About the connector

FortiAnalyzer is the NOC-SOC security analysis tool built with an operations perspective. FortiAnalyzer (FAZ) supports analytics-powered use cases to provide better detection against breaches.

This document provides information about the Fortinet FortiAnalyzer Connector, which facilitates automated interactions with your Fortinet FortiAnalyzer server using FortiSOAR™ playbooks. Add the Fortinet FortiAnalyzer Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as creating and updating incidents on Fortinet FortiAnalyzer and retrieving user and endpoint information from Fortinet FortiAnalyzer.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Fortinet FortiAnalyzer. Currently, "events" in Fortinet FortiAnalyzer are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 3.0.0

FortiSOAR™ Version Tested on: 7.0.2-664

FortiAnalyzer Version Tested on: v7.2.0 GA build1124

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.0.0

The following enhancements have been made to the Fortinet FortiAnalyzer connector in version 3.0.0:

• Added the following new operations and playbooks:
  • Get Event for Multiple ADOMs
  • Count Events for Multiple ADOMs
  • Get Incident for Multiple ADOMs
  • Count Incidents for Multiple ADOMs
    Important: Multiple ADOM support is added only for the above newly added operations and not for older operations.
• Added an ADOM mapping field in the data ingestion wizard to map FortiAnalyzer ADOMs to FortiSOAR tenants.
• Updated the data ingestion playbooks for multiple ADOMs changes and to handle pulling of large data.
• Fixed an issue with the timezone. Now, the timezone will be passed in only the UTC format.
• Fixed an issue with ADOM names so that now commas only are supported as separators. Extra spaces between ADOM names will not be allowed.

Installing the connector

Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortianalyzer

Prerequisites to configuring the connector

• You must have the URL of the Fortinet FortiAnalyzer server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
• Multiple ADOMs are supported only with Fortinet FortiAnalyzer version 7.0.2. Therefore, if you want to use Multiple ADOMs, you must have access to Fortinet FortiAnalyzer whose release is 7.0.2 or later.
• The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiAnalyzer server.
• The minimum privileges that require to be assigned to users who are going to use this connector and run actions on Fortinet FortiAnalyzer are users with a "Standard" or "Superuser" profile that has "Read" and "Write" access to JSON API.
  
  You can also create a new user in Fortinet Analyzer and you can use this newly-created user in the connector configuration.
  IMPORTANT: The Fortinet Analyzer API from Fortinet Analyzer release 7.0.0 onwards, for 'Multiple ADOM Support', requires the 'Superuser' permission. Therefore, from Fortinet Analyzer release 7.0.0 onwards, operations will fail when users who are assigned the 'Standard' permission try to run operations with multiple ADOM support.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter	Description
Server URL	URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations.
Username	The username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations.
Password	The password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations.
ADOM Name	The administrative domain name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. Note: If you are adding multiple ADOM names then you must separate them with commas. Extra spaces between ADOM names are not allowed.
Port	Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations.

