FortiAnalyzer is the NOC-SOC security analysis tool built with an operations perspective. FortiAnalyzer (FAZ) supports analytics-powered use cases to provide better detection against breaches.
This document provides information about the Fortinet FortiAnalyzer Connector, which facilitates automated interactions with your Fortinet FortiAnalyzer server using FortiSOAR™ playbooks. Add the Fortinet FortiAnalyzer Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as creating and updating incidents on Fortinet FortiAnalyzer and retrieving user and endpoint information from Fortinet FortiAnalyzer.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiAnalyzer. Currently, "events" in Fortinet FortiAnalyzer are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section
Connector Version: 1.4.0
FortiSOAR™ Version Tested on: 6.4.4-3164
FortiAnalyzer Version Tested on: VM64-KVMv6.4.4 Interim build 4751
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiAnalyzer connector in version 1.4.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortianalyzer
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Username | Username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Password | Password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| ADOM Name | Administrative domain name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Port | Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Incident | Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint, and other input parameters you have specified. | create_incident Investigation |
| Get Incident | Retrieves all incidents or a specific incident from Fortinet FortiAnalyzer based on the input parameters you have specified. | list_incidents Investigation |
| Update Incident | Updates incident fields like severity, category, status, etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID and other input parameters you have specified. | update_incident_details Investigation |
| Get Events For Incident | Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID you have specified. | get_events_for_incident Investigation |
| Get Executed Report List | Retrieves a list of all executed reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the time frame you have specified. | get_reports Investigation |
| Get Report Schedule List | Retrieve a list of all report schedules from Fortinet FortiAnalyzer. | get_schedules Investigation |
| Run Report | Runs a report on the Fortinet FortiAnalyzer based on the report ID and schedule ID you have specified. | run_report Investigation |
| Get Report File | Retrieves a specific generated report file from Fortinet FortiAnalyzer based on the report ID you have specified and adds that report file to FortiSOAR as an 'Attachment' | get_generated_report Investigation |
| Get User Info | Retrieves information for all users or specific users from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_users Investigation |
| Get Endpoint Info | Retrieves information for all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_endpoints Investigation |
| List Log Fields | Retrieves all log fields from Fortinet FortiAnalyzer based on the device and log type and other input parameters you have specified. | list_log_fields Investigation |
| Get Log-File Content | Retrieves the content of a specified logfile from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | get_log_file_content Investigation |
| Log Search over Log-File | Runs a log search task for a single logfile from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | log_search_over_log_file Investigation |
| Get Log-File State | Retrieves the state of a log file from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | get_log_file_state Investigation |
| Start Log Search Request | Starts a new task to search for logs in Fortinet FortiAnalyzer based on the device ID, device name, and other input parameters you have specified. | start_log_search_request Investigation |
| Fetch Log Search Result by Task ID | Starts a new task to retrieve the log search results from Fortinet FortiAnalyzer based on the task ID and other input parameters you have specified. | fetch_log_search_result_by_task_id Investigation |
| Get Event | Retrieves all the events or a specific event from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_alerts Investigation |
| Get Event Log | Retrieves the logs associated with a specific event from Fortinet FortiAnalyzer based on the FAZ event ID and other input parameters you have specified. | get_alert_event_logs Investigation |
| Get Incident Assets | Retrieves a list of assets affected by the specified incident from FortiAnalyzer based on the incident ID and other parameters you have specified. | get_incident_assets Investigation |
| Get Incident Attachments | Retrieves all attachments (i.e. Comments, Events, Report, Indicators etc.) associated with the specified incident from FortiAnalyzer based on the incident ID you have specified and other parameters you have specified. | get_attachments_for_incident Investigation |
| Update Incident Attachment | Updates incident attachment fields associated with a specific incident in FortiAnalyzer based on the incident ID and other input parameters you have specified | update_attachment Investigation |
| Get ADOMs | Retrieves all ADOMs from Fortinet FortiAnalyzer. | get_adoms Investigation |
| Add a Master Device | Adds a master device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_master_device Investigation |
| Add a Slave Device | Adds a slave device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, master device name, and master device serial number you have specified. | add_slave_device Investigation |
| Add a New Device | Adds a new device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_new_device Investigation |
| Get Devices | Retrieves all devices from the Fortinet FortiAnalyzer device manager database. | get_devices Investigation |
| Get Log Status | Retrieves the last log time and log rate per device[vdom] from Fortinet FortiAnalyzer. This operation retrieves the log status for all devices or the log status for particular devices based on the device ID you have specified. | get_log_status Investigation |
| Get Device Information | Retrieves device information from Fortinet FortiAnalyzer based on the device name you have specified. | get_device_info Investigation |
| Authorize Device | Authorizes the device in Fortinet FortiAnalyzer based on the device name, serial number and other input parameters you have specified. | authorize_device Investigation |
| Delete a Device | Deletes a specific device from Fortinet FortiAnalyzer based on the device name you have specified. | delete_device Investigation |
| Parameter | Description |
|---|---|
| Incident Reporter | Name of reporter of the incident that you want to create in Fortinet FortiAnalyzer. |
| Affected Endpoint | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Assigned To | (Optional) Name of person to which you want to assign the incident that you want to create in Fortinet FortiAnalyzer. |
