Fortinet Document Library

Version:


Table of Contents

Fortinet FortiManager

1.0.0
Copy Link

About the connector

Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.

This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Data Ingestion support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks have been added to support data ingestion:

  • > FortiManager > Fetch
  • >> FortiManager > Handle Macro
  • FortiManager > Ingest

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortimanager

Prerequisites to configuring the connector

  • You must have the IP address or hostname of Fortinet FortiManager server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
  • You must enable "FortiAnalyzer Features" in FortiManager to view Incidents and their Events.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter Description
Hostname IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations.
Username Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
Password Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
ADOM Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format.
Port Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
Create Incident Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. create_incident
Investigation
List Incident Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. get_incidents
Investigation
Get Events Related to Incident Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. get_incident_events
Investigation
Get Device List Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return devices matching all values.
get_devices
Investigation
Get Events Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return events matching all values.
get_alert_event
Investigation
Get Event Details Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. get_alert_logs
Investigation
Update Incident Update an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. create_incident
Investigation

operation: Create Incident

Input parameters

Parameter Description
Reporter Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin.
Endpoint Name Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).
Endpoint ID (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager.
End User ID (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager.
Category (Optional) Category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity (Optional) Severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description (Optional) Description of the new incident that you want to create in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "incid": ""
     }
}

operation: List Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Incident ID ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager.
Detail Level Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard".
Filter Query in the format of field_name="field_value" using which you want to filter incidents to be retrieved from Fortinet FortiManager
For example category="CAT2" and severity="medium"
Sort By

Sorts the incidents by the specified field and order the results.

If you choose "Field", then you can specify the following parameters:

  • In the Field field specify the name of the field on which you want to sort the result. For example, severity, category, etc.
  • (Optional) In the Order field choose the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Ascending.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:

Output schema when you choose “Detail Level” as 'Basic':
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "status": {
             "code": "",
             "message": ""
         },
         "detail-level": "",
         "data": [
             {
                 "attach_revision": "",
                 "attach_lastupdate": "",
                 "lastupdate": "",
                 "revision": "",
                 "incid": ""
             }
         ]
     }
}

Output schema when you choose “Detail Level” as 'Extended':
{
     "result": {
         "data": [
             {
                 "endpoint": "",
                 "euname": "",
                 "epip": "",
                 "status": "",
                 "incid": "",
                 "attachments": [
                     {
                         "lastupdate": "",
                         "attachid": "",
                         "revision": ""
                     }
                 ],
                 "lastupdate": "",
                 "osversion": "",
                 "attach_lastupdate": "",
                 "euid": "",
                 "category": "",
                 "epid": "",
                 "epname": "",
                 "revision": "",
                 "reporter": "",
                 "createtime": "",
                 "description": "",
                 "osname": "",
                 "mac": "",
                 "lastuser": "",
                 "severity": "",
                 "attach_revision": "",
                 "refinfo": ""
             }
         ],
         "detail-level": "",
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

Output schema when you choose “Detail Level” as 'Standard' or you do not select any detail level:
{
     "result": {
         "data": [
             {
                 "endpoint": "",
                 "reporter": "",
                 "createtime": "",
                 "description": "",
                 "status": "",
                 "incid": "",
                 "severity": "",
                 "lastuser": "",
                 "attach_lastupdate": "",
                 "lastupdate": "",
                 "euid": "",
                 "attach_revision": "",
                 "category": "",
                 "refinfo": "",
                 "epid": "",
                 "revision": ""
             }
         ],
         "detail-level": "",
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

operation: Get Events Related to Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose associated events you want to retrieve from Fortinet FortiManager.
Attachment Type Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "result": {
         "data": [
             {
                 "attachtype": "",
                 "lastupdate": "",
                 "incid": "",
                 "attachid": "",
                 "createtime": "",
                 "data": "",
                 "lastuser": "",
                 "revision": ""
             }
         ],
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

