Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.
This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.
If you want bidirectional integration between FortiSIEM and FortiSOAR™, then you can use the FortiSIEM app. The FortiSIEM app pushes incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts, and when these alerts are closed then the corresponding incidents are automatically cleared in FortiSIEM. To get the FortiSIEM app and the procedure on how to install and configure it, see the FortiSOAR™ - FortiSIEM Application section.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 4.12.0-746
Fortinet FortiSIEM Version Tested on: 5.0.1
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiSIEM connector in version 2.1.0:
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Username | Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Password | Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Domain | Domain that you will access on the Fortinet FortiSIEM server to perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices Investigation |
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices Investigation |
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains Investigation |
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the search criteria you have specified. | get_incidents Investigation |
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment Investigation |
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident Investigation |
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server based on the incident ID you have specified. | get_associated_events Investigation |
None.
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@name": "",
"@id": ""
},
"approved": "",
"discoverMethod": "",
"creationMethod": "",
"version": "",
"updateMethod": "",
"name": "",
"deviceType": {
"vendor": "",
"jobWeight": "",
"model": "",
"version": "",
"accessProtocols": ""
},
"accessIp": "",
"discoverTime": "",
"unmanaged": ""
}
]
}
}
Parameter | Description |
---|---|
Include IP SET | IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format. For example, 192.168.20.1-192.168.20.100 |
Exclude IP SET | (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format. |
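The Include IP SET and Exclude IP SET parameters accept either a range or a comma-separated list. The following is an added example (not connector code, and not Fortinet's) that expands both forms and applies them to a device list shaped like the connector's Get All Devices output. The sample payload, the size cap on ranges, and the device names are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Guard against a mistyped range such as "10.0.0.1-10.255.255.254" expanding to
# millions of addresses. This limit is my own, not a connector or FortiSIEM setting.
MAX_RANGE_SIZE = 65_536


def parse_ip_set(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand an IP SET string into individual IPv4 addresses.

    Accepts the two forms the parameter table describes: a range such as
    "192.168.20.1-192.168.20.100" or a .csv list such as "10.0.0.1, 10.0.0.7".
    The two forms may also be mixed ("10.0.0.1-10.0.0.3,10.0.1.9").
    """
    addrs: Set[ipaddress.IPv4Address] = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = ipaddress.IPv4Address(lo_s.strip())
            hi = ipaddress.IPv4Address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range end precedes start: {part}")
            if int(hi) - int(lo) + 1 > MAX_RANGE_SIZE:
                raise ValueError(f"range too large: {part}")
            addrs.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        else:
            addrs.add(ipaddress.IPv4Address(part))
    return addrs


def filter_devices(payload: Dict, include: str, exclude: Optional[str] = None) -> List[Dict]:
    """Return device records whose accessIp is inside `include` and outside `exclude`."""
    wanted = parse_ip_set(include)
    unwanted = parse_ip_set(exclude) if exclude else set()
    selected: List[Dict] = []
    for dev in payload.get("devices", {}).get("device", []):
        try:
            ip = ipaddress.IPv4Address(dev.get("accessIp", ""))
        except ValueError:
            continue  # a device without a usable accessIp cannot match either set
        if ip in wanted and ip not in unwanted:
            selected.append(dev)
    return selected


# Constructed sample payload following the connector's Get All Devices schema.
SAMPLE_DEVICES = {
    "devices": {
        "device": [
            {"name": "core-sw-01", "accessIp": "192.168.20.5",
             "organization": {"@name": "Super", "@id": "1"}, "unmanaged": "false"},
            {"name": "fw-edge-01", "accessIp": "192.168.20.50",
             "organization": {"@name": "Super", "@id": "1"}, "unmanaged": "false"},
            {"name": "lab-host", "accessIp": "192.168.21.7",
             "organization": {"@name": "Lab", "@id": "2"}, "unmanaged": "true"},
            {"name": "no-ip-entry", "accessIp": "",
             "organization": {"@name": "Lab", "@id": "2"}, "unmanaged": "true"},
        ]
    }
}

if __name__ == "__main__":
    for d in filter_devices(SAMPLE_DEVICES, "192.168.20.1-192.168.20.100", "192.168.20.50"):
        print(d["name"], d["accessIp"])
```

Validating the IP SET before the playbook step runs gives a clear error for a reversed or oversized range instead of an opaque failure from the server.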
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@name": "",
"@id": ""
},
"approved": "",
"discoverMethod": "",
"creationMethod": "",
"version": "",
"updateMethod": "",
"name": "",
"deviceType": {
"vendor": "",
"jobWeight": "",
"model": "",
"version": "",
"accessProtocols": ""
},
"accessIp": "",
"discoverTime": "",
"unmanaged": ""
}
]
}
}
Parameter | Description |
---|---|
Device IP | IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server. |
Output
The output contains the following populated JSON schema:
{
"device": {
"approved": "",
"discoverMethod": "",
"raidGroups": "",
"applications": "",
"ipToHostNames": "",
"storageGroups": "",
"unmanaged": "",
"storages": "",
"softwarePatches": "",
"updateMethod": "",
"accessIp": "",
"softwareServices": "",
"processors": "",
"sanControllerPorts": "",
"interfaces": "",
"name": "",
"components": "",
"creationMethod": "",
"version": "",
"organization": {
"@name": "",
"@id": ""
},
"deviceType": {
"vendor": "",
"jobWeight": "",
"model": "",
"version": "",
"category": ""
},
"discoverTime": "",
"luns": ""
}
}
None.
The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"organization": "",
"deviceType": "",
"accessIp": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceName": ""
}
}
}
}
None.
No output schema is available at this time.
Parameter | Description |
---|---|
Search | Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, or Organization. By default, this option is set as Incident Status. |
Search Value | Value of the search criteria, corresponding to what you have selected in the Search parameter. For example, in the case of Incident Status, you must select the status of the incident (Active or Cleared) based on which you want to retrieve incidents from the Fortinet FortiSIEM server. If you select Host, then you must specify the hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server. |
Time Selection | (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time. For example, if you select Absolute Time, then you must specify the datetime. In the case of Relative Time, you have to specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves a list of incidents that have occurred in the last 2 hours, from the Fortinet FortiSIEM server. |
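To make the Search, Search Value and Time Selection parameters concrete, here is an added example (my own illustration, not connector code) that computes the relative and absolute time windows described above and applies the search criteria to a constructed incident list. The incident field names (`status`, `host`, `lastSeen`, and so on), the Minutes and Days units, and the sample records are assumptions for the example; only Hours is named on the page.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Units for the Relative Time drop-down. The page names Hours; Minutes and Days
# are assumed here for illustration.
RELATIVE_UNITS = {"Minutes": "minutes", "Hours": "hours", "Days": "days"}

# Search options from the parameter table, mapped to keys of the constructed
# incident records below (the key names are hypothetical, not FortiSIEM's).
SEARCH_FIELDS = {
    "Incident Status": "status",
    "Severity": "severity",
    "Host": "host",
    "IP": "ip",
    "Organization": "organization",
}


def relative_window(last: int, unit: str,
                    now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Window for Relative Time: the last `last` units, ending at `now`."""
    if unit not in RELATIVE_UNITS:
        raise ValueError(f"unsupported unit: {unit}")
    if last <= 0:
        raise ValueError("Last must be a positive integer")
    end = now or datetime.now(timezone.utc)
    return end - timedelta(**{RELATIVE_UNITS[unit]: last}), end


def absolute_window(start: datetime, end: datetime) -> Tuple[datetime, datetime]:
    """Window for Absolute Time: an explicit start and end datetime."""
    if end < start:
        raise ValueError("end precedes start")
    return start, end


def list_incidents(incidents: List[Dict], search: str, search_value: str,
                   window: Optional[Tuple[datetime, datetime]] = None) -> List[Dict]:
    """Filter constructed incident records by one criterion and an optional time window."""
    if search not in SEARCH_FIELDS:
        raise ValueError(f"unknown search criterion: {search}")
    key = SEARCH_FIELDS[search]
    matched: List[Dict] = []
    for inc in incidents:
        if str(inc.get(key, "")).lower() != search_value.lower():
            continue
        if window is not None:
            seen = datetime.fromisoformat(inc["lastSeen"])
            if not (window[0] <= seen <= window[1]):
                continue
        matched.append(inc)
    return matched


# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample incidents; field names are illustrative only.
SAMPLE_INCIDENTS = [
    {"incidentId": 101, "status": "Active", "severity": "HIGH", "host": "web-01",
     "ip": "10.0.0.5", "organization": "Super", "lastSeen": "2024-01-15T11:30:00+00:00"},
    {"incidentId": 102, "status": "Active", "severity": "LOW", "host": "db-01",
     "ip": "10.0.0.9", "organization": "Super", "lastSeen": "2024-01-15T07:00:00+00:00"},
    {"incidentId": 103, "status": "Cleared", "severity": "MEDIUM", "host": "web-01",
     "ip": "10.0.0.5", "organization": "Lab", "lastSeen": "2024-01-15T11:45:00+00:00"},
]

if __name__ == "__main__":
    # "Hours", Last = 2: only incidents seen in the last two hours are returned.
    window = relative_window(2, "Hours", now=NOW)
    for inc in list_incidents(SAMPLE_INCIDENTS, "Incident Status", "Active", window):
        print(inc["incidentId"], inc["host"])
```

The window bounds are inclusive and time-zone aware; comparing naive and aware datetimes would raise in Python, which is the safer failure when timestamps from two systems disagree on zone.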
The output contains the following populated JSON schema:
{
"events": [
{
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": "",
"custId": "",
"dataStr": "",
"attributes": {}
}
],
"@start": "",
"@errorCode": "",
"@queryId": "",
"@totalCount": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server. |
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to clear from the Fortinet FortiSIEM server. |
Reason | Text of the reason that you want to provide while clearing the specified incident from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"events": [
{
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": "",
"custId": "",
"dataStr": "",
"attributes": {}
}
],
"@start": "",
"@errorCode": "",
"@queryId": "",
"@totalCount": ""
}
The Sample - Fortinet FortiSIEM - 2.1.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. These playbooks contain steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
The FortiSIEM app allows bidirectional integration with the FortiSOAR™ UI. You can use the FortiSIEM app to push incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts, and when these alerts are closed in FortiSOAR™ the corresponding incidents are automatically cleared in FortiSIEM.
Applies to: FortiSIEM version 5.1.2.
FortiSIEM Application Version: 1.1.0
FortiSOAR™ Version Tested on: 4.11.1-468
Compatibility with Fortinet FortiSIEM Connector Versions: 2.0.0 and later
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the FortiSIEM application in version 1.1.0:
Prerequisites: Ensure that the Alerts module in FortiSOAR™ has a field named sourcedata, as shown in the following image. This field is required to be set as above so that the incident data from FortiSIEM can be added to this field in the JSON format. Also ensure that the Alerts module has a field named closedby, whose Field Type is set as Lookup (One to Many or One to One) and whose related module is set as People, as shown in the following image.
Installing the FortiSIEM app: Download the install-fortisiem-app_1_1_0.sh script that has been attached to this article and save it to an appropriate location on your FortiSIEM system. Make the script executable with chmod +x install-fortisiem-app_1_1_0.sh, then run the install-fortisiem-app.sh script. After running the install-fortisiem-app_1_1_0.sh script, you must wait a few minutes before you can log into FortiSIEM, as some of the services are restarted and a few minutes are required to start all the services.
Configuring the FortiSIEM app: Open the Integrations Policy screen, as shown in the following image. On the Integrations Policy screen, click the Add button, which displays a form as shown in the following image. In the Integrations Policy form, fill in the following details for the Outbound integration: the vendor is CyberSponse and the integration implementation class is com.accelops.phoenix.cybersponse.CybersponseIntegrationServiceImpl. Then create the Inbound integration by opening the Integrations Policy form and entering all the required details. Ensure that you select the same vendor and instance as you specified while configuring your outbound integration.
After you have completed creating your outbound and inbound integration policies, you must configure the outbound/inbound integrations as follows: On the Incident Notification Policy screen, click New, which displays a form as shown in the following image. In the Notification Policy form, select the Invoke an integration policy checkbox, and select the Outbound integration policy that you have created. Then open the Integrations Policy Schedules screen, as shown in the following image, and complete the schedule configuration on that screen.
In version 1.1.0 of the FortiSIEM app, you can map various parameters between FortiSOAR™ and FortiSIEM. You can map these parameters in the cybersponse-app.properties file that is located at /opt/glassfish3/glassfish/domains/domain1/config/cybersponse-app.properties.
A brief description of the parameters follows:
cyops.closed.state = Closed
cyops.open.state = Open
cyops.alert.closedby = closedby
This parameter contains the name of the closed-by field defined in the Alerts module in FortiSOAR™. This field is described in the "Prerequisites" section.
cyops.field_mapping.fortiSiemSource = source
This is the parameter that contains the name of the field that you want to map as the source field in FortiSOAR™. You can change the name of this parameter if required.
cyops.field_mapping.fortiSiemSource.value = "FortiSIEM"
This is the parameter that contains the value you want to populate in the source field in FortiSOAR™. By default, the value of the parameter is set to "FortiSIEM".
fortisiem.organisation.name = cybersponse
This is the parameter that contains the name of the organisation that you want to update in the incident in FortiSIEM. By default, this parameter is set to cybersponse.
cyops.field_mapping.tenant = tenant
This is the parameter that contains the name of the Tenant field defined in FortiSOAR™. This parameter is applicable only for multitenancy.
cyops.field_mapping.IncidentId= sourceId
This parameter contains the name of the FortiSOAR™ field in which the FortiSIEM Incident ID is populated. You can change the name of this parameter if required.
fortisiem.module_mapping.severity=HIGH:alerts,MEDIUM:alerts,LOW:alerts
This is the parameter that contains the Severity mapping based on which you will push the incidents from FortiSIEM to different modules in FortiSOAR™. By default, incidents with severity high, medium, and low are all pushed to the alerts module in FortiSOAR™.
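To show how these properties drive the two directions of the integration, here is an added example (my own illustration, not the FortiSIEM app's code) that reads a properties file in the format above, parses the severity-to-module mapping, builds the FortiSOAR™ record for one constructed FortiSIEM incident, and decides when a closed alert should clear its FortiSIEM incident. The sample properties copy the documented keys and defaults; the incident and alert dictionaries and their keys (`incidentId`, `severity`, `customer`) are constructed for the example and are not FortiSIEM's own schema.

```python
import json
from typing import Dict, Tuple

# Constructed copy of the documented keys and their default values.
SAMPLE_PROPERTIES = """
# cybersponse-app.properties (sample for illustration)
cyops.closed.state = Closed
cyops.open.state = Open
cyops.alert.closedby = closedby
cyops.field_mapping.fortiSiemSource = source
cyops.field_mapping.fortiSiemSource.value = "FortiSIEM"
fortisiem.organisation.name = cybersponse
cyops.field_mapping.tenant = tenant
cyops.field_mapping.IncidentId= sourceId
fortisiem.module_mapping.severity=HIGH:alerts,MEDIUM:alerts,LOW:alerts
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties reader: key = value, # or ! comments, quotes stripped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[key.strip()] = value
    return props


def parse_severity_mapping(spec: str) -> Dict[str, str]:
    """Turn 'HIGH:alerts,MEDIUM:alerts,LOW:alerts' into {'HIGH': 'alerts', ...}."""
    mapping: Dict[str, str] = {}
    for pair in spec.split(","):
        severity, sep, module = pair.partition(":")
        if not sep or not severity.strip() or not module.strip():
            raise ValueError(f"malformed severity mapping entry: {pair!r}")
        mapping[severity.strip().upper()] = module.strip()
    return mapping


def build_fortisoar_record(props: Dict[str, str], incident: Dict) -> Tuple[str, Dict]:
    """Choose the target module and build the record for one FortiSIEM incident.

    `incident` is a constructed dict; its keys are illustrative only.
    """
    modules = parse_severity_mapping(props["fortisiem.module_mapping.severity"])
    severity = str(incident["severity"]).upper()
    if severity not in modules:
        raise ValueError(f"no module mapped for severity {severity}")
    record = {
        props["cyops.field_mapping.fortiSiemSource"]: props["cyops.field_mapping.fortiSiemSource.value"],
        props["cyops.field_mapping.IncidentId"]: incident["incidentId"],
        "sourcedata": json.dumps(incident, sort_keys=True),  # the prerequisite JSON field
        "status": props["cyops.open.state"],
    }
    if incident.get("customer"):  # tenant mapping applies only to multitenant setups
        record[props["cyops.field_mapping.tenant"]] = incident["customer"]
    return modules[severity], record


def should_clear_in_fortisiem(props: Dict[str, str], alert: Dict) -> bool:
    """Reverse direction: an alert closed in FortiSOAR clears its FortiSIEM incident.

    Both the closed state and a populated closedby lookup are required, so an
    alert that is still Open, or closed without an actor, never triggers a clear.
    """
    closed_by_field = props["cyops.alert.closedby"]
    return alert.get("status") == props["cyops.closed.state"] and bool(alert.get(closed_by_field))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    module, record = build_fortisoar_record(
        props, {"incidentId": 4711, "severity": "high", "customer": "/api/3/tenants/example"})
    print(module, record)
```

Requiring the closedby lookup as well as the Closed state is why the page lists that field as a prerequisite: it records who closed the alert, which the clear-with-reason action on the FortiSIEM side can then carry.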
To enable the FortiSIEM app to work with FortiSOAR™ systems that have multitenancy configured, you must add the IRIs of your tenants (in the corresponding External Company IDs) in the Org Mapping field of the Outbound Integration Policy on your FortiSIEM system, along with the other details that are specified in the configuration for the Outbound integration:
install-fortisiem-app_1_1_0.sh