FortiWeb Cloud is a cloud-native, SaaS-based web application firewall (WAF) that protects web applications and APIs from the Open Worldwide Application Security Project (OWASP) Top 10 threats, zero-day attacks, and other application-layer attacks.
This document provides information about the Fortinet FortiWeb Cloud Connector, which facilitates automated interactions with a Fortinet FortiWeb Cloud server using FortiSOAR™ playbooks. Add the Fortinet FortiWeb Cloud Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiWeb Cloud.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.4.2-3279
Fortinet FortiWeb Cloud Version Tested on: 23.3.a
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-fortinet-fortiweb-cloud
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiWeb Cloud connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the FortiWeb Cloud server to connect and perform automated operations. |
| API Key | Specify the API key used to authenticate to the FortiWeb Cloud endpoint and perform the automated operations. |
| Verify SSL | Select if the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Incident Dashboard Details | Retrieves information for the global setting configurations from FortiWeb Cloud based on the widget name, action name, and other filter criteria you have specified. | get_incident_dashboard_details Investigation |
| Get Incidents List | Retrieves a list of all incidents from FortiWeb Cloud based on the time range and other filter criteria you have specified. | get_incident_list Investigation |
| Get Incident Details | Retrieves information for a specific incident from FortiWeb Cloud based on the incident ID you have specified. | get_incident_details Investigation |
| Get Incident Timeline Details | Retrieves information for a specific incident timeline from FortiWeb Cloud based on the incident ID you have specified. | get_incident_timeline_details Investigation |
| Get Insight Events Summary | Retrieves a summary of all insight events from FortiWeb Cloud. | get_insight_events_summary Investigation |
| Get Incident Aggregated Details | Retrieves aggregated information for a specific incident from FortiWeb Cloud based on the incident ID and Group By parameters you have specified. | get_incident_aggregated_details Investigation |
| Get Insight Events | Retrieves information for insight events from FortiWeb Cloud based on the event type and other filter criteria you have specified. | get_insight_events Investigation |
| Parameter | Description |
|---|---|
| Widget Name | Select the name of the widget based on which to filter the incident dashboard retrieved from FortiWeb Cloud. You can choose from the following options: Threats Timeline, Incidents Timeline, Source Country, Attack Type, High Risk, or HTTP Host. |
| Action Name | Select the action name based on which to filter the incident dashboard retrieved from FortiWeb Cloud. You can choose from the following options: |
| Host Name | Specify the name of the host based on which to retrieve information from FortiWeb Cloud. |
| Time Range | Specify the time range during which the incidents were created in FortiWeb Cloud and from which to retrieve incident dashboard details. For example: 24h or 7d to fetch incidents from the last 24 hours or 7 days, respectively. |
The output contains the following populated JSON schema:
Output schema when you choose Widget Name as Threats Timeline:
```json
{
  "start": "",
  "end": "",
  "line_data": [
    {
      "line_name": "",
      "number": [
        {
          "id": "",
          "value": "",
          "time": ""
        }
      ]
    }
  ]
}
```
Output schema when you choose Widget Name as Incidents Timeline:
```json
{
  "start": "",
  "end": "",
  "line_data": [
    {
      "line_name": "",
      "number": [
        {
          "id": "",
          "value": "",
          "time": ""
        }
      ]
    }
  ]
}
```
Output schema when you choose Widget Name as Source Country:
```json
[
  {
    "name": "",
    "value": ""
  }
]
```
Output schema when you choose Widget Name as Attack Type:
```json
[
  {
    "name": "",
    "percentage": ""
  }
]
```
Output schema when you choose Widget Name as High Risk:
```json
[
  {
    "incident_id": "",
    "platform": "",
    "risk": "",
    "name": ""
  }
]
```
Output schema when you choose Widget Name as HTTP Host:
```json
[
  {
    "name": "",
    "threat_count": "",
    "monitor_count": "",
    "block_count": "",
    "platform": ""
  }
]
```
| Parameter | Description |
|---|---|
| Time Range | Specify the time range during which the incidents were created in FortiWeb Cloud and from which to retrieve incidents. For example: 24h or 7d to fetch incidents from the last 24 hours or 7 days, respectively. |
| Filter | Specify multiple key/value pairs in JSON format to filter the incidents retrieved from FortiWeb Cloud. |
| Page Size | Specify the number of results, per page, to include in the response of this operation. |
| Page Number | Specify the page number from which to fetch incidents from FortiWeb Cloud. |
The output contains the following populated JSON schema:
```json
{
  "total": "",
  "result": [
    {
      "incident_id": "",
      "platform": "",
      "risk": "",
      "description": "",
      "threat_count": "",
      "block_count": "",
      "tags": [],
      "lasttime": "",
      "create_time": "",
      "blocked": "",
      "host_desc": "",
      "app_names": []
    }
  ]
}
```
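The Time Range parameter above accepts shorthand such as 24h or 7d, and the incident records it returns carry a blocked flag and a threat_count. The following is an added example, not connector code: it normalises the shorthand into a lookback window (rejecting anything other than the documented h and d units, so a mistyped playbook variable cannot silently widen the search), and it picks out the unblocked incidents from a Get Incidents List response so a playbook can hand them to an analyst first. The sample response is constructed in the schema shown above; the type of the blocked field and the risk values are assumptions, since the page does not state them.

```python
"""Time Range normalisation and post-filtering of Get Incidents List output (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Only the units the connector documentation shows ("24h", "7d"); anything else is an error.
_RANGE_RE = re.compile(r"^(\d+)([hd])$")
_UNIT_SECONDS = {"h": 3600, "d": 86400}


def parse_time_range(value: str) -> timedelta:
    """Turn a Time Range string such as '24h' or '7d' into a timedelta."""
    m = _RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported time range {value!r}; use <n>h or <n>d")
    amount, unit = int(m.group(1)), m.group(2)
    if amount == 0:
        raise ValueError("time range must be positive")
    return timedelta(seconds=amount * _UNIT_SECONDS[unit])


def window_start(value: str, now: datetime) -> datetime:
    """Earliest create_time that falls inside the Time Range, relative to `now`."""
    return now - parse_time_range(value)


def _as_bool(v) -> bool:
    # Assumption: the schema leaves the type of "blocked" open, so accept bool or a 'true'/'false' string.
    if isinstance(v, str):
        return v.strip().lower() in ("true", "1", "yes")
    return bool(v)


def unblocked_incidents(response: dict, min_threats: int = 1) -> List[Tuple[str, int]]:
    """Return (incident_id, threat_count) for incidents FortiWeb Cloud has not blocked, busiest first."""
    picked = []
    for inc in response.get("result") or []:
        if _as_bool(inc.get("blocked")):
            continue
        threats = int(inc.get("threat_count") or 0)
        if threats >= min_threats:
            picked.append((inc["incident_id"], threats))
    picked.sort(key=lambda t: (-t[1], t[0]))
    return picked


# Constructed sample in the documented Get Incidents List schema; values are made up for the example.
SAMPLE_RESPONSE = {
    "total": 3,
    "result": [
        {"incident_id": "inc-001", "platform": "aws", "risk": "high", "description": "SQL injection attempts",
         "threat_count": 120, "block_count": 120, "tags": [], "lasttime": "2024-05-02T10:00:00Z",
         "create_time": "2024-05-01T08:00:00Z", "blocked": True, "host_desc": "shop.example.test",
         "app_names": ["shop"]},
        {"incident_id": "inc-002", "platform": "azure", "risk": "medium", "description": "Scanner activity",
         "threat_count": 45, "block_count": 0, "tags": [], "lasttime": "2024-05-02T09:30:00Z",
         "create_time": "2024-05-01T20:00:00Z", "blocked": "false", "host_desc": "api.example.test",
         "app_names": ["api"]},
        {"incident_id": "inc-003", "platform": "aws", "risk": "high", "description": "Credential stuffing",
         "threat_count": 80, "block_count": 0, "tags": [], "lasttime": "2024-05-02T11:00:00Z",
         "create_time": "2024-05-02T01:00:00Z", "blocked": False, "host_desc": "portal.example.test",
         "app_names": ["portal"]},
    ],
}

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
    print("window starts at", window_start("24h", now).isoformat())
    for incident_id, threats in unblocked_incidents(SAMPLE_RESPONSE):
        print(f"{incident_id}: {threats} threats, not blocked")
```

In a playbook the returned pairs would feed a later step, such as Get Incident Details for each incident_id; the strict unit check is what keeps a bad Time Range value from being passed through to FortiWeb Cloud unnoticed.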
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose details are to be retrieved from FortiWeb Cloud. |
The output contains the following populated JSON schema:
```json
{
  "incident_id": "",
  "platform": "",
  "risk": "",
  "description": "",
  "threat_count": "",
  "block_count": "",
  "tags": [],
  "lasttime": "",
  "create_time": "",
  "blocked": "",
  "host_desc": "",
  "app_names": [],
  "comments": [],
  "attack_types": [],
  "cve_ids": [],
  "hosts": [],
  "src_countries": [],
  "firsttime": "",
  "src_ips": [],
  "http_urls": []
}
```
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose timeline details are to be retrieved from FortiWeb Cloud. |
The output contains the following populated JSON schema:
```json
{
  "start": "",
  "end": "",
  "line_data": [
    {
      "line_name": "",
      "number": [
        {
          "id": "",
          "value": "",
          "time": ""
        }
      ]
    }
  ]
}
```
Input parameters: None. This operation takes no parameters.
The output contains the following populated JSON schema:
```json
{
  "detail": "",
  "result": {
    "summary": [
      {
        "type": "",
        "active": ""
      }
    ]
  }
}
```
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose aggregated details are to be retrieved from FortiWeb Cloud. |
| Group By | Select the grouping criteria based on which to filter the incident aggregated details retrieved from FortiWeb Cloud. Select Logs to get sample attack logs of the specified incident. You can choose from the following options: |
The output contains the following populated JSON schema:
Output schema when you choose Group By as Logs:
```json
{
  "total": "",
  "result": [
    {
      "msg": "",
      "log_id": "",
      "threat_level": "",
      "signature_cve_id": "",
      "owasp_top10": "",
      "main_type": "",
      "http_url": "",
      "srccountry": "",
      "src_ip": "",
      "signature_id": "",
      "date_time": "",
      "sub_type": "",
      "action": "",
      "msg_id": "",
      "country_flag": "",
      "_id": ""
    }
  ]
}
```
Output schema when you choose any other Group By option:
```json
{
  "total": "",
  "result": [
    {
      "name": "",
      "threat_count": "",
      "monitor_count": "",
      "block_count": "",
      "platform": ""
    }
  ]
}
```
| Parameter | Description |
|---|---|
| Event Type | Select the type of event based on which to filter the insight events retrieved from FortiWeb Cloud. You can choose from the following options: Exposed Server, Trust IP, Unprotected Host, Monitor Service, or WAF Config Alarm. |
| Cursor | Specify the cursor value based on which to filter the insight events retrieved from FortiWeb Cloud. Leave the cursor value empty to list the items of the first page. Use the value of the next_cursor or prev_cursor field returned by a previous call to fetch the following or preceding page. |
| Page Size | Specify the number of results, per page, to include in the response of this operation. The values can be 10, 20, or 30. |
| Forward | Select this option to fetch records from the next page. Clear this checkbox to fetch records from the previous page. |
The output contains the following populated JSON schema:
Output schema when you choose Event Type as Exposed Server:
```json
{
  "detail": "",
  "result": {
    "type": "",
    "events": [
      {
        "id": "",
        "app_name": "",
        "origin_server": [],
        "exposed_dns": "",
        "direct_access": "",
        "last_updated": ""
      }
    ],
    "prev_cursor": "",
    "next_cursor": "",
    "total": ""
  }
}
```
Output schema when you choose Event Type as Trust IP:
```json
{
  "detail": "",
  "result": {
    "type": "",
    "events": [],
    "prev_cursor": "",
    "next_cursor": "",
    "total": ""
  }
}
```
Output schema when you choose Event Type as Unprotected Host:
```json
{
  "detail": "",
  "result": {
    "type": "",
    "events": [],
    "prev_cursor": "",
    "next_cursor": "",
    "total": ""
  }
}
```
Output schema when you choose Event Type as Monitor Service:
```json
{
  "detail": "",
  "result": {
    "type": "",
    "events": [],
    "prev_cursor": "",
    "next_cursor": "",
    "total": ""
  }
}
```
Output schema when you choose Event Type as WAF Config Alarm:
```json
{
  "detail": "",
  "result": {
    "type": "",
    "events": [
      {
        "id": "",
        "app_name": "",
        "configuration": "",
        "status": "",
        "last_updated": ""
      }
    ],
    "prev_cursor": "",
    "next_cursor": "",
    "total": ""
  }
}
```
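Get Insight Events is paged with a cursor rather than a page number: each response carries next_cursor and prev_cursor, and the Forward checkbox decides which direction the supplied cursor is followed. The following is an added example, not connector code, showing how a playbook-side loop walks every page of one event type until next_cursor comes back empty, with a guard against a cursor that repeats (which would otherwise loop forever) and the documented Page Size restriction to 10, 20, or 30. The fetch function is a stand-in for the connector's call, backed by constructed WAF Config Alarm events in the schema shown above; the cursor format used by the stand-in is made up for the example, since real cursors are opaque.

```python
"""Walking cursor-paged Get Insight Events output (added example, not connector code)."""
from collections import Counter
from typing import Callable, Dict, List

ALLOWED_PAGE_SIZES = (10, 20, 30)  # the values the Page Size parameter accepts

# Constructed sample: five WAF Config Alarm events, served two per page so paging is exercised.
SAMPLE_EVENTS = [
    {"id": "1", "app_name": "shop", "configuration": "ip_protection", "status": "disabled", "last_updated": "2024-05-01T10:00:00Z"},
    {"id": "2", "app_name": "shop", "configuration": "bot_mitigation", "status": "disabled", "last_updated": "2024-05-01T10:05:00Z"},
    {"id": "3", "app_name": "api", "configuration": "known_attacks", "status": "alert_only", "last_updated": "2024-05-01T11:00:00Z"},
    {"id": "4", "app_name": "portal", "configuration": "known_attacks", "status": "disabled", "last_updated": "2024-05-02T09:30:00Z"},
    {"id": "5", "app_name": "portal", "configuration": "ssl", "status": "alert_only", "last_updated": "2024-05-02T09:45:00Z"},
]
_FAKE_PAGE_LEN = 2

FetchFn = Callable[[str, str, int, bool], dict]


def fake_fetch(event_type: str, cursor: str, page_size: int, forward: bool) -> dict:
    """Stand-in for the connector's Get Insight Events call.

    Cursor convention is constructed for this example: "" means the first page and
    "pN" means "page N was the last one returned", so Forward moves to N+1 and
    clearing Forward moves to N-1.  Real FortiWeb Cloud cursors are opaque strings.
    """
    if page_size not in ALLOWED_PAGE_SIZES:
        raise ValueError(f"page_size must be one of {ALLOWED_PAGE_SIZES}")
    n_pages = -(-len(SAMPLE_EVENTS) // _FAKE_PAGE_LEN)
    if cursor == "":
        page = 0
    else:
        last_seen = int(cursor[1:])
        page = last_seen + 1 if forward else last_seen - 1
    if not 0 <= page < n_pages:
        raise ValueError(f"cursor {cursor!r} points outside the result set")
    start = page * _FAKE_PAGE_LEN
    return {
        "detail": "",
        "result": {
            "type": event_type,
            "events": SAMPLE_EVENTS[start:start + min(page_size, _FAKE_PAGE_LEN)],
            "prev_cursor": f"p{page}" if page > 0 else "",
            "next_cursor": f"p{page}" if page + 1 < n_pages else "",
            "total": len(SAMPLE_EVENTS),
        },
    }


def collect_insight_events(fetch: FetchFn, event_type: str, page_size: int = 30, max_pages: int = 100) -> List[dict]:
    """Follow next_cursor with Forward set until the server returns an empty cursor."""
    if page_size not in ALLOWED_PAGE_SIZES:
        raise ValueError(f"page_size must be one of {ALLOWED_PAGE_SIZES}")
    events: List[dict] = []
    cursor = ""  # empty cursor lists the first page
    seen_cursors = set()
    for _ in range(max_pages):
        result = fetch(event_type, cursor, page_size, True).get("result") or {}
        events.extend(result.get("events") or [])
        cursor = result.get("next_cursor") or ""
        if not cursor:
            return events
        if cursor in seen_cursors:  # a repeating cursor would otherwise page forever
            raise RuntimeError(f"cursor {cursor!r} repeated; aborting pagination")
        seen_cursors.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages without reaching the end")


def count_by(events: List[dict], field: str) -> Dict[str, int]:
    """Summarise collected events by one field, e.g. which WAF features are disabled per app."""
    return dict(Counter(str(e.get(field, "")) for e in events))


if __name__ == "__main__":
    alarms = collect_insight_events(fake_fetch, "waf_config_alarm", page_size=10)
    print(len(alarms), "WAF config alarms;", count_by(alarms, "status"))
```

The same loop works for every Event Type on the page because the cursor fields sit in the same place in each schema; only the contents of events differ. Stepping backwards is the mirror image: pass prev_cursor with Forward cleared, as fake_fetch shows.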
The Sample - Fortinet FortiWeb Cloud - 1.0.0 playbook collection comes bundled with the Fortinet FortiWeb Cloud connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiWeb Cloud connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.