operation: Get Device List

Input parameters

Parameter Description
Device Name Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager.
Note: If a parameter is left blank or null, then this operation will return devices matching all values.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "result": [
         {
             "url": "",
             "status": {
                 "code": "",
                 "message": ""
             },
             "data": [
                 {
                     "os_ver": "",
                     "build": "",
                     "ips_ext": "",
                     "foslic_inst_time": "",
                     "mgmt.__data[5]": "",
                     "lic_region": "",
                     "latitude": "",
                     "foslic_ram": "",
                     "faz.perm": "",
                     "branch_pt": "",
                     "ips_ver": "",
                     "foslic_utm": "",
                     "source": "",
                     "foslic_cpu": "",
                     "mgmt.__data[3]": "",
                     "mgmt.__data[2]": "",
                     "ha_mode": "",
                     "opts": "",
                     "last_resync": "",
                     "foslic_last_sync": "",
                     "conn_status": "",
                     "mgmt.__data[7]": "",
                     "patch": "",
                     "hw_rev_minor": "",
                     "mgmt.__data[1]": "",
                     "psk": "",
                     "checksum": "",
                     "faz.quota": "",
                     "ha_group_id": "",
                     "adm_usr": "",
                     "ha_group_name": "",
                     "faz.used": "",
                     "tunnel_cookie": "",
                     "conf_status": "",
                     "mgmt.__data[6]": "",
                     "last_checked": "",
                     "version": "",
                     "mgmt.__data[0]": "",
                     "ha_slave": "",
                     "name": "",
                     "longitude": "",
                     "platform_str": "",
                     "foslic_dr_site": "",
                     "tunnel_ip": "",
                     "oid": "",
                     "foslic_type": "",
                     "prefer_img_ver": "",
                     "location_from": "",
                     "vm_cpu_limit": "",
                     "mgmt_if": "",
                     "faz.full_act": "",
                     "av_ver": "",
                     "fex_cnt": "",
                     "fsw_cnt": "",
                     "mgmt.__data[4]": "",
                     "vm_mem": "",
                     "sn": "",
                     "logdisk_size": "",
                     "lic_flags": "",
                     "hostname": "",
                     "vm_mem_limit": "",
                     "vdom": [
                         {
                             "tab_status": "",
                             "opmode": "",
                             "name": "",
                             "devid": "",
                             "rtm_prof_id": "",
                             "status": "",
                             "comments": "",
                             "oid": "",
                             "ext_flags": "",
                             "node_flags": "",
                             "vpn_id": "",
                             "flags": ""
                         }
                     ],
                     "tab_status": "",
                     "adm_pass": [],
                     "mgmt_id": "",
                     "beta": "",
                     "dev_status": "",
                     "os_type": "",
                     "vm_lic_expire": "",
                     "mgmt_mode": "",
                     "hdisk_size": "",
                     "ip": "",
                     "vm_status": "",
                     "db_status": "",
                     "mr": "",
                     "module_sn": "",
                     "hw_rev_major": "",
                     "flags": "",
                     "desc": "",
                     "app_ver": "",
                     "maxvdom": "",
                     "vm_cpu": "",
                     "conn_mode": "",
                     "node_flags": "",
                     "fap_cnt": "",
                     "mgt_vdom": ""
                 }
             ]
         }
     ]
}