| Category | (Optional) Category in which you want to create the incident in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Severity | (Optional) Severity level that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
| Status | (Optional) Status that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. |
| Description | (Optional) Description of the incident that you want to create in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Additional fields in the JSON format that you want to add to the incident, which you want to create in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
{
"result": {
"incid": ""
},
"jsonrpc": "",
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | List of incident IDs based on which you want to retrieve incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Status of the incident using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Filter | Query filter using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
| Detail Level | Level of detail that you want to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the incidents by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"severity": "",
"category": "",
"incid": "",
"euid": "",
"description": "",
"endpoint": "",
"refinfo": "",
"attach_revision": "",
"epid": "",
"createtime": "",
"status": "",
"attach_lastupdate": "",
"lastuser": "",
"revision": "",
"reporter": "",
"lastupdate": ""
}
],
"status": {
"code": "",
"message": ""
},
"detail-level": ""
},
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident that you want to update in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Name of person to which you want to assign the incident that you want to update in Fortinet FortiAnalyzer. |
| Category | (Optional) Category that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Status | (Optional) Status that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Affected Endpoint | (Optional) Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Severity | (Optional) Severity level that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
| End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. |
| Description | (Optional) Description of the incident that you want to update in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Additional fields in the JSON format that you want to modify in the incident, which you want to update in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"status": {
"code": "",
"message": ""
}
},
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated events you want to retrieve from Fortinet FortiAnalyzer. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say events starting from the 10th event. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"createtime": "",
"data": "",
"incid": "",
"lastuser": "",
"attachid": "",
"lastupdate": "",
"revision": "",
"attachtype": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| State | State of the executed report that you want to retrieve from Fortinet FortiAnalyzer. The states that are supported are: pending-running or generated. |
| Start Time | Starting DateTime from when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports. |
| End Time | Ending DateTime till when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports. |
The output contains the following populated JSON schema:
{
"result": {
"count": "",
"revision": "",
"data": [
{
"devtype": "",
"state": "",
"profileid": "",
"date": "",
"title": "",
"timestamp-end": "",
"adminuser": "",
"schedule_color": "",
"format": [],
"tid": "",
"progress-percent": "",
"name": "",
"period-end": "",
"end": "",
"timestamp-start": "",
"start": "",
"period-start": ""
}
]
},
"jsonrpc": "",
"id": ""
}
None.
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
},
"data": [
{
"report-per-device": "",
"week-start": "",
"date-format": "",
"include-other": "",
"period-last-n": "",
"period-opt": "",
"display-device-by": "",
"schedule-valid-end": [],
"devices": [
{
"devices-name": ""
}
],
"schedule-color": "",
"filter": "",
"admin-user": "",
"filter-type": "",
"report-layout": [
{
"layout-id": ""
}
],
"email-report-per-device": "",
"language": "",
"ldap-user-case-change": "",
"orientation": "",
"name": "",
"time-period": "",
"print-report-filters": "",
"schedule-type": "",
"ldap-server": "",
"auto-hcache": "",
"display-table-contents": "",
"filter-logic": "",
"obfuscate-user": "",
"device-list-type": "",
"include-coverpage": "",
"output-format": "",
"schedule-valid-start": [],
"resolve-hostname": "",
"ldap-query": "",
"schedule-frequency": "",
"output-profile": "",
"dev-type": "",
"max-reports": "",
"status": ""
}
]
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Schedule | Name or ID of the schedule using which you want to run the report. Note: You can get the name or ID of the schedule using the "Get Report Schedule List" action. |
| Report ID | ID of the report that you want to run on Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": ""
},
"id": ""
}
| Parameter | Description |
|---|---|
| Task ID | Task ID of the generated report that you want to retrieve from Fortinet FortiAnalyzer and adds that report file as an 'Attachment' in FortiSOAR. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": "",
"length": "",
"name": "",
"data-type": "",
"checksum": "",
"data": ""
},
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| User IDs | List of user IDs based on which you want to fetch user information from Fortinet FortiAnalyzer. For example, 1043,1055 or 1043. |
| Filter | Query filter using which you want to filter users to be fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost' |
| Detail Level | Level of detail that you want to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default) or Extended. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say users starting from the 10th user. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the users by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"workphone": "",
"socialid": {
"data": []
},
"gender": "",
"authtype": "",
"euname": "",
"euuuid": "",
"euid": "",
"title": "",
"eugroup": "",
"employeeid": "",
"email": "",
"lastseen": "",
"workemail": "",
"firstseen": "",
"phone": "",
"firstname": "",
"birthday": "",
"homeaddr": "",
"lastname": "",
"workaddr": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Endpoint IDs | List of endpoint IDs based on which you want to fetch endpoint information from Fortinet FortiAnalyzer. For example, 1047,1077 or 1077.The list of endpoint ID's. e.g. 1047,1077 or 1077 |
| Filter | Query filter using which you want to filter endpoints to be fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3' |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoint starting from the 10th endpoint. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the endpoints by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"epname": "",
"fctuid": "",
"detecttype": "",
"osname": "",
"detectkey": "",
"macip": [
{
"lastseen": "",
"epip": "",
"mac": ""