Function	Description	Annotation and Category
Create Incident	Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint, ADOM name, and other input parameters you have specified.	create_incident Investigation
Get Incident	Retrieves all incidents or a specific incident from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified.	list_incidents Investigation
Update Incident	Updates incident fields like severity, category, status, etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name and other input parameters you have specified.	update_incident_details Investigation
Get Events For Incident	Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified.	get_events_for_incident Investigation
Get Executed Report List	Retrieves a list of all executed reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the ADOM name, time frame, and other input parameters you have specified.	get_reports Investigation
Get Report Schedule List	Retrieves a list of all report schedules from Fortinet FortiAnalyzer based on the ADOM name you have specified.	get_schedules Investigation
Run Report	Runs a report on the Fortinet FortiAnalyzer based on the report ID, schedule ID, and ADOM name you have specified.	run_report Investigation
Get Report File	Retrieves a specific generated report file from Fortinet FortiAnalyzer based on the report ID and ADOM name you have specified and adds that report file to FortiSOAR as an 'Attachment'	get_generated_report Investigation
Get User Info	Retrieves information for all users or specific users from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified.	get_users Investigation
Get Endpoint Info	Retrieves information for all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified.	get_endpoints Investigation
List Log Fields	Retrieves all log fields from Fortinet FortiAnalyzer based on the device and log type, ADOM name, and other input parameters you have specified.	list_log_fields Investigation
Get Log-File Content	Retrieves the content of a specified logfile from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified.	get_log_file_content Investigation
Log Search over Log-File	Runs a log search task for a single logfile from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified.	log_search_over_log_file Investigation
Get Log-File State	Retrieves the state of a log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified.	get_log_file_state Investigation
Start Log Search Request	Starts a new task to search for logs in Fortinet FortiAnalyzer based on the device ID, device name, ADOM name, and other input parameters you have specified.	start_log_search_request Investigation
Fetch Log Search Result by Task ID	Starts a new task to retrieve the log search results from Fortinet FortiAnalyzer based on the task ID, ADOM name, and other input parameters you have specified.	fetch_log_search_result_by_task_id Investigation
Get Event	Retrieves all the events or a specific event from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified.	get_alerts Investigation
Get Event Logs	Retrieves the logs associated with a specific event from Fortinet FortiAnalyzer based on the FAZ event ID, ADOM name, and other input parameters you have specified.	get_alert_event_logs Investigation
Get Incident Assets	Retrieves a list of assets affected by the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and other parameters you have specified.	get_incident_assets Investigation
Get Incident Attachments	Retrieves all attachments (i.e. Comments, Events, Report, Indicators etc.) associated with the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and input other parameters you have specified.	get_attachments_for_incident Investigation
Update Incident Attachment	Updates incident attachment fields associated with a specific incident in FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified	update_attachment Investigation
Get ADOMs	Retrieves all ADOMs from Fortinet FortiAnalyzer based on the ADOM name you have specified.	get_adoms Investigation
Add a Master Device	Adds a master device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, ADOM name, and other input parameters you have specified.	add_master_device Investigation
Add a Slave Device	Adds a slave device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, master device name, master device serial number, and ADOM name you have specified.	add_slave_device Investigation
Add a New Device	Adds a new device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, ADOM name, and other input parameters you have specified.	add_new_device Investigation
Get Devices	Retrieves all devices from the Fortinet FortiAnalyzer device manager database based on the ADOM name you have specified.	get_devices Investigation
Get Log Status	Retrieves the last log time and log rate per device[vdom] from Fortinet FortiAnalyzer. This operation retrieves the log status for all devices or the log status for particular devices based on the device ID and ADOM name you have specified.	get_log_status Investigation
Get Device Information	Retrieves device information from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified.	get_device_info Investigation
Authorize Device	Authorizes the device in Fortinet FortiAnalyzer based on the device name, serial number, ADOM name, and other input parameters you have specified.	authorize_device Investigation
Delete a Device	Deletes a specific device from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified.	delete_device Investigation
Get Event for Multiple ADOMs	Retrieves all events or specific event for multiple ADOMs from FortiAnalyzer based on the input parameters you have specified.	get_alerts_for_multiple_adoms Investigation
Count Events for Multiple ADOMs	Retrieves the count of events from multiple ADOMs in FortiAnalyzer based on the group by and other input parameters you have specified.	count_alerts_for_multiple_adoms Investigation
Get Incident for Multiple ADOMs	Retrieves all incidents or a specific incident for multiple ADOMs from Fortinet FortiAnalyzer based on the input parameters you have specified.	list_incidents_for_multiple_adoms Investigation
Count Incidents for Multiple ADOMs	Retrieves the count of events from multiple ADOMs in FortiAnalyzer based on the input parameters you have specified.	count_incidents_for_multiple_adoms Investigation

operation: Create Incident

Input parameters

Parameter	Description
Incident Reporter	Name of reporter of the incident that you want to create in Fortinet FortiAnalyzer.
Affected Endpoint	Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop).
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to create the incident in Fortinet FortiAnalyzer.
Assigned To	(Optional) Name of person to which you want to assign the incident that you want to create in Fortinet FortiAnalyzer.
Category	(Optional) Category in which you want to create the incident in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity	(Optional) Severity level that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low.
Status	(Optional) Status that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
End User ID	(Optional) ID of the end user that you want to assign to the incident, which you want to create in Fortinet FortiAnalyzer.
Description	(Optional) Description of the incident that you want to create in Fortinet FortiAnalyzer.
Other Fields	(Optional) Additional fields in the JSON format that you want to add to the incident, which you want to create in Fortinet FortiAnalyzer. For example, {"epid":123}

Output

The output contains the following populated JSON schema:
{
"result": {
"incid": ""
},
"jsonrpc": "",
"id": ""
}

operation: Get Incident

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve the incident from Fortinet FortiAnalyzer.
Incident IDs	List of incident IDs based on which you want to retrieve incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002
Status	Status of the incident using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Filter	Query filter using which you want to filter incidents to be retrieved from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low'
Detail Level	Level of detail that you want to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended.
Limit	Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0 and the minimum supported value is "0".
Sort	Select this checkbox if you want to sort the incidents by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: Sort by Field: Name of the field on which you want to sort the result. Sort by Order: Sorting order of the result, choose between ASC (ascending) or DESC (descending).