operation: Get Events

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Filter Filter expression using which you want to retrieve events from Fortinet FortiManager.
'event_value', 'severity', 'trigger_name', 'count', 'comment' and 'flags' are supported.
For example, trigger_name='Local Device Event' and severity >= 3 or subject='desc:User login from SSH failed'
Time Range Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager.
If you select this checkbox, then you must specify the following parameters:
  • Start Time: Starting datetime from when you want to retrieve events from Fortinet FortiManager.
    Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified.
    Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
  • End Time: Ending datetime till when you want to retrieve events from Fortinet FortiManager.
    Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified.
    Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "result": {
         "data": [
             {
                 "alerttime": "",
                 "triggername": "",
                 "devname": "",
                 "vdom": "",
                 "filterid": "",
                 "filterkey": "",
                 "devtype": "",
                 "eventtype": "",
                 "groupby1": "",
                 "euid": "1",
                 "subject": "",
                 "devid": "",
                 "alertid": "",
                 "extrainfo": "",
                 "euname": "",
                 "epname": "",
                 "ackflag": "",
                 "logcount": "",
                 "filtercksum": "",
                 "tag": "",
                 "updatetime": "",
                 "epid": "1",
                 "severity": "",
                 "readflag": "",
                 "lastlogtime": "",
                 "firstlogtime": ""
             }
         ]
     },
     "id": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Alert ID ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager.
Note: You can find the "Alert IDs" using the "Get Events" action.
Time Order Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "result": {
         "data": [
             {
                 "log_id": "",
                 "devname": "",
                 "userfrom": "",
                 "time": "",
                 "dstepid": "",
                 "desc": "",
                 "user": "",
                 "dtime": "",
                 "msg": "",
                 "type": "",
                 "devid": "",
                 "dsteuid": "",
                 "euid": "",
                 "date": "",
                 "idseq": "",
                 "itime_t": "",
                 "epid": "",
                 "subtype": "",
                 "level": "",
                 "itime": ""
             }
         ]
     },
     "jsonrpc": ""
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update in FortiManager.
Endpoint Name Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).
Endpoint ID

(Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager.

End User ID (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager.
Category (Optional) Category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity (Optional) Severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description (Optional) Description of the incident that you want to update in Fortinet FortiManager.
Last Revision (Optional) Last version of the incident that you want to update in Fortinet FortiManager.
Last User (Optional) Last user of the incident that you want to update in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "status": {
             "code": "",
             "message": ""
         }
     }
}

Included playbooks

The Sample - Fortinet Fortimanager - 1.0.0 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.

  • Create Incident
  • > FortiManager > Fetch
  • >> FortiManager > Handle Macro
  • FortiManager > Ingest
  • Get Device List
  • Get Event Details
  • Get Events
  • Get Events Related to Incident
  • List Incident
  • Update Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.

This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Data Ingestion support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation. The following playbooks have been added to support data ingestion:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortimanager

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter Description
Hostname IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations.
Username Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
Password Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
ADOM Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format.
Port Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
Create Incident Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. create_incident
Investigation
List Incident Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. get_incidents
Investigation
Get Events Related to Incident Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. get_incident_events
Investigation
Get Device List Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return devices matching all values.
get_devices
Investigation
Get Events Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified.
Note: If a parameter is left blank or null, then this operation will return events matching all values.
get_alert_event
Investigation
Get Event Details Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. get_alert_logs
Investigation
Update Incident Update an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. create_incident
Investigation

operation: Create Incident

Input parameters

Parameter Description
Reporter Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin.
Endpoint Name Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).
Endpoint ID (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager.
End User ID (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager.
Category (Optional) Category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity (Optional) Severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description (Optional) Description of the new incident that you want to create in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "incid": ""
     }
}

operation: List Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Incident ID ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager.
Detail Level Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard".
Filter Query in the format of field_name="field_value" using which you want to filter incidents to be retrieved from Fortinet FortiManager
For example category="CAT2" and severity="medium"
Sort By

Sorts the incidents by the specified field and order the results.