}
],
"lastseen": "",
"adomoid": "",
"epid": "",
"epdevtype": "",
"osversion": "",
"vd": "",
"devid": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Device Type | List of device types using which you want to retrieve log fields from Fortinet FortiAnalyzer. You can add device types such as FortiGate, FortiClient, FortiMail, FortiWeb, FortiSandbox, FortiDDos, FortiDeceptor, etc. |
| Log Type | Type of log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Subtype | Subtype of the log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. For example, logdev, system, fazsys, logging, logfile, dvm, etc. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
],
"private-field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID | ID of the device hosting the log file whose content you want to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Name of the log file whose content you want to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM using which you want to filter log files and retrieve the log file content from Fortinet FortiAnalyzer. For example, root |
| Data Type | Type of returned data of log file whose content you want to retrieve from Fortinet FortiAnalyzer. e.g. 'text/gzip/base64, csv/gzip/base64', etc. Default is base64. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Length | (Optional) Length in bytes, of the file content, that this operation should return. Values supported are: Default is set to 1048576, Minimum Value is set to 1, and Maximum Value is set to 52428800. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"checksum": "",
"data": "",
"data-type": "",
"length": "",
"log-count": "",
"offset": "",
"logfile-orig-size": ""
}
}
| Parameter | Description |
|---|---|
| Device ID | ID of the device hosting the log file based on which you want to search for the log file in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Name of the log file that you want to search in Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM based on which you want to search the log file content in Fortinet FortiAnalyzer. For example, root. |
| Log Type | Type of log that you want to search in Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Case Sensitive | Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer. |
| Filter | Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, subtype='forward' and srcname='LAN-FSW-GUEST'. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Limit | (Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"logver": "",
"idseq": "",
"itime": "",
"devid": "",
"vd": "",
"date": "",
"time": "",
"logid": "",
"type": "",
"subtype": "",
"level": "",
"eventtime": "",
"tz": "",
"srcip": "",
"srcname": "",
"srcport": "",
"srcintf": "",
"srcintfrole": "",
"dstip": "",
"dstport": "",
"dstintf": "",
"dstintfrole": "",
"srcuuid": "",
"dstuuid": "",
"sessionid": "",
"proto": "",
"action": "",
"policyid": "",
"policytype": "",
"poluuid": "",
"service": "",
"dstcountry": "",
"srccountry": "",
"trandisp": "",
"duration": "",
"sentbyte": "",
"rcvdbyte": "",
"sentpkt": "",
"rcvdpkt": "",
"appcat": "",
"srchwvendor": "",
"osname": "",
"mastersrcmac": "",
"srcmac": "",
"srcserver": "",
"dtime": "",
"itime_t": "",
"devname": ""
}
],
"return-lines": "",
"total-count": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Device ID |
ID of the device hosting the log file whose state you want to retrieve from Fortinet FortiAnalyzer. For example, |
| Filename | Name of the log file whose state you want to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM using which you want to filter log files and retrieve the log file state from Fortinet FortiAnalyzer. For example, root. |
| Start Time | (Optional) Start DateTime from when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
| End Time | (Optional) Start DateTime till when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"device-file-list": [
{
"device-id": "",
"device-name": "",
"endtime": "",
"starttime": "",
"vdom-file-list": [
{
"endtime": "",
"logfile-list": {
"elog": {
"files": [
{
"endtime": "",
"filename": "",
"fsize": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
}
},
"starttime": "",
"vdom-name": ""
}
]
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID |
ID of the device hosting the log file based on which you want to start the search for logs in Fortinet FortiAnalyzer. For example, |
| Device Name | Name of the device based on which you want to start the search for logs from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Start Time | (Optional) Start DateTime from when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| End Time | (Optional) End DateTime till when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| Log Type | Type of log using which you want to filter logs to be searched in Fortinet FortiAnalyzer. You can choose from options such as Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Filter | Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer. |
| Time Order | Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| Task ID | ID of the task log search using which you want to retrieve the log search result from Fortinet FortiAnalyzer. For example, 193200136. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Limit | (Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"app": "",
"appcat": "",
"date": "",
"devid": "",
"devname": "",
"devtype": "",
"dstcountry": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"duration": "",
"itime": "",
"itime_t": "",
"level": "",
"logid": "",
"logver": "",
"mastersrcmac": "",
"osname": "",
"policyid": "",
"proto": "",
"rcvdbyte": "",
"rcvdpkt": "",
"sentbyte": "",
"sentpkt": "",
"service": "",
"sessionid": "",
"srccountry": "",
"srcintf": "",
"srcip": "",
"srcmac": "",
"srcname": "",
"srcport": "",
"subtype": "",
"time": "",
"trandisp": "",
"transip": "",
"transport": "",
"type": "",
"vd": ""
}
],
"percentage": "",
"return-lines": "",
"status": {
"code": "",
"message": ""
},
"tid": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Start Time | Start DateTime from when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | End DateTime till when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Alert IDs | List of alert IDs, i.e., the FAZ event IDs, based on which you want to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Device ID | ID of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Device Name | Name of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filter | Query filter using which you want to search for events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Maximum number of log records that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000. |
| Offset | Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"ack_flag": "",
"addi_info": "",
"alert_id": "",
"count": "",
"ctime": "",
"dev_name": "",
"devid": "",
"epid": "",
"epname": "",
"euid": "",
"euname": "",
"event_info": "",
"event_name": "",
"event_status": "",
"event_type": "",
"last_occurrence": "",
"last_update": "",
"read_flag": "",
"severity": "",
"trigger_name": "",