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"severity": "",
"category": "",
"incid": "",
"euid": "",
"description": "",
"endpoint": "",
"refinfo": "",
"attach_revision": "",
"epid": "",
"createtime": "",
"status": "",
"attach_lastupdate": "",
"lastuser": "",
"revision": "",
"reporter": "",
"lastupdate": ""
}
],
"status": {
"code": "",
"message": ""
},
"detail-level": ""
},
"id": ""
}

operation: Update Incident

Input parameters

Parameter	Description
Incident ID	ID of the incident that you want to update in Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to update the incident in Fortinet FortiAnalyzer.
Assigned To	(Optional) Name of person to which you want to assign the incident that you want to update in Fortinet FortiAnalyzer.
Category	(Optional) Category that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Status	(Optional) Status that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Affected Endpoint	(Optional) Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop).
Severity	(Optional) Severity level that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer. You can choose from the following options: High, Medium, or Low.
End User ID	(Optional) ID of the end user that you want to assign to the incident, which you want to update in Fortinet FortiAnalyzer.
Description	(Optional) Description of the incident that you want to update in Fortinet FortiAnalyzer.
Other Fields	(Optional) Additional fields in the JSON format that you want to modify in the incident, which you want to update in Fortinet FortiAnalyzer. For example, {"epid":123}

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"status": {
"code": "",
"message": ""
}
},
"id": ""
}

operation: Get Events For Incident

Input parameters

Parameter	Description
Incident ID	ID of the incident whose associated events you want to retrieve from Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve events associated with the incident from Fortinet FortiAnalyzer.
Limit	Maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say events starting from the 10th event. By default, this is set as 0 and the minimum supported value is "0".

Output

The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"createtime": "",
"data": "",
"incid": "",
"lastuser": "",
"attachid": "",
"lastupdate": "",
"revision": "",
"attachtype": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}

operation: Get Executed Report List

Input parameters

Parameter	Description
State	State of the executed report that you want to retrieve from Fortinet FortiAnalyzer. The states that are supported are: pending-running or generated.
Start Time	Starting DateTime from when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports.
End Time	Ending DateTime till when you want to retrieve from Fortinet FortiAnalyzer. Note: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone considered for retrieving the reports.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve the list of executed reports from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"result": {
"count": "",
"revision": "",
"data": [
{
"devtype": "",
"state": "",
"profileid": "",
"date": "",
"title": "",
"timestamp-end": "",
"adminuser": "",
"schedule_color": "",
"format": [],
"tid": "",
"progress-percent": "",
"name": "",
"period-end": "",
"end": "",
"timestamp-start": "",
"start": "",
"period-start": ""
}
]
},
"jsonrpc": "",
"id": ""
}

operation: Get Report Schedule List

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve report schedules from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
},
"data": [
{
"report-per-device": "",
"week-start": "",
"date-format": "",
"include-other": "",
"period-last-n": "",
"period-opt": "",
"display-device-by": "",
"schedule-valid-end": [],
"devices": [
{
"devices-name": ""
}
],
"schedule-color": "",
"filter": "",
"admin-user": "",
"filter-type": "",
"report-layout": [
{
"layout-id": ""
}
],
"email-report-per-device": "",
"language": "",
"ldap-user-case-change": "",
"orientation": "",
"name": "",
"time-period": "",
"print-report-filters": "",
"schedule-type": "",
"ldap-server": "",
"auto-hcache": "",
"display-table-contents": "",
"filter-logic": "",
"obfuscate-user": "",
"device-list-type": "",
"include-coverpage": "",
"output-format": "",
"schedule-valid-start": [],
"resolve-hostname": "",
"ldap-query": "",
"schedule-frequency": "",
"output-profile": "",
"dev-type": "",
"max-reports": "",
"status": ""
}
]
},
"jsonrpc": "",
"id": ""
}

operation: Run Report

Input parameters

Parameter	Description
Schedule	Name or ID of the schedule using which you want to run the report. Note: You can get the name or ID of the schedule using the "Get Report Schedule List" action.
Report ID	ID of the report that you want to run on Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to run the report in Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": ""
},
"id": ""
}

operation: Get Report File

Input parameters

Parameter	Description
Task ID	Task ID of the generated report that you want to retrieve from Fortinet FortiAnalyzer and adds that report file as an 'Attachment' in FortiSOAR.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve the generated report from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"tid": "",
"length": "",
"name": "",
"data-type": "",
"checksum": "",
"data": ""
},
"id": ""
}

operation: Get User Info

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve user information from Fortinet FortiAnalyzer.
User IDs	List of user IDs based on which you want to fetch user information from Fortinet FortiAnalyzer. For example, 1043,1055 or 1043.
Filter	Query filter using which you want to filter users to be fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost'
Detail Level	Level of detail that you want to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default) or Extended.
Limit	Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000".
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say users starting from the 10th user. By default, this is set as 0 and the minimum supported value is "0".
Sort	Select this checkbox if you want to sort the users by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: Sort by Field: Name of the field on which you want to sort the result. Sort by Order: Sorting order of the result, choose between ASC (ascending) or DESC (descending).

