SecurityBridge v1.0.0

About the connector

SecurityBridge is an SAP native solution for Security and Event monitoring for SAP.

This document provides information about the SecurityBridge connector, which facilitates automated interactions with a SecurityBridge server using FortiSOAR™ playbooks. Add the SecurityBridge connector as a step in FortiSOAR™ playbooks and perform automated operations such as fetching events from SecurityBridge.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from SecurityBridge. Currently, the "events" ingested from SecurityBridge are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-securitybridge

Prerequisites to configuring the connector

  • You must have the URL of the SecurityBridge server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the SecurityBridge server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SecurityBridge connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

| Parameter | Description |
| --- | --- |
| Server Address | Specify the URL of the SecurityBridge to which you will connect and perform automated operations. |
| Username | Specify the Username to access your SecurityBridge to which you will connect and perform automated operations. |
| Password | Specify the Password to access your SecurityBridge to which you will connect and perform automated operations. |
| Server Port | Specify the port used to access the SecurityBridge server. By default, this is set to 8000. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

| Function | Description | Annotation and Category |
| --- | --- | --- |
| Fetch Events | Fetches events from SecurityBridge using filters such as the start and end time of the events and other filters you have specified. | fetch_events, Investigation |

operation: Fetch Events

Input parameters

| Parameter | Description |
| --- | --- |
| Start Time | Select the starting date and time from when you want to fetch events from SecurityBridge. The DateTime format is YYYY-MM-DDTHH:mm:ss.ssssZ |
| End Time | Select the ending date and time until when you want to fetch events from SecurityBridge. The DateTime format is YYYY-MM-DDTHH:mm:ss.ssssZ |
| Response Format | Select the format in which you want to return the events retrieved from SecurityBridge. You can choose between JSON (default) or XML. |

Output

The output contains the following populated JSON schema:

Output schema when you choose "Response Format" as "JSON":
{
    "d": {
        "results": [
            {
                "__metadata": {
                    "id": "",
                    "uri": "",
                    "type": ""
                },
                "qFrom": "",
                "qTo": "",
                "qGuid": "",
                "qSid": "",
                "guid": "",
                "timestamp": "",
                "object": "",
                "action": "",
                "sid": "",
                "client": "",
                "severity": "",
                "account": "",
                "terminal": "",
                "program": "",
                "eventMsg": "",
                "retroactive": "",
                "recTimestamp": "",
                "IPv4Address": "",
                "transactionCode": "",
                "eventUserType": "",
                "eventUserGroup": "",
                "systemType": "",
                "eventAttr1": "",
                "eventAttr2": "",
                "eventAttr3": "",
                "eventAttr4": "",
                "eventAttr5": ""
            }
        ]
    }
}

Output schema when you choose "Response Format" as "XML":

The output contains a non-dictionary value.

Included playbooks

The Sample - SecurityBridge - 1.0.0 playbook collection comes bundled with the SecurityBridge connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SecurityBridge connector.

  • > SecurityBridge > Fetch
  • Fetch Events
  • SecurityBridge > Ingest

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from SecurityBridge. Currently, these "Events" from SecurityBridge are mapped to "Alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SecurityBridge "Events" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure the scheduled pulling of events from SecurityBridge into FortiSOAR™. It also lets you pull some sample events from SecurityBridge, which you can use to define the mapping of data between SecurityBridge and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly only need to map any custom fields that are added to the SecurityBridge events.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the SecurityBridge connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between SecurityBridge data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch SecurityBridge events.
    Users can choose to pull data from SecurityBridge by specifying the last X minutes in which the events have been created or updated in SecurityBridge. The fetched data is used to create a mapping between the SecurityBridge events and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a SecurityBridge event to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventMsg parameter of a SecurityBridge event to the Description parameter of a FortiSOAR™ alert, click the Description field and then click the eventMsg field to populate its keys:
    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SecurityBridge, so that the content gets pulled from the SecurityBridge integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from SecurityBridge every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
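
The field mapping from step 3 and the repeated polling from step 4, sketched as an added example (not connector or FortiSOAR™ code): it reads the documented d.results list, maps eventMsg to the alert description as in the text, and skips events already ingested by an earlier, overlapping poll. Apart from "description", the alert field names are hypothetical, and treating guid as a unique event key is an assumption.

```python
import json

# Constructed response in the JSON output schema shown on this page; all values are made up.
SAMPLE = json.dumps({"d": {"results": [
    {"guid": "G-001", "severity": "HIGH", "account": "DEMO_USER",
     "IPv4Address": "192.0.2.10", "eventMsg": "Constructed event text"},
    # Same event returned again, as can happen when two poll windows overlap.
    {"guid": "G-001", "severity": "HIGH", "account": "DEMO_USER",
     "IPv4Address": "192.0.2.10", "eventMsg": "Constructed event text"},
    {"guid": "G-002", "severity": "", "account": "",
     "IPv4Address": "", "eventMsg": "Second constructed event"},
]}})

# Alert field -> event key. "description" <- eventMsg is the mapping from step 3;
# the other alert field names are hypothetical.
FIELD_MAP = {"description": "eventMsg", "sourceId": "guid", "severity": "severity",
             "userName": "account", "sourceIp": "IPv4Address"}

def extract_events(raw):
    """Return the event dicts under d.results of a JSON-format response."""
    try:
        body = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    except ValueError as exc:
        # The XML response format yields a non-dictionary value that cannot be mapped here.
        raise ValueError("response is not JSON; select the JSON response format") from exc
    if not isinstance(body, dict):
        raise ValueError("expected a JSON object containing d.results")
    d = body.get("d")
    results = d.get("results") if isinstance(d, dict) else None
    return [e for e in (results or []) if isinstance(e, dict)]

def to_alert(event):
    """Map one event to an alert dict; empty strings become None."""
    return {field: (event.get(key) or None) for field, key in FIELD_MAP.items()}

def map_events(raw, seen=None):
    """Map a response to alerts, skipping guids already in `seen` (updated in place)."""
    seen = set() if seen is None else seen
    alerts = []
    for event in extract_events(raw):
        guid = event.get("guid")
        if guid and guid in seen:
            continue  # already ingested by an earlier poll
        if guid:
            seen.add(guid)
        alerts.append(to_alert(event))  # events without a guid are kept, never dropped
    return alerts
```

Pass the same `seen` set to every scheduled run so that events returned by consecutive polls are ingested once.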
