": "",
          "vm_status": "",
          "db_status": "",
          "mr": "",
          "module_sn": "",
          "hw_rev_major": "",
          "flags": "",
          "desc": "",
          "app_ver": "",
          "maxvdom": "",
          "vm_cpu": "",
          "conn_mode": "",
          "node_flags": "",
          "fap_cnt": "",
          "mgt_vdom": ""
        }
      ]
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Filter | Filter expression using which you want to retrieve events from Fortinet FortiManager. The fields 'event_value', 'severity', 'trigger_name', 'count', 'comment' and 'flags' are supported. For example, trigger_name='Local Device Event' and severity >= 3 or subject='desc:User login from SSH failed' |
| Time Range | Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
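Both the List Incident and the Get Events actions take a filter string of the form `field op value` joined by `and` / `or`, and in a playbook that string is usually assembled from variables. The following added example (not part of the connector; the grammar is inferred only from the two filter examples on this page, not from a FortiManager specification) parses such a filter into structured clauses, rejects anything that is not field/operator/value joined by `and`/`or` or that names a field outside an allowed set, and renders structured clauses back into the same syntax while refusing values that would break out of their quotes. Building filters from structured input this way is safer than concatenating strings in the playbook.

```python
"""Added example: parse and build FortiManager-style filter strings such as
category="CAT2" and severity="medium". Grammar assumed from this page's
examples: clause := field op value; expr := clause ((and|or) clause)*."""
import re

FIELD = r"[A-Za-z_][A-Za-z0-9_]*"
OPS = (">=", "<=", "!=", "=", ">", "<")           # longest alternatives first
VALUE = r"('[^']*'|\"[^\"]*\"|-?\d+)"
CLAUSE_RE = re.compile(rf"\s*({FIELD})\s*({'|'.join(OPS)})\s*{VALUE}\s*")
JOIN_RE = re.compile(r"\s*(and|or)\s+", re.IGNORECASE)
# Fields the page lists as supported for Get Events; 'subject' is added because
# the page's own example filter uses it.
EVENT_FIELDS = {"event_value", "severity", "trigger_name", "count", "comment", "flags", "subject"}


def parse_filter(expr, allowed=None):
    """Split a filter into (clauses, joins); clauses are (field, op, value)
    tuples with the quotes stripped, joins are the lowercase 'and'/'or' words
    between them. Raises ValueError on any text outside the grammar or on a
    field not in `allowed` (when given)."""
    pos, clauses, joins = 0, [], []
    while True:
        m = CLAUSE_RE.match(expr, pos)
        if not m:
            raise ValueError(f"expected field op value at offset {pos}")
        field, op, value = m.group(1), m.group(2), m.group(3)
        if allowed is not None and field not in allowed:
            raise ValueError(f"field {field!r} is not filterable")
        clauses.append((field, op, value.strip("'\"")))
        pos = m.end()
        if pos == len(expr):
            return clauses, joins
        j = JOIN_RE.match(expr, pos)
        if not j:
            raise ValueError(f"expected 'and' or 'or' at offset {pos}")
        joins.append(j.group(1).lower())
        pos = j.end()


def build_filter(clauses, joins):
    """Render structured clauses back into the filter syntax. Field names and
    operators are validated, and a value containing a double quote or newline is
    refused rather than quoted, so a variable can never alter the expression."""
    if len(joins) != max(len(clauses) - 1, 0):
        raise ValueError("need exactly one join between consecutive clauses")
    parts = []
    for i, (field, op, value) in enumerate(clauses):
        if not re.fullmatch(FIELD, field):
            raise ValueError(f"bad field name {field!r}")
        if op not in OPS:
            raise ValueError(f"bad operator {op!r}")
        value = str(value)
        if '"' in value or "\n" in value:
            raise ValueError("value may not contain a double quote or newline")
        if i:
            parts.append(joins[i - 1])
        rendered = value if re.fullmatch(r"-?\d+", value) else f'"{value}"'
        parts.append(f"{field}{op}{rendered}")
    return " ".join(parts)


if __name__ == "__main__":
    sample = "trigger_name='Local Device Event' and severity >= 3 or subject='desc:User login from SSH failed'"
    clauses, joins = parse_filter(sample, allowed=EVENT_FIELDS)
    print(clauses, joins)
    print(build_filter(clauses, joins))
```

Note that `parse_filter` only recognises a flat left-to-right chain; parentheses are not in the page's examples, so a filter using them is rejected rather than silently misread.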
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "result": {
    "data": [
      {
        "alerttime": "",
        "triggername": "",
        "devname": "",
        "vdom": "",
        "filterid": "",
        "filterkey": "",
        "devtype": "",
        "eventtype": "",
        "groupby1": "",
        "euid": "1",
        "subject": "",
        "devid": "",
        "alertid": "",
        "extrainfo": "",
        "euname": "",
        "epname": "",
        "ackflag": "",
        "logcount": "",
        "filtercksum": "",
        "tag": "",
        "updatetime": "",
        "epid": "1",
        "severity": "",
        "readflag": "",
        "lastlogtime": "",
        "firstlogtime": ""
      }
    ]
  },
  "id": ""
}
```
| Parameter | Description |
|---|---|
| Alert ID | ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action. |
| Time Order | Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "result": {
    "data": [
      {
        "log_id": "",
        "devname": "",
        "userfrom": "",
        "time": "",
        "dstepid": "",
        "desc": "",
        "user": "",
        "dtime": "",
        "msg": "",
        "type": "",
        "devid": "",
        "dsteuid": "",
        "euid": "",
        "date": "",
        "idseq": "",
        "itime_t": "",
        "epid": "",
        "subtype": "",
        "level": "",
        "itime": ""
      }
    ]
  },
  "jsonrpc": ""
}
```
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident that you want to update in FortiManager. |
| Endpoint Name | Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
| Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
| End User ID | (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
| Category | (Optional) Category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Severity | (Optional) Severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
| Status | (Optional) Status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Description | (Optional) Description of the incident that you want to update in Fortinet FortiManager. |
| Last Revision | (Optional) Last version of the incident that you want to update in Fortinet FortiManager. |
| Last User | (Optional) Last user of the incident that you want to update in Fortinet FortiManager. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "status": {
      "code": "",
      "message": ""
    }
  }
}
```
The Sample - Fortinet Fortimanager - 1.0.0 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.