Output

The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"workphone": "",
"socialid": {
"data": []
},
"gender": "",
"authtype": "",
"euname": "",
"euuuid": "",
"euid": "",
"title": "",
"eugroup": "",
"employeeid": "",
"email": "",
"lastseen": "",
"workemail": "",
"firstseen": "",
"phone": "",
"firstname": "",
"birthday": "",
"homeaddr": "",
"lastname": "",
"workaddr": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}

operation: Get Endpoint Info

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve endpoint information from Fortinet FortiAnalyzer.
Endpoint IDs	List of endpoint IDs based on which you want to fetch endpoint information from Fortinet FortiAnalyzer. For example, 1047,1077 or 1077. The list of endpoint ID's. e.g. 1047,1077 or 1077
Filter	Query filter using which you want to filter endpoints to be fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3'
Limit	Maximum number of records that this operation should return. Values supported are: Default "100000", Minimum "1" and Maximum "1000000".
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say endpoint starting from the 10th endpoint. By default, this is set as 0 and the minimum supported value is "0".
Sort	Select this checkbox if you want to sort the endpoints by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: Sort by Field: Name of the field on which you want to sort the result. Sort by Order: Sorting order of the result, choose between ASC (ascending) or DESC (descending).

Output

The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"epname": "",
"fctuid": "",
"detecttype": "",
"osname": "",
"detectkey": "",
"macip": [
{
"lastseen": "",
"epip": "",
"mac": ""
}
],
"lastseen": "",
"adomoid": "",
"epid": "",
"epdevtype": "",
"osversion": "",
"vd": "",
"devid": ""
}
],
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}

operation: List Log Fields

Input parameters

Parameter	Description
Device Type	List of device types using which you want to retrieve log fields from Fortinet FortiAnalyzer. You can add device types such as FortiGate, FortiClient, FortiMail, FortiWeb, FortiSandbox, FortiDDos, FortiDeceptor, etc.
Log Type	Type of log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve log fields from Fortinet FortiAnalyzer.
Subtype	Subtype of the log using which you want to filter logs to be retrieved from Fortinet FortiAnalyzer. For example, logdev, system, fazsys, logging, logfile, dvm, etc.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
],
"private-field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
]
}
}

operation: Get Log-File Content

Input parameters

Parameter	Description
Device ID	ID of the device hosting the log file whose content you want to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Filename	Name of the log file whose content you want to retrieve from Fortinet FortiAnalyzer.
VDOM	Name of the VDOM using which you want to filter log files and retrieve the log file content from Fortinet FortiAnalyzer. For example, root
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve log file content from Fortinet FortiAnalyzer.
Data Type	Type of returned data of log file whose content you want to retrieve from Fortinet FortiAnalyzer. e.g. 'text/gzip/base64, csv/gzip/base64', etc. Default is base64.
Offset	(Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.
Length	(Optional) Length in bytes, of the file content, that this operation should return. Values supported are: Default is set to 1048576, Minimum Value is set to 1, and Maximum Value is set to 52428800.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"checksum": "",
"data": "",
"data-type": "",
"length": "",
"log-count": "",
"offset": "",
"logfile-orig-size": ""
}
}

operation: Log Search over Log-File

Input parameters

Parameter	Description
Device ID	ID of the device hosting the log file based on which you want to search for the log file in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Filename	Name of the log file that you want to search in Fortinet FortiAnalyzer.
VDOM	Name of the VDOM based on which you want to search the log file content in Fortinet FortiAnalyzer. For example, root.
Log Type	Type of log that you want to search in Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to search the log file content in Fortinet FortiAnalyzer.
Case Sensitive	Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer.
Filter	Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, subtype='forward' and srcname='LAN-FSW-GUEST'.
Offset	(Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.
Limit	(Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"logver": "",
"idseq": "",
"itime": "",
"devid": "",
"vd": "",
"date": "",
"time": "",
"logid": "",
"type": "",
"subtype": "",
"level": "",
"eventtime": "",
"tz": "",
"srcip": "",
"srcname": "",
"srcport": "",
"srcintf": "",
"srcintfrole": "",
"dstip": "",
"dstport": "",
"dstintf": "",
"dstintfrole": "",
"srcuuid": "",
"dstuuid": "",
"sessionid": "",
"proto": "",
"action": "",
"policyid": "",
"policytype": "",
"poluuid": "",
"service": "",
"dstcountry": "",
"srccountry": "",
"trandisp": "",
"duration": "",
"sentbyte": "",
"rcvdbyte": "",
"sentpkt": "",
"rcvdpkt": "",
"appcat": "",
"srchwvendor": "",
"osname": "",
"mastersrcmac": "",
"srcmac": "",
"srcserver": "",
"dtime": "",
"itime_t": "",
"devname": ""
}
],
"return-lines": "",
"total-count": ""
}
}