"vd_name": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Alert ID | List of alert IDs, i.e., FAZ event IDs, based on which you want to retrieve event logs from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361. |
| Limit | Maximum number of log records that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Time Order | Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"alert_log_seqnum": "",
"cat": "",
"catdesc": "",
"crlevel": "",
"crscore": "",
"devid": "",
"devname": "",
"direction": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"epid": "",
"euid": "",
"eventtype": "",
"fctuid": "",
"hostname": "",
"id": "",
"itime": "",
"level": "",
"logid": "",
"logver": "",
"method": "",
"msg": "",
"policyid": "",
"profile": "",
"proto": "",
"rcvdbyte": "",
"reqtype": "",
"sentbyte": "",
"service": "",
"sessionid": "",
"srcintf": "",
"srcip": "",
"srcport": "",
"subtype": "",
"type": "",
"unauthuser": "",
"url": "",
"vd": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated affected assets you want to retrieve from Fortinet FortiAnalyzer. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000 |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say assets starting from the 10th asset. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated attachments you want to retrieve from Fortinet FortiAnalyzer. |
| Attachment Type | The attachment type based on which you want to fetch the attachment for the specified incident. Values supported are: alertevent, sysnote, note, file, report, history, and logsearchfilter. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000 |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say attachments starting from the 10th attachment. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"attachid": "",
"attachtype": "",
"createtime": "",
"data": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Attachment ID | ID of the attachment that you want to update in Fortinet FortiAnalyzer. |
| Data | The attachment data in the 'json' format that you want to update in Fortinet FortiAnalyzer. |
| Attachment Source | (Optional) Attachment source that you want to update in the incident attachment, which you want to update in Fortinet FortiAnalyzer. You can specify one of the following options: manual or playbook. |
| Attachment Source ID | (Optional) ID of the attachment source, i.e., 'user name' if you have specified the manual type attachment source or 'playbook UUID' if you have specified the playbook type attachment source for the incident attachment that you want to update in Fortinet FortiAnalyzer. |
| Attachment Source Trigger | (Optional) Attachment Trigger information that you want to update in the incident attachment in Fortinet FortiAnalyzer. |
| Last User | (Optional) Name of the user name who updated the incident attachment that you want to update in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"oid": "",
"name": "",
"desc": "",
"state": "",
"mode": "",
"os_ver": "",
"mr": "",
"flags": "",
"mig_os_ver": "",
"mig_mr": "",
"obj_customize": "",
"tab_status": "",
"logview_customize": "",
"restricted_prds": "",
"log_db_retention_hours": "",
"log_file_retention_hours": "",
"log_disk_quota": "",
"log_disk_quota_split_ratio": "",
"log_disk_quota_alert_thres": "",
"uuid": "",
"create_time": "",
"workspace_mode": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_DEV |
| IP Address | IP address of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Serial number of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000166969 |
| OS Version | (Optional) OS version of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Slave Device Name | Name of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Slave Device Name: Branch_Dev_01 |
| Slave Device Serial Number | Serial number of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. Slave Device Serial Number: XXVM02TM20007936 |
| Master Device Name | Name of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Name: Enterprise_DEV |
| Master Device Serial Number | Serial number of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Serial Number: XXVM010000166969 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_Dev |
| IP Address | IP address of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Serial number of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000212677 |
| OS Version | (Optional) OS version of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"adm_pass": [
"",
""
],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device ID | (Optional) Device ID based on which you want to fetch the log status and the log rate per device from Fortinet FortiAnalyzer. Device ID: XXVM02TM20007478 |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"vdoms": [
{
"vdom": "",
"last-log-time": "",
"last-log-timestamp": "",
"lograte": ""
}
],
"devid": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device whose information you want to retrieve from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"adm_pass": [],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
| Serial Number | Serial number of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Serial Number: XXVM010000212677 |
| OS Version | (Optional) OS version of the device that you want to authorize in Fortinet FortiAnalyzer. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"faz.perm": "",
"flags": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to delete from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
The Sample - Fortinet FortiAnalyzer - 1.4.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiAnalyzer connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events and their related logs from FAZ. Currently, "events" in FAZ are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FAZ "Events" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from FAZ into FortiSOAR™. It also lets you pull some sample data from FAZ using which you can define the mapping of data between FAZ and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the FAZ event.
On the Field Mapping screen, map the fields of a FAZ event to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventtype parameter of a FAZ event to the type parameter of a FortiSOAR™ alert, click the Type field and then click the eventtype field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FAZ, so that the content gets pulled from the FAZ integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FAZ every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., events will be pulled from FAZ every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
Data ingestion in the Fortinet FortiAnalyzer connector v1.1.0 pulls "Incidents" from FAZ and in v1.2.0 and later, it pulls "Events". If you want to pull both Incidents and Events, then you need to create two configurations as follows:
FortiAnalyzer is the NOC-SOC security analysis tool built with an operations perspective. FortiAnalyzer (FAZ) supports analytics-powered use cases to provide better detection against breaches.