If you choose "Field", then you can specify the following parameters:

  • In the Field field specify the name of the field on which you want to sort the result. For example, severity, category, etc.
  • (Optional) In the Order field choose the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Ascending.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:

Output schema when you choose “Detail Level” as 'Basic':
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "status": {
             "code": "",
             "message": ""
         },
         "detail-level": "",
         "data": [
             {
                 "attach_revision": "",
                 "attach_lastupdate": "",
                 "lastupdate": "",
                 "revision": "",
                 "incid": ""
             }
         ]
     }
}

Output schema when you choose “Detail Level” as 'Extended':
{
     "result": {
         "data": [
             {
                 "endpoint": "",
                 "euname": "",
                 "epip": "",
                 "status": "",
                 "incid": "",
                 "attachments": [
                     {
                         "lastupdate": "",
                         "attachid": "",
                         "revision": ""
                     }
                 ],
                 "lastupdate": "",
                 "osversion": "",
                 "attach_lastupdate": "",
                 "euid": "",
                 "category": "",
                 "epid": "",
                 "epname": "",
                 "revision": "",
                 "reporter": "",
                 "createtime": "",
                 "description": "",
                 "osname": "",
                 "mac": "",
                 "lastuser": "",
                 "severity": "",
                 "attach_revision": "",
                 "refinfo": ""
             }
         ],
         "detail-level": "",
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

Output schema when you choose “Detail Level” as 'Standard' or you do not select any detail level:
{
     "result": {
         "data": [
             {
                 "endpoint": "",
                 "reporter": "",
                 "createtime": "",
                 "description": "",
                 "status": "",
                 "incid": "",
                 "severity": "",
                 "lastuser": "",
                 "attach_lastupdate": "",
                 "lastupdate": "",
                 "euid": "",
                 "attach_revision": "",
                 "category": "",
                 "refinfo": "",
                 "epid": "",
                 "revision": ""
             }
         ],
         "detail-level": "",
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

operation: Get Events Related to Incident

Input parameters

Parameter Description
Incident ID ID of the incident whose associated events you want to retrieve from Fortinet FortiManager.
Attachment Type Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "result": {
         "data": [
             {
                 "attachtype": "",
                 "lastupdate": "",
                 "incid": "",
                 "attachid": "",
                 "createtime": "",
                 "data": "",
                 "lastuser": "",
                 "revision": ""
             }
         ],
         "status": {
             "message": "",
             "code": ""
         }
     },
     "id": "",
     "jsonrpc": ""
}

operation: Get Device List

Input parameters

Parameter Description
Device Name Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager.
Note: If a parameter is left blank or null, then this operation will return devices matching all values.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "result": [
         {
             "url": "",
             "status": {
                 "code": "",
                 "message": ""
             },
             "data": [
                 {
                     "os_ver": "",
                     "build": "",
                     "ips_ext": "",
                     "foslic_inst_time": "",
                     "mgmt.__data[5]": "",
                     "lic_region": "",
                     "latitude": "",
                     "foslic_ram": "",
                     "faz.perm": "",
                     "branch_pt": "",
                     "ips_ver": "",
                     "foslic_utm": "",
                     "source": "",
                     "foslic_cpu": "",
                     "mgmt.__data[3]": "",
                     "mgmt.__data[2]": "",
                     "ha_mode": "",
                     "opts": "",
                     "last_resync": "",
                     "foslic_last_sync": "",
                     "conn_status": "",
                     "mgmt.__data[7]": "",
                     "patch": "",
                     "hw_rev_minor": "",
                     "mgmt.__data[1]": "",
                     "psk": "",
                     "checksum": "",
                     "faz.quota": "",
                     "ha_group_id": "",
                     "adm_usr": "",
                     "ha_group_name": "",
                     "faz.used": "",
                     "tunnel_cookie": "",
                     "conf_status": "",
                     "mgmt.__data[6]": "",
                     "last_checked": "",
                     "version": "",
                     "mgmt.__data[0]": "",
                     "ha_slave": "",
                     "name": "",
                     "longitude": "",
                     "platform_str": "",
                     "foslic_dr_site": "",
                     "tunnel_ip": "",
                     "oid": "",
                     "foslic_type": "",
                     "prefer_img_ver": "",
                     "location_from": "",
                     "vm_cpu_limit": "",
                     "mgmt_if": "",
                     "faz.full_act": "",
                     "av_ver": "",
                     "fex_cnt": "",
                     "fsw_cnt": "",
                     "mgmt.__data[4]": "",
                     "vm_mem": "",
                     "sn": "",
                     "logdisk_size": "",
                     "lic_flags": "",
                     "hostname": "",
                     "vm_mem_limit": "",
                     "vdom": [
                         {
                             "tab_status": "",
                             "opmode": "",
                             "name": "",
                             "devid": "",
                             "rtm_prof_id": "",
                             "status": "",
                             "comments": "",
                             "oid": "",
                             "ext_flags": "",
                             "node_flags": "",
                             "vpn_id": "",
                             "flags": ""
                         }
                     ],
                     "tab_status": "",
                     "adm_pass": [],
                     "mgmt_id": "",
                     "beta": "",
                     "dev_status": "",
                     "os_type": "",
                     "vm_lic_expire": "",
                     "mgmt_mode": "",
                     "hdisk_size": "",
                     "ip": "",
                     "vm_status": "",
                     "db_status": "",
                     "mr": "",
                     "module_sn": "",
                     "hw_rev_major": "",
                     "flags": "",
                     "desc": "",
                     "app_ver": "",
                     "maxvdom": "",
                     "vm_cpu": "",
                     "conn_mode": "",
                     "node_flags": "",
                     "fap_cnt": "",
                     "mgt_vdom": ""
                 }
             ]
         }
     ]
}