operation: Get Log-File State

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve the state of a log file from Fortinet FortiAnalyzer.
Device ID	ID of the device hosting the log file whose state you want to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Filename	Name of the log file whose state you want to retrieve from Fortinet FortiAnalyzer.
VDOM	Name of the VDOM using which you want to filter log files and retrieve the log file state from Fortinet FortiAnalyzer. For example, root.
Start Time	(Optional) Start DateTime from when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state.
End Time	(Optional) Start DateTime till when you want to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"device-file-list": [
{
"device-id": "",
"device-name": "",
"endtime": "",
"starttime": "",
"vdom-file-list": [
{
"endtime": "",
"logfile-list": {
"elog": {
"files": [
{
"endtime": "",
"filename": "",
"fsize": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
}
},
"starttime": "",
"vdom-name": ""
}
]
}
]
}
}

operation: Start Log Search Request

Input parameters

Parameter	Description
Device ID	ID of the device hosting the log file based on which you want to start the search for logs in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Device Name	Name of the device based on which you want to start the search for logs from Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Start Time	(Optional) Start DateTime from when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request.
End Time	(Optional) End DateTime till when you want to search for logs from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request.
Log Type	Type of log using which you want to filter logs to be searched in Fortinet FortiAnalyzer. You can choose from options such as Event, Traffic, FCT Event, Email Filter, Virus, etc.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to search for logs in Fortinet FortiAnalyzer.
Filter	Query filter using which you want to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low'
Case Sensitive	Select this option if you want to perform a case-sensitive search of the log file in from Fortinet FortiAnalyzer.
Time Order	Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}

operation: Fetch Log Search Result by Task ID

Input parameters

Parameter	Description
Task ID	ID of the task log search using which you want to retrieve the log search result from Fortinet FortiAnalyzer. For example, 193200136.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve the log search result from Fortinet FortiAnalyzer.
Offset	(Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.
Limit	(Optional) Maximum number of log records that this operation should return. Values supported are: Default is set to 50, Minimum Value is set to 1, and Maximum Value is set to 500.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"app": "",
"appcat": "",
"date": "",
"devid": "",
"devname": "",
"devtype": "",
"dstcountry": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"duration": "",
"itime": "",
"itime_t": "",
"level": "",
"logid": "",
"logver": "",
"mastersrcmac": "",
"osname": "",
"policyid": "",
"proto": "",
"rcvdbyte": "",
"rcvdpkt": "",
"sentbyte": "",
"sentpkt": "",
"service": "",
"sessionid": "",
"srccountry": "",
"srcintf": "",
"srcip": "",
"srcmac": "",
"srcname": "",
"srcport": "",
"subtype": "",
"time": "",
"trandisp": "",
"transip": "",
"transport": "",
"type": "",
"vd": ""
}
],
"percentage": "",
"return-lines": "",
"status": {
"code": "",
"message": ""
},
"tid": ""
}
}

operation: Get Event

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve alert events from Fortinet FortiAnalyzer.
Start Time	Start DateTime from when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
End Time	End DateTime till when you want to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
Alert IDs	List of alert IDs, i.e., the FAZ event IDs, based on which you want to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361
Device ID	ID of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Device Name	Name of the device based on which you want to search for events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Filter	Query filter using which you want to search for events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium'
Limit	Maximum number of events that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000.
Offset	Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"ack_flag": "",
"addi_info": "",
"alert_id": "",
"count": "",
"ctime": "",
"dev_name": "",
"devid": "",
"epid": "",
"epname": "",
"euid": "",
"euname": "",
"event_info": "",
"event_name": "",
"event_status": "",
"event_type": "",
"last_occurrence": "",
"last_update": "",
"read_flag": "",
"severity": "",
"trigger_name": "",
"vd_name": ""
}
]
}
}

operation: Get Event Logs

Input parameters

Parameter	Description
Alert ID	List of alert IDs, i.e., FAZ event IDs, based on which you want to retrieve event logs from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve event logs from Fortinet FortiAnalyzer.
Limit	Maximum number of event logs that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000.
Offset	(Optional) Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.
Time Order	Order to sort the results retrieved from the Fortinet FortiAnalyzer. You can choose between ASC or DESC.