This document provides information about the Fortinet FortiAnalyzer Connector, which facilitates automated interactions with your Fortinet FortiAnalyzer server using FortiSOAR™ playbooks. Add the Fortinet FortiAnalyzer Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as creating and updating incidents on Fortinet FortiAnalyzer and retrieving user and endpoint information from Fortinet FortiAnalyzer.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiAnalyzer. Currently, "events" in Fortinet FortiAnalyzer are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section
Connector Version: 1.4.0
FortiSOAR™ Version Tested on: 6.4.4-3164
FortiAnalyzer Version Tested on: VM64-KVMv6.4.4 Interim build 4751
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiAnalyzer connector in version 1.4.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortianalyzer
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Username | Username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Password | Password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| ADOM Name | Administrative domain name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Port | Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Incident | Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint, and other input parameters you have specified. | create_incident Investigation |
| Get Incident | Retrieves all incidents or a specific incident from Fortinet FortiAnalyzer based on the input parameters you have specified. | list_incidents Investigation |
| Update Incident | Updates incident fields like severity, category, status, etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID and other input parameters you have specified. | update_incident_details Investigation |
| Get Events For Incident | Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID you have specified. | get_events_for_incident Investigation |
| Get Executed Report List | Retrieves a list of all executed reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the time frame you have specified. | get_reports Investigation |
| Get Report Schedule List | Retrieve a list of all report schedules from Fortinet FortiAnalyzer. | get_schedules Investigation |
| Run Report | Runs a report on the Fortinet FortiAnalyzer based on the report ID and schedule ID you have specified. | run_report Investigation |
| Get Report File | Retrieves a specific generated report file from Fortinet FortiAnalyzer based on the report ID you have specified and adds that report file to FortiSOAR as an 'Attachment' | get_generated_report Investigation |
| Get User Info | Retrieves information for all users or specific users from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_users Investigation |
| Get Endpoint Info | Retrieves information for all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_endpoints Investigation |
| List Log Fields | Retrieves all log fields from Fortinet FortiAnalyzer based on the device and log type and other input parameters you have specified. | list_log_fields Investigation |
| Get Log-File Content | Retrieves the content of a specified logfile from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | get_log_file_content Investigation |
| Log Search over Log-File | Runs a log search task for a single logfile from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | log_search_over_log_file Investigation |
| Get Log-File State | Retrieves the state of a log file from Fortinet FortiAnalyzer based on the device ID, filename, and other input parameters you have specified. | get_log_file_state Investigation |
| Start Log Search Request | Starts a new task to search for logs in Fortinet FortiAnalyzer based on the device ID, device name, and other input parameters you have specified. | start_log_search_request Investigation |
| Fetch Log Search Result by Task ID | Starts a new task to retrieve the log search results from Fortinet FortiAnalyzer based on the task ID and other input parameters you have specified. | fetch_log_search_result_by_task_id Investigation |
| Get Event | Retrieves all the events or a specific event from Fortinet FortiAnalyzer based on the input parameters you have specified. | get_alerts Investigation |
| Get Event Log | Retrieves the logs associated with a specific event from Fortinet FortiAnalyzer based on the FAZ event ID and other input parameters you have specified. | get_alert_event_logs Investigation |
| Get Incident Assets | Retrieves a list of assets affected by the specified incident from FortiAnalyzer based on the incident ID and other parameters you have specified. | get_incident_assets Investigation |
| Get Incident Attachments | Retrieves all attachments (i.e. Comments, Events, Report, Indicators etc.) associated with the specified incident from FortiAnalyzer based on the incident ID you have specified and other parameters you have specified. | get_attachments_for_incident Investigation |
| Update Incident Attachment | Updates incident attachment fields associated with a specific incident in FortiAnalyzer based on the incident ID and other input parameters you have specified | update_attachment Investigation |
| Get ADOMs | Retrieves all ADOMs from Fortinet FortiAnalyzer. | get_adoms Investigation |
| Add a Master Device | Adds a master device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_master_device Investigation |
| Add a Slave Device | Adds a slave device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, master device name, and master device serial number you have specified. | add_slave_device Investigation |
| Add a New Device | Adds a new device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_new_device Investigation |
| Get Devices | Retrieves all devices from the Fortinet FortiAnalyzer device manager database. | get_devices Investigation |
| Get Log Status | Retrieves the last log time and log rate per device[vdom] from Fortinet FortiAnalyzer. This operation retrieves the log status for all devices or the log status for particular devices based on the device ID you have specified. | get_log_status Investigation |
| Get Device Information | Retrieves device information from Fortinet FortiAnalyzer based on the device name you have specified. | get_device_info Investigation |
| Authorize Device | Authorizes the device in Fortinet FortiAnalyzer based on the device name, serial number and other input parameters you have specified. | authorize_device Investigation |
| Delete a Device | Deletes a specific device from Fortinet FortiAnalyzer based on the device name you have specified. | delete_device Investigation |
| Parameter | Description |
|---|---|
| Incident Reporter | Name of reporter of the incident that you want to create in Fortinet FortiAnalyzer. |
| Affected Endpoint | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Assigned To | (Optional) Name of person to which you want to assign the incident that you want to create in Fortinet FortiAnalyzer. |
| Category | (Optional) Category in which you want to create the incident in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Severity | (Optional) Severity level that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
