
Fortinet FortiSIEM

Fortinet FortiSIEM v2.2.0


About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

About the FortiSIEM app

If you want bidirectional integration between FortiSIEM and FortiSOAR™, then you can use the FortiSIEM app. The FortiSIEM app pushes incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts, and when these alerts are closed then the corresponding incidents are automatically cleared in FortiSIEM. To get the FortiSIEM app and the procedure on how to install and configure it, see the FortiSOAR™ - FortiSIEM Application section.

Version information

Connector Version: 2.2.0

FortiSOAR™ Version Tested on: 4.12.0-746

Fortinet FortiSIEM Version Tested on: 5.0.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.2.0

The following enhancements have been made to the Fortinet FortiSIEM connector in version 2.2.0:

  • Added the Organization parameter to the Get Device Information operation.
  • Added support for either explicitly adding an organization name or using a jinja expression for the Organization parameter in the List Incidents operation.
  • Added the From and To fields to the Absolute Time time selection option in case of the List Incidents operation, so that now you can use the calendar tool and specify the datetime.
  • Added the following new operations and playbooks:
    • List Report Templates
    • Get Report Template Details
    • Run Report

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-fortinet-fortisiem

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of a Fortinet FortiSIEM server to which you will connect and perform automated operations and the credentials, such as the username and password to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row, and in the Configure tab enter the required configuration details.

Parameter | Description
Server URL | URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username | Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password | Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Domain | Domain that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function | Description | Annotation | Category
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices | Investigation
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices | Investigation
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices | Investigation
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices | Investigation
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains | Investigation
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the search criteria you have specified. | get_incidents | Investigation
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment | Investigation
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident | Investigation
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID you have specified. | get_associated_events | Investigation
List Report Templates | Retrieves the list of all report templates, or a filtered list of report templates, from the Fortinet FortiSIEM server, based on the filter parameters that you have specified. | get_report_templates | Investigation
Get Report Template Details | Retrieves details of a specific report template from the Fortinet FortiSIEM server, based on the report ID you have specified. | get_report_template_attributes | Investigation
Run Report | Runs a report on the Fortinet FortiSIEM server, based on the conditions and other input parameters you have specified. | run_report | Investigation

operation: Get All Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter | Description
Include IP SET | IP addresses for which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in .csv format. For example, enter 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) | Range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in .csv format.
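The two accepted value forms (a start-end range, or a comma-separated list) are easy to get subtly wrong in a playbook, so the following added example (not connector code) expands an Include IP SET value, subtracts an Exclude IP SET value and returns the addresses actually selected. It generalizes the page's two forms by allowing a comma-separated list to mix single addresses and ranges, and it caps the range size, which is an assumption added here so that a mistyped range cannot exhaust memory.

```python
# Added example (not connector code): expand the Include IP SET / Exclude IP SET
# syntax used by the "Get All Devices For Specified IP Address Range" operation.
# Assumption (a generalisation of the two forms shown on the page): a comma-
# separated list may mix single addresses and "start-end" ranges.
import ipaddress
from typing import List, Set

# Refuse to expand a range larger than this, so a typo such as
# "10.0.0.0-10.255.255.255" cannot exhaust memory (limit chosen here, not by the page).
MAX_RANGE_SIZE = 65_536


def _expand_entry(entry: str) -> Set[ipaddress.IPv4Address]:
    """Expand one entry: either "a.b.c.d" or "a.b.c.d-w.x.y.z" (inclusive)."""
    entry = entry.strip()
    if not entry:
        return set()
    if "-" not in entry:
        return {ipaddress.IPv4Address(entry)}  # raises ValueError on junk input
    start_text, end_text = entry.split("-", 1)
    start = ipaddress.IPv4Address(start_text.strip())
    end = ipaddress.IPv4Address(end_text.strip())
    if end < start:
        raise ValueError(f"range end precedes range start: {entry!r}")
    size = int(end) - int(start) + 1
    if size > MAX_RANGE_SIZE:
        raise ValueError(f"range {entry!r} spans {size} addresses (limit {MAX_RANGE_SIZE})")
    return {ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)}


def parse_ip_set(spec: str) -> Set[ipaddress.IPv4Address]:
    """Parse a whole IP SET value: a single range or a comma-separated list."""
    addresses: Set[ipaddress.IPv4Address] = set()
    for entry in spec.split(","):
        addresses |= _expand_entry(entry)
    return addresses


def resolve_ip_set(include: str, exclude: str = "") -> List[str]:
    """Return the addresses selected by Include IP SET minus Exclude IP SET,
    as sorted dotted-quad strings, e.g. for "192.168.20.1-192.168.20.100"."""
    selected = parse_ip_set(include) - parse_ip_set(exclude)
    return [str(address) for address in sorted(selected)]


if __name__ == "__main__":
    print(resolve_ip_set("192.168.20.1-192.168.20.5, 10.0.0.1", "192.168.20.3"))
```

Running `resolve_ip_set` on a playbook input before the connector step is called makes a reversed range or a stray character fail loudly in the playbook rather than silently returning an empty device list.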

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get Device Information

Input parameters

Parameter | Description
Device IP | IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) | Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"discoverTime": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"components": "",
"version": "",
"organization": {
"@id": "",
"@name": ""
},
"storageGroups": "",
"unmanaged": "",
"processors": "",
"deviceType": {
"vendor": "",
"version": "",
"category": "",
"model": "",
"jobWeight": ""
},
"ipToHostNames": "",
"name": "",
"luns": "",
"updateMethod": "",
"softwarePatches": "",
"storages": "",
"applications": "",
"raidGroups": "",
"interfaces": "",
"softwareServices": "",
"creationMethod": "",
"sanControllerPorts": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: List Incidents

Input parameters

Parameter | Description
Search | Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, or Organization. By default, this option is set as Incident Status.
Search Value | Value of the search criteria, matching what you selected in the Search parameter. For example, in the case of Incident Status, you must select the status of the incident (Active or Cleared) based on which you want to retrieve incidents from the Fortinet FortiSIEM server; if you select Host, then you must specify the hostname based on which you want to retrieve incidents. Note: From version 2.2.0 of the Fortinet FortiSIEM connector, if you have selected Organization in the Search field, then you can either explicitly add the organization name or use a jinja expression to supply the value of the Organization.
Time Selection (Optional) | Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time. If you select Absolute Time, then you must specify the time range for which you want to retrieve the list of incidents in the From and To fields using the calendar tool. If you select Relative Time, then you must specify the time duration for which you want to retrieve the list of incidents. For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours.
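To make the Search, Search Value and Time Selection semantics concrete, here is an added example (not connector code) that applies one search criterion and a Relative or Absolute time window to a constructed incident list. The five criteria and the Hours unit come from the table above; the Minutes and Days units, the incident record field names and the sample incidents are assumptions made for the example.

```python
# Added example (not connector code): the selection logic behind "List Incidents"
# applied to a constructed incident list. The search criteria and the
# Relative/Absolute time selection follow the parameter table above; the
# "Minutes" and "Days" units and the record field names are assumptions.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility

# Constructed sample incidents, not data from a FortiSIEM server.
SAMPLE_INCIDENTS: List[Dict] = [
    {"id": 101, "status": "Active", "severity": "HIGH", "host": "web01",
     "ip": "10.0.0.5", "organization": "Super", "time": NOW - timedelta(minutes=30)},
    {"id": 102, "status": "Cleared", "severity": "LOW", "host": "db01",
     "ip": "10.0.0.6", "organization": "Super", "time": NOW - timedelta(hours=5)},
    {"id": 103, "status": "Active", "severity": "MEDIUM", "host": "web01",
     "ip": "10.0.0.5", "organization": "TenantA", "time": NOW - timedelta(hours=1, minutes=30)},
]

SEARCH_FIELDS = {"Incident Status": "status", "Severity": "severity",
                 "Host": "host", "IP": "ip", "Organization": "organization"}
RELATIVE_UNITS = {"Minutes": timedelta(minutes=1), "Hours": timedelta(hours=1),
                  "Days": timedelta(days=1)}


def time_window(selection: str = "Relative Time", now: datetime = NOW,
                unit: str = "Hours", last: int = 2,
                start: Optional[datetime] = None,
                end: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Turn the Time Selection parameters into an inclusive [start, end] window."""
    if selection == "Relative Time":
        if unit not in RELATIVE_UNITS:
            raise ValueError(f"unknown relative unit {unit!r}")
        if last <= 0:
            raise ValueError("Last must be a positive number")
        return now - last * RELATIVE_UNITS[unit], now
    if selection == "Absolute Time":
        if start is None or end is None:
            raise ValueError("Absolute Time requires both From and To")
        if start > end:
            raise ValueError("From must not be later than To")
        return start, end
    raise ValueError(f"unknown time selection {selection!r}")


def list_incidents(search: str, value: str, window: Tuple[datetime, datetime],
                   incidents: List[Dict] = SAMPLE_INCIDENTS) -> List[int]:
    """Return IDs of incidents matching one search criterion inside the window."""
    if search not in SEARCH_FIELDS:
        raise ValueError(f"unsupported search criterion {search!r}")
    field = SEARCH_FIELDS[search]
    start, end = window
    return [inc["id"] for inc in incidents
            if str(inc[field]).lower() == str(value).lower()
            and start <= inc["time"] <= end]


if __name__ == "__main__":
    window = time_window("Relative Time", unit="Hours", last=2)
    print(list_incidents("Incident Status", "Active", window))
```

The window checks (a positive Last value, From not later than To) are the validations worth applying to a jinja-supplied value before it reaches the connector, because an empty result from a reversed window looks identical to "no incidents".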

Output

The output contains the following populated JSON schema:
{
"events": [
{
"attributes": {},
"id": "",
"receiveTime": "",
"nid": "",
"dataStr": "",
"index": "",
"eventType": "",
"custId": ""
}
],
"@queryId": "",
"@totalCount": "",
"@errorCode": "",
"@start": ""
}

operation: Comment Incident

Input parameters

Parameter | Description
Incident ID | ID of the incident to which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter | Description
Incident ID | ID of the incident that you want to clear on the Fortinet FortiSIEM server.
Reason | Text of the reason that you want to record while clearing the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Get Events For Incident

Input parameters

Parameter | Description
Incident ID | ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"events": [
{
"attributes": {},
"id": "",
"receiveTime": "",
"nid": "",
"dataStr": "",
"index": "",
"eventType": "",
"custId": ""
}
],
"@queryId": "",
"@totalCount": "",
"@errorCode": "",
"@start": ""
}

operation: List Report Templates

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter | Description
Organization | Name of the organization for which you want to retrieve a list of report templates from the Fortinet FortiSIEM server.
Filter String | Filter string based on which you want to retrieve a list of report templates from the Fortinet FortiSIEM server. Note: You can specify the report name or report description in this field. For example, if you specify Top FortiSIEM Events, then this operation returns all report templates whose report name matches the specified filter string.
Page Size | Number of objects that you want this operation to return in the response. By default, the page size is set to 50 items.
Page Number | Page number from which you want to retrieve records. By default, this is set as 0.
Exclude System Reports | Select this option to exclude system reports from the list of report templates that this operation retrieves from the Fortinet FortiSIEM server.
Only Sync Reports | Select this option to retrieve only those report templates from the Fortinet FortiSIEM server that can be synchronized to the report server.

Output

The output contains the following populated JSON schema:
{
"collectorId": "",
"objectId": "",
"parentId": "",
"aoSys": "",
"type": "",
"description": "",
"naturalId": "",
"name": "",
"custId": "",
"extData": ""
}

operation: Get Report Template Details

Input parameters

Parameter | Description
Report ID | ID of the report template for which you want to retrieve details from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"Name": "",
"Description": "",
"SelectClause": "",
"groupby": "",
"@id": "",
"@custId": "",
"conditions": "",
"OrderByClause": "",
"SyncOrgs": ""
}

operation: Run Report

Input parameters

Parameter | Description
Display Fields / Select Clause | Fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Conditions | Conditions based on which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) | Attribute by which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server.
Order By (Optional) | Attribute by which you want to order the search results for the report that you want to run on the Fortinet FortiSIEM server.
Report Time Range (Optional) | Specify the time for which you want to search for reports on the Fortinet FortiSIEM server. By default, this is set as Relative Time. If you select Absolute Time, then you must specify the time range for the search in the From and To fields using the calendar tool. If you select Relative Time, then you must specify the time duration for the search.

Output

No output schema is available at this time.

Included playbooks

The Sample - Fortinet FortiSIEM - 2.2.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This collection contains playbooks with steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

  • Clear Incident With Reason
  • Comment Incident
  • Get All Devices
  • Get All Devices For Specified IP Address Range
  • Get Device Information
  • Get Events For Incident
  • Get Report Template Details
  • List Incidents
  • List Monitored Devices and Attributes
  • List Monitored Organizations
  • List Report Templates
  • Run Report

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

FortiSOAR™ - FortiSIEM Application

The FortiSIEM app allows the bidirectional integration with the FortiSOAR™ UI. You can use the FortiSIEM app, to push incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts, and when these alerts are closed in FortiSOAR™ then the corresponding incidents are automatically cleared in FortiSIEM.

Version Information:

Applies to: FortiSIEM version 5.1.2.

FortiSIEM Application Version: 1.1.0

FortiSOAR™ Version Tested on: 4.11.1-468

Compatibility with Fortinet FortiSIEM Connector Versions: 2.0.0 and later

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the FortiSIEM application in version 1.1.0:

  • Added the ability for users to map various parameters between FortiSOAR™ and FortiSIEM.
  • Added the support for the FortiSIEM application to work with FortiSOAR™ systems that have multitenancy configured.

Prerequisites:

  • Ensure that the field Source Data in the Alerts module is named sourcedata, as shown in the following image:
    This field must be named as above so that the incident data from FortiSIEM can be added to it in JSON format.
  • Ensure that the field Closed By in the Alerts module is named closedby, its Field Type is set as Lookup (One to Many or One to One), and its related module is set as People, as shown in the following image:
    Ensure that the Closed By field is set as above and is populated while closing the alert, since the details of the user who closes the alert are synced back into the External User field of the FortiSIEM incident.

FortiSIEM App: Installation and Configuration

Installing the FortiSIEM App

  1. Download the install-fortisiem-app_1_1_0.sh script that is attached to this article and save it to an appropriate location on your FortiSIEM system.
    Important: After you have downloaded the install-fortisiem-app_1_1_0.sh script, verify the MD5 of the script file. The MD5 of this file must be: ee1313e73fe8869cf9ce14f2b206e8cd
  2. SSH to your FortiSIEM system as the root user.
  3. Make the install-fortisiem-app_1_1_0.sh script executable:
    chmod +x install-fortisiem-app_1_1_0.sh
  4. To install the FortiSIEM app, run the install-fortisiem-app_1_1_0.sh script.
    Note: After you have run the install-fortisiem-app_1_1_0.sh script, you must wait a few minutes before you can log into FortiSIEM, because some of the services are restarted and take a few minutes to start.
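The MD5 check in step 1 is the only integrity control in this procedure before a script is run as root, so it is worth doing properly rather than by eye. The following added example (not part of the installer) streams a file through MD5 and compares the result with the published digest using a constant-time comparison; the placeholder script written by `demo()` is constructed for the example, so its digest is computed locally and the published digest is used only as the default to compare against.

```python
# Added example (not part of the installer): verify the downloaded script's MD5
# against the digest published above before running it. The file content in
# demo() is constructed, so its digest is computed rather than the published one.
import hashlib
import hmac
import os
import tempfile

EXPECTED_MD5 = "ee1313e73fe8869cf9ce14f2b206e8cd"  # published for install-fortisiem-app_1_1_0.sh


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so a large download is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5(path: str, expected_hex: str = EXPECTED_MD5) -> bool:
    """True only if the file's digest equals the expected one (constant-time compare)."""
    return hmac.compare_digest(md5_of_file(path).lower(), expected_hex.strip().lower())


def demo() -> bool:
    """Write a constructed placeholder script and check the positive and negative cases."""
    content = b"#!/bin/sh\necho constructed placeholder, not the real installer\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "install-fortisiem-app_1_1_0.sh")
        with open(path, "wb") as fh:
            fh.write(content)
        matches_own_digest = verify_md5(path, md5_hex(content))
        matches_published = verify_md5(path)  # False: the placeholder is not the real script
        return matches_own_digest and not matches_published


if __name__ == "__main__":
    print("ok" if demo() else "mismatch")
```

Run `verify_md5("/path/to/install-fortisiem-app_1_1_0.sh")` on the downloaded file before step 3 and stop if it returns False. MD5 detects a truncated or swapped download; it is not collision-resistant, so treat the check as an integrity control that complements, rather than replaces, obtaining the script from the authenticated source.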

Configuring the FortiSIEM App

  1. Log in to your FortiSIEM system.
  2. Click the Admin tab, select the General Setting option from the left navigation, and click the Integrations tab, which displays the Integrations Policy screen as shown in the following image:

  3. On the Integrations Policy screen, click the Add button, which displays a form as shown in the following image:
  4. In the Integrations Policy form, fill in the following details for the Outbound integration:
    1. From the Type drop-down list, select Incident.
    2. From the Direction drop-down list, select Outbound for outbound integration.
    3. In the Vendor field, type CyberSponse.
    4. In the Instance field, type the name of the instance that you are connecting to, so that it can be identified.
    5. In the Plugin Name field, type com.accelops.phoenix.cybersponse.CybersponseIntegrationServiceImpl
    6. In the Host/URL field, type the URL/IP of your FortiSOAR™ instance.
    7. In the Username field, type the username that you use to log in to your FortiSOAR™ instance.
    8. In the Password field, type the password that you use to log in to your FortiSOAR™ instance.
    9. In the Max Incidents field, specify the maximum number of items that can be synced to the external system at one time.
    10. From the Run for drop-down list, select the organization(s) for which you want to run this integration.
    11. To save this outbound integration policy, click Save.
  5. Similarly, you must create an Inbound integration policy by selecting Inbound from the Direction drop-down list in the Integrations Policy form and entering all the required details. Ensure that you select the same vendor and instance that you specified in step 4, i.e., while configuring your outbound integration.

Configuring the outbound/inbound integrations

After you have completed creating your outbound and inbound integration policies, you must configure the outbound/inbound integrations as follows:

Configuring Outbound integrations:

  1. Log in to your FortiSIEM system.
  2. Click the Analytics tab and then select the Incident Notification Policy option from the left navigation.
  3. On the Incident Notification Policy screen, click New, which displays a form as shown in the following image:
  4. In the Notification Policy form, select the Invoke an integration policy checkbox, and select the Outbound integration policy that you have created.
  5. Select all other parameters based on your requirements and click Save.
    This configures your outbound integration.

Configuring Inbound integrations:

  1. Log in to your FortiSIEM system.
  2. Click the Admin tab, select the General Setting option from the left navigation, and click Integrations > Schedule, which displays the Integrations Policy Schedules screen as shown in the following image:
  3. Click the Add button to view a list of all the inbound integration policies that you have configured.
  4. Select the appropriate inbound integration policy, and specify the schedule for the selected inbound integration.
  5. Click OK to schedule the inbound integration and the frequency of polling the external ticket status.

Disabling the configured outbound and inbound integration on the FortiSIEM App

  1. To disable the outbound flow of incidents from FortiSIEM, do the following:
    1. Log in to your FortiSIEM system.
    2. Click the Analytics tab and then select the Incident Notification Policy option from the left navigation.
    3. Select the configured policy and click Edit, which displays the policy screen.
    4. On the policy screen, clear the Enable checkbox and click Save to disable your outbound integration.
  2. To disable the inbound synchronization of incidents between FortiSOAR™ and FortiSIEM, do the following:
    1. Log in to your FortiSIEM system.
    2. Click the Admin tab, select the General Setting option from the left navigation, and click Integrations > Schedule, which displays the Integrations Policy Schedules screen.
    3. Select the policy that you want to remove from the Integration Policy column and click Delete to disable your inbound scheduler.

FortiSIEM App: Additional Configurations

Configuring various parameters

In version 1.1.0 of the FortiSIEM app, you can map various parameters between FortiSOAR™ and FortiSIEM.

You can map these parameters in the cybersponse-app.properties file, which is located at /opt/glassfish3/glassfish/domains/domain1/config/cybersponse-app.properties.

A brief description of the parameters follows:

  • cyops.closed.state = Closed
    Name of the picklist status in FortiSOAR™ on which the incident is cleared in FortiSIEM. By default, this parameter is set to Closed.
  • cyops.open.state = Open
    Name of the picklist status in FortiSOAR™ on which the incident status is set to Open in FortiSIEM. By default, this parameter is set to Open.
  • cyops.alert.closedby = closedby
    Name of the Closed By field defined in the Alerts module in FortiSOAR™. This field is described in the "Prerequisites" section.
  • cyops.field_mapping.fortiSiemSource = source
    Name of the field in FortiSOAR™ that you want to map as the source field. You can change this name if required.
  • cyops.field_mapping.fortiSiemSource.value = "FortiSIEM"
    Value that you want to populate in the source field in FortiSOAR™. By default, this parameter is set to "FortiSIEM".
  • fortisiem.organisation.name = cybersponse
    Name of the organisation that you want to set in the incident in FortiSIEM. By default, this parameter is set to cybersponse.
  • cyops.field_mapping.tenant = tenant
    Name of the Tenant field defined in FortiSOAR™. This parameter applies only when multitenancy is configured.
  • cyops.field_mapping.IncidentId= sourceId
    Name of the field in FortiSOAR™ that is populated with the FortiSIEM Incident ID. You can change this name if required.
  • fortisiem.module_mapping.severity=HIGH:alerts,MEDIUM:alerts,LOW:alerts
    Severity mapping based on which incidents from FortiSIEM are pushed to different modules in FortiSOAR™. By default, incidents with severity high, medium, and low are all pushed to the Alerts module in FortiSOAR™.

Configuring the FortiSIEM App to work with FortiSOAR™ systems that have multitenancy configured

To enable the FortiSIEM app to work with FortiSOAR™ systems that have multitenancy configured, you must add the IRIs of your tenants (in the corresponding External Company IDs) in the Org Mapping field of the Outbound Integration Policy on your FortiSIEM system, along with the other details that are specified in the configuration for the Outbound integration.

FortiSIEM App: Known Issues

  • If you clear an incident in FortiSIEM the same is not reflected in FortiSOAR™. This is because currently the FortiSIEM app only synchronizes open tickets from FortiSIEM.

install-fortisiem-app_1_1_0.sh

Previous
Next

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions, with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

About the FortiSIEM app

If you want bidirectional integration between FortiSIEM and FortiSOAR™, then you can use the FortiSIEM app. The FortiSIEM app pushes incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts, and when these alerts are closed then the corresponding incidents are automatically cleared in FortiSIEM. To get the FortiSIEM app and the procedure on how to install and configure it, see the FortiSOAR™ - FortiSIEM Application section.

Version information

Connector Version: 2.2.0

FortiSOAR™ Version Tested on: 4.12.0-746

Fortinet FortiSIEM Version Tested on: 5.0.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.2.0

Following enhancements have been made to the Fortinet FortiSIEM connector in version 2.2.0:

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-fortinet-fortisiem

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Server URL URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Domain Domain that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the search criteria you have specified. get_incidents
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID you have specified. get_associated_events
Investigation
List Report Templates Retrieves the list of all report templates or a list of report templates from the Fortinet FortiSIEM server, based on the filter parameters that you have specified. get_report_templates
Investigation
Get Report Template Details Retrieves details of a specific report template from the Fortinet FortiSIEM server, based on the report ID you have specified. get_report_template_attributes
Investigation
Run Report Runs a report on the Fortinet FortiSIEM server, based on the conditions and other input parameters you have specified. run_report
Investigation

operation: Get All Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.
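As an added example (not the connector's own code), the following shows how the Include/Exclude IP SET values accepted by this operation can be expanded, as a range or as comma-separated addresses, and applied to device records shaped like the output schema of this operation. The device records and addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Set

MAX_RANGE = 65536  # guard: refuse to expand an unreasonably large range in memory


def parse_ip_set(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand an IP SET given as a range ("a-b"), as comma-separated addresses,
    or as a mix of both (e.g. "10.0.0.1-10.0.0.3,10.0.0.9"). Whitespace is ignored."""
    addrs: Set[ipaddress.IPv4Address] = set()
    for item in (part.strip() for part in spec.split(",") if part.strip()):
        if "-" in item:
            lo_s, hi_s = (s.strip() for s in item.split("-", 1))
            lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
            if hi < lo:
                raise ValueError(f"range start {lo_s} is after range end {hi_s}")
            if hi - lo + 1 > MAX_RANGE:
                raise ValueError(f"range {item} covers more than {MAX_RANGE} addresses")
            addrs.update(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
        else:
            addrs.add(ipaddress.IPv4Address(item))
    return addrs


def select_devices(devices: List[Dict], include_spec: str, exclude_spec: str = "") -> List[Dict]:
    """Return the devices whose accessIp falls in the include set minus the exclude set."""
    wanted = parse_ip_set(include_spec)
    if exclude_spec:
        wanted -= parse_ip_set(exclude_spec)
    return [d for d in devices if ipaddress.IPv4Address(d["accessIp"]) in wanted]


# Constructed sample records in the shape of the "device" entries of the output schema.
SAMPLE_DEVICES = [
    {"name": "fw-01", "accessIp": "192.168.20.1", "approved": "true"},
    {"name": "sw-02", "accessIp": "192.168.20.50", "approved": "true"},
    {"name": "ap-03", "accessIp": "192.168.20.77", "approved": "false"},
    {"name": "srv-04", "accessIp": "192.168.21.5", "approved": "true"},
]

if __name__ == "__main__":
    # Same range as the example above, with one address excluded.
    for dev in select_devices(SAMPLE_DEVICES, "192.168.20.1-192.168.20.100", "192.168.20.77"):
        print(dev["name"], dev["accessIp"])
```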

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get Device Information

Input parameters

Parameter Description
Device IP IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"discoverTime": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"components": "",
"version": "",
"organization": {
"@id": "",
"@name": ""
},
"storageGroups": "",
"unmanaged": "",
"processors": "",
"deviceType": {
"vendor": "",
"version": "",
"category": "",
"model": "",
"jobWeight": ""
},
"ipToHostNames": "",
"name": "",
"luns": "",
"updateMethod": "",
"softwarePatches": "",
"storages": "",
"applications": "",
"raidGroups": "",
"interfaces": "",
"softwareServices": "",
"creationMethod": "",
"sanControllerPorts": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: List Incidents

Input parameters

Parameter Description
Search Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, or Organization.
By default, this option is set as Incident Status.
Search Value Value of the search criteria based on what you have selected in the Search parameter.
For example, in the case of Incident Status, you must select the status of the incident (Active or Cleared) based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
OR
For example, if you select Host, then you must specify the hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Note: From version 2.2.0 of the Fortinet FortiSIEM connector, if you have selected Organization from the Search field, then you can either explicitly add the organization name or use a jinja expression to add the value of the Organization.
Time Selection (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
If you select Absolute Time, then you must specify the time range, for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
If you select Relative Time, then you must specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server.
For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
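As an added example (not the connector's own code), the following turns the Time Selection inputs of this operation into one absolute window and applies it, together with the Search criterion, to constructed incident records. The attribute names inside "attributes", the epoch-seconds receiveTime format and the Minutes/Days units are assumptions made for the illustration; the page itself names only Hours.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Relative Time units mapped onto timedelta keyword arguments (units other than Hours assumed).
RELATIVE_UNITS = {"Minutes": "minutes", "Hours": "hours", "Days": "days"}

# UI search choices mapped onto the constructed record fields used below (assumed names).
SEARCH_FIELDS = {"Incident Status": "status", "Severity": "severity",
                 "Host": "host", "IP": "ip", "Organization": "organization"}


def time_window(selection: Dict, now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return (start, end) as aware UTC datetimes from a Relative or Absolute selection.
    Relative: {"type": "Relative Time", "unit": "Hours", "last": 2}
    Absolute: {"type": "Absolute Time", "from": "<ISO 8601>", "to": "<ISO 8601>"}"""
    now = now or datetime.now(timezone.utc)
    if selection["type"] == "Relative Time":
        last = int(selection["last"])
        if last <= 0:
            raise ValueError("Last must be a positive number")
        return now - timedelta(**{RELATIVE_UNITS[selection["unit"]]: last}), now
    if selection["type"] == "Absolute Time":
        start = datetime.fromisoformat(selection["from"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(selection["to"].replace("Z", "+00:00"))
        if end <= start:
            raise ValueError("To must be later than From")
        return start, end
    raise ValueError(f"unknown time selection {selection['type']!r}")


def list_incidents(incidents: List[Dict], search: str, search_value: str,
                   selection: Dict, now: Optional[datetime] = None) -> List[str]:
    """IDs of incidents received inside the window whose searched field equals search_value."""
    start, end = time_window(selection, now)
    field = SEARCH_FIELDS[search]
    matched = []
    for inc in incidents:
        seen = datetime.fromtimestamp(int(inc["receiveTime"]), tz=timezone.utc)
        if start <= seen <= end and str(inc["attributes"].get(field, "")).lower() == search_value.lower():
            matched.append(inc["id"])
    return matched


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible
SAMPLE_INCIDENTS = [  # constructed records; receiveTime is epoch seconds here
    {"id": "1001", "receiveTime": int((NOW - timedelta(minutes=30)).timestamp()),
     "attributes": {"status": "Active", "severity": "HIGH", "host": "web-01", "organization": "Super"}},
    {"id": "1002", "receiveTime": int((NOW - timedelta(hours=5)).timestamp()),
     "attributes": {"status": "Active", "severity": "LOW", "host": "db-01", "organization": "Super"}},
    {"id": "1003", "receiveTime": int((NOW - timedelta(hours=1)).timestamp()),
     "attributes": {"status": "Cleared", "severity": "HIGH", "host": "web-01", "organization": "Acme"}},
]

if __name__ == "__main__":
    # Hours / Last 2 with Incident Status = Active, as in the example above.
    print(list_incidents(SAMPLE_INCIDENTS, "Incident Status", "Active",
                         {"type": "Relative Time", "unit": "Hours", "last": 2}, NOW))
```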

Output

The output contains the following populated JSON schema:
{
"events": [
{
"attributes": {},
"id": "",
"receiveTime": "",
"nid": "",
"dataStr": "",
"index": "",
"eventType": "",
"custId": ""
}
],
"@queryId": "",
"@totalCount": "",
"@errorCode": "",
"@start": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason Text of the reason that you want to provide while clearing the specified incident from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"events": [
{
"attributes": {},
"id": "",
"receiveTime": "",
"nid": "",
"dataStr": "",
"index": "",
"eventType": "",
"custId": ""
}
],
"@queryId": "",
"@totalCount": "",
"@errorCode": "",
"@start": ""
}

operation: List Report Templates

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter Description
Organization Name of the organization for which you want to retrieve a list of report templates from the Fortinet FortiSIEM server.
Filter String Filter string based on which you want to retrieve a list of report templates from the Fortinet FortiSIEM server.
Note: You can specify the report name or report description in this field.
For example, if you specify Top FortiSIEM Events, then this operation returns all report templates whose report name matches the specified filter string.
Page Size Number of objects that you want this operation to return in the response.
By default, the page size is set to 50 items.
Page Number Page number from which you want to retrieve records.
By default, this is set as 0.
Exclude System Reports Select this option to exclude system reports from the list of report templates that this operation retrieves from the Fortinet FortiSIEM server.
Only Sync Reports Select this option to retrieve only those report templates from the Fortinet FortiSIEM server that can be synchronized to the report server.

Output

The output contains the following populated JSON schema:
{
"collectorId": "",
"objectId": "",
"parentId": "",
"aoSys": "",
"type": "",
"description": "",
"naturalId": "",
"name": "",
"custId": "",
"extData": ""
}

operation: Get Report Template Details

Input parameters

Parameter Description
Report ID ID of the report template for which you want to retrieve details from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"Name": "",
"Description": "",
"SelectClause": "",
"groupby": "",
"@id": "",
"@custId": "",
"conditions": "",
"OrderByClause": "",
"SyncOrgs": ""
}

operation: Run Report

Input parameters

Parameter Description
Display Fields / Select Clause Fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Conditions Conditions based on which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute based on which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server.
Order By (Optional) Attribute based on which you want to order the search results for the report that you want to run on the Fortinet FortiSIEM server.
Report Time Range (Optional) Specify the time for which you want to search for reports on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
If you select Absolute Time, then you must specify the time range, for which you want to search for reports from the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
If you select Relative Time, then you have to specify the time duration based on which you want to search for reports from the Fortinet FortiSIEM server.

Output

No output schema is available at this time.

Included playbooks

The Sample - Fortinet FortiSIEM - 2.2.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.

FortiSOAR™ - FortiSIEM Application

The FortiSIEM app enables bidirectional integration with the FortiSOAR™ UI. You can use the FortiSIEM app to push incidents generated in FortiSIEM to an external FortiSOAR™ system as Alerts; when these alerts are closed in FortiSOAR™, the corresponding incidents are automatically cleared in FortiSIEM.

Version Information:

Applies to: FortiSIEM version 5.1.2.

FortiSIEM Application Version: 1.1.0

FortiSOAR™ Version Tested on: 4.11.1-468

Compatibility with Fortinet FortiSIEM Connector Versions: 2.0.0 and later

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the FortiSIEM application in version 1.1.0:

Prerequisites:

FortiSIEM App: Installation and Configuration

Installing the FortiSIEM App

  1. Download and copy the install-fortisiem-app_1_1_0.sh script that has been attached to this article and save it to an appropriate location on your FortiSIEM system.
    Important: After you have downloaded the install-fortisiem-app_1_1_0.sh script, verify the MD5 of the install-fortisiem-app_1_1_0.sh script file. The MD5 of this file must be: ee1313e73fe8869cf9ce14f2b206e8cd
  2. SSH to your FortiSIEM system as a root user.
  3. Make the install-fortisiem-app_1_1_0.sh script executable:
    chmod +x install-fortisiem-app_1_1_0.sh
  4. To install the FortiSIEM app, run the install-fortisiem-app_1_1_0.sh script.
    Note: After you run the install-fortisiem-app_1_1_0.sh script, wait a few minutes before you log into FortiSIEM, because some of the services are restarted and need a few minutes to come back up.
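The checksum check in step 1 and the permission change in step 3, as an added example that is not part of the installer or the app: the script is hashed in chunks, compared against the MD5 stated above in constant time, and only made executable when the digest matches. The script path is a placeholder.

```python
import hashlib
import hmac
import os
import stat

EXPECTED_MD5 = "ee1313e73fe8869cf9ce14f2b206e8cd"  # value stated in step 1 above
SCRIPT_PATH = "/root/install-fortisiem-app_1_1_0.sh"  # placeholder: wherever you saved the script


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_hex_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in chunks so large downloads are not loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(actual: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual.strip().lower(), expected.strip().lower())


def verify_and_mark_executable(path: str, expected_md5: str = EXPECTED_MD5) -> bool:
    """Add the execute bits (the effect of chmod +x in step 3) only when the digest matches;
    otherwise leave the file untouched and return False so the caller stops before step 4."""
    if not digests_match(md5_hex_of_file(path), expected_md5):
        return False
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return True


if __name__ == "__main__":
    if verify_and_mark_executable(SCRIPT_PATH):
        print("checksum OK, script is now executable:", SCRIPT_PATH)
    else:
        print("checksum MISMATCH, do not run:", SCRIPT_PATH)
```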

Configuring the FortiSIEM App

  1. Login to your FortiSIEM system.
  2. Click the Admin tab, select the General Setting option from the left navigation, and then click the Integrations tab, which displays the Integrations Policy screen as shown in the following image:

  3. On the Integrations Policy screen, click the Add button, which will display a form as shown in the following image:
  4. In the Integrations Policy form fill in the following details for Outbound integration:
    1. From the Type drop-down list, select Incident.
    2. From the Direction drop-down list, select Outbound for outbound integration.
    3. In the Vendor field, type CyberSponse.
    4. In the Instance field, type the name of the instance that you are trying to connect to and identify.
    5. In the Plugin Name field, type com.accelops.phoenix.cybersponse.CybersponseIntegrationServiceImpl
    6. In the Host/URL field, type the URL/IP of your FortiSOAR™ instance
    7. In the Username field, type the username that you use to login to your FortiSOAR™ instance.
    8. In the Password field, type the password that you use to login to your FortiSOAR™ instance.
    9. In the Max Incidents field, specify the maximum number of items that can be synched to the external system at one time.
    10. From the Run for drop-down list, select the organization(s) for which you want to run this integration.
    11. To save this outbound integration policy, click Save.
  5. Similarly, you must create an Inbound integration policy by selecting Inbound from the Direction drop-down list in the Integrations Policy form and entering all the required details. Ensure that you select the same vendor and instance that you specified in step 4, i.e., while configuring your outbound integration.

Configuring the outbound/inbound integrations

After you have completed creating your outbound and inbound integration policies, you must configure the outbound/inbound integrations as follows:

Configuring Outbound integrations:

  1. Login to your FortiSIEM system.
  2. Click the Analytics tab and then select the Incident Notification Policy option from the left navigation.
  3. On the Incident Notification Policy screen, click New, which will display a form as shown in the following image:
  4. In the Notification Policy form select the Invoke an integration policy checkbox, and select the Outbound integration policy that you have created.
  5. Select all other parameters based on your requirements and click Save.
    This configures your outbound integration.

Configuring Inbound integrations:

  1. Login to your FortiSIEM system.
  2. Click the Admin tab, select the General Setting option from the left navigation, and then click Integrations > Schedule, which displays the Integrations Policy Schedules screen as shown in the following image:
  3. Click the Add button to view a list of all the inbound integration policies that you have configured.
  4. Select the appropriate inbound integration policy and specify the schedule for the selected inbound integration.
  5. Click OK to schedule the inbound integration and the frequency of polling the external ticket status.

Disabling the configured outbound and inbound integration on the FortiSIEM App

  1. To disable the outbound flow of incidents from FortiSIEM, do the following:
    1. Login to your FortiSIEM system.
    2. Click the Analytics tab and then select the Incident Notification Policy option from the left navigation.
    3. Select the configured policy and click Edit, which will display the policy screen.
    4. On the policy screen, clear the Enable checkbox and click Save to disable your outbound integration.
  2. To disable the inbound synchronization of incidents between FortiSOAR™ and FortiSIEM, do the following:
    1. Login to your FortiSIEM system.
    2. Click the Admin tab, select the General Setting option from the left navigation, and then click Integrations > Schedule, which displays the Integrations Policy Schedules screen.
    3. Select the policy that you want to remove from the Integration Policy column and click Delete to disable your inbound scheduler.

FortiSIEM App: Additional Configurations

Configuring various parameters

In version 1.1.0 of the FortiSIEM app, you can map various parameters between FortiSOAR™ and FortiSIEM.

You can map these parameters in the cybersponse-app.properties file that is located at /opt/glassfish3/glassfish/domains/domain1/config/cybersponse-app.properties.

Brief description of the various parameters follows:

Configuring the FortiSIEM App to work with FortiSOAR™ systems that have multitenancy configured

To enable the FortiSIEM app to work with FortiSOAR™ systems that have multitenancy configured, you must add the IRIs of your tenants (in the corresponding External Company IDs) in the Org Mapping field of the Outbound Integration Policy on your FortiSIEM system, along with the other details that are specified in the configuration for the Outbound integration:

FortiSIEM App: Known Issues

install-fortisiem-app_1_1_0.sh