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"alert_log_seqnum": "",
"cat": "",
"catdesc": "",
"crlevel": "",
"crscore": "",
"devid": "",
"devname": "",
"direction": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"epid": "",
"euid": "",
"eventtype": "",
"fctuid": "",
"hostname": "",
"id": "",
"itime": "",
"level": "",
"logid": "",
"logver": "",
"method": "",
"msg": "",
"policyid": "",
"profile": "",
"proto": "",
"rcvdbyte": "",
"reqtype": "",
"sentbyte": "",
"service": "",
"sessionid": "",
"srcintf": "",
"srcip": "",
"srcport": "",
"subtype": "",
"type": "",
"unauthuser": "",
"url": "",
"vd": ""
}
]
}
}

operation: Get Incident Assets

Input parameters

Parameter	Description
Incident ID	ID of the incident whose associated affected assets you want to retrieve from Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve assets affected by the incident from Fortinet FortiAnalyzer.
Limit	Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say assets starting from the 10th asset. By default, this is set as 0 and the minimum supported value is "0".

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}

operation: Get Incident Attachments

Input parameters

Parameter	Description
Incident ID	ID of the incident whose associated attachments you want to retrieve from Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve attachments associated with the incident from Fortinet FortiAnalyzer.
Attachment Type	The attachment type based on which you want to fetch the attachment for the specified incident. Values supported are: alertevent, sysnote, note, file, report, history, and logsearchfilter.
Limit	Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say attachments starting from the 10th attachment. By default, this is set as 0 and the minimum supported value is "0".

Output

The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"attachid": "",
"attachtype": "",
"createtime": "",
"data": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}

operation: Update Incident Attachment

Input parameters

Parameter	Description
Attachment ID	ID of the attachment that you want to update in Fortinet FortiAnalyzer.
Data	The attachment data in the 'json' format that you want to update in Fortinet FortiAnalyzer.
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want update the attachment in Fortinet FortiAnalyzer.
Attachment Source	(Optional) Attachment source that you want to update in the incident attachment, which you want to update in Fortinet FortiAnalyzer. You can specify one of the following options: manual or playbook.
Attachment Source ID	(Optional) ID of the attachment source, i.e., 'user name' if you have specified the manual type attachment source or 'playbook UUID' if you have specified the playbook type attachment source for the incident attachment that you want to update in Fortinet FortiAnalyzer.
Attachment Source Trigger	(Optional) Attachment Trigger information that you want to update in the incident attachment in Fortinet FortiAnalyzer.
Last User	(Optional) Name of the user name who updated the incident attachment that you want to update in Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}

operation: Get ADOMs

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"oid": "",
"name": "",
"desc": "",
"state": "",
"mode": "",
"os_ver": "",
"mr": "",
"flags": "",
"mig_os_ver": "",
"mig_mr": "",
"obj_customize": "",
"tab_status": "",
"logview_customize": "",
"restricted_prds": "",
"log_db_retention_hours": "",
"log_file_retention_hours": "",
"log_disk_quota": "",
"log_disk_quota_split_ratio": "",
"log_disk_quota_alert_thres": "",
"uuid": "",
"create_time": "",
"workspace_mode": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Add a Master Device

Input parameters

Parameter	Description
Device Name	Name of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_DEV
IP Address	IP address of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx
Serial Number	Serial number of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000166969
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to add a master device to the Fortinet FortiAnalyzer device manager database.
OS Version	(Optional) OS version of the master device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Add a Slave Device

Input parameters

Parameter	Description
Slave Device Name	Name of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Slave Device Name: Branch_Dev_01
Slave Device Serial Number	Serial number of the slave device that you want to add to the Fortinet FortiAnalyzer device manager database. Slave Device Serial Number: XXVM02TM20007936
Master Device Name	Name of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Name: Enterprise_DEV
Master Device Serial Number	Serial number of the master device under which you want to add the slave device in the Fortinet FortiAnalyzer device manager database. Master Device Serial Number: XXVM010000166969
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to add a slave device to the Fortinet FortiAnalyzer device manager database.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Add a New Device

Input parameters

Parameter	Description
Device Name	Name of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Device Name: Enterprise_Dev
IP Address	IP address of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx
Serial Number	Serial number of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, Serial Number: XXVM010000212677
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to add a device to the Fortinet FortiAnalyzer device manager database.
OS Version	(Optional) OS version of the device that you want to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Get Devices

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve devices from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"adm_pass": [
"",
""
],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Get Log Status