| Status | (Optional) Status that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. |
| Description | (Optional) Description of the incident that you want to create in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Additional fields in the JSON format that you want to add to the incident, which you want to create in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
{
"result": {
"incid": ""
},
"jsonrpc": "",
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | List of incident IDs based on which you want to retrieve incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Status of the incident using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Filter | Query filter using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
| Detail Level | Level of detail that you want to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the incidents by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"severity": "",
"category": "",
"incid": "",
"euid": "",
"description": "",
"endpoint": "",
"refinfo": "",
"attach_revision": "",
"epid": "",
"createtime": "",
"status": "",
"attach_lastupdate": "",
"lastuser": "",
"revision": "",
"reporter": "",
"lastupdate": ""
}
],
"status": {
"code": "",
"message": ""
},
"detail-level": ""
},
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident that you want to update in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Name of person to which you want to assign the incident that you want to update in Fortinet FortiAnalyzer. |
| Category | (Optional) Category that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
| Status | (Optional) Status that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Affected Endpoint | (Optional) Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Severity | (Optional) Severity level that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low. |
| End User ID | (Optional) ID of the end user that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. |
| Description | (Optional) Description of the incident that you want to update in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Additional fields in the JSON format that you want to modify in the incident, which you want to update in Fortinet FortiAnalyzer. For example, {"epid":123} |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"status": {
"code": "",
"message": ""
}
},
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated events you want to retrieve from Fortinet FortiAnalyzer. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say events starting from the 10th event. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"createtime": "",
"data": "",
"incid": "",
"lastuser": "",
"attachid": "",
"lastupdate": "",
"revision": "",
"attachtype": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| State | State of the executed report that you want to retrieve from Fortinet FortiAnalyzer. The states that are supported are: pending-running or generated. |
| Start Time | Starting DateTime from when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports. |
| End Time | Ending DateTime till when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports. |
The output contains the following populated JSON schema:
{
"result": {
"count": "",
"revision": "",
"data": [
{
"devtype": "",
"state": "",
"profileid": "",
"date": "",
"title": "",
"timestamp-end": "",
"adminuser": "",
"schedule_color": "",
"format": [],
"tid": "",
"progress-percent": "",
"name": "",
"period-end": "",
"end": "",
"timestamp-start": "",
"start": "",
"period-start": ""
}
]
},
"jsonrpc": "",
"id": ""
}
None.
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
},
"data": [
{
"report-per-device": "",
"week-start": "",
"date-format": "",
"include-other": "",
"period-last-n": "",
"period-opt": "",
"display-device-by": "",
"schedule-valid-end": [],
"devices": [
{
"devices-name": ""
}
],
"schedule-color": "",
"filter": "",
"admin-user": "",
"filter-type": "",
"report-layout": [
{
"layout-id": ""
}
],
"email-report-per-device": "",
"language": "",
"ldap-user-case-change": "",
"orientation": "",
"name": "",
"time-period": "",
"print-report-filters": "",
"schedule-type": "",
"ldap-server": "",
"auto-hcache": "",
"display-table-contents": "",
"filter-logic": "",
"obfuscate-user": "",
"device-list-type": "",
"include-coverpage": "",
"output-format": "",
"schedule-valid-start": [],
"resolve-hostname": "",
"ldap-query": "",
"schedule-frequency": "",
"output-profile": "",
"dev-type": "",
"max-reports": "",
"status": ""
}
]
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Schedule | Name or ID of the schedule using which you want to run the report. Note: You can get the name or ID of the schedule using the "Get Report Schedule List" action. |
| Report ID | ID of the report that you want to run on Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": ""
},
"id": ""
}
| Parameter | Description |
|---|---|
| Task ID | Task ID of the generated report that you want to retrieve from Fortinet FortiAnalyzer and adds that report file as an 'Attachment' in FortiSOAR. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": "",
"length": "",
"name": "",
"data-type": "",
"checksum": "",
"data": ""
},
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| User IDs | List of user IDs based on which you want to fetch user information from Fortinet FortiAnalyzer. For example, 1043,1055 or 1043. |
| Filter | Query filter using which you want to filter users to be fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost' |
| Detail Level | Level of detail that you want to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default) or Extended. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say users starting from the 10th user. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the users by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"workphone": "",
"socialid": {
"data": []
},
"gender": "",
"authtype": "",
"euname": "",
"euuuid": "",
"euid": "",
"title": "",
"eugroup": "",
"employeeid": "",
"email": "",
"lastseen": "",
"workemail": "",
"firstseen": "",
"phone": "",
"firstname": "",
"birthday": "",
"homeaddr": "",
"lastname": "",
"workaddr": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Endpoint IDs | List of endpoint IDs based on which you want to fetch endpoint information from Fortinet FortiAnalyzer. For example, 1047,1077 or 1077.The list of endpoint ID's. e.g. 1047,1077 or 1077 |
| Filter | Query filter using which you want to filter endpoints to be fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3' |
| Limit | Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000". |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoint starting from the 10th endpoint. By default, this is set as 0 and the minimum supported value is "0". |
| Sort | Select this checkbox if you want to sort the endpoints by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters:
|
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"epname": "",
"fctuid": "",
"detecttype": "",
"osname": "",
"detectkey": "",
"macip": [
