
Fortinet FortiSIEM

Fortinet FortiSIEM v1.0.0

Doc ID: e08c8512-f5e2-4c69-a521-84177f91c679:1

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.

This document describes the Fortinet FortiSIEM Connector, which lets FortiSOAR™ playbooks interact with your Fortinet FortiSIEM server automatically. Add the Fortinet FortiSIEM Connector as a step in a FortiSOAR™ playbook to perform operations such as retrieving information about all devices configured on the Fortinet FortiSIEM server, or retrieving the list of organizations the server monitors.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with Fortinet FortiSIEM Version: 5.0.1 and later

Installing the connector

For the procedure to install a connector, refer to the FortiSOAR™ documentation on installing connectors.

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet FortiSIEM server to which you will connect and perform automated operations, and credentials (a username and password) for an account on that server. Use a dedicated account for the connector that has only the read access these operations need, so that a compromised FortiSOAR™ configuration does not yield an administrator login to the SIEM.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, refer to the FortiSOAR™ documentation on configuring connectors.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Fortinet FortiSIEM connector and click Configure to configure the following parameters.

Parameter: Description

Server URL: URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. Use an https:// URL; the connector sends the credentials below to this address.

Username: Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.

Password: Password for that username.

Domain: Domain (organization) on the Fortinet FortiSIEM server that you will access to perform the automated operations.

Verify SSL: Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. Leave it enabled: with verification off, any host positioned between FortiSOAR™ and the FortiSIEM server can impersonate the server and capture the configured username and password. If the server presents a certificate issued by a private CA, trust that CA on the FortiSOAR™ side instead of turning verification off.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function: Get All Devices
Description: Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server.
Annotation and Category: get_devices, Investigation

Function: Get All Devices For Specified IP Address Range
Description: Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified.
Annotation and Category: get_devices, Investigation

Function: Get Device Information
Description: Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified.
Annotation and Category: get_devices, Investigation

Function: List Monitored Devices and Attributes
Description: Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server.
Annotation and Category: get_devices, Investigation

Function: List Monitored Organizations
Description: Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server.
Annotation and Category: get_domains, Investigation

Function: List Incidents
Description: Retrieves a list and details of incidents from the Fortinet FortiSIEM server. The list is filtered if you specify a domain ID or a time window. Otherwise, by default, an unfiltered list of incidents that occurred in the last 2 hours on the Fortinet FortiSIEM server is returned.
Annotation and Category: get_incidents, Investigation

operation: Get All Devices

Input parameters

None.

Output

The JSON output contains a short description for all devices that are configured on the Fortinet FortiSIEM server.

[Image: sample output of the Get All Devices operation]

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter: Description

Include IP SET: IP addresses for which you want to retrieve device information from the Fortinet FortiSIEM server. Provide the value as a range or in comma-separated (.csv) format, for example 192.168.20.1-192.168.20.100.

Exclude IP SET (Optional): IP addresses to exclude from this search. Provide the value as a range or in comma-separated (.csv) format.
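Because the Include IP SET and Exclude IP SET values usually arrive from an earlier playbook step (an alert field, a user prompt, a CSV upload), it is worth validating them before they reach the FortiSIEM query rather than trusting the server to reject bad input. The helper below is an added example, not code from the FortiSIEM connector: it parses the documented range and comma-separated forms, rejects malformed addresses, reversed ranges and ranges large enough to become a denial-of-service against the SIEM (the size limit is an assumed safeguard, not a FortiSIEM setting), and returns the included addresses minus the excluded ones.

```python
"""Validate and expand Include IP SET / Exclude IP SET playbook inputs.
Hypothetical helper, not part of the FortiSIEM connector."""
import ipaddress
from typing import List, Set

# Upper bound on how many addresses one range may expand to. This is an
# assumed safety limit, not a FortiSIEM setting: it stops an input such as
# 0.0.0.0-255.255.255.255 from turning into a huge request.
MAX_RANGE_SIZE = 65536


def parse_ip_set(value: str) -> Set[ipaddress.IPv4Address]:
    """Parse an IP SET value: comma-separated entries, each a single IPv4
    address or an inclusive range written start-end (the documented
    192.168.20.1-192.168.20.100 form). Malformed addresses, reversed ranges
    and oversized ranges raise ValueError instead of being passed through."""
    addresses: Set[ipaddress.IPv4Address] = set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if "-" in entry:
            start_text, end_text = (p.strip() for p in entry.split("-", 1))
            start = ipaddress.IPv4Address(start_text)  # ValueError if invalid
            end = ipaddress.IPv4Address(end_text)
            if end < start:
                raise ValueError(f"reversed range: {entry}")
            if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
                raise ValueError(f"range exceeds {MAX_RANGE_SIZE} addresses: {entry}")
            addresses.update(
                ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)
            )
        else:
            addresses.add(ipaddress.IPv4Address(entry))
    return addresses


def effective_ip_set(include: str, exclude: str = "") -> List[str]:
    """Return, sorted, the addresses in Include IP SET that are not in
    Exclude IP SET. An empty include set is an error: a query with no
    targets is almost always a broken playbook, not an intentional no-op."""
    included = parse_ip_set(include)
    if not included:
        raise ValueError("Include IP SET must contain at least one address")
    excluded = parse_ip_set(exclude) if exclude else set()
    return [str(a) for a in sorted(included - excluded)]


if __name__ == "__main__":
    # Constructed sample input: a small range plus one host, one exclusion.
    print(effective_ip_set("192.168.20.1-192.168.20.5, 10.0.0.1", "192.168.20.3"))
```

The expanded list can be joined back into comma-separated form for the Include IP SET field, or used directly to fan out Get Device Information calls; either way the query only ever sees addresses that parsed cleanly.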

Output

The JSON output contains a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified.

[Image: sample output of the Get All Devices For Specified IP Address Range operation]

operation: Get Device Information

Input parameters

Parameter: Description

Device IP: IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.

Output

The JSON output contains the details for the specified device that is configured on the Fortinet FortiSIEM server, based on the device IP that you have specified.

[Image: sample output of the Get Device Information operation]

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The JSON output contains a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server.

[Image: sample output of the List Monitored Devices and Attributes operation]

operation: List Monitored Organizations

Input parameters

None.

Output

The JSON output contains a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server.

[Image: sample output of the List Monitored Organizations operation]

operation: List Incidents

Input parameters

Parameter: Description

Domain ID (Optional): ID of the domain whose incidents you want to retrieve from the Fortinet FortiSIEM server. If you specify a domain ID, only that domain's incidents are retrieved.

Time Selection (Optional): The time window for which you want to retrieve incidents from the Fortinet FortiSIEM server. For example, if you choose Last 24 Hours, the operation retrieves incidents that occurred in the last 24 hours. Choose from the following options: Last 2 Hours, Last 10 Hours, Last 24 Hours, Last 3 Days, Last 5 Days, Last 7 Days, Last 15 Days, Last 25 Days, Last 30 Days, Last 50 Days, Last 60 Days, Last 90 Days, Last 120 Days, or Last 180 Days.
Note: By default, this is set to Last 2 Hours.

Customize Time (Optional): A specific DateTime for which you want to retrieve incidents from the Fortinet FortiSIEM server, used instead of one of the preset Time Selection windows.
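When a playbook sets Time Selection or Customize Time from a variable, the value should be checked against the documented option list and resolved to a concrete UTC window before the query runs; an unrecognized selection should fail loudly rather than silently fall back to some other range. The helper below is an added example and is not the connector's own code. It assumes Customize Time is the ISO 8601 start of the window and that the query wants epoch seconds; both are assumptions about the parameter's meaning, not something this page states.

```python
"""Resolve the List Incidents time inputs to a concrete UTC query window.
Hypothetical helper, not part of the FortiSIEM connector. The window is
returned as epoch seconds, which is an assumption about the query format."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# The documented Time Selection options and the duration each denotes.
TIME_SELECTIONS = {
    "Last 2 Hours": timedelta(hours=2),
    "Last 10 Hours": timedelta(hours=10),
    "Last 24 Hours": timedelta(hours=24),
    "Last 3 Days": timedelta(days=3),
    "Last 5 Days": timedelta(days=5),
    "Last 7 Days": timedelta(days=7),
    "Last 15 Days": timedelta(days=15),
    "Last 25 Days": timedelta(days=25),
    "Last 30 Days": timedelta(days=30),
    "Last 50 Days": timedelta(days=50),
    "Last 60 Days": timedelta(days=60),
    "Last 90 Days": timedelta(days=90),
    "Last 120 Days": timedelta(days=120),
    "Last 180 Days": timedelta(days=180),
}
DEFAULT_SELECTION = "Last 2 Hours"  # the documented default


def parse_utc(text: str) -> datetime:
    """Parse an ISO 8601 timestamp; a naive value is treated as UTC."""
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def incident_window(time_selection: Optional[str] = None,
                    customize_time: Optional[str] = None,
                    now: Optional[datetime] = None) -> Tuple[int, int]:
    """Return (start, end) as epoch seconds. Customize Time, when given, is
    taken as the start of the window (assumption) and overrides Time
    Selection; otherwise Time Selection picks a relative window, defaulting
    to Last 2 Hours. Unknown selections raise ValueError instead of being
    mapped to something else, so a typo never widens the query."""
    end = now or datetime.now(timezone.utc)
    if end.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if customize_time:
        start = parse_utc(customize_time)
        if start > end:
            raise ValueError(f"Customize Time {customize_time} is in the future")
    else:
        selection = time_selection or DEFAULT_SELECTION
        if selection not in TIME_SELECTIONS:
            raise ValueError(f"unsupported Time Selection: {selection!r}")
        start = end - TIME_SELECTIONS[selection]
    return int(start.timestamp()), int(end.timestamp())


if __name__ == "__main__":
    # Constructed example: default window ending at a fixed instant.
    print(incident_window(now=parse_utc("2024-01-02T12:00:00+00:00")))
```

Passing `now` explicitly keeps the function deterministic for testing; in a playbook you would omit it and let the current time be used.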

Output

The JSON output contains a list and details of incidents retrieved from the Fortinet FortiSIEM server, based on the parameters that you have specified. If you do not specify any parameters, then the JSON output contains an unfiltered list of incidents that have occurred in the Last 2 hours on the Fortinet FortiSIEM server.

[Image: sample output of the List Incidents operation]

Included playbooks

The Sample - Fortinet FortiSIEM - 1.0.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This collection contains a playbook for each supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

  • Get All Devices
  • Get All Devices For Specified IP Address Range
  • Get Device Information
  • List Incidents
  • List Monitored Devices and Attributes
  • List Monitored Organizations

Note: If you plan to use any of the sample playbooks in your environment, clone them and move the clones to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