Input parameters

Parameter	Description
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve log status from Fortinet FortiAnalyzer.
Device ID	(Optional) Device ID based on which you want to fetch the log status and the log rate per device from Fortinet FortiAnalyzer. Device ID: XXVM02TM20007478

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"vdoms": [
{
"vdom": "",
"last-log-time": "",
"last-log-timestamp": "",
"lograte": ""
}
],
"devid": ""
}
]
}
}

operation: Get Device Information

Input parameters

Parameter	Description
Device Name	Name of the device whose information you want to retrieve from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to retrieve device information from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"adm_pass": [],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Authorize Device

Input parameters

Parameter	Description
Device Name	Name of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev
Serial Number	Serial number of the device that you want to authorize in Fortinet FortiAnalyzer. For example, Serial Number: XXVM010000212677
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to authorize the device in Fortinet FortiAnalyzer.
OS Version	(Optional) OS version of the device that you want to authorize in Fortinet FortiAnalyzer. For example, 6.0

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"faz.perm": "",
"flags": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Delete a Device

Input parameters

Parameter	Description
Device Name	Name of the device that you want to delete from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev
ADOM Name	Administrative domain name of the Fortinet FortiAnalyzer server based on which you want to delete a device from Fortinet FortiAnalyzer.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}

operation: Get Event for Multiple ADOMs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Start Time	Start DateTime from when you want to retrieve the alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
End Time	End DateTime till when you want to retrieve the alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
Alert IDs	List of alert IDs, i.e., the FAZ event IDs, based on which you want to fetch events from Fortinet FortiAnalyzer. For example,?202008201000003361,202008201000003362 or 202008201000003361
Device ID	ID of the device based on which you want to search for alert events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Device Name	Name of the device based on which you want to search for alert events in Fortinet FortiAnalyzer. For example, FG10CH3G11601364.
Filter	Query filter using which you want to search for alert events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium'
Limit	Maximum number of events that this operation should return. Values supported are: Default is set to 1000, Minimum Value is set to 1, and Maximum Value is set to 2000.
Offset	Index of the first item that this operation should return. This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list. Values supported are: Default is set to 0 and Minimum Value is set to 0.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"alerttime": "",
"logcount": "",
"alertid": "",
"adom": "",
"epid": "",
"epname": "",
"subject": "",
"euid": "",
"euname": "",
"devname": "",
"logtype": "",
"devtype": "",
"devid": "",
"vdom": "",
"groupby1": "",
"triggername": "",
"tag": "",
"eventtype": "",
"severity": "",
"extrainfo": "",
"ackflag": "",
"readflag": "",
"filterkey": "",
"firstlogtime": "",
"multiflag": "",
"lastlogtime": "",
"updatetime": "",
"filtercksum": "",
"filterid": ""
}
]
}
}

operation: Count Events for Multiple ADOMs

Input parameters

Parameter	Description
Group By	Specify the group-by field using which you want to count the events retrieved from Fortinet FortiAnalyzer. For example, dev_name
Start Time	Start DateTime from when you want to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
End Time	End DateTime till when you want to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events.
Filter	Query filter using which you want to search for the alert events and retrieve their counts from Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium'

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"severity": "",
"count": ""
}
]
}
}

operation: Get Incident for Multiple ADOMs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Incident IDs	List of incident IDs based on which you want to fetch incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002
Status	Status of the incident using which you want to filter incidents to be fetched from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Filter	Query filter using which you want to filter incidents to be fetched from Fortinet FortiAnalyzer. For example, status='draft' and severity='low'
Detail Level	Level of detail that you want to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended.
Limit	Maximum number of records that this operation should return. Values supported are: Default: 50 Min: 1 Max: 2000
Offset	Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0 and the minimum supported value is 0.
Sort	Select this checkbox if you want to sort the incidents by a field and order the results. If you select this checkbox, i.e., set it as "true", then specify the following parameters: Sort by Field: Name of the field on which you want to sort the result. Sort by Order: Sorting order of the result, choose between ASC (ascending) or DESC (descending).

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"incid": "",
"epid": "",
"endpoint": "",
"euid": "",
"category": "",
"severity": "",
"status": "",
"description": "",
"reporter": "",
"createtime": "",
"lastupdate": "",
"lastuser": "",
"revision": "",
"attach_lastupdate": "",
"attach_revision": "",
"refinfo": "",
"report_src": "",
"report_srcid": "",
"report_detail": "",
"assigned_to": "",
"remedy_action": "",
"remedy_executor": "",
"remedy_approver": "",
"remedy_time": "",
"adom": "",
"epcount": "",
"eucount": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}

operation: Count Incidents for Multiple ADOMs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Incident IDs	List of incident IDs using which you want to count the incidents retrieved from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002
Filter	Query filter using which you want to search for the incidents and retrieve their counts from Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium'

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"count": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}

Included playbooks

The Sample - Fortinet FortiAnalyzer - 3.0.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiAnalyzer connector.