{
"lastseen": "",
"epip": "",
"mac": ""
}
],
"lastseen": "",
"adomoid": "",
"epid": "",
"epdevtype": "",
"osversion": "",
"vd": "",
"devid": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Device Type | List of device types using which you want to retrieve log fields from Fortinet FortiAnalyzer. You can add device types such as FortiGate, FortiClient, FortiMail, FortiWeb, FortiSandbox, FortiDDos, FortiDeceptor, etc. |
| Log Type | Type of log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Subtype | Subtype of the log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. For example, logdev, system, fazsys, logging, logfile, dvm, etc. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
],
"private-field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID | ID of the device hosting the log file whose content you want to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Name of the log file whose content you want to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM using which you want to filter log files and retrieve the log file content from Fortinet FortiAnalyzer. For example, root |
| Data Type | Type of returned data of log file whose content you want to retrieve from Fortinet FortiAnalyzer. e.g. 'text/gzip/base64, csv/gzip/base64', etc. Default is base64. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Length | (Optional) Length in bytes, of the file content, that this operation should return. Values supported are: Default is set to 1048576, Minimum Value is set to 1, and Maximum Value is set to 52428800. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"checksum": "",
"data": "",
"data-type": "",
"length": "",
"log-count": "",
"offset": "",
"logfile-orig-size": ""
}
}
| Parameter | Description |
|---|---|
| Device ID | ID of the device hosting the log file based on which you want to search for the log file in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Name of the log file that you want to search in Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM based on which you want to search the log file content in Fortinet FortiAnalyzer. For example, root. |
| Log Type | Type of log that you want to search in Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Case Sensitive | Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer. |
| Filter | Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, subtype='forward' and srcname='LAN-FSW-GUEST'. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Limit | (Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"logver": "",
"idseq": "",
"itime": "",
"devid": "",
"vd": "",
"date": "",
"time": "",
"logid": "",
"type": "",
"subtype": "",
"level": "",
"eventtime": "",
"tz": "",
"srcip": "",
"srcname": "",
"srcport": "",
"srcintf": "",
"srcintfrole": "",
"dstip": "",
"dstport": "",
"dstintf": "",
"dstintfrole": "",
"srcuuid": "",
"dstuuid": "",
"sessionid": "",
"proto": "",
"action": "",
"policyid": "",
"policytype": "",
"poluuid": "",
"service": "",
"dstcountry": "",
"srccountry": "",
"trandisp": "",
"duration": "",
"sentbyte": "",
"rcvdbyte": "",
"sentpkt": "",
"rcvdpkt": "",
"appcat": "",
"srchwvendor": "",
"osname": "",
"mastersrcmac": "",
"srcmac": "",
"srcserver": "",
"dtime": "",
"itime_t": "",
"devname": ""
}
],
"return-lines": "",
"total-count": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Device ID |
ID of the device hosting the log file whose state you want to retrieve from Fortinet FortiAnalyzer. For example, |
| Filename | Name of the log file whose state you want to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Name of the VDOM using which you want to filter log files and retrieve the log file state from Fortinet FortiAnalyzer. For example, root. |
| Start Time | (Optional) Start DateTime from when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
| End Time | (Optional) Start DateTime till when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"device-file-list": [
{
"device-id": "",
"device-name": "",
"endtime": "",
"starttime": "",
"vdom-file-list": [
{
"endtime": "",
"logfile-list": {
"elog": {
"files": [
{
"endtime": "",
"filename": "",
"fsize": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
}
},
"starttime": "",
"vdom-name": ""
}
]
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID |
ID of the device hosting the log file based on which you want to start the search for logs in Fortinet FortiAnalyzer. For example, |
| Device Name | Name of the device based on which you want to start the search for logs from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Start Time | (Optional) Start DateTime from when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| End Time | (Optional) End DateTime till when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| Log Type | Type of log using which you want to filter logs to be searched in Fortinet FortiAnalyzer. You can choose from options such as Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| Filter | Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer. |
| Time Order | Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| Task ID | ID of the task log search using which you want to retrieve the log search result from Fortinet FortiAnalyzer. For example, 193200136. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Limit | (Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"app": "",
"appcat": "",
"date": "",
"devid": "",
"devname": "",
"devtype": "",
"dstcountry": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"duration": "",
"itime": "",
"itime_t": "",
"level": "",
"logid": "",
"logver": "",
"mastersrcmac": "",
"osname": "",
"policyid": "",
"proto": "",
"rcvdbyte": "",
"rcvdpkt": "",
"sentbyte": "",
"sentpkt": "",
"service": "",
"sessionid": "",
"srccountry": "",
"srcintf": "",
"srcip": "",
"srcmac": "",
"srcname": "",
"srcport": "",
"subtype": "",
"time": "",
"trandisp": "",
"transip": "",
"transport": "",
"type": "",
"vd": ""
}
],
"percentage": "",
"return-lines": "",
"status": {
"code": "",
"message": ""
},
"tid": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Start Time | Start DateTime from when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | End DateTime till when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Alert IDs | List of alert IDs, i.e., the FAZ event IDs, based on which you want to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Device ID | ID of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Device Name | Name of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filter | Query filter using which you want to search for events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Maximum number of log records that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000. |
| Offset | Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"ack_flag": "",
"addi_info": "",
"alert_id": "",
"count": "",
"ctime": "",
"dev_name": "",
"devid": "",
"epid": "",
"epname": "",
"euid": "",
"euname": "",
"event_info": "",
"event_name": "",
"event_status": "",
"event_type": "",
"last_occurrence": "",
"last_update": "",
"read_flag": "",
"severity": "",
"trigger_name": "",