operation: Get Events

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Filter Filter expression using which you want to retrieve events from Fortinet FortiManager.
'event_value', 'severity', 'trigger_name', 'count', 'comment' and 'flags' are supported.
For example, trigger_name='Local Device Event' and severity >= 3 or subject='desc:User login from SSH failed'
Time Range Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager.
If you select this checkbox, then you must specify the following parameters:
  • Start Time: Starting datetime from when you want to retrieve events from Fortinet FortiManager.
    Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified.
    Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
  • End Time: Ending datetime till when you want to retrieve events from Fortinet FortiManager.
    Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified.
    Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "result": {
         "data": [
             {
                 "alerttime": "",
                 "triggername": "",
                 "devname": "",
                 "vdom": "",
                 "filterid": "",
                 "filterkey": "",
                 "devtype": "",
                 "eventtype": "",
                 "groupby1": "",
                 "euid": "1",
                 "subject": "",
                 "devid": "",
                 "alertid": "",
                 "extrainfo": "",
                 "euname": "",
                 "epname": "",
                 "ackflag": "",
                 "logcount": "",
                 "filtercksum": "",
                 "tag": "",
                 "updatetime": "",
                 "epid": "1",
                 "severity": "",
                 "readflag": "",
                 "lastlogtime": "",
                 "firstlogtime": ""
             }
         ]
     },
     "id": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Alert ID ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager.
Note: You can find the "Alert IDs" using the "Get Events" action.
Time Order Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending.
Limit Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "result": {
         "data": [
             {
                 "log_id": "",
                 "devname": "",
                 "userfrom": "",
                 "time": "",
                 "dstepid": "",
                 "desc": "",
                 "user": "",
                 "dtime": "",
                 "msg": "",
                 "type": "",
                 "devid": "",
                 "dsteuid": "",
                 "euid": "",
                 "date": "",
                 "idseq": "",
                 "itime_t": "",
                 "epid": "",
                 "subtype": "",
                 "level": "",
                 "itime": ""
             }
         ]
     },
     "jsonrpc": ""
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update in FortiManager.
Endpoint Name Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).
Endpoint ID

(Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager.

End User ID (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager.
Category (Optional) Category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity (Optional) Severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description (Optional) Description of the incident that you want to update in Fortinet FortiManager.
Last Revision (Optional) Last version of the incident that you want to update in Fortinet FortiManager.
Last User (Optional) Last user of the incident that you want to update in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
     "jsonrpc": "",
     "id": "",
     "result": {
         "status": {
             "code": "",
             "message": ""
         }
     }
}

Included playbooks

The Sample - Fortinet Fortimanager - 1.0.0 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.