Fortinet Document Library

About the connector

LogPoint enables organizations to convert data into actionable intelligence, improving their cybersecurity posture and creating immediate business value. 

This document provides information about the LogPoint connector, which facilitates automated interactions with your LogPoint server using FortiSOAR™ playbooks. Add the LogPoint connector as a step in FortiSOAR™ playbooks to perform automated operations for collecting, analyzing, and monitoring your machine data.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ versions: 4.12.1-253 

Authored By: Fortinet 

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-logpoint

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the LogPoint server to which you will connect and perform automated operations, and credentials (a username and secret key pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the LogPoint connector row, and in the Configure tab enter the required configuration details.

  • Server URL: URL of the LogPoint server to which you will connect and perform automated operations.
  • Username: Username used to access the LogPoint server.
  • Secret Key: Secret key used to access the LogPoint server.
  • Verify SSL: Specifies whether the SSL certificate of the server is verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards (each entry lists the function, its description, its annotation, and its category):

  • Get Repos: Retrieves a list of all the repos from the LogPoint system. Annotation: get_repos. Category: Investigation.
  • Get Log Points: Retrieves a list of all Log Points from the LogPoint system. Annotation: get_log_points. Category: Investigation.
  • Get Devices: Retrieves a list of all devices from the LogPoint system. Annotation: get_devices. Category: Investigation.
  • Get Time Zone: Retrieves time zone information from the LogPoint system. Annotation: get_timezone. Category: Investigation.
  • Get Live Search: Retrieves information about live searches from the LogPoint system. Annotation: get_live_search. Category: Investigation.
  • Get Search ID: Searches the LogPoint system based on the time range and query you have specified and returns a search ID. Annotation: get_search_id. Category: Investigation.
  • Get Response: Retrieves the response of a search operation from the LogPoint system based on the search ID you have specified. Annotation: get_response. Category: Investigation.

operation: Get Repos

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "allowed_repos": [
        {
            "address": "",
            "repo": ""
        }
    ],
    "logpoint": [
        {
            "ip": "",
            "name": ""
        }
    ],
    "success": ""
}

operation: Get Log Points

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "success": "",
    "allowed_loginspects": [
        {
            "ip": "",
            "name": ""
        }
    ]
}

operation: Get Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "allowed_devices": [],
    "logpoint": [],
    "success": ""
}

operation: Get Time Zone

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "hour_format": "",
    "date_format": "",
    "success": "",
    "timezone": ""
}

operation: Get Live Search

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "livesearches": [
        {
            "query_info": {
                "lucene_query": "",
                "columns": [],
                "aliases": [],
                "success": "",
                "query_filter": "",
                "grouping": [],
                "fieldsToExtract": [],
                "query_type": ""
            },
            "vid": "",
            "generated_by": "",
            "limit": "",
            "timerange_hour": "",
            "searchname": "",
            "flush_on_trigger": "",
            "timerange_minute": "",
            "tid": "",
            "description": "",
            "life_id": "",
            "query": "",
            "timerange_second": "",
            "timerange_day": ""
        }
    ],
    "success": ""
}

operation: Get Search ID

Input parameters

  • Time Range: Time range based on which you want to search the LogPoint system. You can choose a relative time such as Last 1 hour or Last x... from the options provided, click Calendar Period to specify a calendar period such as This Month, or click Custom to specify a custom time range.
      • If you click Last x..., then in the Count field enter the count for the selected time range type, and from the Type drop-down list select the type of the time range: Minutes, Hours, Days, Months, or Years. For example, if you specify 30 in the Count field and select Minutes as the type, the LogPoint system is searched for the last 30 minutes.
      • If you click Calendar Period, then from the Period drop-down list select the calendar period for which you want to search the LogPoint system: Today, Yesterday, This Week, This Month, Last Week, or Last Month.
      • If you click Custom, then in the From field specify the datetime at which the search starts, and in the To field specify the datetime at which the search ends.
  • Query Parameter: Parameter of the query based on which you want to search the LogPoint system. You can choose a predefined query parameter, such as Time Zone or User, or select Custom to define your own query in the Query field. If you choose a predefined query parameter, you must specify the query value associated with it. For example, if you choose Time Zone, you must specify the time zone for which you want to extract logs from the LogPoint system; if you choose User, you must specify the user for whom you want to extract logs.
  • Limit (Optional): Maximum number of records that this operation should retrieve from the LogPoint system. By default, this is set to 30.
  • Timeout (Optional): Time, in seconds, after which this operation times out; that is, the time in seconds for which the search ID remains valid. By default, this is set to 60.
  • Repos (Optional): Repos on the LogPoint system on which you want to run the search operation.

Output

The output contains the following populated JSON schema:

{
    "lookup": "",
    "search_id": "",
    "time_range": [],
    "query_filter": "",
    "latest": "",
    "success": "",
    "searchId": "",
    "query_type": ""
}

operation: Get Response

Input parameters

  • Search ID: Search ID based on which you want to retrieve the response from the LogPoint system. Note: You can retrieve the search ID using the Get Search ID operation.

Output

The output contains the following populated JSON schema:

{
    "status": {},
    "complete": "",
    "version": "",
    "time_range": [],
    "orig_search_id": "",
    "final": "",
    "query_type": "",
    "success": "",
    "estim_count": "",
    "extracted_terms": []
}
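As an added illustration (not part of the Fortinet documentation or the connector's own code), the Get Search ID / Get Response pairing above can be driven as a poll loop that returns once the response reports complete and final, and gives up when the Timeout window (the period for which the search ID is valid) has lapsed. The StubLogPoint client, its method names and all sample values are constructed assumptions that only mirror the output schemas documented on this page; relative_time_range converts a Last x... selection (Minutes, Hours or Days) into the two-element time_range list the Get Search ID output carries.

```python
import time

# "Type" choices of the Time Range Last x... option that map to a fixed number of
# seconds; Months and Years are calendar-dependent and are rejected here.
SECONDS_PER_UNIT = {"Minutes": 60, "Hours": 3600, "Days": 86400}

def relative_time_range(count, unit, now=None):
    """Turn a Last x... selection (Count + Type) into a [start, end] pair of
    epoch seconds, the shape of the time_range list in the Get Search ID output."""
    if count <= 0 or unit not in SECONDS_PER_UNIT:
        raise ValueError(f"unsupported relative range: {count} {unit}")
    end = int(time.time() if now is None else now)
    return [end - count * SECONDS_PER_UNIT[unit], end]

class StubLogPoint:
    """Constructed stand-in (an assumption, not LogPoint's or the connector's API)
    that answers with the output schemas documented on this page."""
    def __init__(self, polls_until_done):
        self.polls_until_done = polls_until_done
        self.polls = 0

    def get_search_id(self, query, time_range, limit=30, timeout=60):
        return {"success": True, "search_id": "stub-search-1", "searchId": "stub-search-1",
                "time_range": time_range, "query_filter": query, "query_type": "",
                "lookup": "", "latest": ""}

    def get_response(self, search_id):
        self.polls += 1                      # one Get Response call per poll
        done = self.polls >= self.polls_until_done
        return {"success": True, "orig_search_id": search_id, "complete": done, "final": done,
                "estim_count": 3 if done else 0, "status": {}, "version": "", "time_range": [],
                "query_type": "", "extracted_terms": []}

def collect_search(client, query, time_range, timeout=60, poll_interval=0.0):
    """Run Get Search ID, then poll Get Response until the search is complete and
    final; raise TimeoutError once the search ID's validity window lapses."""
    issued = client.get_search_id(query, time_range, timeout=timeout)
    if not issued.get("success"):
        raise RuntimeError("Get Search ID failed")
    search_id = issued["search_id"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        resp = client.get_response(search_id)
        if not resp.get("success"):
            raise RuntimeError(f"Get Response failed for {search_id}")
        if resp.get("complete") and resp.get("final"):
            return resp
        time.sleep(poll_interval)
    raise TimeoutError(f"search {search_id} expired after {timeout}s")
```

In a playbook the same loop is expressed as a Get Search ID step followed by Get Response steps that re-check complete and final; the Timeout value chosen in Get Search ID bounds how long those retries can continue.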

Included playbooks

The Sample - logpoint - 1.0.0 playbook collection comes bundled with the LogPoint connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the LogPoint connector.

  • Get Devices
  • Get Live Search
  • Get Log Points
  • Get Repos
  • Get Response
  • Get Search ID
  • Get Time Zone

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