"vd_name": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Alert ID | List of alert IDs, i.e., FAZ event IDs, based on which you want to retrieve event logs from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361. |
| Limit | Maximum number of log records that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000. |
| Offset | (Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0. |
| Time Order | Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"alert_log_seqnum": "",
"cat": "",
"catdesc": "",
"crlevel": "",
"crscore": "",
"devid": "",
"devname": "",
"direction": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"epid": "",
"euid": "",
"eventtype": "",
"fctuid": "",
"hostname": "",
"id": "",
"itime": "",
"level": "",
"logid": "",
"logver": "",
"method": "",
"msg": "",
"policyid": "",
"profile": "",
"proto": "",
"rcvdbyte": "",
"reqtype": "",
"sentbyte": "",
"service": "",
"sessionid": "",
"srcintf": "",
"srcip": "",
"srcport": "",
"subtype": "",
"type": "",
"unauthuser": "",
"url": "",
"vd": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated affected assets you want to retrieve from Fortinet FortiAnalyzer. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000 |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say assets starting from the 10th asset. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}
| Parameter | Description |
|---|---|
| Incident ID | ID of the incident whose associated attachments you want to retrieve from Fortinet FortiAnalyzer. |
| Attachment Type | The attachment type based on which you want to fetch the attachment for the specified incident. Values supported are: alertevent, sysnote, note, file, report, history, and logsearchfilter. |
| Limit | Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000 |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say attachments starting from the 10th attachment. By default, this is set as 0 and the minimum supported value is "0". |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"attachid": "",
"attachtype": "",
"createtime": "",
"data": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Attachment ID | ID of the attachment that you want to update in Fortinet FortiAnalyzer. |
| Data | The attachment data in the 'json' format that you want to update in Fortinet FortiAnalyzer. |
| Attachment Source | (Optional) Attachment source that you want to update in the incident attachment, which you want to update in Fortinet FortiAnalyzer. You can specify one of the following options: manual or playbook. |
| Attachment Source ID | (Optional) ID of the attachment source, i.e., 'user name' if you have specified the manual type attachment source or 'playbook UUID' if you have specified the playbook type attachment source for the incident attachment that you want to update in Fortinet FortiAnalyzer. |
| Attachment Source Trigger | (Optional) Attachment Trigger information that you want to update in the incident attachment in Fortinet FortiAnalyzer. |
| Last User | (Optional) Name of the user name who updated the incident attachment that you want to update in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"oid": "",
"name": "",
"desc": "",
"state": "",
"mode": "",
"os_ver": "",
"mr": "",
"flags": "",
"mig_os_ver": "",
"mig_mr": "",
"obj_customize": "",
"tab_status": "",
"logview_customize": "",
"restricted_prds": "",
"log_db_retention_hours": "",
"log_file_retention_hours": "",
"log_disk_quota": "",
"log_disk_quota_split_ratio": "",
"log_disk_quota_alert_thres": "",
"uuid": "",
"create_time": "",
"workspace_mode": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_DEV |
| IP Address | IP address of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Serial number of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000166969 |
| OS Version | (Optional) OS version of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Slave Device Name | Name of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Slave Device Name: Branch_Dev_01 |
| Slave Device Serial Number | Serial number of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. Slave Device Serial Number: XXVM02TM20007936 |
| Master Device Name | Name of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Name: Enterprise_DEV |
| Master Device Serial Number | Serial number of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Serial Number: XXVM010000166969 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_Dev |
| IP Address | IP address of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Serial number of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000212677 |
| OS Version | (Optional) OS version of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"adm_pass": [
"",
""
],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device ID | (Optional) Device ID based on which you want to fetch the log status and the log rate per device from Fortinet FortiAnalyzer. Device ID: XXVM02TM20007478 |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"vdoms": [
{
"vdom": "",
"last-log-time": "",
"last-log-timestamp": "",
"lograte": ""
}
],
"devid": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device whose information you want to retrieve from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"adm_pass": [],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
| Serial Number | Serial number of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Serial Number: XXVM010000212677 |
| OS Version | (Optional) OS version of the device that you want to authorize in Fortinet FortiAnalyzer. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"faz.perm": "",
"flags": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Name of the device that you want to delete from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
The Sample - Fortinet FortiAnalyzer - 1.4.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiAnalyzer connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events and their related logs from FAZ. Currently, "events" in FAZ are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FAZ "Events" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from FAZ into FortiSOAR™. It also lets you pull some sample data from FAZ using which you can define the mapping of data between FAZ and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the FAZ event.
On the Field Mapping screen, map the fields of a FAZ event to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventtype parameter of a FAZ event to the type parameter of a FortiSOAR™ alert, click the Type field and then click the eventtype field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FAZ, so that the content gets pulled from the FAZ integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FAZ every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., events will be pulled from FAZ every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
Data ingestion in the Fortinet FortiAnalyzer connector v1.1.0 pulls "Incidents" from FAZ and in v1.2.0 and later, it pulls "Events". If you want to pull both Incidents and Events, then you need to create two configurations as follows:
