Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.
This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. For more information, see the Data Ingestion Support section.
Connector Version: 4.0.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Fortinet FortiSIEM Version Tested on: 5.3.1
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Fortinet FortiSIEM connector in version 4.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-fortinet-fortisiem
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Username | Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Password | Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Organization | Name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. Leave it enabled outside a lab: with verification off, the connector sends the configured username and password to whatever host answers at the Server URL, so an attacker on the path between FortiSOAR™ and FortiSIEM can intercept them. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices Investigation |
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices Investigation |
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains Investigation |
Get Organization Details | Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. | get_organization Investigation |
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. | get_incidents Investigation |
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment Investigation |
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident Investigation |
Change Severity | Changes the severity of a specific incident to LOW, MEDIUM or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_severity Investigation |
Change Resolution | Changes the resolution of a specific incident to True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_resolution Investigation |
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. | get_associated_events Investigation |
Run Advanced Search Query | Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. | run_report Investigation |
Update Incident | Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. | update_incident Investigation |
Get Event Details | Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. | get_event_details Investigation |
Search Events | Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. | search_events Investigation |
Get Event Attributes | Retrieves all event attributes from the Fortinet FortiSIEM server. | get_incident_attributes Investigation |
Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.
Input parameters for Get All Devices: None.
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}
Parameter | Description |
---|---|
Include IP SET | IP addresses for which you want to retrieve device information from the Fortinet FortiSIEM server. Provide the value either as a range or as a comma-separated list of addresses. For example: 192.168.20.1-192.168.20.100 |
Exclude IP SET | (Optional) IP addresses that you want to exclude from this search operation. Provide the value either as a range or as a comma-separated list of addresses. |
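The range-or-CSV format that Include IP SET and Exclude IP SET accept is easy to get wrong in a playbook input, so the following added example (not connector code; written for this page) validates and expands both values before they are handed to the action, and reports a reversed range or a malformed address instead of silently querying the wrong devices. It is more permissive than the table above in one respect: it accepts a comma-separated mix of single addresses and ranges. The MAX_RANGE_SIZE cap is an assumption; choose a bound that suits your network.

```python
import ipaddress
from typing import List, Set

# Guard against an input such as "10.0.0.0-10.255.255.255" expanding into
# millions of addresses (assumed limit; tune it for your environment).
MAX_RANGE_SIZE = 65_536


def _expand_part(part: str) -> Set[ipaddress.IPv4Address]:
    """Expand one element: either a single address or a 'start-end' range."""
    if "-" in part:
        start_txt, end_txt = (p.strip() for p in part.split("-", 1))
        start = ipaddress.IPv4Address(start_txt)
        end = ipaddress.IPv4Address(end_txt)
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        size = int(end) - int(start) + 1
        if size > MAX_RANGE_SIZE:
            raise ValueError(f"range {part} covers {size} addresses; refusing to expand")
        return {ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)}
    # ipaddress raises AddressValueError (a ValueError) on anything malformed.
    return {ipaddress.IPv4Address(part)}


def parse_ip_set(value: str) -> Set[ipaddress.IPv4Address]:
    """Parse an 'IP SET' value: a single 'start-end' range, a comma-separated
    list of addresses, or (beyond what the connector documents) a comma-separated
    mix of both. Raises ValueError on empty or malformed input."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty IP set")
    addresses: Set[ipaddress.IPv4Address] = set()
    for part in parts:
        addresses |= _expand_part(part)
    return addresses


def resolve_device_ips(include: str, exclude: str = "") -> List[str]:
    """Apply 'Exclude IP SET' to 'Include IP SET' and return the addresses the
    lookup should cover, sorted numerically, as dotted-quad strings."""
    wanted = parse_ip_set(include)
    if exclude.strip():
        wanted -= parse_ip_set(exclude)
    return [str(ip) for ip in sorted(wanted)]


if __name__ == "__main__":
    # Constructed sample input: the range from the parameter table, minus a sub-range.
    for ip in resolve_device_ips("192.168.20.1-192.168.20.100", "192.168.20.10-192.168.20.90"):
        print(ip)
```

Run the validation as a playbook step (or in a pre-check script) before calling Get All Devices For Specified IP Address Range; a ValueError here is cheaper than a failed or over-broad query against FortiSIEM.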
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}
Parameter | Description |
---|---|
Device IP | IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server. |
Organization | (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server. |
Output
The output contains the following populated JSON schema:
{
"device": {
"name": "",
"raidGroups": "",
"description": "",
"sanControllerPorts": "",
"storages": "",
"luns": "",
"eventParserList": "",
"systemUpTime": "",
"components": "",
"unmanaged": "",
"processors": "",
"applications": "",
"accessIp": "",
"approved": "",
"softwarePatches": "",
"ipToHostNames": "",
"organization": {
"@name": "",
"@id": ""
},
"storageGroups": "",
"softwareServices": "",
"interfaces": {
"networkinterface": {
"isTrunk": "",
"ipv4Addr": "",
"ipv4Mask": "",
"description": "",
"name": "",
"type": "",
"macAddr": "",
"isCritical": "",
"macIsVirtual": "",
"ipv4IsVirtual": "",
"inSpeed": "",
"speed": "",
"snmpIndex": "",
"isMonitor": "",
"adminStatus": "",
"outSpeed": "",
"operStatus": "",
"isWAN": ""
}
},
"deviceType": {
"model": "",
"version": "",
"category": "",
"jobWeight": "",
"vendor": ""
},
"updateMethod": "",
"discoverTime": "",
"discoverMethod": "",
"creationMethod": ""
}
}
Input parameters for List Monitored Devices and Attributes: None.
The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}
Input parameters for List Monitored Organizations: None.
The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to retrieve from the Fortinet FortiSIEM server. Important: If you enter the incident ID, all other parameters specified for this action are ignored. |
Search | Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, Organization, or Event Type. By default, this option is set as Incident Status. |
Time Selection | (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of incidents that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
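Number Of Items To Return In Response and Offset are the paging controls for this operation, and the @start and @totalCount values in the output below tell you where in the result set a page sits. The added example below (not part of the connector; written for this page) walks every page through a stub that stands in for the List Incidents action and stops cleanly in two failure modes: an empty page before @totalCount is reached, and a server that ignores Offset and keeps returning the same page. The stub's incident records and envelope values are constructed, and the assumption that the real action honours Offset and Number Of Items as simple slicing is just that.

```python
from typing import Any, Callable, Dict, List, Set

Response = Dict[str, Any]  # one List Incidents response, shaped like the output schema below

# Constructed sample data: 23 minimal incident records in the shape of data.events[].
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {
        "id": str(1000 + n),
        "eventType": "PH_RULE_CONSTRUCTED_SAMPLE",
        "attributes": {
            "incidentId": str(1000 + n),
            "eventSeverityCat": "HIGH" if n % 5 == 0 else "LOW",
        },
    }
    for n in range(23)
]


def fake_list_incidents(offset: int, limit: int) -> Response:
    """Stand-in for the connector's List Incidents action: slices the sample
    data by Offset / Number Of Items and wraps it in the response envelope."""
    chunk = SAMPLE_INCIDENTS[offset:offset + limit]
    return {
        "data": {
            "@start": str(offset),
            "events": chunk,
            "@queryId": "constructed-query-id",
            "@errorCode": "0",
            "@totalCount": str(len(SAMPLE_INCIDENTS)),
        },
        "status": "Success",
        "message": "",
        "operation": "get_incidents",
    }


def fetch_all_incidents(list_incidents: Callable[[int, int], Response],
                        page_size: int = 10, max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Collect every incident by repeatedly calling list_incidents(offset, limit)
    until @totalCount records have been seen. Deduplicates on the incident id
    so a server that ignores Offset is detected instead of looping forever."""
    collected: List[Dict[str, Any]] = []
    seen: Set[str] = set()
    offset = 0
    for _ in range(max_pages):
        data = list_incidents(offset, page_size).get("data") or {}
        events = data.get("events") or []
        total = int(data.get("@totalCount") or 0)
        if not events:
            break  # short read: server has nothing more, even if @totalCount says otherwise
        new = [e for e in events if e.get("id") not in seen]
        if not new:
            raise RuntimeError(f"no new incidents at offset {offset}; "
                               "server ignored Offset, aborting to avoid an endless loop")
        seen.update(e.get("id") for e in new)
        collected.extend(new)
        if len(collected) >= total:
            break
        offset += len(events)
    else:
        raise RuntimeError(f"gave up after {max_pages} pages")
    return collected


if __name__ == "__main__":
    incidents = fetch_all_incidents(fake_list_incidents, page_size=10)
    print(len(incidents), "incidents fetched in pages of 10")
```

In a playbook the same loop is a "Loop" step over the connector action with Offset advanced by the number of events returned; the dedup check is the part people forget, and it is what turns a mis-paginated query into an error rather than a silently duplicated alert queue.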
The output contains the following populated JSON schema:
{
"data": {
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"user": "",
"count": "",
"customer": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"destIpAddr": "",
"incidentId": "",
"phRecvTime": "",
"incidentSrc": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"incidentExtUser": "",
"phEventCategory": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"phSubIncidentCategory": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
},
"status": "",
"message": "",
"operation": ""
}
Parameter | Description |
---|---|
Organization ID | ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server. |
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to clear from the Fortinet FortiSIEM server. |
Reason | Text of the reason that you want to record when clearing the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}
Parameter | Description |
---|---|
Incident ID | ID of the incident whose severity you want to update on the Fortinet FortiSIEM server. |
Incident Severity | Severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW. |
The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server. |
Incident Resolution | Resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive. |
The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server. |
From | (Optional) Specify the start datetime from when you want to retrieve associated events from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end datetime till when you want to retrieve associated events from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"custId": "",
"dataStr": "",
"attributes": {
"timeSkewSec": "",
"eventType": "",
"eventRuleTrigger": "",
"eventSeverity": "",
"deviceTime": "",
"phRecvTime": "",
"relayDevIpAddr": "",
"reptDevIpAddr": "",
"reptDevName": "",
"customer": "",
"rawEventMsg": "",
"eventId": "",
"phEventCategory": "",
"count": "",
"eventName": "",
"eventParsedOk": "",
"fileName": "",
"procName": "",
"eventSeverityCat": "",
"avgDurationMSec": "",
"maxDurationMSec": "",
"reptVendor": "",
"minDurationMSec": "",
"reptModel": "",
"pktLossPct": "",
"hostIpAddr": "",
"collectorId": "",
"hostName": "",
"lineNumber": "",
"parserName": ""
},
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": ""
}
Parameter | Description |
---|---|
Advanced Search Query | Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)) . |
Event Fields To Show In Response | Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server. |
Group By | (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr |
Order By | (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC |
Time Range | (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
No output schema is available at this time.
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update on the Fortinet FortiSIEM server. |
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
Incident Status | Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket Type | Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket ID | ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket State | State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Assigned User | External assigned user that you want to update in the specified incident on the Fortinet FortiSIEM server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Event ID | ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server. |
From | (Optional) Specify the start datetime from when you want to retrieve event details from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end datetime till when you want to retrieve event details from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"dataStr": "",
"index": "",
"custId": "",
"receiveTime": "",
"attributes": {
"eventSeverity": "",
"relayDevIpAddr": "",
"reptDevName": "",
"reptModel": "",
"eventParsedOk": "",
"phRecvTime": "",
"count": "",
"hostIpAddr": "",
"hostName": "",
"reptDevIpAddr": "",
"parserName": "",
"customer": "",
"eventId": "",
"eventRuleTrigger": "",
"procName": "",
"collectorId": "",
"eventName": "",
"eventType": "",
"rawEventMsg": "",
"phEventCategory": "",
"eventSeverityCat": "",
"reptVendor": ""
},
"nid": "",
"id": "",
"eventType": ""
}
Parameter | Description |
---|---|
Search Attributes | Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting IP, Source IP, Source Port, Source MAC, or User. |
Event Fields To Show In Response | Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server. |
Time Range | (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"eventId": "",
"customer": "",
"destName": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"destIpAddr": "",
"parserName": "",
"phRecvTime": "",
"reptVendor": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"reptDevName": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"relayDevIpAddr": "",
"phEventCategory": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}
Input parameters for Get Event Attributes: None.
The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": "",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": "",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": "",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}
The Sample - Fortinet FortiSIEM - 4.0.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This collection contains playbooks using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM, using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually only need to map any custom fields that have been added to the FortiSIEM incident.
If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
Important: While configuring data ingestion in FortiSOAR™ version 5.1.1, picklists do not map correctly, for example the Severity picklist. To ensure that picklists map correctly, enter the following (for the Severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.
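The jinja expression above resolves eventSeverityCat through a range map into a picklist value. The added example below (written for this page, not part of the connector or the wizard) performs the same kind of mapping in plain Python for one incident record in the shape of the List Incidents output, including the "Self" fallback for an organization that is not mapped. The alert field names, the severity bands and the organization map are assumptions; resolve_range is a stand-in for the resolveRange filter, whose exact semantics this page does not define.

```python
from typing import Any, Dict, Optional, Tuple

# Constructed stand-ins for vars.alerts_severity_map. The first table keys on
# FortiSIEM's eventSeverityCat label; the second, used when the label is absent,
# keys on the numeric eventSeverity (0-10). Both band layouts are assumptions.
SEVERITY_BY_CATEGORY: Dict[str, str] = {"LOW": "Low", "MEDIUM": "Medium", "HIGH": "High"}
SEVERITY_BY_RANGE: Dict[Tuple[int, int], str] = {(0, 4): "Low", (5, 8): "Medium", (9, 10): "High"}


def resolve_range(value: Any, range_map: Dict[Tuple[int, int], str]) -> Optional[str]:
    """Pure-Python stand-in for the resolveRange jinja filter: return the label
    of the inclusive (low, high) band containing the numeric value, or None
    when the value is missing, non-numeric or outside every band."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return None
    for (low, high), label in range_map.items():
        if low <= number <= high:
            return label
    return None


def resolve_severity(attrs: Dict[str, Any]) -> Optional[str]:
    """Prefer the categorical eventSeverityCat; fall back to banding eventSeverity."""
    label = str(attrs.get("eventSeverityCat") or "").upper()
    if label in SEVERITY_BY_CATEGORY:
        return SEVERITY_BY_CATEGORY[label]
    return resolve_range(attrs.get("eventSeverity"), SEVERITY_BY_RANGE)


def map_incident_to_alert(incident: Dict[str, Any], organization_map: Dict[str, str]) -> Dict[str, Any]:
    """Map one FortiSIEM incident (one element of data.events[] from List
    Incidents) to an alert record. The alert keys are illustrative names for
    this example, not the FortiSOAR™ alert module's real field names."""
    attrs = incident.get("attributes") or {}
    customer = attrs.get("customer") or ""
    return {
        "name": attrs.get("eventName") or f"FortiSIEM incident {incident.get('id')}",
        "description": attrs.get("incidentDetail", ""),
        "source": "Fortinet FortiSIEM",
        "sourceId": str(attrs.get("incidentId") or incident.get("id")),
        "severity": resolve_severity(attrs),
        # An organization that is missing from the map (or mistyped) lands on "Self",
        # which is what the wizard does with an unmapped organization.
        "organization": organization_map.get(customer, "Self"),
        "firstSeen": attrs.get("incidentFirstSeen"),
        "lastSeen": attrs.get("incidentLastSeen"),
    }


# Constructed sample incident and organization map.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "id": "4711",
    "attributes": {
        "incidentId": "4711",
        "eventName": "Excessive Denied Connections From Same Source",
        "incidentDetail": "srcIpAddr:10.1.2.3, count:500",
        "eventSeverityCat": "HIGH",
        "eventSeverity": "9",
        "customer": "Acme Corp",
        "incidentFirstSeen": "1600000000000",
        "incidentLastSeen": "1600000600000",
    },
}
ORGANIZATION_MAP: Dict[str, str] = {"Acme Corp": "Acme"}

if __name__ == "__main__":
    print(map_incident_to_alert(SAMPLE_INCIDENT, ORGANIZATION_MAP))
```

When you verify your own mapping in the wizard, test it with a sample incident whose eventSeverityCat is empty and one whose organization name is not in your map: the first tells you whether the picklist falls back sensibly, the second whether alerts are about to pile up under "Self".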
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that, based on the configuration you have set up, data, i.e., incidents, will be pulled from FortiSIEM every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.
This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. For more information, see the Data Ingestion Support section.
Connector Version: 4.0.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Fortinet FortiSIEM Version Tested on: 5.3.1
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Fortinet FortiSIEM connector in version 4.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-fortinet-fortisiem
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Username | Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Password | Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Organization | Name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices Investigation |
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices Investigation |
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains Investigation |
Get Organization Details | Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. | get_organization Investigation |
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. | get_incidents Investigation |
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment Investigation |
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident Investigation |
Change Severity | Changes the severity of a specific incident to LOW, MEDIUM or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_severity Investigation |
Change Resolution | Changes the resolution of a specific incident to True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_resolution Investigation |
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. | get_associated_events Investigation |
Run Advanced Search Query | Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. | run_report Investigation |
Update Incident | Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. | update_incident Investigation |
Get Event Details | Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. | get_event_details Investigation |
Search Events | Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. | search_events Investigation |
Get Event Attributes | Retrieves all event attributes from the Fortinet FortiSIEM server. | get_incident_attributes Investigation |
Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.
None.
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}
Parameter | Description |
---|---|
Include IP SET | IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format. For example, 192.168.20.1-192.168.20.100. |
Exclude IP SET | (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format. |
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}
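As an added example (not the connector's own code), the Python below parses and validates the Include IP SET and Exclude IP SET values in the two forms documented above, then applies them to a response shaped like the device schema. The sample response is constructed; the schema's "@"-prefixed keys and the single-device-as-dict shape seen in the monitored devices schema are why both a list and a dict are accepted.

```python
import ipaddress


def parse_ip_set(value: str) -> set:
    """Parse an 'Include IP SET' / 'Exclude IP SET' value into IPv4 addresses.

    The operation accepts a dashed range ("192.168.20.1-192.168.20.100") or a
    comma-separated (.csv) list; this parser also allows the two forms to be
    mixed in one value. Malformed entries raise ValueError instead of being
    silently dropped, so a typo cannot widen or narrow the search unnoticed.
    """
    addrs = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
            if end < start:
                raise ValueError(f"range end precedes start: {item}")
            # summarize_address_range covers exactly [start, end] with networks;
            # iterating a network yields every address in it.
            for net in ipaddress.summarize_address_range(start, end):
                addrs.update(net)
        else:
            addrs.add(ipaddress.IPv4Address(item))
    return addrs


def select_devices(response: dict, include: str, exclude: str = "") -> list:
    """Return the devices from a 'devices' response whose accessIp is in the
    include set and not in the exclude set.

    A single device may arrive as a dict rather than a one-element list (the
    monitored devices schema on this page shows that shape), so both are handled.
    """
    wanted = parse_ip_set(include)
    if exclude:
        wanted -= parse_ip_set(exclude)
    devices = response.get("devices", {}).get("device", [])
    if isinstance(devices, dict):
        devices = [devices]
    selected = []
    for dev in devices:
        try:
            ip = ipaddress.IPv4Address(dev.get("accessIp", ""))
        except ValueError:
            continue  # a device without a usable accessIp cannot match a range
        if ip in wanted:
            selected.append(dev)
    return selected


# Constructed sample response, shaped like the populated schema above.
SAMPLE_RESPONSE = {
    "devices": {
        "device": [
            {"organization": {"@id": "1", "@name": "Super"}, "accessIp": "192.168.20.7",
             "name": "fw-edge-01", "deviceType": {"vendor": "Fortinet", "model": "FortiGate"}},
            {"organization": {"@id": "1", "@name": "Super"}, "accessIp": "192.168.20.50",
             "name": "sw-core-01", "deviceType": {"vendor": "Cisco", "model": "Catalyst"}},
            {"organization": {"@id": "2", "@name": "Tenant-A"}, "accessIp": "10.10.5.3",
             "name": "srv-db-01", "deviceType": {"vendor": "Dell", "model": "PowerEdge"}},
        ]
    }
}

if __name__ == "__main__":
    for dev in select_devices(SAMPLE_RESPONSE, "192.168.20.1-192.168.20.100", "192.168.20.50"):
        print(dev["name"], dev["accessIp"])
```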
Parameter | Description |
---|---|
Device IP | IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server. |
Organization | (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server. |
Output
The output contains the following populated JSON schema:
{
"device": {
"name": "",
"raidGroups": "",
"description": "",
"sanControllerPorts": "",
"storages": "",
"luns": "",
"eventParserList": "",
"systemUpTime": "",
"components": "",
"unmanaged": "",
"processors": "",
"applications": "",
"accessIp": "",
"approved": "",
"softwarePatches": "",
"ipToHostNames": "",
"organization": {
"@name": "",
"@id": ""
},
"storageGroups": "",
"softwareServices": "",
"interfaces": {
"networkinterface": {
"isTrunk": "",
"ipv4Addr": "",
"ipv4Mask": "",
"description": "",
"name": "",
"type": "",
"macAddr": "",
"isCritical": "",
"macIsVirtual": "",
"ipv4IsVirtual": "",
"inSpeed": "",
"speed": "",
"snmpIndex": "",
"isMonitor": "",
"adminStatus": "",
"outSpeed": "",
"operStatus": "",
"isWAN": ""
}
},
"deviceType": {
"model": "",
"version": "",
"category": "",
"jobWeight": "",
"vendor": ""
},
"updateMethod": "",
"discoverTime": "",
"discoverMethod": "",
"creationMethod": ""
}
}
None.
The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}
None.
The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. Important: If you enter the incident ID then all other parameters specified for this action get ignored. |
Search | Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, Organization, or Event Type. By default, this option is set as Incident Status. |
Time Selection | (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of incidents that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"data": {
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"user": "",
"count": "",
"customer": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"destIpAddr": "",
"incidentId": "",
"phRecvTime": "",
"incidentSrc": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"incidentExtUser": "",
"phEventCategory": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"phSubIncidentCategory": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
},
"status": "",
"message": "",
"operation": ""
}
Parameter | Description |
---|---|
Organization ID | ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server. |
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to clear from the Fortinet FortiSIEM server. |
Reason | Text of the reason that you want to provide while clearing the specified incident from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}
Parameter | Description |
---|---|
Incident ID | ID of the incident whose severity you want to update on the Fortinet FortiSIEM server. |
Incident Severity | Severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW. |
The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server. |
Incident Resolution | Resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive. |
The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}
Parameter | Description |
---|---|
Incident ID | ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server. |
From | (Optional) Specify the start datetime from when you want to retrieve associated events from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end datetime until which you want to retrieve associated events from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"custId": "",
"dataStr": "",
"attributes": {
"timeSkewSec": "",
"eventType": "",
"eventRuleTrigger": "",
"eventSeverity": "",
"deviceTime": "",
"phRecvTime": "",
"relayDevIpAddr": "",
"reptDevIpAddr": "",
"reptDevName": "",
"customer": "",
"rawEventMsg": "",
"eventId": "",
"phEventCategory": "",
"count": "",
"eventName": "",
"eventParsedOk": "",
"fileName": "",
"procName": "",
"eventSeverityCat": "",
"avgDurationMSec": "",
"maxDurationMSec": "",
"reptVendor": "",
"minDurationMSec": "",
"reptModel": "",
"pktLossPct": "",
"hostIpAddr": "",
"collectorId": "",
"hostName": "",
"lineNumber": "",
"parserName": ""
},
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": ""
}
Parameter | Description |
---|---|
Advanced Search Query | Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)). |
Event Fields To Show In Response | Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server. |
Group By | (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr |
Order By | (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC |
Time Range | (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
No output schema is available at this time.
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update on the Fortinet FortiSIEM server. |
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
Incident Status | Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket Type | Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket ID | ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Ticket State | State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server. |
External Assigned User | External assigned user that you want to update in the specified incident on the Fortinet FortiSIEM server. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Event ID | ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server. |
From | (Optional) Specify the start datetime from when you want to retrieve event details from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end datetime until which you want to retrieve event details from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"dataStr": "",
"index": "",
"custId": "",
"receiveTime": "",
"attributes": {
"eventSeverity": "",
"relayDevIpAddr": "",
"reptDevName": "",
"reptModel": "",
"eventParsedOk": "",
"phRecvTime": "",
"count": "",
"hostIpAddr": "",
"hostName": "",
"reptDevIpAddr": "",
"parserName": "",
"customer": "",
"eventId": "",
"eventRuleTrigger": "",
"procName": "",
"collectorId": "",
"eventName": "",
"eventType": "",
"rawEventMsg": "",
"phEventCategory": "",
"eventSeverityCat": "",
"reptVendor": ""
},
"nid": "",
"id": "",
"eventType": ""
}
Parameter | Description |
---|---|
Search Attributes | Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User. |
Event Fields To Show In Response | Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server. |
Time Range | (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time. |
Number Of Items To Return In Response | (Optional) Maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"eventId": "",
"customer": "",
"destName": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"destIpAddr": "",
"parserName": "",
"phRecvTime": "",
"reptVendor": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"reptDevName": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"relayDevIpAddr": "",
"phEventCategory": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}
None.
The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}
The Sample - Fortinet FortiSIEM - 4.0.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually only need to map any custom fields that are added to the FortiSIEM incident.
If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
Important: While configuring data ingestion in version 5.1.1, picklists do not map correctly, for example, the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
{{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
This issue has been resolved in FortiSOAR™ Version 6.0.0.
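As an added illustration (not the wizard's or the connector's own code), the Python below performs the kind of incident-to-alert mapping described above using the List Incidents schema fields from this page: eventName becomes the alert name, the organization lookup falls back to "Self" as described, and a small stand-in plays the role of the resolveRange filter. The range-map key format, the alert field names and the sample incident are all constructed assumptions.

```python
def resolve_range(value, value_map: dict) -> str:
    """Simplified stand-in (assumed semantics) for FortiSOAR's resolveRange filter.

    Keys are either an exact value ("HIGH") or a numeric "low-high" span ("8-10");
    the first matching key wins. Unmapped values raise, so a bad picklist map is
    noticed while mapping rather than producing alerts with an empty severity.
    """
    text = str(value).strip()
    for key, label in value_map.items():
        if key == text:
            return label
        if "-" in key and text.isdigit():
            lo, hi = (int(x) for x in key.split("-", 1))
            if lo <= int(text) <= hi:
                return label
    raise ValueError(f"no picklist entry for {value!r}")


def incident_to_alert(incident: dict, org_map: dict, severity_map: dict) -> dict:
    """Map one FortiSIEM incident (List Incidents schema) to a FortiSOAR-style alert.

    Organizations missing from org_map fall back to "Self", mirroring what the
    wizard does for unmapped or wrongly mapped organizations.
    """
    attrs = incident.get("attributes", {})
    return {
        "name": attrs.get("eventName", ""),
        "severity": resolve_range(attrs.get("eventSeverityCat", ""), severity_map),
        "organization": org_map.get(attrs.get("customer", ""), "Self"),
        "source_id": str(attrs.get("incidentId") or incident.get("id", "")),
        "description": attrs.get("incidentDetail", ""),
        "first_seen": attrs.get("incidentFirstSeen", ""),
        "status": attrs.get("incidentStatus", ""),
    }


# Constructed sample incident, shaped like the List Incidents schema on this page.
SAMPLE_INCIDENT = {
    "id": "2100345",
    "attributes": {
        "incidentId": "2100345",
        "eventName": "Excessive failed logons from a single host",
        "eventSeverity": "9",
        "eventSeverityCat": "HIGH",
        "customer": "Tenant-A",
        "incidentDetail": "srcIpAddr:10.10.5.40 user:svc-backup count:57",
        "incidentFirstSeen": "1612345678000",
        "incidentStatus": "0",
    },
}

# Assumed wizard mappings: organization names and a severity picklist map that
# accepts both the category string and a numeric eventSeverity span.
ORG_MAP = {"Tenant-A": "Tenant A Ltd"}
SEVERITY_MAP = {"LOW": "Low", "MEDIUM": "Medium", "HIGH": "High",
                "0-4": "Low", "5-7": "Medium", "8-10": "High"}

if __name__ == "__main__":
    print(incident_to_alert(SAMPLE_INCIDENT, ORG_MAP, SEVERITY_MAP))
```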
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from FortiSIEM every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.