FortiAnalyzer is the NOC-SOC security analysis tool built with an operations perspective. FortiAnalyzer (FAZ) supports analytics-powered use cases to provide better detection against breaches.
This document provides information about the Fortinet FortiAnalyzer Connector, which facilitates automated interactions with your Fortinet FortiAnalyzer server using FortiSOAR™ playbooks. Add the Fortinet FortiAnalyzer Connector as a step in FortiSOAR™ playbooks and perform automated operations such as creating and updating incidents on Fortinet FortiAnalyzer and retrieving user and endpoint information from Fortinet FortiAnalyzer.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Fortinet FortiAnalyzer. Currently, events in Fortinet FortiAnalyzer are mapped to alerts in FortiSOAR™. For more information, see the Data Ingestion Support section.
Connector Version: 3.2.0
FortiSOAR™ Version Tested on: 7.4.1-3167
FortiAnalyzer Version Tested on: v7.4.0 GA
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiAnalyzer Connector in version 3.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-fortinet-fortianalyzer
You can also create a new user in Fortinet FortiAnalyzer and use this newly created user in the connector configuration.
IMPORTANT: From Fortinet FortiAnalyzer API v7.0.0 onwards, the Superuser permission is required for multiple-ADOM support. Therefore, from Fortinet FortiAnalyzer release 7.0.0 onwards, operations fail when users with the Standard profile run operations with multiple-ADOM support.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Username | The username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Password | The password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| ADOM Name | The administrative domain (ADOM) name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. NOTE: Separate multiple ADOM names with a comma. Do not use spaces to separate the ADOM names. |
| Port | Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Incident | Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint, ADOM name, and other input parameters you have specified. | create_incident Investigation |
| Get Incident | Retrieves all incidents or a specific incident from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | list_incidents Investigation |
| Update Incident | Updates incident fields like severity, category, status, etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name and other input parameters you have specified. | update_incident_details Investigation |
| Get Events For Incident | Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | get_events_for_incident Investigation |
| Get Executed Report List | Retrieves a list of all executed reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the ADOM name, time frame, and other input parameters you have specified. | get_reports Investigation |
| Get Report Schedule List | Retrieves a list of all report schedules from Fortinet FortiAnalyzer based on the ADOM name you have specified. | get_schedules Investigation |
| Run Report | Runs a report on the Fortinet FortiAnalyzer based on the report ID, schedule ID, and ADOM name you have specified. | run_report Investigation |
| Get Report File | Retrieves a specific generated report file from Fortinet FortiAnalyzer based on the report ID and ADOM name you have specified and adds that report file to FortiSOAR as an Attachment. | get_generated_report Investigation |
| Get User Information | Retrieves information for all users or specific users from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_users Investigation |
| Get Endpoint Information | Retrieves information for all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_endpoints Investigation |
| List Log Fields | Retrieves all log fields from Fortinet FortiAnalyzer based on the device and log type, ADOM name, and other input parameters you have specified. | list_log_fields Investigation |
| Get Log-File Content | Retrieves the content of a specified log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | get_log_file_content Investigation |
| Log Search over Log-File | Runs a log search task for a single log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | log_search_over_log_file Investigation |
| Get Log-File State | Retrieves the state of a log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | get_log_file_state Investigation |
| Start Log Search Request | Starts a new task to search for logs in Fortinet FortiAnalyzer based on the device ID, device name, ADOM name, and other input parameters you have specified. | start_log_search_request Investigation |
| Start Bulk Device Log Search Request | Starts a new task to search for logs across all devices in Fortinet FortiAnalyzer based on the device type and other input parameters you have specified. | start_bulk_device_log_search_request Investigation |
| Fetch Log Search Result by Task ID | Starts a new task to retrieve the log search results from Fortinet FortiAnalyzer based on the task ID, ADOM name, and other input parameters you have specified. | fetch_log_search_result_by_task_id Investigation |
| Get Event | Retrieves all the events or a specific event from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_alerts Investigation |
| Get Event Logs | Retrieves the logs associated with a specific event from Fortinet FortiAnalyzer based on the FAZ event ID, ADOM name, and other input parameters you have specified. | get_alert_event_logs Investigation |
| Add Incident Attachment | Adds new attachment to incident in FortiAnalyzer based on the incident ID and other input parameters you have specified. | add_attachment Investigation |
| Get Incident Assets | Retrieves a list of assets affected by the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and other parameters you have specified. | get_incident_assets Investigation |
| Get Incident Attachments | Retrieves all attachments (i.e. Comments, Events, Report, Indicators, etc.) associated with the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | get_attachments_for_incident Investigation |
| Update Incident Attachment | Updates incident attachment fields associated with a specific incident in FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | update_attachment Investigation |
| Get ADOMs | Retrieves all ADOMs from Fortinet FortiAnalyzer based on the ADOM name you have specified. | get_adoms Investigation |
| Add a Primary Device | Adds a primary device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_primary_device Investigation |
| Add a Secondary Device | Adds a secondary device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, primary device name, and primary device serial number you have specified. | add_secondary_device Investigation |
| Add a New Device | Adds a new device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, ADOM name, and other input parameters you have specified. | add_new_device Investigation |
| Get Devices | Retrieves all devices from the Fortinet FortiAnalyzer device manager database based on the ADOM name you have specified. | get_devices Investigation |
| Get Log Status | Retrieves the last log time and log rate per device[vdom] from Fortinet FortiAnalyzer. This operation retrieves the log status for all devices or the log status for particular devices based on the device ID and ADOM name you have specified. | get_log_status Investigation |
| Get Device Information | Retrieves device information from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified. | get_device_info Investigation |
| Authorize Device | Authorizes the device in Fortinet FortiAnalyzer based on the device name, serial number, ADOM name, and other input parameters you have specified. | authorize_device Investigation |
| Delete a Device | Deletes a specific device from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified. | delete_device Investigation |
| Get Event for Multiple ADOMs | Retrieves all events or specific event for multiple ADOMs from FortiAnalyzer based on the input parameters you have specified. | get_alerts_for_multiple_adoms Investigation |
| Count Events for Multiple ADOMs | Retrieves the count of events from multiple ADOMs in FortiAnalyzer based on the group by and other input parameters you have specified. | count_alerts_for_multiple_adoms Investigation |
| Get Incident for Multiple ADOMs | Retrieves all incidents or a specific incident for multiple ADOMs from Fortinet FortiAnalyzer based on the input parameters you have specified. | list_incidents_for_multiple_adoms Investigation |
| Count Incidents for Multiple ADOMs | Retrieves the count of incidents from multiple ADOMs in FortiAnalyzer based on the input parameters you have specified. | count_incidents_for_multiple_adoms Investigation |
| Parameter | Description |
|---|---|
| Incident Reporter | Specify the name of the incident reporter for the incident being created in Fortinet FortiAnalyzer. |
| Affected Endpoint | Specify the details of the endpoints affected by the incident being created in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to create the incident in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Specify the name of person to assign the incident being created in Fortinet FortiAnalyzer. |
| Category | (Optional) Specify the category in which to create the incident in Fortinet FortiAnalyzer. You can specify one of the following: |
| Severity | (Optional) Select the severity level to assign to the incident being created in Fortinet FortiAnalyzer. You can choose from the following options: |
| Status | (Optional) Select the status to assign to the incident being created in Fortinet FortiAnalyzer. You can choose from the following options: |
| End User ID | (Optional) Specify the ID of the end user to assign to the incident being created in Fortinet FortiAnalyzer. |
| Description | (Optional) Specify the description of the incident being created in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Specify additional fields in JSON format to add to the incident being created in Fortinet FortiAnalyzer. For example, `{"epid":123}` |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "incid": "",
    "revision": "",
    "attach_revision": ""
  }
}
```
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the incident from Fortinet FortiAnalyzer. |
| Incident IDs | Specify the list of incident IDs to retrieve the incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Select the status of the incident to filter retrieved incidents from Fortinet FortiAnalyzer. You can choose from the following options: |
| Filter | Specify the filter query to filter incidents being retrieved from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
| Detail Level | Specify the level of detail to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say incidents starting from the 10th incident. By default, this is set to 0 and the minimum supported value is 0. |
| Sort | Select this checkbox to sort the incidents by a field and order the results. Once selected, specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "status": {
      "code": "",
      "message": ""
    },
    "detail-level": "",
    "data": [
      {
        "attach_lastupdate": "",
        "attach_revision": "",
        "category": "",
        "createtime": "",
        "description": "",
        "endpoint": "",
        "epid": "",
        "euid": "",
        "incid": "",
        "lastupdate": "",
        "lastuser": "",
        "refinfo": "",
        "reporter": "",
        "revision": "",
        "severity": "",
        "status": "",
        "epcount": "",
        "eucount": "",
        "report_src": "",
        "assigned_to": "",
        "remedy_time": "",
        "report_srcid": "",
        "remedy_action": "",
        "report_detail": "",
        "remedy_approver": "",
        "remedy_executor": "",
        "incident_reporter": ""
      }
    ]
  },
  "jsonrpc": "",
  "id": ""
}
```
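The Get Incident operation above, as an added Python example that is not part of the connector or of Fortinet's code: it validates the ADOM Name value (comma-separated, no spaces), builds the JSON-RPC request with the documented Limit/Offset bounds and filter syntax, pages through results, and fails closed on a non-zero result.status.code. The request URL shape, the "get" method and the session field are assumptions; the server side is a constructed offline stand-in that only imitates the response schema shown above.

```python
import re
from typing import Any, Callable, Dict, List, Optional

JsonRpc = Dict[str, Any]
Transport = Callable[[JsonRpc], JsonRpc]  # sends one request, returns the reply


def parse_adom_names(raw: str) -> List[str]:
    """Split the ADOM Name value; the page forbids spaces, so reject them
    outright instead of trimming, and surface the misconfiguration early."""
    if not raw or re.search(r"\s", raw):
        raise ValueError("ADOM names must be comma-separated without spaces")
    names = [n for n in raw.split(",") if n]
    if not names:
        raise ValueError("at least one ADOM name is required")
    return names


def build_list_incidents_request(adom: str, session: str, request_id: int,
                                 filter_expr: Optional[str] = None,
                                 limit: int = 50, offset: int = 0) -> JsonRpc:
    """JSON-RPC 'get' for Get Incident, enforcing the documented Limit
    (1..2000, default 50) and Offset (>= 0) bounds. URL is an assumption."""
    if not 1 <= limit <= 2000:
        raise ValueError("limit must be between 1 and 2000")
    if offset < 0:
        raise ValueError("offset must be 0 or greater")
    params: Dict[str, Any] = {"url": f"/incidentmgmt/adom/{adom}/incidents",
                              "detail-level": "basic", "limit": limit,
                              "offset": offset}
    if filter_expr:  # e.g. "status='analysis' and severity='low'"
        params["filter"] = filter_expr
    return {"jsonrpc": "2.0", "id": request_id, "method": "get",
            "session": session, "params": [params]}


def parse_incidents_response(resp: JsonRpc) -> List[Dict[str, Any]]:
    """Return result.data from the schema above, failing closed: a non-zero
    or missing result.status.code raises, so a permission error (e.g. the
    Superuser requirement for multiple ADOMs) never reads as 'no incidents'."""
    result = resp.get("result")
    if not isinstance(result, dict):
        raise ValueError("malformed response: 'result' object missing")
    status = result.get("status") or {}
    if status.get("code") != 0:
        raise RuntimeError(f"FortiAnalyzer error {status.get('code')}: "
                           f"{status.get('message', 'no message')}")
    return list(result.get("data") or [])


def fetch_all_incidents(transport: Transport, adom: str, session: str,
                        filter_expr: Optional[str] = None, page_size: int = 50,
                        max_records: int = 2000) -> List[Dict[str, Any]]:
    """Walk Limit/Offset pages until a short page signals the end."""
    incidents: List[Dict[str, Any]] = []
    offset, request_id = 0, 1
    while len(incidents) < max_records:
        req = build_list_incidents_request(adom, session, request_id,
                                           filter_expr, page_size, offset)
        page = parse_incidents_response(transport(req))
        incidents.extend(page)
        if len(page) < page_size:
            break
        offset, request_id = offset + page_size, request_id + 1
    return incidents[:max_records]


# --- constructed offline stand-in for the server (not a real FortiAnalyzer) ---
def _matches_filter(record: Dict[str, Any], filter_expr: Optional[str]) -> bool:
    """Evaluate key='value' clauses joined by 'and', the filter form shown above."""
    if not filter_expr:
        return True
    for clause in filter_expr.split(" and "):
        m = re.match(r"^(\w+)='([^']*)'$", clause.strip())
        if not m:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        if str(record.get(m.group(1))) != m.group(2):
            return False
    return True


def make_fake_transport(records: List[Dict[str, Any]]) -> Transport:
    """Serve the constructed incidents in the documented response shape."""
    def transport(req: JsonRpc) -> JsonRpc:
        p = req["params"][0]
        hits = [r for r in records if _matches_filter(r, p.get("filter"))]
        return {"jsonrpc": "2.0", "id": req["id"],
                "result": {"status": {"code": 0, "message": "OK"},
                           "detail-level": p["detail-level"],
                           "data": hits[p["offset"]:p["offset"] + p["limit"]]}}
    return transport


# Constructed sample incidents using the schema's field names.
SAMPLE_INCIDENTS = [{"incid": f"IN{n:08d}", "status": "analysis" if n % 2 else "new",
                     "severity": "low", "epid": n, "reporter": "FortiSOAR"}
                    for n in range(1, 8)]


def demo(adom_config: str = "root,SOC-ADOM") -> List[str]:
    """Get Incident against the stand-in, page size 3, filtered by status."""
    adom = parse_adom_names(adom_config)[0]
    hits = fetch_all_incidents(make_fake_transport(SAMPLE_INCIDENTS), adom,
                               "session-token-placeholder",
                               filter_expr="status='analysis'", page_size=3)
    return [h["incid"] for h in hits]
```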
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to update in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to update the incident in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Specify the name of person to assign the incident being updated in Fortinet FortiAnalyzer. |
| Category | (Optional) Specify the category in which to update the incident in Fortinet FortiAnalyzer. You can specify one of the following: |
| Status | (Optional) Select the status to assign to the incident being updated in Fortinet FortiAnalyzer. You can choose from the following options: |
| Affected Endpoint | Specify the details of the endpoints affected by the incident being updated in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Severity | (Optional) Select the severity level to assign to the incident being updated in Fortinet FortiAnalyzer. You can choose from the following options: |
| End User ID | (Optional) Specify the ID of the end user to assign to the incident being updated in Fortinet FortiAnalyzer. |
| Description | (Optional) Specify the description of the incident being updated in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Specify additional fields in JSON format to add to the incident being updated in Fortinet FortiAnalyzer. For example, `{"epid":123}` |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "incid": "",
    "revision": "",
    "attach_revision": "",
    "status": {
      "code": "",
      "message": ""
    }
  },
  "jsonrpc": "",
  "id": ""
}
```
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose associated events to retrieve from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve events associated with the incident from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say events starting from the 10th event. By default, this is set to 0 and the minimum supported value is 0. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "data": [
      {
        "attachid": "",
        "incid": "",
        "attachtype": "",
        "data": "",
        "tags": "",
        "attachsrc": "",
        "user_tags": "",
        "attachsrcid": "",
        "attachsrctrigger": "",
        "createtime": "",
        "lastupdate": "",
        "lastuser": "",
        "revision": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Incident ID | Specify the incident ID whose associated affected assets are to be retrieved from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server to get incident assets from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say assets starting from the 10th asset. By default, this is set to 0 and the minimum supported value is 0. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "data": [
      {
        "seqid": "",
        "incid": "",
        "srctype": "",
        "srcinfo": "",
        "ctime": "",
        "epid": "",
        "mac": "",
        "epip": "",
        "osname": "",
        "alerttime": "",
        "osversion": "",
        "euid": "",
        "epname": "",
        "euname": ""
      }
    ],
    "status": ""
  }
}
```
| Parameter | Description |
|---|---|
| State | Specify the state of the executed report to retrieve from Fortinet FortiAnalyzer. The supported states are: |
| Start Time | Specify the start date and time from when to retrieve the list of executed reports from Fortinet FortiAnalyzer. NOTE: If the timezone information is not specified, then the Fortinet FortiAnalyzer's timezone is used for retrieving the reports. |
| End Time | Specify the end date and time until when to retrieve the list of executed reports from Fortinet FortiAnalyzer. NOTE: If the timezone information is not specified, then the Fortinet FortiAnalyzer's timezone is used for retrieving the reports. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the list of executed reports from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "data": [
      {
        "name": "",
        "devtype": "",
        "timezone": "",
        "schedule_color": "",
        "title": "",
        "device": {
          "data": "",
          "count": ""
        },
        "tid": "",
        "date": "",
        "adminuser": "",
        "profileid": "",
        "start": "",
        "timestamp-start": "",
        "end": "",
        "timestamp-end": "",
        "timezone-desc": "",
        "period-start": "",
        "period-end": "",
        "state": "",
        "progress-percent": "",
        "format": []
      }
    ],
    "count": "",
    "revision": ""
  }
}
```
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve report schedules from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "status": {
      "code": "",
      "message": ""
    },
    "data": [
      {
        "admin-user": "",
        "auto-hcache": "",
        "date-format": "",
        "description": "",
        "dev-type": "",
        "device-list-type": "",
        "devices": [
          {
            "devices-name": "",
            "interfaces": ""
          }
        ],
        "display-device-by": "",
        "display-table-contents": "",
        "email-report-per-device": "",
        "filter": "",
        "filter-logic": "",
        "data-accuracy": "",
        "filter-type": "",
        "is-template": "",
        "include-coverpage": "",
        "include-other": "",
        "language": "",
        "ldap-query": "",
        "ldap-server": "",
        "ldap-user-case-change": "",
        "max-reports": "",
        "name": "",
        "tz": "",
        "obfuscate-user": "",
        "orientation": "",
        "output-format": "",
        "output-profile": "",
        "period-last-n": "",
        "period-opt": "",
        "print-report-filters": "",
        "report-layout": [
          {
            "layout-id": ""
          }
        ],
        "report-per-device": "",
        "resolve-hostname": "",
        "soc-cust-filters": "",
        "schedule-color": "",
        "soc-def-filters": "",
        "cached-filtering": "",
        "schedule-frequency": "",
        "schedule-type": "",
        "soc-filtering": "",
        "address-filter": [
          {
            "id": "",
            "grp-name": "",
            "obj-name": "",
            "address-type": "",
            "include-option": ""
          }
        ],
        "schedule-valid-end": [],
        "schedule-valid-start": [],
        "status": "",
        "time-period": "",
        "week-start": ""
      }
    ]
  }
}
```
| Parameter | Description |
|---|---|
| Schedule | Specify the name or ID of the schedule to run the report. NOTE: You can get the name or ID of the schedule using the Get Report Schedule List action. |
| Report ID | Specify the ID of the report to run on Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to run the report in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "tid": ""
  },
  "jsonrpc": "",
  "id": ""
}
```
| Parameter | Description |
|---|---|
| Task ID | Specify the task ID of the generated report to retrieve from Fortinet FortiAnalyzer and upload the report file as an Attachment in FortiSOAR. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the generated report from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "checksum": "",
    "data": "",
    "length": "",
    "name": "",
    "tid": "",
    "data-type": ""
  },
  "jsonrpc": "",
  "id": "",
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "size": "",
    "uuid": "",
    "@type": "",
    "assignee": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "uuid": "",
  "@type": "",
  "tasks": [],
  "alerts": [],
  "assets": [],
  "owners": [],
  "people": [],
  "@context": "",
  "assignee": "",
  "comments": [],
  "warrooms": [],
  "incidents": [],
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "uuid": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "indicators": [],
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "uuid": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": [],
  "userOwners": [],
  "description": ""
}
```
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve user information from Fortinet FortiAnalyzer. |
| Fetch Users Type | Select whether you want this operation to fetch only specific users or all users. You can choose from the following options: |
| Filter | Specify the filter query to filter user information being fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost' |
| Detail Level | Select the level of detail to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options: |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 1000000 records to retrieve. Default value is 100000. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say users starting from the 10th user. By default, this is set to 0 and the minimum supported value is 0. |
| Sort | Select this checkbox to sort the users by a field and order the results. Once selected, specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "data": [
      {
        "euid": "",
        "euuuid": "",
        "euname": "",
        "title": "",
        "firstname": "",
        "lastname": "",
        "gender": "",
        "birthday": "",
        "socialid": {
          "data": []
        },
        "authtype": "",
        "eugroup": "",
        "homeaddr": "",
        "employeeid": "",
        "firstseen": "",
        "lastseen": "",
        "workaddr": "",
        "workphone": "",
        "workemail": "",
        "phone": "",
        "email": ""
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve endpoint information from Fortinet FortiAnalyzer. |
| Fetch Endpoint Type | Select whether you want this operation to fetch only specific endpoints or all endpoints. You can choose from the following options: |
| Filter | Specify the filter query to filter endpoints being fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set to 0 and the minimum supported value is 0. |
| Sort | Select this checkbox to sort the endpoints by a field and order the results. Once selected, specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "jsonrpc": "",
  "id": "",
  "result": {
    "data": [
      {
        "lastseen": "",
        "epid": "",
        "epname": "",
        "epdevtype": "",
        "osname": "",
        "osversion": "",
        "fctuid": "",
        "adomoid": "",
        "detecttype": "",
        "detectkey": "",
        "devid": "",
        "vd": "",
        "macip": [
          {
            "mac": "",
            "epip": "",
            "lastseen": ""
          }
        ]
      }
    ],
    "status": {
      "code": "",
      "message": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Device Type | Specify the list of device types for which to retrieve log fields from Fortinet FortiAnalyzer. You can add device types such as FortiGate, FortiClient, FortiMail, FortiWeb, FortiSandbox, FortiDDoS, and FortiDeceptor. |
| Log Type | Select the log type to filter logs being retrieved from Fortinet FortiAnalyzer. You can choose from the following options: |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log fields from Fortinet FortiAnalyzer. |
| Subtype | Specify the subtype of the log to filter logs retrieved from Fortinet FortiAnalyzer. For example, logdev, system, fazsys, logging, logfile, dvm, etc. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "jsonrpc": "",
  "result": {
    "field": [
      {
        "defaultshow": "",
        "desc": "",
        "logfldgrp": "",
        "name": "",
        "type": ""
      }
    ],
    "private-field": [
      {
        "defaultshow": "",
        "desc": "",
        "logfldgrp": "",
        "name": "",
        "type": ""
      }
    ],
    "data": [
      {
        "field": [
          {
            "desc": "",
            "name": "",
            "type": "",
            "logfldgrp": "",
            "defaultshow": ""
          }
        ],
        "index": "",
        "logtype": "",
        "private-field": [
          {
            "desc": "",
            "name": "",
            "type": "",
            "logfldgrp": "",
            "defaultshow": ""
          }
        ]
      }
    ]
  }
}
```
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file whose content is to be retrieved from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file whose content is to be retrieved from Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM to filter the log files whose content is to be retrieved from Fortinet FortiAnalyzer. For example, root |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log file content from Fortinet FortiAnalyzer. |
| Data Type | Specify the type of the returned data for the log file whose content is to be retrieved from Fortinet FortiAnalyzer. For example, 'text/gzip/base64', 'csv/gzip/base64', etc. Default is base64. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This allows you to use a pagination token returned by the API to paginate a set of results and to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation starts from the 10th record and returns the list. By default, this is set to 0 and the minimum supported value is 0. |
| Length | (Optional) Specify the length in bytes, of the file content, that this operation should return. By default, this is set to 1048576, the minimum supported value is 1, and the maximum supported value is 52428800. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "jsonrpc": "",
  "result": {
    "checksum": "",
    "data": "",
    "data-type": "",
    "length": "",
    "log-count": "",
    "offset": "",
    "logfile-orig-size": ""
  },
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "size": "",
    "uuid": "",
    "@type": "",
    "assignee": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "uuid": "",
  "@type": "",
  "tasks": [],
  "alerts": [],
  "assets": [],
  "owners": [],
  "people": [],
  "@context": "",
  "assignee": "",
  "comments": [],
  "warrooms": [],
  "incidents": [],
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "uuid": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "indicators": [],
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "uuid": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": [],
  "userOwners": [],
  "description": ""
}
```
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file based on which to search for the log file in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file to search in Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM based on which to search the log file content in Fortinet FortiAnalyzer. For example, root. |
| Log Type | Specify the type of log to search in Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search the log file content in Fortinet FortiAnalyzer. |
| Case Sensitive | Select this option to perform a case-sensitive search of the log file in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, subtype='forward' and srcname='LAN-FSW-GUEST'. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This allows you to use a pagination token returned by the API to paginate a set of results and to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation starts from the 10th record and returns the list. By default, this is set to 0 and the minimum supported value is 0. |
| Limit | (Optional) Specify the maximum count of log records that this operation should return. By default, this is set to 50, the minimum supported value is 1, and the maximum supported value is 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"logver": "",
"idseq": "",
"itime": "",
"devid": "",
"vd": "",
"app": "",
"date": "",
"time": "",
"logid": "",
"type": "",
"appid": "",
"subtype": "",
"transip": "",
"countapp": "",
"level": "",
"eventtime": "",
"tz": "",
"srcip": "",
"srcname": "",
"msg": "",
"url": "",
"hostname": "",
"direction": "",
"eventtype": "",
"scertcname": "",
"scertissuer": "",
"incidentserialno": "",
"srcport": "",
"srcintf": "",
"srcintfrole": "",
"dstip": "",
"dstport": "",
"dstintf": "",
"dstintfrole": "",
"srcuuid": "",
"dstuuid": "",
"sessionid": "",
"srcfamily": "",
"proto": "",
"action": "",
"policyid": "",
"policytype": "",
"poluuid": "",
"service": "",
"dstcountry": "",
"srccountry": "",
"trandisp": "",
"duration": "",
"sentbyte": "",
"rcvdbyte": "",
"sentpkt": "",
"rcvdpkt": "",
"appcat": "",
"srchwvendor": "",
"osname": "",
"mastersrcmac": "",
"srcmac": "",
"applist": "",
"apprisk": "",
"srcserver": "",
"transport": "",
"utmaction": "",
"offset_idx": "",
"policyname": "",
"dtime": "",
"itime_t": "",
"devname": "",
"devtype": ""
}
],
"return-lines": "",
"total-count": ""
}
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the state of a log file from Fortinet FortiAnalyzer. |
| Device ID | Specify the ID of the device hosting the log file whose state to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file whose state to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM to filter log files and retrieve the log file state from Fortinet FortiAnalyzer. For example, root. |
| Start Time | (Optional) Specify the start date and time from when to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for retrieving the log file state. |
| End Time | (Optional) Specify the end date and time till when to retrieve the state of log files from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for retrieving the log file state. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"device-file-list": [
{
"device-id": "",
"device-name": "",
"endtime": "",
"starttime": "",
"vdom-file-list": [
{
"endtime": "",
"logfile-list": {
"rlog": {
"files": [
{
"fsize": "",
"endtime": "",
"filename": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
},
"elog": {
"files": [
{
"endtime": "",
"filename": "",
"fsize": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
},
"tlog": {
"files": [
{
"fsize": "",
"endtime": "",
"filename": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
}
},
"starttime": "",
"vdom-name": ""
}
]
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file based on which to start the search for logs in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Device Name | Specify the name of the device based on which to start the search for logs from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Start Time | (Optional) Specify the start date and time from when to search for logs in Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for the log search request. |
| End Time | (Optional) Specify the end date and time till when to search for logs in Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for the log search request. |
| Log Type | Select the log type to filter the logs being searched in Fortinet FortiAnalyzer. You can choose from the following options: |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search for logs in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option to perform a case-sensitive search of the logs in Fortinet FortiAnalyzer. |
| Time Order | Select the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options: |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| All Device Type | Specify the name of the "All Devices" group whose logs to search in Fortinet FortiAnalyzer. For example: All_FortiGate, All_FortiMail, All_FortiWeb, All_FortiManager, All_Syslog, All_FortiClient, All_FortiCache, All_FortiProxy, All_FortiAnalyzer, All_FortiSandbox, All_FortiAuthenticator, All_FortiDDoS |
| Start Time | (Optional) Specify the start date and time from when to search for logs in Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for the log search request. |
| End Time | (Optional) Specify the end date and time till when to search for logs in Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is used for the log search request. |
| Log Type | Select the log type to filter the logs being searched in Fortinet FortiAnalyzer. You can choose from the following options: |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search for logs in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option to perform a case-sensitive search of the logs in Fortinet FortiAnalyzer. |
| Time Order | Select the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options: |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| Task ID | Specify the ID of the task log search to retrieve the log search result from Fortinet FortiAnalyzer. For example, 193200136. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the log search result from Fortinet FortiAnalyzer. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 500 records to retrieve. Default value is 50. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"app": "",
"appcat": "",
"date": "",
"devid": "",
"devname": "",
"devtype": "",
"dstcountry": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"duration": "",
"itime": "",
"itime_t": "",
"level": "",
"logid": "",
"logver": "",
"mastersrcmac": "",
"osname": "",
"policyid": "",
"proto": "",
"rcvdbyte": "",
"rcvdpkt": "",
"sentbyte": "",
"sentpkt": "",
"service": "",
"sessionid": "",
"srccountry": "",
"srcintf": "",
"srcip": "",
"srcmac": "",
"srcname": "",
"srcport": "",
"subtype": "",
"time": "",
"trandisp": "",
"transip": "",
"transport": "",
"type": "",
"vd": ""
}
],
"percentage": "",
"return-lines": "",
"status": {
"code": "",
"message": ""
},
"tid": ""
}
}
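The Start Log Search operations above return only a task ID (result.tid); the records come back from Get Log Search Result, which reports a completion percentage and is paged with Offset and Limit. The following added example (illustrative code, not the connector's own implementation) drives that lifecycle end to end: submit the search, poll the task until it reports 100 percent, then page through the result until a short page signals the end. It assumes the JSON-RPC URLs `/logview/adom/{adom}/logsearch` and `/logview/adom/{adom}/logsearch/{tid}`, and that the `rpc` callable you pass in handles HTTPS transport and the session token. `FakeFortiAnalyzer` is a constructed stand-in for the endpoint so the example runs offline; its records are constructed, not captured data.

```python
"""Added example: start a FortiAnalyzer log search, poll the task id,
then page the result with offset/limit. URLs are assumptions; the `rpc`
callable is expected to add authentication and talk HTTPS."""
from typing import Callable, Iterator, List

Transport = Callable[[dict], dict]   # JSON-RPC request dict in, decoded response dict out


def start_log_search(rpc: Transport, adom: str, devid: str, vdom: str,
                     logtype: str, filt: str, start: str, end: str,
                     time_order: str = "desc", case_sensitive: bool = False) -> int:
    """Submit a search and return its task id (result.tid)."""
    req = {
        "id": 1, "jsonrpc": "2.0", "method": "add",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch",   # assumed URL
            "apiver": 3,
            "logtype": logtype,
            "device": [{"devid": devid, "vdom": vdom}],
            "filter": filt,
            # Pass explicit timestamps; without timezone info FAZ applies its own.
            "time-range": {"start": start, "end": end},
            "time-order": time_order,
            "case-sensitive": case_sensitive,
        }],
    }
    return int(rpc(req)["result"]["tid"])


def iter_log_search_results(rpc: Transport, adom: str, tid: int,
                            limit: int = 50, max_polls: int = 100) -> Iterator[dict]:
    """Yield every record of task `tid`.

    The task runs asynchronously: while `percentage` < 100 more rows may still
    arrive, so keep polling; once it reaches 100, page with offset/limit until
    a short page shows nothing is left. Offset counts records to skip, so it
    advances by the number of rows actually returned, never by a fixed step.
    """
    if not 1 <= limit <= 500:                      # bounds of the Limit parameter
        raise ValueError("limit must be between 1 and 500")
    offset, polls = 0, 0
    while True:
        req = {
            "id": 1, "jsonrpc": "2.0", "method": "get",
            "params": [{"url": f"/logview/adom/{adom}/logsearch/{tid}",  # assumed URL
                        "apiver": 3, "offset": offset, "limit": limit}],
        }
        result = rpc(req)["result"]
        status = result.get("status", {})
        if int(status.get("code", 0)) != 0:
            raise RuntimeError(f"log search {tid} failed: {status.get('message')}")
        rows: List[dict] = result.get("data", [])
        yield from rows
        offset += len(rows)
        if int(result.get("percentage", 0)) < 100:
            polls += 1                            # in real use, time.sleep() here
            if polls > max_polls:
                raise TimeoutError(f"log search {tid} did not finish after {max_polls} polls")
            continue
        if len(rows) < limit:                     # short page: nothing left
            return


class FakeFortiAnalyzer:
    """Constructed stand-in for the endpoint so the example runs offline.
    The search reports the given progress values on successive polls and
    serves `records` in pages; it is not a real FortiAnalyzer."""
    def __init__(self, records: List[dict], progress=(40, 100)):
        self.records, self.progress, self.calls = records, list(progress), 0

    def __call__(self, req: dict) -> dict:
        self.calls += 1
        p = req["params"][0]
        if req["method"] == "add":
            return {"id": 1, "jsonrpc": "2.0", "result": {"tid": 193200136}}
        pct = self.progress.pop(0) if len(self.progress) > 1 else self.progress[0]
        visible = self.records if pct == 100 else self.records[: len(self.records) * pct // 100]
        page = visible[p["offset"]: p["offset"] + p["limit"]]
        return {"id": 1, "jsonrpc": "2.0", "result": {
            "tid": 193200136, "percentage": pct, "return-lines": len(page),
            "status": {"code": 0, "message": "OK"}, "data": page}}


def demo() -> List[int]:
    """Run the lifecycle over 120 constructed traffic records; return their idseq values."""
    records = [{"idseq": i, "type": "traffic", "srcip": f"10.0.0.{i % 256}",
                "action": "deny" if i % 7 == 0 else "accept"} for i in range(120)]
    faz = FakeFortiAnalyzer(records)
    tid = start_log_search(faz, "root", "FG10CH3G11601364", "root", "traffic",
                           "subtype='forward' and action='deny'",
                           "2024-01-01 00:00:00", "2024-01-01 23:59:59")
    return [r["idseq"] for r in iter_log_search_results(faz, "root", tid, limit=50)]


if __name__ == "__main__":
    seqs = demo()
    print(f"retrieved {len(seqs)} records, first {seqs[0]}, last {seqs[-1]}")
```

In a playbook the same shape applies: loop on Get Log Search Result until percentage is 100, and advance Offset by the number of records the previous call actually returned rather than by a fixed Limit, otherwise records that arrive while the task is still running are skipped or duplicated.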
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve alert events from Fortinet FortiAnalyzer. |
| Start Time | Specify the start date and time from when to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | Specify the end date and time till when to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Alert IDs | Specify a list of alert IDs, i.e., the FAZ event IDs, based on which to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Filter | Specify the filter query to search for events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"ack_flag": "",
"addi_info": "",
"alert_id": "",
"count": "",
"ctime": "",
"dev_name": "",
"devid": "",
"ackflag": "",
"alertid": "",
"devname": "",
"devtype": "",
"logtype": "",
"subject": "",
"filterid": "",
"groupby1": "",
"groupby2": "",
"logcount": "",
"readflag": "",
"epid": "",
"csf": "",
"tag": "",
"epip": "",
"vdom": "",
"epname": "",
"euid": "",
"euname": "",
"event_info": "",
"event_name": "",
"event_status": "",
"event_type": "",
"last_occurrence": "",
"last_update": "",
"read_flag": "",
"severity": "",
"alerttime": "",
"eventtype": "",
"extrainfo": "",
"filterkey": "",
"multiflag": "",
"updatetime": "",
"eventstatus": "",
"filtercksum": "",
"lastlogtime": "",
"triggername": "",
"firstlogtime": "",
"handler_type": "",
"alert_part_info": {
"ruleid": "",
"devtype": "",
"logtype": "",
"subtype": "",
"hdlrhash": "",
"rulename": "",
"selector": "",
"handlerid": "",
"handlername": ""
},
"automation_stitch": "",
"trigger_name": "",
"vd_name": ""
}
]
}
}
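The Filter parameter of the log search and event operations above is a query string that FortiAnalyzer evaluates (for example, `eventtype='traffic' and severity='medium'`), and Alert IDs is a comma-separated list of numeric event IDs. When a playbook assembles these from alert fields, a value containing a single quote can close the quoted literal and append its own conditions. The following added example (not the connector's own code) builds the Filter, Alert IDs, Limit and Offset inputs of Get Events defensively: field names come from an allow-list drawn from the event schema on this page, values that could break out of the quotes are rejected rather than escaped, and Limit/Offset are checked against the documented bounds. The request URL `/eventmgmt/adom/{adom}/alerts` and the `alertid` parameter name are assumptions.

```python
"""Added example: safe construction of the Filter / Alert IDs inputs and a
Get Events JSON-RPC request. URL and `alertid` parameter name are assumed."""
import re
from typing import Dict, Iterable, List

FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")
# Field names taken from the event schema documented on this page; extend as needed.
EVENT_FILTER_FIELDS = frozenset({
    "eventtype", "severity", "devid", "devname", "epip", "epname",
    "euname", "eventstatus", "triggername", "ackflag", "readflag",
})


def build_filter(conditions: Dict[str, str],
                 allowed: Iterable[str] = EVENT_FILTER_FIELDS) -> str:
    """Return "f1='v1' and f2='v2'" for the given conditions.

    Field names must be on the allow-list, and values may not contain the
    quote character or line breaks. The quoting rules belong to FAZ, not to
    us, so unsafe values are rejected outright instead of being escaped.
    """
    allowed = set(allowed)
    parts = []
    for field, value in conditions.items():
        if field not in allowed or not FIELD_RE.match(field):
            raise ValueError(f"filter field not allowed: {field!r}")
        if not isinstance(value, str) or not value or any(c in value for c in "'\r\n"):
            raise ValueError(f"unsafe filter value for {field}: {value!r}")
        parts.append(f"{field}='{value}'")
    return " and ".join(parts)


def parse_alert_ids(raw: str) -> List[str]:
    """Accept the documented forms "id1,id2" or "id1"; FAZ event IDs are numeric."""
    ids = [s.strip() for s in raw.split(",") if s.strip()]
    bad = [i for i in ids if not i.isdigit()]
    if bad:
        raise ValueError(f"non-numeric alert IDs: {bad}")
    return ids


def build_get_events_request(adom: str, start: str, end: str,
                             conditions: Dict[str, str], alert_ids: str = "",
                             limit: int = 1000, offset: int = 0) -> dict:
    """Assemble the Get Events call with the documented Limit (1..2000) and Offset (>= 0) bounds."""
    if not 1 <= limit <= 2000 or offset < 0:
        raise ValueError("limit must be 1..2000 and offset must be >= 0")
    params = {
        "url": f"/eventmgmt/adom/{adom}/alerts",     # assumed URL
        "apiver": 3,
        "time-range": {"start": start, "end": end},   # give explicit timestamps
        "limit": limit,
        "offset": offset,
    }
    if conditions:
        params["filter"] = build_filter(conditions)
    if alert_ids:
        params["alertid"] = parse_alert_ids(alert_ids)   # assumed parameter name
    return {"id": 1, "jsonrpc": "2.0", "method": "get", "params": [params]}


if __name__ == "__main__":
    print(build_filter({"eventtype": "traffic", "severity": "medium"}))
    try:
        # A value copied from an alert that tries to widen the query is refused.
        build_filter({"severity": "medium' or severity='high"})
    except ValueError as exc:
        print("rejected:", exc)
```

The same checks apply to the Filter parameters of Search Log File Content and Start Log Search; only the allow-list of field names changes (for example `subtype`, `srcname`, `action` from the traffic log schema).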
| Parameter | Description |
|---|---|
| Alert ID | Specify a list of alert IDs, i.e., FortiAnalyzer event IDs, based on which to retrieve event logs from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve event logs from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
| Time Order | Specify the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options: |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"alert_log_seqnum": "",
"cat": "",
"catdesc": "",
"crlevel": "",
"crscore": "",
"devid": "",
"devname": "",
"direction": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"epid": "",
"euid": "",
"eventtype": "",
"fctuid": "",
"hostname": "",
"id": "",
"itime": "",
"level": "",
"logid": "",
"logver": "",
"method": "",
"msg": "",
"policyid": "",
"profile": "",
"proto": "",
"rcvdbyte": "",
"reqtype": "",
"sentbyte": "",
"service": "",
"sessionid": "",
"srcintf": "",
"srcip": "",
"srcport": "",
"subtype": "",
"type": "",
"unauthuser": "",
"url": "",
"vd": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose associated affected assets to retrieve from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve assets affected by the incident from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"mac": "",
"epip": "",
"osname": "",
"alerttime": "",
"osversion": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to which to add the attachment in Fortinet FortiAnalyzer. |
| Data | Specify the attachment data, in JSON format, of the incident attachment to add in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server in which to add the incident attachment. |
| Attachment Type | Specify the attachment type of the incident attachment to add in Fortinet FortiAnalyzer. The following values are supported: |
| Attachment Source | (Optional) Specify the attachment source of the incident attachment to add in Fortinet FortiAnalyzer. You can specify one of the following options: |
| Attachment Source ID | (Optional) Specify the ID of the attachment source of the incident attachment to add in Fortinet FortiAnalyzer. |
| Attachment Source Trigger | (Optional) Specify the attachment trigger information of the incident attachment to add in Fortinet FortiAnalyzer. |
| Last User | (Optional) Specify the name of the user who last updated the incident attachment to add in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"attachids": []
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to retrieve its associated attachments from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve attachments associated with the incident from Fortinet FortiAnalyzer. |
| Attachment Type | Specify the attachment type based on which to fetch the attachments of the specified incident. The following values are supported: |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"attachid": "",
"tags": "",
"attachsrc": "",
"user_tags": "",
"attachsrcid": "",
"attachsrctrigger": "",
"attachtype": "",
"createtime": "",
"data": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Attachment ID | Specify the ID of the attachment to update in Fortinet FortiAnalyzer. |
| Data | Specify the attachment data, in JSON format, of the incident attachment to update in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server in which to update the incident attachment. |
| Attachment Source | (Optional) Specify the attachment source of the incident attachment to update in Fortinet FortiAnalyzer. You can specify one of the following options: |
| Attachment Source ID | (Optional) Specify the ID of the attachment source of the incident attachment to update in Fortinet FortiAnalyzer. |
| Attachment Source Trigger | (Optional) Specify the attachment trigger information of the incident attachment to update in Fortinet FortiAnalyzer. |
| Last User | (Optional) Specify the name of the user who last updated the incident attachment to update in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
None. This operation does not take any input parameters.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"oid": "",
"name": "",
"desc": "",
"state": "",
"mode": "",
"os_ver": "",
"mr": "",
"flags": "",
"mig_os_ver": "",
"mig_mr": "",
"obj_customize": "",
"tab_status": "",
"logview_customize": "",
"restricted_prds": "",
"log_db_retention_hours": "",
"log_file_retention_hours": "",
"log_disk_quota": "",
"log_disk_quota_split_ratio": "",
"log_disk_quota_alert_thres": "",
"uuid": "",
"create_time": "",
"workspace_mode": "",
"tz": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, Enterprise_DEV |
| IP Address | Specify the IP address of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Specify the serial number of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM010000166969 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a primary device to the Fortinet FortiAnalyzer device manager database. |
| OS Version | (Optional) Specify the OS version of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"version": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Secondary Device Name | Specify the name of the secondary device to add to the Fortinet FortiAnalyzer device manager database. For example, Branch_Dev_01 |
| Secondary Device Serial Number | Specify the serial number of the secondary device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM02TM20007936 |
| Primary Device Name | Specify the name of the primary device under which to add the secondary device in the Fortinet FortiAnalyzer device manager database. For example, Enterprise_DEV |
| Primary Device Serial Number | Specify the serial number of the primary device under which to add the secondary device in the Fortinet FortiAnalyzer device manager database. For example, XXVM010000166969 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a secondary device to the Fortinet FortiAnalyzer device manager database. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to add to the Fortinet FortiAnalyzer device manager database. For example, Enterprise_Dev |
| IP Address | Specify the IP address of the device to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Specify the serial number of the device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM010000212677 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a device to the Fortinet FortiAnalyzer device manager database. |
| OS Version | (Optional) Specify the OS version of the device to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve devices from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema. Note: each device record includes credential-bearing fields (adm_pass, private_key, psk, tunnel_cookie). Treat the output of this operation as sensitive in playbooks, and avoid copying the raw result into alert comments, notes, or logs.
{
"id": "",
"result": [
{
"data": [
{
"adm_pass": [
"",
""
],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"first_tunnel_up": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"mgmt_uuid": "",
"auto_mgmt": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"onboard_rule": "",
"eip": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": "",
"vdom_type": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_lic_overdue_since": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log status from Fortinet FortiAnalyzer. |
| Device ID | (Optional) Specify the device ID based on which to fetch the log status and the log rate per device from Fortinet FortiAnalyzer. For example, XXVM02TM20007478 |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"vdoms": [
{
"vdom": "",
"last-log-time": "",
"last-log-timestamp": "",
"lograte": ""
}
],
"devs": [
{
"devid": "",
"is-ha": "",
"vdoms": [
{
"vdom": "",
"lograte": "",
"log-db-size": "",
"logstat-info": "",
"adom-quota-MB": "",
"last-log-time": "",
"log-disk-size": "",
"last-log-timestamp": ""
}
],
"status": "",
"devname": "",
"logging-mode": "",
"logstat-info": "",
"encrypted-logging": "",
"encrypted-forwarding": ""
}
],
"log-interval-dev-no-logging-upload": "",
"log-interval-dev-no-logging-realtime": "",
"devid": ""
}
]
}
}
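The Get Log Status output above reports, per device and per VDOM, when the last log arrived (last-log-time, last-log-timestamp), the current log rate, and whether the device logs to FortiAnalyzer over an encrypted channel (encrypted-logging). A device or VDOM that has gone quiet is a detection blind spot, and a device logging in clear text exposes its log stream on the wire, so this output doubles as a log-source health check. The following added example (not the connector's own code) evaluates the response and returns findings for VDOMs that have never logged or have been silent longer than a threshold, and for devices whose logging is not encrypted. It assumes that last-log-timestamp is Unix epoch seconds and that encrypted-logging carries the values "enable"/"disable"; the sample response is constructed, not captured from a real FortiAnalyzer.

```python
"""Added example: log-source health check over a Get Log Status response.
Value formats (epoch seconds, "enable"/"disable") are assumptions; the sample
response below is constructed for the example."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def log_source_findings(result: dict, now: datetime,
                        max_silence: timedelta = timedelta(minutes=30)) -> List[Dict[str, str]]:
    """Return one finding per problem: unencrypted logging, never-logged or silent VDOMs."""
    findings: List[Dict[str, str]] = []
    for entry in result.get("data", []):
        for dev in entry.get("devs", []):
            devid = dev.get("devid", "?")
            # Device-level check: logs should travel to FAZ encrypted.
            if str(dev.get("encrypted-logging", "")).lower() != "enable":
                findings.append({"devid": devid, "vdom": "*", "issue": "unencrypted-logging"})
            # VDOM-level check: when did the last log arrive?
            for vd in dev.get("vdoms", []):
                name = vd.get("vdom", "?")
                ts = vd.get("last-log-timestamp")
                if ts in (None, "", 0, "0"):
                    findings.append({"devid": devid, "vdom": name, "issue": "never-logged"})
                    continue
                last = datetime.fromtimestamp(int(ts), tz=timezone.utc)
                silence = now - last
                if silence > max_silence:
                    mins = int(silence.total_seconds() // 60)
                    findings.append({"devid": devid, "vdom": name, "issue": "silent",
                                     "detail": f"{mins} min since last log"})
    return findings


# Constructed sample response with the field names from the schema above.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"jsonrpc": "2.0", "id": 1, "result": {"data": [{
    "devid": "",
    "log-interval-dev-no-logging-upload": 0,
    "log-interval-dev-no-logging-realtime": 0,
    "devs": [
        {"devid": "FG10CH3G11601364", "devname": "Enterprise_Dev", "is-ha": 0,
         "status": "up", "logging-mode": "realtime", "encrypted-logging": "enable",
         "vdoms": [
             {"vdom": "root", "lograte": 120,
              "last-log-timestamp": int((NOW - timedelta(minutes=2)).timestamp())},
             {"vdom": "guest", "lograte": 0,          # went quiet three hours ago
              "last-log-timestamp": int((NOW - timedelta(hours=3)).timestamp())}]},
        {"devid": "XXVM02TM20007478", "devname": "Branch_Dev_01", "is-ha": 0,
         "status": "up", "logging-mode": "realtime", "encrypted-logging": "disable",
         "vdoms": [{"vdom": "root", "lograte": 0, "last-log-timestamp": 0}]},
    ]}]}}


def demo() -> List[Dict[str, str]]:
    """Evaluate the constructed sample with the default 30-minute silence threshold."""
    return log_source_findings(SAMPLE["result"], NOW)


if __name__ == "__main__":
    for f in demo():
        print(f["devid"], f["vdom"], f["issue"], f.get("detail", ""))
```

Run on a schedule from a playbook, the findings can feed a FortiSOAR alert per device so that a silent log source is noticed before an investigation discovers the gap.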
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device whose information to retrieve from Fortinet FortiAnalyzer. For example, Enterprise_Dev |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve device information from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema. Note: the device record includes credential-bearing fields (adm_pass, private_key, psk, tunnel_cookie). Treat the output of this operation as sensitive in playbooks, and avoid copying the raw result into alert comments, notes, or logs.
{
"id": "",
"result": [
{
"data": {
"adm_pass": [],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"onboard_rule": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"mgt_vdom": "",
"auto_mgmt": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"first_tunnel_up": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"vm_lic_overdue_since": "",
"psk": "",
"role": "",
"sn": "",
"eip": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"vdom_type": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to authorize in Fortinet FortiAnalyzer. For example, Enterprise_Dev |
| Serial Number | Specify the serial number of the device to authorize in Fortinet FortiAnalyzer. For example, XXVM010000212677 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to authorize the device in Fortinet FortiAnalyzer. |
| OS Version | Specify the OS version of the device to authorize in Fortinet FortiAnalyzer. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"faz.perm": "",
"flags": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to delete from Fortinet FortiAnalyzer. For example, Enterprise_Dev |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to delete a device from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
NOTE: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Start Time | Specify the start date and time from when to retrieve the alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | Specify the end date and time till when to retrieve the alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Alert IDs | Specify the list of alert IDs, i.e., the FAZ event IDs, based on which to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Filter | Specify the filter query to search for alert events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the number of records to skip before this operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the first 10 records are skipped and the returned list starts at the 11th record. By default, this is set to 0, and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"alerttime": "",
"logcount": "",
"alertid": "",
"adom": "",
"epid": "",
"epname": "",
"subject": "",
"euid": "",
"euname": "",
"devname": "",
"logtype": "",
"devtype": "",
"devid": "",
"vdom": "",
"groupby1": "",
"triggername": "",
"tag": "",
"eventtype": "",
"severity": "",
"extrainfo": "",
"ackflag": "",
"readflag": "",
"filterkey": "",
"firstlogtime": "",
"multiflag": "",
"lastlogtime": "",
"updatetime": "",
"filtercksum": "",
"filterid": "",
"csf": "",
"epip": "",
"groupby2": "",
"eventstatus": "",
"handler_type": "",
"alert_part_info": {
"ruleid": "",
"devtype": "",
"logtype": "",
"subtype": "",
"hdlrhash": "",
"rulename": "",
"selector": "",
"handlerid": "",
"handlername": ""
},
"automation_stitch": ""
}
]
}
}
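The Filter, Limit and Offset parameters above (and the same trio on Get Incident, Get Incident for Multiple ADOMs, Get Events For Incident and the other list operations) are easy to misuse from a playbook: a filter string concatenated from an alert field can be rewritten by whatever that field contains, and offset paging is off by one if you treat the offset as a record number. The following is an added example, not code from the connector or from Fortinet: it builds the filter from an allow-list, clamps Limit to the documented 1 to 2000 range, and walks a result set page by page. The /eventmgmt/adom/<adom>/alerts URL, the session field in the request and the result.status.code == 0 success convention are assumptions about the FortiAnalyzer JSON-RPC API; the server responses are constructed so the example runs offline.

```python
import re
from itertools import count

MAX_LIMIT = 2000   # documented ceiling for the Limit parameter

# Keys a playbook may filter on; anything else is rejected rather than passed through.
ALLOWED_FILTER_KEYS = {"eventtype", "severity", "devid", "alertid", "epip", "euname", "adom"}
# Values are restricted to a conservative character set so a value lifted from an
# untrusted alert field (a quote, an operator, parentheses) cannot rewrite the query.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:@ /-]{1,128}$")


def build_filter(conditions):
    """{"eventtype": "traffic", "severity": "medium"} -> "eventtype='traffic' and severity='medium'"."""
    parts = []
    for key, value in conditions.items():
        if key not in ALLOWED_FILTER_KEYS:
            raise ValueError(f"filter key not allowed: {key!r}")
        value = str(value)
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe filter value for {key!r}: {value!r}")
        parts.append(f"{key}='{value}'")
    return " and ".join(parts)


_request_ids = count(1)


def alerts_request(session, adom, filter_str, limit, offset):
    """One JSON-RPC 'get' for a page of alert events. The URL path and the
    'session' field are assumptions about the FortiAnalyzer API."""
    return {
        "id": next(_request_ids),
        "jsonrpc": "2.0",
        "method": "get",
        "session": session,
        "params": [{
            "url": f"/eventmgmt/adom/{adom}/alerts",
            "filter": filter_str,
            "limit": min(max(1, int(limit)), MAX_LIMIT),   # clamp to the documented 1..2000 range
            "offset": max(0, int(offset)),
        }],
    }


def fetch_all_alerts(send, session, adom, filter_str, page_size=1000):
    """Walk the result set: an offset of N skips the first N records, so the
    next page starts at offset + len(page). A short page ends the walk."""
    page_size = min(page_size, MAX_LIMIT)
    offset, collected = 0, []
    while True:
        resp = send(alerts_request(session, adom, filter_str, page_size, offset))
        status = resp["result"].get("status", {"code": 0})   # assumed: code 0 means success
        if status["code"] != 0:
            raise RuntimeError(f"FortiAnalyzer error {status['code']}: {status.get('message', '')}")
        page = resp["result"]["data"]
        collected.extend(page)
        if len(page) < page_size:
            return collected
        offset += len(page)


# Constructed stand-in for the server so the example runs offline.
FAKE_ALERTS = [
    {"alertid": f"2020082010000033{61 + i:02d}", "eventtype": "traffic",
     "severity": "medium", "adom": "root", "devname": "FGT-HQ-01"}
    for i in range(7)
]


def fake_send(request):
    p = request["params"][0]
    page = FAKE_ALERTS[p["offset"]:p["offset"] + p["limit"]]
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": {"status": {"code": 0, "message": "OK"}, "data": page}}


if __name__ == "__main__":
    flt = build_filter({"eventtype": "traffic", "severity": "medium"})
    alerts = fetch_all_alerts(fake_send, "session-token", "root", flt, page_size=3)
    print(flt, len(alerts))
```

The allow-list is deliberately stricter than whatever quoting the server accepts: if a playbook needs a value the regex rejects, widen the allow-list for that key rather than switching to string concatenation.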
| Parameter | Description |
|---|---|
| Group By | Specify the group-by field to count the events retrieved from Fortinet FortiAnalyzer. For example, dev_name |
| Start Time | Specify the start date and time from when to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | Specify the end date and time till when to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Filter | Specify the filter query to search for the alert events and retrieve their counts from Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"severity": "",
"count": ""
}
]
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | Specify the list of incident IDs based on which to fetch incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Specify the status of the incident to filter incidents to be fetched from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Filter | Specify the filter query to filter incidents to be fetched from Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Detail Level | Specify the level of detail to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the number of records to skip before the operation starts returning records. Use it together with Limit to page through a large result set without re-fetching records you have already processed; for example, an offset of 10 skips the first 10 records and the returned list starts at the 11th. By default, this is set to 0, which is also the minimum supported value. |
| Sort | Select this checkbox to sort the incidents by a field and order the results. Once selected, specify the field to sort by and the sort order. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"incid": "",
"epid": "",
"endpoint": "",
"euid": "",
"category": "",
"severity": "",
"status": "",
"description": "",
"reporter": "",
"createtime": "",
"lastupdate": "",
"lastuser": "",
"revision": "",
"attach_lastupdate": "",
"attach_revision": "",
"refinfo": "",
"report_src": "",
"report_srcid": "",
"report_detail": "",
"assigned_to": "",
"remedy_action": "",
"remedy_executor": "",
"remedy_approver": "",
"remedy_time": "",
"adom": "",
"epcount": "",
"eucount": "",
"incident_reporter": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | Specify the list of incident IDs to count the incidents retrieved from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Filter | Specify the filter query to search for the incidents and retrieve their counts from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"count": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}
The Sample - Fortinet FortiAnalyzer - 3.2.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiAnalyzer connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events and their related logs from Fortinet FortiAnalyzer. Currently, events and their related logs ingested from Fortinet FortiAnalyzer are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Fortinet FortiAnalyzer events and their related logs to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Fortinet FortiAnalyzer into FortiSOAR™. It also lets you pull some sample data from Fortinet FortiAnalyzer using which you can define the mapping of data between Fortinet FortiAnalyzer and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Fortinet FortiAnalyzer events and their related logs.
To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiAnalyzer connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

Sample data is required to create a field mapping between Fortinet FortiAnalyzer data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch events and their related logs from Fortinet FortiAnalyzer.
You pull events and their related logs from Fortinet FortiAnalyzer by specifying a query that uses supported keys such as alertid, devid, and severity.
You can also specify additional parameters such as Maximum Records To Be Fetched, Maximum Logs To Be Fetched For Each Event, and Pull Sample Events in the Last X Minutes based on which to pull events from Fortinet FortiAnalyzer.
The Configure Multi-Tenant Mapping checkbox is added to help map the ADOM specified in FortiAnalyzer with a tenant in FortiSOAR™.
The fetched data is used to create a mapping between the events and their related logs from Fortinet FortiAnalyzer and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.

On the Field Mapping screen, map the fields of the ingested event in Fortinet FortiAnalyzer to the fields of an Alerts present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the eventtype parameter of an ingested Fortinet FortiAnalyzer event to the type parameter of a FortiSOAR™ Alert, click the Type field and then click the eventtype field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify how often FortiSOAR™ polls Fortinet FortiAnalyzer so that content is pulled from the Fortinet FortiAnalyzer integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, to pull data from Fortinet FortiAnalyzer every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the events and their related logs will be pulled from Fortinet FortiAnalyzer every 5 minutes:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
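What the wizard produces behind the screens above is a field mapping (FortiSOAR alert field to a Jinja expression over the event), a tenant lookup when multi-tenant mapping is enabled, and a schedule that re-runs the pull. The following is an added example, not the connector's ingestion playbook: it applies such a mapping to a batch of events whose keys follow the Get Event output schema, resolves {{ vars.item.<field> }} references with a minimal resolver instead of the Jinja engine, maps the event's adom to a tenant, and de-duplicates on alertid so a schedule that overlaps the previous window does not create a second alert for an event already ingested. The tenant names, the severity picklist and the mapping itself are made up for the example.

```python
import re

SEVERITY_MAP = {"low": "Low", "medium": "Medium", "high": "High", "critical": "Critical"}  # assumed alert picklist

# FortiSOAR alert field -> Jinja-style template, in the form the wizard would store it (constructed)
ALERT_MAPPING = {
    "name": "{{ vars.item.subject }}",
    "type": "{{ vars.item.eventtype }}",
    "severity": "{{ vars.item.severity }}",
    "sourceId": "{{ vars.item.alertid }}",
    "sourceIp": "{{ vars.item.epip }}",
    "description": "{{ vars.item.triggername }} on {{ vars.item.devname }} ({{ vars.item.logcount }} logs)",
}

# Configure Multi-Tenant Mapping: ADOM name -> FortiSOAR tenant (constructed names)
ADOM_TENANT_MAP = {"root": "Tenant-HQ", "branch-emea": "Tenant-EMEA"}

_TEMPLATE = re.compile(r"\{\{\s*vars\.item\.(\w+)\s*\}\}")


def render(template, item):
    """Resolve {{ vars.item.field }} references; a field missing from the event renders empty."""
    return _TEMPLATE.sub(lambda m: str(item.get(m.group(1), "")), template)


def event_to_alert(event):
    """Apply the mapping, normalise severity to the picklist, and attach the tenant."""
    alert = {field: render(tpl, event) for field, tpl in ALERT_MAPPING.items()}
    alert["severity"] = SEVERITY_MAP.get(alert["severity"].lower(), "Medium")
    alert["tenant"] = ADOM_TENANT_MAP.get(event.get("adom"), "Tenant-Default")
    return alert


def ingest(events, existing_source_ids):
    """Return alerts for events not yet in FortiSOAR; existing_source_ids holds
    the alertids already ingested by earlier schedule runs."""
    created, seen = [], set(existing_source_ids)
    for ev in events:
        key = str(ev.get("alertid", ""))
        if not key or key in seen:
            continue
        seen.add(key)
        created.append(event_to_alert(ev))
    return created


SAMPLE_EVENTS = [  # constructed; keys follow the Get Event output schema
    {"alertid": "202008201000003361", "adom": "root", "subject": "Malware detected",
     "eventtype": "antivirus", "severity": "high", "epip": "10.0.0.5",
     "triggername": "AV Block", "devname": "FGT-HQ-01", "logcount": 3},
    {"alertid": "202008201000003362", "adom": "branch-emea", "subject": "Port scan",
     "eventtype": "ips", "severity": "medium", "epip": "10.0.1.7",
     "triggername": "IPS Anomaly", "devname": "FGT-EMEA-02", "logcount": 12},
    # the same event again, as a second run of a 5-minute schedule would return it
    {"alertid": "202008201000003361", "adom": "root", "subject": "Malware detected",
     "eventtype": "antivirus", "severity": "high", "epip": "10.0.0.5",
     "triggername": "AV Block", "devname": "FGT-HQ-01", "logcount": 3},
]

if __name__ == "__main__":
    for alert in ingest(SAMPLE_EVENTS, existing_source_ids=set()):
        print(alert["tenant"], alert["sourceId"], alert["severity"], alert["description"])
```

Keying the de-duplication on alertid rather than on subject or time matters because FortiAnalyzer updates an event's logcount and lastlogtime as more logs match it; the id is the one field that stays stable across pulls.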
In FortiSOAR™, on the Connectors page, click the Fortinet FortiAnalyzer connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Username | The username used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| Password | The password used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. |
| ADOM Name | The administrative domain (ADOM) name of the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. NOTE: Separate multiple ADOM names with a comma. Do not use spaces to separate the ADOM names. |
| Port | Port number used to access the Fortinet FortiAnalyzer server to which you will connect and perform the automated operations. By default, this is set to 10405. |
| Verify SSL | Specifies whether the SSL certificate presented by the Fortinet FortiAnalyzer server is verified. Keep this enabled in production: with verification disabled, the connector sends its username and password to whatever host answers on the configured URL and port, including an on-path attacker. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Incident | Creates a new incident record in Fortinet FortiAnalyzer based on the incident reporter, affected endpoint, ADOM name, and other input parameters you have specified. | create_incident Investigation |
| Get Incident | Retrieves all incidents or a specific incident from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | list_incidents Investigation |
| Update Incident | Updates incident fields like severity, category, status, etc. corresponding to a specific incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name and other input parameters you have specified. | update_incident_details Investigation |
| Get Events For Incident | Retrieves all events associated with a specified incident in Fortinet FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | get_events_for_incident Investigation |
| Get Executed Report List | Retrieves a list of all executed reports that have been generated or are in the pending state from Fortinet FortiAnalyzer based on the ADOM name, time frame, and other input parameters you have specified. | get_reports Investigation |
| Get Report Schedule List | Retrieves a list of all report schedules from Fortinet FortiAnalyzer based on the ADOM name you have specified. | get_schedules Investigation |
| Run Report | Runs a report on the Fortinet FortiAnalyzer based on the report ID, schedule ID, and ADOM name you have specified. | run_report Investigation |
| Get Report File | Retrieves a specific generated report file from Fortinet FortiAnalyzer based on the task ID returned by Run Report and the ADOM name you have specified, and adds that report file to FortiSOAR as an Attachment. | get_generated_report Investigation |
| Get User Information | Retrieves information for all users or specific users from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_users Investigation |
| Get Endpoint Information | Retrieves information for all endpoints or specific endpoints from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_endpoints Investigation |
| List Log Fields | Retrieves all log fields from Fortinet FortiAnalyzer based on the device and log type, ADOM name, and other input parameters you have specified. | list_log_fields Investigation |
| Get Log-File Content | Retrieves the content of a specified log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | get_log_file_content Investigation |
| Log Search over Log-File | Runs a log search task for a single log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | log_search_over_log_file Investigation |
| Get Log-File State | Retrieves the state of a log file from Fortinet FortiAnalyzer based on the device ID, filename, ADOM name, and other input parameters you have specified. | get_log_file_state Investigation |
| Start Log Search Request | Starts a new task to search for logs in Fortinet FortiAnalyzer based on the device ID, device name, ADOM name, and other input parameters you have specified. | start_log_search_request Investigation |
| Start Bulk Device Log Search Request | Starts a new task to search for logs across multiple devices in Fortinet FortiAnalyzer based on the device type and other input parameters you have specified. | start_bulk_device_log_search_request Investigation |
| Fetch Log Search Result by Task ID | Retrieves the results of a previously started log search task from Fortinet FortiAnalyzer based on the task ID, ADOM name, and other input parameters you have specified. | fetch_log_search_result_by_task_id Investigation |
| Get Event | Retrieves all the events or a specific event from Fortinet FortiAnalyzer based on the ADOM name and other input parameters you have specified. | get_alerts Investigation |
| Get Event Logs | Retrieves the logs associated with a specific event from Fortinet FortiAnalyzer based on the FAZ event ID, ADOM name, and other input parameters you have specified. | get_alert_event_logs Investigation |
| Add Incident Attachment | Adds new attachment to incident in FortiAnalyzer based on the incident ID and other input parameters you have specified. | add_attachment Investigation |
| Get Incident Assets | Retrieves a list of assets affected by the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and other parameters you have specified. | get_incident_assets Investigation |
| Get Incident Attachments | Retrieves all attachments (i.e., comments, events, reports, indicators, etc.) associated with the specified incident from FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | get_attachments_for_incident Investigation |
| Update Incident Attachment | Updates incident attachment fields associated with a specific incident in FortiAnalyzer based on the incident ID, ADOM name, and other input parameters you have specified. | update_attachment Investigation |
| Get ADOMs | Retrieves all ADOMs from Fortinet FortiAnalyzer based on the ADOM name you have specified. | get_adoms Investigation |
| Add a Primary Device | Adds a primary device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, and other input parameters you have specified. | add_primary_device Investigation |
| Add a Secondary Device | Adds a secondary device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, primary device name, and primary device serial number you have specified. | add_secondary_device Investigation |
| Add a New Device | Adds a new device to the Fortinet FortiAnalyzer device manager database based on the device name, IP address, serial number, ADOM name, and other input parameters you have specified. | add_new_device Investigation |
| Get Devices | Retrieves all devices from the Fortinet FortiAnalyzer device manager database based on the ADOM name you have specified. | get_devices Investigation |
| Get Log Status | Retrieves the last log time and log rate per device[vdom] from Fortinet FortiAnalyzer. This operation retrieves the log status for all devices or the log status for particular devices based on the device ID and ADOM name you have specified. | get_log_status Investigation |
| Get Device Information | Retrieves device information from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified. | get_device_info Investigation |
| Authorize Device | Authorizes the device in Fortinet FortiAnalyzer based on the device name, serial number, ADOM name, and other input parameters you have specified. | authorize_device Investigation |
| Delete a Device | Deletes a specific device from Fortinet FortiAnalyzer based on the device name and ADOM name you have specified. | delete_device Investigation |
| Get Event for Multiple ADOMs | Retrieves all events or specific event for multiple ADOMs from FortiAnalyzer based on the input parameters you have specified. | get_alerts_for_multiple_adoms Investigation |
| Count Events for Multiple ADOMs | Retrieves the count of events from multiple ADOMs in FortiAnalyzer based on the group by and other input parameters you have specified. | count_alerts_for_multiple_adoms Investigation |
| Get Incident for Multiple ADOMs | Retrieves all incidents or a specific incident for multiple ADOMs from Fortinet FortiAnalyzer based on the input parameters you have specified. | list_incidents_for_multiple_adoms Investigation |
| Count Incidents for Multiple ADOMs | Retrieves the count of incidents from multiple ADOMs in FortiAnalyzer based on the input parameters you have specified. | count_incidents_for_multiple_adoms Investigation |
| Parameter | Description |
|---|---|
| Incident Reporter | Specify the name of the incident reporter for the incident being created in Fortinet FortiAnalyzer. |
| Affected Endpoint | Specify the details of the endpoints affected by the incident being created in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to create the incident in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Specify the name of person to assign the incident being created in Fortinet FortiAnalyzer. |
| Category | (Optional) Specify the category in which to create the incident in Fortinet FortiAnalyzer. You can specify one of the categories supported by Fortinet FortiAnalyzer. |
| Severity | (Optional) Select the severity level to assign to the incident being created in Fortinet FortiAnalyzer. |
| Status | (Optional) Select the status to assign to the incident being created in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| End User ID | (Optional) Specify the ID of the end user to assign to the incident being created in Fortinet FortiAnalyzer. |
| Description | (Optional) Specify the description of the incident being created in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Specify additional fields, in JSON format, to add to the incident being created in Fortinet FortiAnalyzer. For example, {"epid": 123} |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"incid": "",
"revision": "",
"attach_revision": ""
}
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the incident from Fortinet FortiAnalyzer. |
| Incident IDs | Specify the list of incident IDs to retrieve the incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Select the status of the incident to filter retrieved incidents from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Filter | Specify the filter query to filter incidents being retrieved from Fortinet FortiAnalyzer. For example, status='analysis' and severity='low' |
| Detail Level | Specify the level of detail to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard (default), or Extended. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the number of records to skip before the operation starts returning records. This parameter is useful to get a subset of records; for example, an offset of 10 skips the first 10 incidents and the returned list starts at the 11th. By default, this is set to 0, which is also the minimum supported value. |
| Sort | Select this checkbox to sort the incidents by a field and order the results. Once selected, specify the field to sort by and the sort order. |
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
},
"detail-level": "",
"data": [
{
"attach_lastupdate": "",
"attach_revision": "",
"category": "",
"createtime": "",
"description": "",
"endpoint": "",
"epid": "",
"euid": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"refinfo": "",
"reporter": "",
"revision": "",
"severity": "",
"status": "",
"epcount": "",
"eucount": "",
"report_src": "",
"assigned_to": "",
"remedy_time": "",
"report_srcid": "",
"remedy_action": "",
"report_detail": "",
"remedy_approver": "",
"remedy_executor": "",
"incident_reporter": ""
}
]
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to update in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to update the incident in Fortinet FortiAnalyzer. |
| Assigned To | (Optional) Specify the name of person to assign the incident being updated in Fortinet FortiAnalyzer. |
| Category | (Optional) Specify the category to set on the incident being updated in Fortinet FortiAnalyzer. You can specify one of the categories supported by Fortinet FortiAnalyzer. |
| Status | (Optional) Select the status to assign to the incident being updated in Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Affected Endpoint | Specify the details of the endpoints affected by the incident being updated in Fortinet FortiAnalyzer. For example, 10.XXX.YY.Z/32 (10.XXX.YY.Z) or 10.XXX.YY.Z/32 (Charlie Laptop). |
| Severity | (Optional) Select the severity level to assign to the incident being updated in Fortinet FortiAnalyzer. |
| End User ID | (Optional) Specify the ID of the end user to assign to the incident being updated in Fortinet FortiAnalyzer. |
| Description | (Optional) Specify the description of the incident being updated in Fortinet FortiAnalyzer. |
| Other Fields | (Optional) Specify additional fields, in JSON format, to add to the incident being updated in Fortinet FortiAnalyzer. For example, {"epid": 123} |
The output contains the following populated JSON schema:
{
"result": {
"incid": "",
"revision": "",
"attach_revision": "",
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose associated events to retrieve from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve events associated with the incident from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the number of records to skip before the operation starts returning records. This parameter is useful to get a subset of records; for example, an offset of 10 skips the first 10 events and the returned list starts at the 11th. By default, this is set to 0, which is also the minimum supported value. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"attachid": "",
"incid": "",
"attachtype": "",
"data": "",
"tags": "",
"attachsrc": "",
"user_tags": "",
"attachsrcid": "",
"attachsrctrigger": "",
"createtime": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the incident ID whose associated affected assets are to be retrieved from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server to get incident assets from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the number of records to skip before the operation starts returning records. This parameter is useful to get a subset of records; for example, an offset of 10 skips the first 10 assets and the returned list starts at the 11th. By default, this is set to 0, which is also the minimum supported value. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"mac": "",
"epip": "",
"osname": "",
"alerttime": "",
"osversion": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}
| Parameter | Description |
|---|---|
| State | Specify the state of the executed reports to retrieve from Fortinet FortiAnalyzer, such as reports that have already been generated or are still pending. |
| Start Time | Specify the start date and time from when to retrieve the list of executed reports from Fortinet FortiAnalyzer. NOTE: If the timezone information is not specified, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the reports. |
| End Time | Specify the end date and time till when to retrieve the list of executed reports from Fortinet FortiAnalyzer. NOTE: If the timezone information is not specified, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the reports. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the list of executed reports from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"name": "",
"devtype": "",
"timezone": "",
"schedule_color": "",
"title": "",
"device": {
"data": "",
"count": ""
},
"tid": "",
"date": "",
"adminuser": "",
"profileid": "",
"start": "",
"timestamp-start": "",
"end": "",
"timestamp-end": "",
"timezone-desc": "",
"period-start": "",
"period-end": "",
"state": "",
"progress-percent": "",
"format": []
}
],
"count": "",
"revision": ""
}
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve report schedules from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
},
"data": [
{
"admin-user": "",
"auto-hcache": "",
"date-format": "",
"description": "",
"dev-type": "",
"device-list-type": "",
"devices": [
{
"devices-name": "",
"interfaces": ""
}
],
"display-device-by": "",
"display-table-contents": "",
"email-report-per-device": "",
"filter": "",
"filter-logic": "",
"data-accuracy": "",
"filter-type": "",
"is-template": "",
"include-coverpage": "",
"include-other": "",
"language": "",
"ldap-query": "",
"ldap-server": "",
"ldap-user-case-change": "",
"max-reports": "",
"name": "",
"tz": "",
"obfuscate-user": "",
"orientation": "",
"output-format": "",
"output-profile": "",
"period-last-n": "",
"period-opt": "",
"print-report-filters": "",
"report-layout": [
{
"layout-id": ""
}
],
"report-per-device": "",
"resolve-hostname": "",
"soc-cust-filters": "",
"schedule-color": "",
"soc-def-filters": "",
"cached-filtering": "",
"schedule-frequency": "",
"schedule-type": "",
"soc-filtering": "",
"address-filter": [
{
"id": "",
"grp-name": "",
"obj-name": "",
"address-type": "",
"include-option": ""
}
],
"schedule-valid-end": [],
"schedule-valid-start": [],
"status": "",
"time-period": "",
"week-start": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Schedule | Specify the name or ID of the schedule to run the report. NOTE: You can get the name or ID of the schedule using the Get Report Schedule List action. |
| Report ID | Specify the ID of the report to run on Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to run the report in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"tid": ""
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Task ID | Specify the task ID of the generated report to retrieve from Fortinet FortiAnalyzer and upload the report file as an Attachment in FortiSOAR. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the generated report from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"checksum": "",
"data": "",
"length": "",
"name": "",
"tid": "",
"data-type": ""
},
"jsonrpc": "",
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve user information from Fortinet FortiAnalyzer. |
| Fetch Users Type | Select whether you want this operation to fetch only specific users or all users. You can choose from the following options:
|
| Filter | Specify the filter query to filter user information being fetched from Fortinet FortiAnalyzer. For example, euuuid='c0a74c48-2367-11ea-aedf-00090f000409' and euname='localhost' |
| Detail Level | Select the level of detail to retrieve for the users from Fortinet FortiAnalyzer. You can choose from the following options:
|
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 1000000 records to retrieve. Default value is 100000. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say users starting from the 10th user. By default, this is set to 0 and the minimum supported value is 0. |
| Sort | Select this checkbox to sort the users by a field and order the results. Once selected, specify the following parameters:
|
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"euid": "",
"euuuid": "",
"euname": "",
"title": "",
"firstname": "",
"lastname": "",
"gender": "",
"birthday": "",
"socialid": {
"data": []
},
"authtype": "",
"eugroup": "",
"homeaddr": "",
"employeeid": "",
"firstseen": "",
"lastseen": "",
"workaddr": "",
"workphone": "",
"workemail": "",
"phone": "",
"email": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve endpoint information from Fortinet FortiAnalyzer. |
| Fetch Endpoint Type | Select whether you want this operation to fetch only specific endpoints or all endpoints. You can choose from the following options:
|
| Filter | Specify the filter query to filter endpoints being fetched from Fortinet FortiAnalyzer. For example, epname='10.0.10.3' and detectkey='10.0.10.3' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. This parameter is useful to get a subset of records, say endpoints starting from the 10th endpoint. By default, this is set to 0 and the minimum supported value is 0. |
| Sort | Select this checkbox to sort the endpoints by a field and order the results. Once selected, specify the following parameters:
|
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"lastseen": "",
"epid": "",
"epname": "",
"epdevtype": "",
"osname": "",
"osversion": "",
"fctuid": "",
"adomoid": "",
"detecttype": "",
"detectkey": "",
"devid": "",
"vd": "",
"macip": [
{
"mac": "",
"epip": "",
"lastseen": ""
}
]
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Device Type | Specify the list of device types for which to retrieve log fields from Fortinet FortiAnalyzer. You can add device types such as FortiGate, FortiClient, FortiMail, FortiWeb, FortiSandbox, FortiDDoS, and FortiDeceptor. |
| Log Type | Select the log type to filter logs being retrieved from Fortinet FortiAnalyzer. You can choose from the following options:
|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log fields from Fortinet FortiAnalyzer. |
| Subtype | Specify the subtype of the log to filter logs retrieved from Fortinet FortiAnalyzer. For example, logdev, system, fazsys, logging, logfile, dvm, etc. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
],
"private-field": [
{
"defaultshow": "",
"desc": "",
"logfldgrp": "",
"name": "",
"type": ""
}
],
"data": [
{
"field": [
{
"desc": "",
"name": "",
"type": "",
"logfldgrp": "",
"defaultshow": ""
}
],
"index": "",
"logtype": "",
"private-field": [
{
"desc": "",
"name": "",
"type": "",
"logfldgrp": "",
"defaultshow": ""
}
]
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file whose content is to be retrieved from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file whose content is to be retrieved from Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM to filter the log files whose content is to be retrieved from Fortinet FortiAnalyzer. For example, root |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log file content from Fortinet FortiAnalyzer. |
| Data Type | Specify the type in which the content of the log file is returned from Fortinet FortiAnalyzer. For example, text/gzip/base64 or csv/gzip/base64. Default is base64. |
| Offset | Specify the count of records to skip when retrieving the log file content using this operation. Use it together with Length to retrieve a large file in successive calls without re-fetching content you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the content from there. By default, this is set to 0 and the minimum supported value is 0. |
| Length | (Optional) Specify the length in bytes, of the file content, that this operation should return. By default, this is set to 1048576, the minimum supported value is 1, and the maximum supported value is 52428800. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"checksum": "",
"data": "",
"data-type": "",
"length": "",
"log-count": "",
"offset": "",
"logfile-orig-size": ""
},
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
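The Offset and Length parameters of this operation return a log file one window at a time, and the result reports the `length` actually returned and the `logfile-orig-size` of the whole file. The following Python example is added here and is not code from the connector or from Fortinet; it shows how a playbook consumer can walk those windows until the whole file is reassembled, verifying each chunk against the reported `length` and the final result against `logfile-orig-size`. `fake_get_chunk` is a stand-in for the connector's Get Log File Content call (with Data Type text/base64) over a constructed sample file, and it assumes that Offset addresses the same units as the returned `length`. The `checksum` field is not verified because the page does not state which algorithm produces it.

```python
import base64
from typing import Any, Callable, Dict, List

# Limits documented for the Length parameter of Get Log File Content.
DEFAULT_LENGTH = 1048576
MAX_LENGTH = 52428800

# Constructed sample: three FortiGate-style traffic log lines standing in for a
# stored tlog file. Not real data.
SAMPLE_LOGFILE = (
    b'date=2024-01-05 time=10:00:01 devid="FG10CH3G11601364" type="traffic" '
    b'subtype="forward" srcip=10.0.10.3 dstip=203.0.113.10 action="accept"\n'
    b'date=2024-01-05 time=10:00:02 devid="FG10CH3G11601364" type="traffic" '
    b'subtype="forward" srcip=10.0.10.7 dstip=198.51.100.5 action="deny"\n'
    b'date=2024-01-05 time=10:00:03 devid="FG10CH3G11601364" type="traffic" '
    b'subtype="local" srcip=10.0.10.3 dstip=10.0.10.1 action="accept"\n'
)


def fake_get_chunk(offset: int, length: int) -> Dict[str, Any]:
    """Stand-in (assumption, not the connector) for Get Log File Content with
    Data Type text/base64. Returns the 'result' object in the page's schema,
    treating Offset and Length as byte positions in the stored file."""
    window = SAMPLE_LOGFILE[offset:offset + length]
    return {
        "checksum": "",
        "data": base64.b64encode(window).decode("ascii"),
        "data-type": "text/base64",
        "length": len(window),
        "log-count": window.count(b"\n"),
        "offset": offset,
        "logfile-orig-size": len(SAMPLE_LOGFILE),
    }


def fetch_log_file(get_chunk: Callable[[int, int], Dict[str, Any]],
                   chunk_len: int = DEFAULT_LENGTH) -> bytes:
    """Retrieve a whole log file through successive Offset/Length windows.

    Each window is checked against the 'length' the server reports, and the
    reassembled file against 'logfile-orig-size'. Loops end on a short or
    empty window, so a server that keeps answering never spins forever."""
    if not 1 <= chunk_len <= MAX_LENGTH:
        raise ValueError(f"Length must be between 1 and {MAX_LENGTH}, got {chunk_len}")
    parts: List[bytes] = []
    offset = 0
    total = None
    while True:
        result = get_chunk(offset, chunk_len)
        if result["data-type"] != "text/base64":
            raise ValueError(f"this helper only handles text/base64, got {result['data-type']!r}")
        size = int(result["logfile-orig-size"])
        if total is None:
            total = size
        elif size != total:
            raise RuntimeError("log file changed size while it was being retrieved")
        if int(result["offset"]) != offset:
            raise RuntimeError("server answered for a different offset than requested")
        raw = base64.b64decode(result["data"], validate=True)
        if len(raw) != int(result["length"]):
            raise RuntimeError("decoded chunk does not match the reported length")
        if not raw:
            break
        parts.append(raw)
        offset += len(raw)
        if offset >= total:
            break
    data = b"".join(parts)
    if len(data) != total:
        raise RuntimeError(f"expected {total} bytes, reassembled {len(data)}")
    return data


def split_log_lines(data: bytes) -> List[str]:
    """Split the reassembled file into log lines. Splitting must happen after
    reassembly: a window boundary can fall in the middle of a line."""
    return [line for line in data.decode("utf-8", "replace").splitlines() if line.strip()]
```

With a small Length the loop makes several round trips; with the default Length most files arrive in one window, and the size checks still catch a truncated or mismatched response before the content is attached to a FortiSOAR record.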
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file based on which to search for the log file in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file to search in Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM based on which to search the log file content in Fortinet FortiAnalyzer. For example, root. |
| Log Type | Specify the type of log to search in Fortinet FortiAnalyzer. You can choose from options such as, Event, Traffic, FCT Event, Email Filter, Virus, etc. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search the log file content in Fortinet FortiAnalyzer. |
| Case Sensitive | Select this option to perform a case-sensitive search of the log file in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, subtype='forward' and srcname='LAN-FSW-GUEST'. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
| Limit | (Optional) Specify the maximum count of log records that this operation should return. By default, this is set to 50, the minimum supported value is 1, and the maximum supported value is 500. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"logver": "",
"idseq": "",
"itime": "",
"devid": "",
"vd": "",
"app": "",
"date": "",
"time": "",
"logid": "",
"type": "",
"appid": "",
"subtype": "",
"transip": "",
"countapp": "",
"level": "",
"eventtime": "",
"tz": "",
"srcip": "",
"srcname": "",
"msg": "",
"url": "",
"hostname": "",
"direction": "",
"eventtype": "",
"scertcname": "",
"scertissuer": "",
"incidentserialno": "",
"srcport": "",
"srcintf": "",
"srcintfrole": "",
"dstip": "",
"dstport": "",
"dstintf": "",
"dstintfrole": "",
"srcuuid": "",
"dstuuid": "",
"sessionid": "",
"srcfamily": "",
"proto": "",
"action": "",
"policyid": "",
"policytype": "",
"poluuid": "",
"service": "",
"dstcountry": "",
"srccountry": "",
"trandisp": "",
"duration": "",
"sentbyte": "",
"rcvdbyte": "",
"sentpkt": "",
"rcvdpkt": "",
"appcat": "",
"srchwvendor": "",
"osname": "",
"mastersrcmac": "",
"srcmac": "",
"applist": "",
"apprisk": "",
"srcserver": "",
"transport": "",
"utmaction": "",
"offset_idx": "",
"policyname": "",
"dtime": "",
"itime_t": "",
"devname": "",
"devtype": ""
}
],
"return-lines": "",
"total-count": ""
}
}
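The Filter parameter of the search operations above is a query string such as `subtype='forward' and srcname='LAN-FSW-GUEST'`. In a playbook the values usually come from an alert or a user, so a value containing a quote can rewrite the query instead of matching a field. The following Python example is added here and is not code from the connector or from Fortinet; it builds filter strings from (field, operator, value) terms and refuses values the page's syntax cannot carry safely. Because the page does not document how a quote inside a value is escaped, such values are rejected rather than escaped. The `!=` operator and the `or` connector are assumptions about the FortiAnalyzer filter grammar beyond the `=` and `and` shown on this page.

```python
import re
from typing import Iterable, Mapping, Sequence, Tuple

# FortiAnalyzer log field names are lower-case identifiers (srcip, subtype, ...).
FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")
# '=' appears on this page; '!=' is assumed from the FortiAnalyzer filter grammar.
ALLOWED_OPS = ("=", "!=")
# 'and' appears on this page; 'or' is assumed from the filter grammar.
ALLOWED_LOGIC = ("and", "or")


def is_safe_filter_value(value: str) -> bool:
    """A value is usable inside single quotes only if it cannot close them.
    Backslashes and line breaks are refused too, since their handling by the
    filter parser is not documented here."""
    return not any(ch in value for ch in ("'", "\\", "\n", "\r"))


def quote_value(value: object) -> str:
    """Wrap a value in single quotes, refusing anything that could break out.
    This is what stops an alert field such as "10.0.10.3' or srcip!='"
    from widening the query to every log line."""
    text = str(value)
    if not is_safe_filter_value(text):
        raise ValueError(f"unsafe character in filter value: {text!r}")
    return "'" + text + "'"


def build_filter(terms: Sequence[Tuple[str, str, object]], logic: str = "and") -> str:
    """Build "field=op'value' and field=op'value' ..." from validated terms."""
    if logic not in ALLOWED_LOGIC:
        raise ValueError(f"unsupported logic {logic!r}")
    if not terms:
        raise ValueError("a filter needs at least one term")
    parts = []
    for field, op, value in terms:
        if not FIELD_RE.match(field):
            raise ValueError(f"invalid field name {field!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator {op!r}")
        parts.append(f"{field}{op}{quote_value(value)}")
    return f" {logic} ".join(parts)


def filter_from_record(record: Mapping[str, object], fields: Iterable[str]) -> str:
    """Equality filter over the named fields of an alert or event record,
    e.g. to search logs for the same srcip/dstip pair the alert reported.
    Fields missing from the record are skipped; an empty result is an error."""
    return build_filter([(f, "=", record[f]) for f in fields if f in record])
```

Field names are checked against a whitelist pattern as well, so a playbook cannot be steered into filtering on an arbitrary string, and the returned value is passed unchanged as the operation's Filter parameter.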
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the state of a log file from Fortinet FortiAnalyzer. |
| Device ID | Specify the ID of the device hosting the log file whose state to retrieve from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Filename | Specify the name of the log file whose state to retrieve from Fortinet FortiAnalyzer. |
| VDOM | Specify the name of the VDOM to filter log files and retrieve the log file state from Fortinet FortiAnalyzer. For example, root. |
| Start Time | (Optional) Specify the start date and time from when to retrieve the state of log files from Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
| End Time | (Optional) Specify the end date and time till when to retrieve the state of log files from Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log file state. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"device-file-list": [
{
"device-id": "",
"device-name": "",
"endtime": "",
"starttime": "",
"vdom-file-list": [
{
"endtime": "",
"logfile-list": {
"rlog": {
"files": [
{
"fsize": "",
"endtime": "",
"filename": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
},
"elog": {
"files": [
{
"endtime": "",
"filename": "",
"fsize": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
},
"tlog": {
"files": [
{
"fsize": "",
"endtime": "",
"filename": "",
"starttime": ""
}
],
"logtype": {
"id": "",
"key": "",
"name": ""
}
}
},
"starttime": "",
"vdom-name": ""
}
]
}
]
}
}
| Parameter | Description |
|---|---|
| Device ID | Specify the ID of the device hosting the log file based on which to start the search for logs in Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Device Name | Specify the name of the device based on which to start the search for logs from Fortinet FortiAnalyzer. For example, FG10CH3G11601364. |
| Start Time | (Optional) Specify the start date and time from when to search for logs in Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| End Time | (Optional) Specify the end date and time till when to search for logs in Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| Log Type | Select the log type to filter logs being searched in Fortinet FortiAnalyzer. You can choose from the following options:
|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search for logs in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option to perform a case-sensitive search of the logs in Fortinet FortiAnalyzer. |
| Time Order | Select the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| All Device Type | Specify the name of the All Device type. For example: All_FortiGate, All_FortiMail, All_FortiWeb, All_FortiManager, All_Syslog, All_FortiClient, All_FortiCache, All_FortiProxy, All_FortiAnalyzer, All_FortiSandbox, All_FortiAuthenticator, All_FortiDDoS |
| Start Time | (Optional) Specify the start date and time from when to search for logs in Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| End Time | (Optional) Specify the end date and time till when to search for logs in Fortinet FortiAnalyzer.
NOTE: If the timezone information is not specified then the Fortinet FortiAnalyzer's timezone is considered for starting the log search request. |
| Log Type | Select the log type to filter logs being searched in Fortinet FortiAnalyzer. You can choose from the following options:
|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to search for logs in Fortinet FortiAnalyzer. |
| Filter | Specify the filter query to filter logs to be searched in Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Case Sensitive | Select this option to perform a case-sensitive search of the logs in Fortinet FortiAnalyzer. |
| Time Order | Select the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"tid": ""
}
}
| Parameter | Description |
|---|---|
| Task ID | Specify the ID of the task log search to retrieve the log search result from Fortinet FortiAnalyzer. For example, 193200136. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve the log search result from Fortinet FortiAnalyzer. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 500 records to retrieve. Default value is 50. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"app": "",
"appcat": "",
"date": "",
"devid": "",
"devname": "",
"devtype": "",
"dstcountry": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"duration": "",
"itime": "",
"itime_t": "",
"level": "",
"logid": "",
"logver": "",
"mastersrcmac": "",
"osname": "",
"policyid": "",
"proto": "",
"rcvdbyte": "",
"rcvdpkt": "",
"sentbyte": "",
"sentpkt": "",
"service": "",
"sessionid": "",
"srccountry": "",
"srcintf": "",
"srcip": "",
"srcmac": "",
"srcname": "",
"srcport": "",
"subtype": "",
"time": "",
"trandisp": "",
"transip": "",
"transport": "",
"type": "",
"vd": ""
}
],
"percentage": "",
"return-lines": "",
"status": {
"code": "",
"message": ""
},
"tid": ""
}
}
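A log search started with Start Log Search Request (or its All Device variant) returns only a task ID; the rows are collected with this operation, which reports a `percentage` of completion and at most 500 rows per call. The following Python example is added here and is not code from the connector or from Fortinet; it waits until the task reports 100 percent, then drains the result through Offset and Limit and stops on the first short page. `FakeSearchTask` is a stand-in for the connector's Get Log Search Result call, simulating a task that completes after three polls over seven constructed traffic records, and the check that a `status.code` of 0 means success is an assumption about the FortiAnalyzer JSON-RPC convention.

```python
import time
from typing import Any, Callable, Dict, List

MAX_LIMIT = 500  # documented maximum for the Limit parameter


class FakeSearchTask:
    """Stand-in (assumption, not the connector) for Get Log Search Result.
    Reports 40, 80 and then 100 percent on successive polls and exposes seven
    constructed traffic records. Not real data."""

    def __init__(self) -> None:
        self.polls = 0
        self.records = [
            {"devid": "FG10CH3G11601364", "type": "traffic", "subtype": "forward",
             "srcip": f"10.0.10.{i}", "dstip": "203.0.113.10", "dstport": 443,
             "action": "accept" if i % 2 else "deny"}
            for i in range(1, 8)
        ]

    def get_result(self, tid: int, offset: int, limit: int) -> Dict[str, Any]:
        self.polls += 1
        pct = min(100, 40 * self.polls)
        # A running search only exposes the rows found so far.
        visible = self.records if pct == 100 else self.records[: len(self.records) * pct // 100]
        page = visible[offset:offset + limit]
        return {"id": 1, "jsonrpc": "2.0",
                "result": {"data": page, "percentage": pct, "return-lines": len(page),
                           "status": {"code": 0, "message": "OK"}, "tid": tid}}


def _check_status(result: Dict[str, Any]) -> None:
    status = result.get("status") or {}
    if int(status.get("code", 0)) != 0:   # assumption: 0 means success
        raise RuntimeError(f"FortiAnalyzer returned {status.get('code')}: {status.get('message')}")


def collect_search_results(get_result: Callable[[int, int, int], Dict[str, Any]],
                           tid: int, limit: int = MAX_LIMIT,
                           poll_interval: float = 2.0, max_polls: int = 60,
                           sleep: Callable[[float], None] = time.sleep) -> List[Dict[str, Any]]:
    """Wait for the search task to finish, then page through every row.

    Paging before completion would miss rows still being produced, so the
    first phase only polls the percentage; the second phase drains pages until
    one comes back shorter than the requested Limit."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"Limit must be between 1 and {MAX_LIMIT}, got {limit}")
    for _ in range(max_polls):
        result = get_result(tid, 0, 1)["result"]
        _check_status(result)
        if int(result["percentage"]) >= 100:
            break
        sleep(poll_interval)
    else:
        raise TimeoutError(f"log search task {tid} did not finish after {max_polls} polls")

    rows: List[Dict[str, Any]] = []
    offset = 0
    while True:
        result = get_result(tid, offset, limit)["result"]
        _check_status(result)
        page = result["data"]
        if int(result["return-lines"]) != len(page):
            raise RuntimeError("return-lines disagrees with the number of rows returned")
        rows.extend(page)
        if len(page) < limit:
            break
        offset += len(page)
    return rows
```

The injectable `sleep` lets the polling loop run instantly in a test and with a real delay in a playbook; `max_polls` bounds how long a stuck search can hold a playbook step open.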
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve alert events from Fortinet FortiAnalyzer. |
| Start Time | Specify the start date and time from when to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| End Time | Specify the end date and time till when to retrieve the events from Fortinet FortiAnalyzer. Note: If you do not specify the timezone information, then the Fortinet FortiAnalyzer's timezone is considered for retrieving the log alert events. |
| Alert IDs | Specify a list of alert IDs, i.e., the FAZ event IDs, based on which to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Filter | Specify the filter query to search for events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"ack_flag": "",
"addi_info": "",
"alert_id": "",
"count": "",
"ctime": "",
"dev_name": "",
"devid": "",
"ackflag": "",
"alertid": "",
"devname": "",
"devtype": "",
"logtype": "",
"subject": "",
"filterid": "",
"groupby1": "",
"groupby2": "",
"logcount": "",
"readflag": "",
"epid": "",
"csf": "",
"tag": "",
"epip": "",
"vdom": "",
"epname": "",
"euid": "",
"euname": "",
"event_info": "",
"event_name": "",
"event_status": "",
"event_type": "",
"last_occurrence": "",
"last_update": "",
"read_flag": "",
"severity": "",
"alerttime": "",
"eventtype": "",
"extrainfo": "",
"filterkey": "",
"multiflag": "",
"updatetime": "",
"eventstatus": "",
"filtercksum": "",
"lastlogtime": "",
"triggername": "",
"firstlogtime": "",
"handler_type": "",
"alert_part_info": {
"ruleid": "",
"devtype": "",
"logtype": "",
"subtype": "",
"hdlrhash": "",
"rulename": "",
"selector": "",
"handlerid": "",
"handlername": ""
},
"automation_stitch": "",
"trigger_name": "",
"vd_name": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Alert ID | Specify a list of alert IDs, i.e., FortiAnalyzer event IDs, based on which to retrieve event logs from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve event logs from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
| Time Order | Specify the order in which to sort the results retrieved from Fortinet FortiAnalyzer. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"action": "",
"alert_log_seqnum": "",
"cat": "",
"catdesc": "",
"crlevel": "",
"crscore": "",
"devid": "",
"devname": "",
"direction": "",
"dstintf": "",
"dstip": "",
"dstport": "",
"dtime": "",
"epid": "",
"euid": "",
"eventtype": "",
"fctuid": "",
"hostname": "",
"id": "",
"itime": "",
"level": "",
"logid": "",
"logver": "",
"method": "",
"msg": "",
"policyid": "",
"profile": "",
"proto": "",
"rcvdbyte": "",
"reqtype": "",
"sentbyte": "",
"service": "",
"sessionid": "",
"srcintf": "",
"srcip": "",
"srcport": "",
"subtype": "",
"type": "",
"unauthuser": "",
"url": "",
"vd": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident whose associated affected assets to retrieve from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve assets affected by the incident from Fortinet FortiAnalyzer. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"seqid": "",
"incid": "",
"srctype": "",
"srcinfo": "",
"ctime": "",
"epid": "",
"mac": "",
"epip": "",
"osname": "",
"alerttime": "",
"osversion": "",
"euid": "",
"epname": "",
"euname": ""
}
],
"status": ""
}
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to add attachments in Fortinet FortiAnalyzer. |
| Data | Specify the attachment data, in JSON format, for the incident attachment, to add in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server for the incident attachment, to add in Fortinet FortiAnalyzer. |
| Attachment Type | Specify the attachment type for the incident attachment, to add in Fortinet FortiAnalyzer. Following values are supported:
|
| Attachment Source | (Optional) Specify the attachment source for the incident attachment, to add in Fortinet FortiAnalyzer. You can specify one of the following options:
|
| Attachment Source ID | (Optional) Specify the ID of the attachment source for the incident attachment, to add in Fortinet FortiAnalyzer.
|
| Attachment Source Trigger | (Optional) Specify the attachment trigger information for the incident attachment, to add in Fortinet FortiAnalyzer. |
| Last User | (Optional) Specify the name of the user who last updated the incident attachment to add in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"attachids": []
},
"jsonrpc": "",
"id": ""
}
| Parameter | Description |
|---|---|
| Incident ID | Specify the ID of the incident to retrieve its associated attachments from Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve attachments associated with the incident from Fortinet FortiAnalyzer. |
| Attachment Type | Specify the attachment type based on which to fetch the attachment for the specified incident. Following values are supported:
|
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 50. |
| Offset | Specify the count of records to skip when retrieving records using this operation. Use it to page through a large result set in successive calls without retrieving records you have already received: for example, if you specify 10, the operation starts from the 10th record and returns the list from there. By default, this is set to 0 and the minimum supported value is 0. |
The output contains the following populated JSON schema:
{
"id": "",
"jsonrpc": "",
"result": {
"data": [
{
"attachid": "",
"tags": "",
"attachsrc": "",
"user_tags": "",
"attachsrcid": "",
"attachsrctrigger": "",
"attachtype": "",
"createtime": "",
"data": "",
"incid": "",
"lastupdate": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"code": "",
"message": ""
}
}
}
| Parameter | Description |
|---|---|
| Attachment ID | Specify the ID of the attachment to update in Fortinet FortiAnalyzer. |
| Data | Specify the attachment data, in JSON format, for the incident attachment to update in Fortinet FortiAnalyzer. |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server for the incident attachment, to update in Fortinet FortiAnalyzer. |
| Attachment Source | (Optional) Specify the attachment source for the incident attachment, to update in Fortinet FortiAnalyzer. You can specify one of the following options:
|
| Attachment Source ID | (Optional) Specify the ID of the attachment source for the incident attachment, to update in Fortinet FortiAnalyzer.
|
| Attachment Source Trigger | (Optional) Specify the attachment trigger information for the incident attachment, to update in Fortinet FortiAnalyzer. |
| Last User | (Optional) Specify the name of the user who last updated the incident attachment to update in Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"result": {
"status": {
"code": "",
"message": ""
}
},
"jsonrpc": "",
"id": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"oid": "",
"name": "",
"desc": "",
"state": "",
"mode": "",
"os_ver": "",
"mr": "",
"flags": "",
"mig_os_ver": "",
"mig_mr": "",
"obj_customize": "",
"tab_status": "",
"logview_customize": "",
"restricted_prds": "",
"log_db_retention_hours": "",
"log_file_retention_hours": "",
"log_disk_quota": "",
"log_disk_quota_split_ratio": "",
"log_disk_quota_alert_thres": "",
"uuid": "",
"create_time": "",
"workspace_mode": "",
"tz": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, Enterprise_DEV |
| IP Address | Specify the IP address of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Specify the serial number of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM010000166969 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a primary device to the Fortinet FortiAnalyzer device manager database. |
| OS Version | (Optional) Specify the OS version of the primary device to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"version": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Secondary Device Name | Specify the name of the secondary device to add to the Fortinet FortiAnalyzer device manager database. For example, Branch_Dev_01 |
| Secondary Device Serial Number | Specify the serial number of the secondary device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM02TM20007936 |
| Primary Device Name | Specify the name of the primary device under which to add the secondary device in the Fortinet FortiAnalyzer device manager database. For example, Enterprise_DEV |
| Primary Device Serial Number | Specify the serial number of the primary device under which to add the secondary device in the Fortinet FortiAnalyzer device manager database. For example, XXVM010000166969 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a secondary device to the Fortinet FortiAnalyzer device manager database. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to add to the Fortinet FortiAnalyzer device manager database. For example, Enterprise_Dev |
| IP Address | Specify the IP address of the device to add to the Fortinet FortiAnalyzer device manager database. For example, xx.xx.xx.xx |
| Serial Number | Specify the serial number of the device to add to the Fortinet FortiAnalyzer device manager database. For example, XXVM010000212677 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to add a device to the Fortinet FortiAnalyzer device manager database. |
| OS Version | (Optional) Specify the OS version of the device to add to the Fortinet FortiAnalyzer device manager database. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"flags": "",
"ip": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve devices from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"adm_pass": [
"",
""
],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"first_tunnel_up": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgt_vdom": "",
"mgmt_uuid": "",
"auto_mgmt": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"onboard_rule": "",
"eip": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"psk": "",
"role": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": "",
"vdom_type": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_lic_overdue_since": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
}
],
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve log status from Fortinet FortiAnalyzer. |
| Device ID | (Optional) Specify the device ID based on which to fetch the log status and the log rate per device from Fortinet FortiAnalyzer. Device ID: XXVM02TM20007478 |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"vdoms": [
{
"vdom": "",
"last-log-time": "",
"last-log-timestamp": "",
"lograte": ""
}
],
"devs": [
{
"devid": "",
"is-ha": "",
"vdoms": [
{
"vdom": "",
"lograte": "",
"log-db-size": "",
"logstat-info": "",
"adom-quota-MB": "",
"last-log-time": "",
"log-disk-size": "",
"last-log-timestamp": ""
}
],
"status": "",
"devname": "",
"logging-mode": "",
"logstat-info": "",
"encrypted-logging": "",
"encrypted-forwarding": ""
}
],
"log-interval-dev-no-logging-upload": "",
"log-interval-dev-no-logging-realtime": "",
"devid": ""
}
]
}
}
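A device or VDOM that stops forwarding logs is a blind spot for every detection that depends on it, and the log-status response above carries everything needed to notice this (last-log-timestamp, lograte, encrypted-logging). The following is an added example, not part of the connector or of Fortinet's code: it parses a response in the shape of the schema above and returns one finding per silent VDOM and per device that forwards logs unencrypted. The sample response is constructed; the assumption that last-log-timestamp is an epoch-seconds string and that encrypted-logging reads "enabled" when on are marked in the comments and should be checked against your own FortiAnalyzer output.

```python
from typing import Any, Dict, List

# Constructed sample response in the shape of the log-status schema above
# (not real data; field values are assumptions to be checked against a live FAZ).
SAMPLE_LOG_STATUS: Dict[str, Any] = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "data": [
            {
                "devid": "all",
                "log-interval-dev-no-logging-realtime": "300",
                "log-interval-dev-no-logging-upload": "1800",
                "devs": [
                    {
                        "devid": "FGVM0000000001",
                        "devname": "edge-fw-01",
                        "is-ha": "0",
                        "status": "up",
                        "logging-mode": "realtime",
                        "encrypted-logging": "enabled",
                        "vdoms": [
                            {"vdom": "root", "lograte": "12",
                             "last-log-timestamp": "1700000000"}
                        ],
                    },
                    {
                        "devid": "FGVM0000000002",
                        "devname": "branch-fw-07",
                        "is-ha": "0",
                        "status": "up",
                        "logging-mode": "realtime",
                        "encrypted-logging": "disabled",
                        "vdoms": [
                            {"vdom": "root", "lograte": "0",
                             "last-log-timestamp": "1699990000"}
                        ],
                    },
                ],
            }
        ]
    },
}


def find_logging_gaps(response: Dict[str, Any], now_ts: int,
                      max_silence: int = 900) -> List[Dict[str, Any]]:
    """Return one finding per monitoring blind spot in a log-status response.

    A finding is raised when a device forwards logs unencrypted, or when a VDOM
    has not logged for more than max_silence seconds. last-log-timestamp is
    treated as an epoch-seconds string (assumption from the constructed sample).
    """
    findings: List[Dict[str, Any]] = []
    for entry in response.get("result", {}).get("data", []):
        for dev in entry.get("devs", []):
            devname = dev.get("devname", dev.get("devid"))
            if dev.get("encrypted-logging") != "enabled":
                findings.append({"device": devname, "vdom": None,
                                 "issue": "unencrypted-logging"})
            for vd in dev.get("vdoms", []):
                last = int(vd.get("last-log-timestamp") or 0)
                silent_for = now_ts - last
                if silent_for > max_silence:
                    findings.append({"device": devname, "vdom": vd.get("vdom"),
                                     "issue": "silent",
                                     "silent_seconds": silent_for,
                                     "lograte": vd.get("lograte")})
    return findings


if __name__ == "__main__":
    # Evaluate the constructed sample as if the current time were 500 s after
    # edge-fw-01's last log: branch-fw-07 is both silent and unencrypted.
    for finding in find_logging_gaps(SAMPLE_LOG_STATUS, now_ts=1700000500):
        print(finding)
```

In a playbook, run this after the log-status step and raise a FortiSOAR alert for each finding; choose max_silence from the device's expected log rate rather than a single global value, since a low-traffic branch VDOM can legitimately be quiet for longer than a busy edge firewall.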
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device whose information to retrieve from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to retrieve device information from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"adm_pass": [],
"adm_usr": "",
"app_ver": "",
"av_ver": "",
"beta": "",
"branch_pt": "",
"build": "",
"checksum": "",
"conf_status": "",
"conn_mode": "",
"conn_status": "",
"db_status": "",
"desc": "",
"dev_status": "",
"fap_cnt": "",
"faz.full_act": "",
"faz.perm": "",
"faz.quota": "",
"faz.used": "",
"fex_cnt": "",
"flags": "",
"foslic_cpu": "",
"foslic_dr_site": "",
"foslic_inst_time": "",
"foslic_last_sync": "",
"foslic_ram": "",
"foslic_type": "",
"foslic_utm": "",
"fsw_cnt": "",
"ha_group_id": "",
"ha_group_name": "",
"ha_mode": "",
"ha_slave": "",
"hdisk_size": "",
"hostname": "",
"hw_rev_major": "",
"hw_rev_minor": "",
"hyperscale": "",
"ip": "",
"ips_ext": "",
"ips_ver": "",
"last_checked": "",
"last_resync": "",
"latitude": "",
"lic_flags": "",
"lic_region": "",
"location_from": "",
"logdisk_size": "",
"onboard_rule": "",
"longitude": "",
"maxvdom": "",
"mgmt.__data[0]": "",
"mgmt.__data[1]": "",
"mgmt.__data[2]": "",
"mgmt.__data[3]": "",
"mgmt.__data[4]": "",
"mgmt.__data[5]": "",
"mgmt.__data[6]": "",
"mgmt.__data[7]": "",
"mgmt_id": "",
"mgmt_if": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"mgt_vdom": "",
"auto_mgmt": "",
"module_sn": "",
"mr": "",
"name": "",
"node_flags": "",
"nsxt_service_name": "",
"oid": "",
"opts": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_str": "",
"prefer_img_ver": "",
"first_tunnel_up": "",
"prio": "",
"private_key": "",
"private_key_status": "",
"vm_lic_overdue_since": "",
"psk": "",
"role": "",
"sn": "",
"eip": "",
"source": "",
"tab_status": "",
"tunnel_cookie": "",
"tunnel_ip": "",
"vdom": [
{
"comments": "",
"devid": "",
"ext_flags": "",
"vdom_type": "",
"flags": "",
"name": "",
"node_flags": "",
"oid": "",
"opmode": "",
"rtm_prof_id": "",
"status": "",
"tab_status": "",
"vpn_id": ""
}
],
"version": "",
"vm_cpu": "",
"vm_cpu_limit": "",
"vm_lic_expire": "",
"vm_mem": "",
"vm_mem_limit": "",
"vm_status": ""
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to authorize in Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
| Serial Number | Specify the serial number of the device to authorize in Fortinet FortiAnalyzer. For example, Serial Number: XXVM010000212677 |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to authorize the device in Fortinet FortiAnalyzer. |
| OS Version | Specify the OS version of the device to authorize in Fortinet FortiAnalyzer. For example, 6.0 |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"device": {
"beta": "",
"conn_mode": "",
"dev_status": "",
"faz.perm": "",
"flags": "",
"maxvdom": "",
"mgmt_id": "",
"mgmt_mode": "",
"mgmt_uuid": "",
"vm_lic_overdue_since": "",
"mr": "",
"name": "",
"oid": "",
"os_type": "",
"os_ver": "",
"patch": "",
"platform_id": "",
"platform_str": "",
"sn": "",
"source": "",
"tab_status": "",
"tunnel_ip": "",
"version": "",
"vm.lic_type": "",
"vm_lic_expire": ""
}
},
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
| Parameter | Description |
|---|---|
| Device Name | Specify the name of the device to delete from Fortinet FortiAnalyzer. For example, Device Name: Enterprise_Dev |
| ADOM Name | Specify the administrative domain (ADOM) name of the Fortinet FortiAnalyzer server based on which to delete a device from Fortinet FortiAnalyzer. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"url": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Start Time | Specify the start date and time from which to retrieve alert events from Fortinet FortiAnalyzer. Note: If you do not include timezone information, the timezone configured on the Fortinet FortiAnalyzer server is used to interpret this value. |
| End Time | Specify the end date and time until which to retrieve alert events from Fortinet FortiAnalyzer. Note: If you do not include timezone information, the timezone configured on the Fortinet FortiAnalyzer server is used to interpret this value. |
| Alert IDs | Specify a comma-separated list of alert IDs, i.e., the FAZ event IDs, based on which to fetch events from Fortinet FortiAnalyzer. For example, 202008201000003361,202008201000003362 or 202008201000003361 |
| Filter | Specify the filter query used to search for alert events in Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum of 2000 records. The default value is 1000. |
| Offset | Specify the number of records to skip before the operation starts returning results. Used together with Limit, this lets you page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the operation skips the first 10 records and returns the list starting from the 11th. The default, and minimum supported, value is 0. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"alerttime": "",
"logcount": "",
"alertid": "",
"adom": "",
"epid": "",
"epname": "",
"subject": "",
"euid": "",
"euname": "",
"devname": "",
"logtype": "",
"devtype": "",
"devid": "",
"vdom": "",
"groupby1": "",
"triggername": "",
"tag": "",
"eventtype": "",
"severity": "",
"extrainfo": "",
"ackflag": "",
"readflag": "",
"filterkey": "",
"firstlogtime": "",
"multiflag": "",
"lastlogtime": "",
"updatetime": "",
"filtercksum": "",
"filterid": "",
"csf": "",
"epip": "",
"groupby2": "",
"eventstatus": "",
"handler_type": "",
"alert_part_info": {
"ruleid": "",
"devtype": "",
"logtype": "",
"subtype": "",
"hdlrhash": "",
"rulename": "",
"selector": "",
"handlerid": "",
"handlername": ""
},
"automation_stitch": ""
}
]
}
}
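Two things go wrong in practice with the Filter, Limit and Offset parameters above: a filter string assembled from playbook input (an alert's devname or euname, say) can carry quotes that change the query, and an offset loop that never terminates, or that repeats rows when new events land between pages, silently doubles or truncates what gets ingested. The following is an added example, not the connector's own code or Fortinet's, showing a fail-closed filter builder and a page walker that stops on a short page and de-duplicates on alertid. The allowlisted keys and value grammar are conservative local rules, not the FortiAnalyzer filter specification; the JSON-RPC URL /eventmgr/adom/<adom>/alerts, the session field and the FakeFortiAnalyzer stand-in that serves constructed events offline are all assumptions.

```python
import re
from typing import Any, Callable, Dict, Iterator, List

# Keys a playbook may filter on and the characters a value may contain.
# Conservative local rules (assumption), not the FortiAnalyzer filter grammar.
ALLOWED_KEYS = {"alertid", "devid", "devname", "vdom", "eventtype",
                "severity", "epip", "epname", "euname", "eventstatus"}
_VALUE_RE = re.compile(r"^[A-Za-z0-9._:/@\- ]+$")
MAX_LIMIT = 2000  # per-call ceiling documented for the Limit parameter above


def build_event_filter(conditions: Dict[str, str]) -> str:
    """Compose key='value' terms joined by 'and', refusing anything that could
    change the query's meaning (unknown keys, quotes, parentheses, ...)."""
    parts: List[str] = []
    for key, value in conditions.items():
        if key not in ALLOWED_KEYS:
            raise ValueError(f"filter key not allowed: {key!r}")
        if not _VALUE_RE.match(value):
            raise ValueError(f"filter value has unsupported characters: {value!r}")
        parts.append(f"{key}='{value}'")
    return " and ".join(parts)


def event_request(adom: str, filt: str, limit: int, offset: int,
                  session: str, req_id: int) -> Dict[str, Any]:
    """JSON-RPC body for one page of alert events.
    The URL /eventmgr/adom/<adom>/alerts and the session field are assumed."""
    return {
        "id": req_id,
        "session": session,
        "method": "get",
        "params": [{"url": f"/eventmgr/adom/{adom}/alerts",
                    "filter": filt, "limit": limit, "offset": offset}],
    }


def iter_events(send: Callable[[Dict[str, Any]], Dict[str, Any]], adom: str,
                filt: str, session: str = "session-token", page_size: int = 1000,
                max_pages: int = 100) -> Iterator[Dict[str, Any]]:
    """Walk offset/limit pages until a short page, de-duplicating on alertid
    (events inserted between pages shift offsets and can repeat a row)."""
    page_size = max(1, min(page_size, MAX_LIMIT))
    seen = set()
    offset = 0
    for req_id in range(1, max_pages + 1):
        resp = send(event_request(adom, filt, page_size, offset, session, req_id))
        data = resp.get("result", {}).get("data", [])
        for ev in data:
            if ev["alertid"] in seen:
                continue
            seen.add(ev["alertid"])
            yield ev
        if len(data) < page_size:
            break
        offset += page_size


# Constructed events (not real data); the last one repeats an alertid to
# stand in for a row that shifted between two pages.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"alertid": f"20240101000000000{i}", "severity": "medium",
     "eventtype": "traffic", "devname": "edge-fw-01"} for i in range(1, 6)
]
SAMPLE_EVENTS.append(dict(SAMPLE_EVENTS[2]))


class FakeFortiAnalyzer:
    """Offline stand-in for the endpoint: serves SAMPLE_EVENTS in pages."""

    def __init__(self, events: List[Dict[str, Any]]) -> None:
        self.events = events
        self.calls = 0

    def send(self, request: Dict[str, Any]) -> Dict[str, Any]:
        self.calls += 1
        p = request["params"][0]
        page = self.events[p["offset"]:p["offset"] + p["limit"]]
        return {"jsonrpc": "2.0", "id": request["id"], "result": {"data": page}}


if __name__ == "__main__":
    faz = FakeFortiAnalyzer(SAMPLE_EVENTS)
    query = build_event_filter({"eventtype": "traffic", "severity": "medium"})
    for event in iter_events(faz.send, "root", query, page_size=2):
        print(event["alertid"])
    print(f"{faz.calls} requests")
```

Replace FakeFortiAnalyzer.send with a function that POSTs the body to the server's JSON-RPC endpoint with the connector's session; keep max_pages, because an unbounded loop against a filter that matches millions of rows is a self-inflicted denial of service on both the playbook and the analyzer.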
| Parameter | Description |
|---|---|
| Group By | Specify the group-by field to count the events retrieved from Fortinet FortiAnalyzer. For example, dev_name |
| Start Time | Specify the start date and time from which to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not include timezone information, the timezone configured on the Fortinet FortiAnalyzer server is used to interpret this value. |
| End Time | Specify the end date and time until which to retrieve the count of alert events from Fortinet FortiAnalyzer. Note: If you do not include timezone information, the timezone configured on the Fortinet FortiAnalyzer server is used to interpret this value. |
| Filter | Specify the filter query to search for the alert events and retrieve their counts from Fortinet FortiAnalyzer. For example, eventtype='traffic' and severity='medium' |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"severity": "",
"count": ""
}
]
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | Specify the list of incident IDs based on which to fetch incidents from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Status | Specify the status of the incident to filter incidents to be fetched from Fortinet FortiAnalyzer. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
| Filter | Specify the filter query to filter incidents to be fetched from Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
| Detail Level | Specify the level of detail to retrieve for the incidents from Fortinet FortiAnalyzer. You can choose from the following options: Basic, Standard(default), or Extended. |
| Limit | Specify the maximum number of records that this operation should return. You can specify a minimum of 1 and a maximum value of 2000 records to retrieve. Default value is 1000. |
| Offset | Specify the number of records to skip before the operation starts returning results. Used together with Limit, this lets you page through a large result set without re-fetching records you have already processed. For example, if you specify 10, the operation skips the first 10 records and returns the list starting from the 11th. The default, and minimum supported, value is 0. |
| Sort | Select this checkbox to sort the incidents by a field and order the results. Once selected, specify the sort field and the sort order. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"incid": "",
"epid": "",
"endpoint": "",
"euid": "",
"category": "",
"severity": "",
"status": "",
"description": "",
"reporter": "",
"createtime": "",
"lastupdate": "",
"lastuser": "",
"revision": "",
"attach_lastupdate": "",
"attach_revision": "",
"refinfo": "",
"report_src": "",
"report_srcid": "",
"report_detail": "",
"assigned_to": "",
"remedy_action": "",
"remedy_executor": "",
"remedy_approver": "",
"remedy_time": "",
"adom": "",
"epcount": "",
"eucount": "",
"incident_reporter": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Incident IDs | Specify the list of incident IDs to count the incidents retrieved from Fortinet FortiAnalyzer. For example, IN00000002,IN00000005 or IN00000002 |
| Filter | Specify the filter query used to search for incidents and retrieve their count from Fortinet FortiAnalyzer. For example, status='draft' and severity='low' |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"data": [
{
"count": ""
}
],
"detail-level": "",
"status": {
"code": "",
"message": ""
}
}
}
The Sample - Fortinet FortiAnalyzer - 3.2.0 playbook collection comes bundled with the Fortinet FortiAnalyzer connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiAnalyzer connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events and their related logs from Fortinet FortiAnalyzer. Currently, events and their related logs ingested from Fortinet FortiAnalyzer are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Fortinet FortiAnalyzer events and their related logs to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Fortinet FortiAnalyzer into FortiSOAR™. It also lets you pull some sample data from Fortinet FortiAnalyzer, which you use to define the mapping of data between Fortinet FortiAnalyzer and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; you usually only need to map any custom fields that have been added to the Fortinet FortiAnalyzer events and their related logs.
To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiAnalyzer connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

Sample data is required to create a field mapping between Fortinet FortiAnalyzer data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch events and their related logs from Fortinet FortiAnalyzer.
You can pull events and their related logs from Fortinet FortiAnalyzer by specifying a query that uses supported keys such as alertid, devid, and severity.
You can also specify additional parameters such as Maximum Records To Be Fetched, Maximum Logs To Be Fetched For Each Event, and Pull Sample Events in the Last X Minutes based on which to pull events from Fortinet FortiAnalyzer.
The Configure Multi-Tenant Mapping checkbox is added to help map the ADOM specified in FortiAnalyzer with a tenant in FortiSOAR™.
The fetched data is used to create a mapping between the events and their related logs from Fortinet FortiAnalyzer and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.

On the Field Mapping screen, map the fields of the ingested Fortinet FortiAnalyzer event to the fields of an Alert in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the eventtype parameter of an event (and its related logs) ingested from Fortinet FortiAnalyzer to the type parameter of a FortiSOAR™ Alert, click the Type field and then click the eventtype field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
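The field mapping and the Configure Multi-Tenant Mapping option are where cross-tenant leakage happens if the wizard's defaults are accepted without thought: an event from an ADOM that has no tenant mapping must not fall through to a default tenant, and timestamps must be normalised so that events from servers in different timezones sort correctly. The following is an added example, not the connector's own ingestion playbook or Fortinet's code, written in plain Python rather than the wizard's Jinja: it turns an event in the shape of the events schema above into an alert record, failing closed on an unmapped ADOM and converting FortiAnalyzer epoch times to UTC. The FortiSOAR alert field names, the severity picklist values, the ADOM-to-tenant table and the sample event are all assumptions or constructed data.

```python
from datetime import datetime, timezone
from typing import Any, Dict

# Assumed FortiSOAR severity picklist values; adjust to your instance.
SEVERITY_MAP = {"critical": "Critical", "high": "High",
                "medium": "Medium", "low": "Low"}

# Assumed ADOM -> FortiSOAR tenant table (constructed for the example).
ADOM_TO_TENANT = {"root": "Tenant-HQ", "branch": "Tenant-Branch"}


class UnmappedAdomError(ValueError):
    """Raised when an event's ADOM has no tenant mapping: fail closed rather
    than file another tenant's event under a default tenant."""


def epoch_to_iso_utc(value: str) -> str:
    # FortiAnalyzer times are taken as epoch-second strings (assumption);
    # normalising to UTC removes the server-timezone ambiguity noted above.
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def map_event_to_alert(event: Dict[str, Any],
                       adom_to_tenant: Dict[str, str]) -> Dict[str, Any]:
    """Build an alert record (assumed FortiSOAR field names) from one event."""
    adom = event.get("adom")
    if adom not in adom_to_tenant:
        raise UnmappedAdomError(f"no tenant mapped for ADOM {adom!r}; refusing to ingest")
    severity = SEVERITY_MAP.get(str(event.get("severity", "")).lower(), "Minimal")
    return {
        "name": event.get("subject") or event.get("triggername"),
        "type": event.get("eventtype"),
        "severity": severity,
        "source": "Fortinet FortiAnalyzer",
        "sourceId": event["alertid"],          # dedup key across polls
        "tenant": adom_to_tenant[adom],
        "firstSeen": epoch_to_iso_utc(event["firstlogtime"]),
        "lastSeen": epoch_to_iso_utc(event["lastlogtime"]),
        "sourceIp": event.get("epip"),
        "hostName": event.get("epname"),
        "userName": event.get("euname"),
        "device": f"{event.get('devname')}/{event.get('vdom')}",
        "description": event.get("extrainfo"),
    }


# Constructed sample event in the shape of the events schema above (not real data).
SAMPLE_EVENT: Dict[str, Any] = {
    "alertid": "202311140000000042", "adom": "root", "severity": "high",
    "eventtype": "ips", "subject": "IPS signature matched",
    "triggername": "Default-IPS-Handler", "devname": "edge-fw-01",
    "vdom": "root", "epip": "10.20.30.40", "epname": "ws-finance-07",
    "euname": "j.doe", "firstlogtime": "1700000000", "lastlogtime": "1700000600",
    "extrainfo": "count=3",
}


if __name__ == "__main__":
    alert = map_event_to_alert(SAMPLE_EVENT, ADOM_TO_TENANT)
    print(alert["tenant"], alert["severity"], alert["firstSeen"])
    try:
        map_event_to_alert(dict(SAMPLE_EVENT, adom="lab"), ADOM_TO_TENANT)
    except UnmappedAdomError as err:
        print("rejected:", err)
```

The same rule applies inside the wizard: map every ADOM you expect to see explicitly, and route anything else to an error path instead of a catch-all tenant, so that a newly created ADOM cannot quietly land in the wrong customer's queue.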
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency for Fortinet FortiAnalyzer so that content is pulled from the Fortinet FortiAnalyzer integration into FortiSOAR™ on that schedule.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, to pull data from Fortinet FortiAnalyzer every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the events and their related logs will be pulled from Fortinet FortiAnalyzer every 5 minutes:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.