• Add a Master Device
• Add a New Device
• Add a Slave Device
• Authorize Device
• Count Events for Multiple ADOMs
• Count Incidents for Multiple ADOMs
• Create Incident
• Delete a Device
• Fetch Log Search Result by Task ID
• > FortiAnalyzer > Fetch Event
• > FortiAnalyzer > Fetch Incident
• >> FortiAnalyzer > Init Macros
• > FortiAnalyzer > Parent > Fetch
• FortiAnalyzer > Parent > Ingest
• FortiAnalyzer > Post Create Alert > Fetch Events
• FortiAnalyzer > Post Create Alert > Fetch Logs
• Get ADOMs
• Get Device Information
• Get Devices
• Get Endpoint Info
• Get Event
• Get Event Logs
• Get Event for Multiple ADOMs
• Get Events For Incident
• Get Executed Report List
• Get Incident
• Get Incident Assets
• Get Incident Attachments
• Get Incident for Multiple ADOMs
• Get Log-File Content
• Get Log-File State
• Get Report File
• Get Report Schedule List
• Get User Info
• List Log Fields
• Log Search over Log-File
• Run Report
• Start Log Search Request
• Update Incident
• Update Incident Attachment

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events and their related logs from FAZ. Currently, "events" in FAZ are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FAZ "Events" to FortiSOAR™ "Alerts".

Important: If you have updated the connector from version 1.5.0 to 2.0.0 or later, and you have configured data ingestion to pull incidents, then the existing data ingestion will work and will continue to pull incidents till you delete the data ingestion playbooks; however, you cannot re-configure the data ingestion, i.e., update the Incident IDs used to pull incidents from FortiAnalyzer.

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from FAZ into FortiSOAR™. It also lets you pull some sample data from FAZ using which you can define the mapping of data between FAZ and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FAZ event.

1. To begin configuring data ingestion, click Configure Data Ingestion on the FAZ connector’s "Configurations" page.
   Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
   
   Sample data is required to create a field mapping between FAZ data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
2. On the Fetch Data screen, provide the configurations required to fetch FAZ data.
   You can pull events from FAZ by specifying a query using which you want to pull events from FAZ. Supported keys are 'alertid', 'devid', 'severity', etc. You can also specify additional parameters such as the maximum number of events to be fetched, the maximum logs to be fetched for each event, and the last X minutes based on which you want to pull events from FAZ. In version 3.0.0 of the FortiAnalyzer connector, a new checkbox "Configure Multi-Tenant Mapping" is added to enable you to map the ADOM that you have specified in FortiAnalyzer with a tenant in FortiSOAR.
   
   The fetched data is used to create a mapping between the FAZ data and FortiSOAR™ alerts. Once you have completed specifying the configurations, click Fetch Data.

3. On the Field Mapping screen, map the fields of a FAZ event to the fields of an alert present in FortiSOAR™.
   To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventtype parameter of a FAZ event to the type parameter of a FortiSOAR™ alert, click the Type field and then click the eventtype field to populate its keys:
   
   For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FAZ, so that the content gets pulled from the FAZ integration into FortiSOAR™.
   On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
   In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FAZ every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., events will be pulled from FAZ every 5 minutes.
   Once you have completed scheduling, click Save Settings & Continue.

5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.

Limitations of the Fortinet FortiAnalyzer connector

• The "Sort" function does not work for the connector actions when you set the "Detail Level" for the results as 'Extended'. The "Sort" function works fine when you set the "Detail Level" for the results as 'Basic' or 'Standard'.
• The "Get Report Schedule List" and "Run Report" actions do not work for FortiAnalyzer’s standard user for all ADOMs.
• There are some limitations from the Fortinet FortiAnalyzer API itself, due to which you might face the following issues while using the Fortinet FortiAnalyzer connector:
  • The log file downloaded using the "Get Log-File Content" action is in the 'base64' format, which is not in a readable format. The log file gets added to the "Attachments" in FortiSOAR™. The file content is not in a readable format, even if you try using the 'text/gzip/base64' data type.
  • The "Get Event Logs" action does not return records as per the specified limit. The playbook returns '25' records as output even if you have specified any other number such as, '5' records. This issue also affects the data ingestion process of pulling logs for events based on the 'Limit' parameter.
  • The "List Log Fields" action does not work for the FortiDDos and FortiDeceptor device types and for some subtypes such as 'default'.