Fortinet black logo

Fortinet FortiSIEM

Fortinet FortiSIEM v4.0.0

Copy Link
Copy Doc ID 79060fd1-c01e-11ea-8b7d-00505692583a:43

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 6.4.1-2133

Fortinet FortiSIEM Version Tested on: 5.3.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

Following enhancements have been made to the Fortinet FortiSIEM connector in version 4.0.0:

  • Added the following new operations and playbooks:
    • Search Events
    • Get Event Attributes
  • Renamed the 'Run Report' operation to 'Run Advanced Search Query' and updated as follows:
    • Removed the 'Report Name' parameter.
    • Renamed the 'Report Time Range' parameter to 'Time Range'.
    • Added the following new parameters: 'Advanced Search Query', 'Event Fields To Show In Response', 'Group By', 'Order By', 'Number Of Items To Return In Response', and 'Offset'.
  • Updated the 'List Incidents' operation as follows:
    • Added a new option named 'Event Type' in the 'Search' parameter.
    • Added the following new parameters: 'Number Of Items To Return In Response' and 'Offset'
  • Updated the 'Get Events For Incident' operation as follows:
    • Renamed the 'Page Size' parameter to 'Number Of Items To Return In Response'.
    • Renamed the 'Page Number' parameter to 'Offset'.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortisiem

Prerequisites to configuring the connector

  • You must have the URL of a Fortinet FortiSIEM server to which you will connect and perform automated operations and the credentials, such as the username and password to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
  • The minimum privileges that require to be assigned to users who are going to use this connector and run actions on FortiSIEM are "Read" and "Update" access on Incidents and access to "Run Advanced Search Query".

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter Description
Server URL URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization Name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
Get Organization Details Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. get_organization
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. get_incidents
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Change Severity Changes the severity of a specific incident severity to LOW, MEDIUM or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_severity
Investigation
Change Resolution Changes the resolution of a specific incident True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_resolution
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. get_associated_events
Investigation
Run Advanced Search Query Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. run_report
Investigation
Update Incident Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. update_incident
Investigation
Get Event Details Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. get_event_details
Investigation
Search Events Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. search_events
Investigation
Get Event Attributes Retrieves all event attributes from the Fortinet FortiSIEM server. get_incident_attributes
Investigation

Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.

operation: Get All Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter, 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get Device Information

Input parameters

Parameter Description
Device IP IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"name": "",
"raidGroups": "",
"description": "",
"sanControllerPorts": "",
"storages": "",
"luns": "",
"eventParserList": "",
"systemUpTime": "",
"components": "",
"unmanaged": "",
"processors": "",
"applications": "",
"accessIp": "",
"approved": "",
"softwarePatches": "",
"ipToHostNames": "",
"organization": {
"@name": "",
"@id": ""
},
"storageGroups": "",
"softwareServices": "",
"interfaces": {
"networkinterface": {
"isTrunk": "",
"ipv4Addr": "",
"ipv4Mask": "",
"description": "",
"name": "",
"type": "",
"macAddr": "",
"isCritical": "",
"macIsVirtual": "",
"ipv4IsVirtual": "",
"inSpeed": "",
"speed": "",
"snmpIndex": "",
"isMonitor": "",
"adminStatus": "",
"outSpeed": "",
"operStatus": "",
"isWAN": ""
}
},
"deviceType": {
"model": "",
"version": "",
"category": "",
"jobWeight": "",
"vendor": ""
},
"updateMethod": "",
"discoverTime": "",
"discoverMethod": "",
"creationMethod": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}

operation: List Incidents

Input parameters

Parameter Description
Incident ID ID of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Important: If you enter the incident ID then all other parameters specified for this action get ignored.
Search Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, Organization, or Event Type.
By default, this option is set as Incident Status.
  • If you choose 'Incident Status', then in the Incident Status field, choose the status of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either Active, Cleared, or you can select both the options. By default, this option is set as Active.
  • If you choose 'Severity', then in the Severity field, choose the severity of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either High, Medium, Low, or any combination of the options.
  • If you choose 'Host', then in the Hostname field, enter the value of hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'IP', then in the IP Address field, enter the value of IP address based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Organization', then in the Organization field, enter the value of organization based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Event Type', then in the Event Type field, enter the type of event based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Time Selection (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of incidents that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"data": {
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"user": "",
"count": "",
"customer": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"destIpAddr": "",
"incidentId": "",
"phRecvTime": "",
"incidentSrc": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"incidentExtUser": "",
"phEventCategory": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"phSubIncidentCategory": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
},
"status": "",
"message": "",
"operation": ""
}

operation: Get Organization Details

Input parameters

Parameter Description
Organization ID ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason Text of the reason that you want to provide which clearing the specified incident from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Change Severity

Input parameters

Parameter Description
Incident ID ID of the incident whose severity you want to update on the Fortinet FortiSIEM server.
Incident Severity Severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Change Resolution

Input parameters

Parameter Description
Incident ID ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server.
Incident Resolution Resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
From (Optional) Specify the start datetime from when you want to retrieve associated events from the Fortinet FortiSIEM server.
To (Optional) Specify the end datetime till when you want to retrieve associated events from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"custId": "",
"dataStr": "",
"attributes": {
"timeSkewSec": "",
"eventType": "",
"eventRuleTrigger": "",
"eventSeverity": "",
"deviceTime": "",
"phRecvTime": "",
"relayDevIpAddr": "",
"reptDevIpAddr": "",
"reptDevName": "",
"customer": "",
"rawEventMsg": "",
"eventId": "",
"phEventCategory": "",
"count": "",
"eventName": "",
"eventParsedOk": "",
"fileName": "",
"procName": "",
"eventSeverityCat": "",
"avgDurationMSec": "",
"maxDurationMSec": "",
"reptVendor": "",
"minDurationMSec": "",
"reptModel": "",
"pktLossPct": "",
"hostIpAddr": "",
"collectorId": "",
"hostName": "",
"lineNumber": "",
"parserName": ""
},
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": ""
}

operation: Run Advanced Search Query

Input parameters

Parameter Description
Advanced Search Query Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr
Order By (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC
Time Range (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for reports that you want to run on the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.
Incident Status Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket Type Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket ID ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket State State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Assigned User External assigned that you want to update in the specified incident on the Fortinet FortiSIEM server.

Output

The output contains a non-dictionary value.

operation: Get Event Details

Input parameters

Parameter Description
Event ID ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From (Optional) Specify the start datetime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To (Optional) Specify the end datetime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"dataStr": "",
"index": "",
"custId": "",
"receiveTime": "",
"attributes": {
"eventSeverity": "",
"relayDevIpAddr": "",
"reptDevName": "",
"reptModel": "",
"eventParsedOk": "",
"phRecvTime": "",
"count": "",
"hostIpAddr": "",
"hostName": "",
"reptDevIpAddr": "",
"parserName": "",
"customer": "",
"eventId": "",
"eventRuleTrigger": "",
"procName": "",
"collectorId": "",
"eventName": "",
"eventType": "",
"rawEventMsg": "",
"phEventCategory": "",
"eventSeverityCat": "",
"reptVendor": ""
},
"nid": "",
"id": "",
"eventType": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"eventId": "",
"customer": "",
"destName": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"destIpAddr": "",
"parserName": "",
"phRecvTime": "",
"reptVendor": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"reptDevName": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"relayDevIpAddr": "",
"phEventCategory": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

Included playbooks

The Sample - Fortinet FortiSIEM - 4.0.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

  • Device: Get All Devices
  • Device: Get All Devices For Specified IP Address Range
  • Device: Get Device Information
  • Device: List Monitored Devices and Attributes
  • Event: Get Events For Incident
  • Event: Get Event Details
  • Event: Get Events For Incidents
  • Event: Search Events
  • > FortiSIEM > Fetch
  • >> FortiSIEM > Fetch Associated Events for Incident
  • FortiSIEM > Ingest
  • Incident: Change Resolution
  • Incident: Change Severity
  • Incident: Clear Incident With Reason
  • Incident: Comment Incident
  • Incident: List Incidents
  • Incident: Update Incident
  • Organization: Get Organization Details
  • Organization: List Monitored Organizations
  • Run Advanced Search Query

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM specifying either a "Time Range (minutes)", i.e., incidents that have been updated in FortiSIEM in the last X minutes or an "Incident ID". The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts.
    You can also specify additional parameters the maximum number of incidents to be fetched, filters to apply to incidents to be fetched, etc, when you are fetching data based on the "Time Range"; and the from and to dates, which are used to specify the date range for which you want to retrieve incidents from Fortinet FortiSIEM, when you are fetching data based on an "Incident ID".
    Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and if you have checked the Configure Multi-Tenant Mappings checkbox, then ensure that you map the organization name defined in FortiSIEM as a tenant in FortiSOAR™:


    If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.

  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
    Important: While configuring data ingestion in version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
    {{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
    This issue has been resolved in FortiSOAR™ Version 6.0.0.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from FortiSIEM every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Previous
Next

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 6.4.1-2133

Fortinet FortiSIEM Version Tested on: 5.3.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

Following enhancements have been made to the Fortinet FortiSIEM connector in version 4.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortisiem

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiSIEM connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter Description
Server URL URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization Name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
Get Organization Details Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. get_organization
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. get_incidents
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Change Severity Changes the severity of a specific incident severity to LOW, MEDIUM or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_severity
Investigation
Change Resolution Changes the resolution of a specific incident True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_resolution
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. get_associated_events
Investigation
Run Advanced Search Query Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. run_report
Investigation
Update Incident Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. update_incident
Investigation
Get Event Details Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. get_event_details
Investigation
Search Events Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. search_events
Investigation
Get Event Attributes Retrieves all event attributes from the Fortinet FortiSIEM server. get_incident_attributes
Investigation

Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.

operation: Get All Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter, 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"organization": {
"@id": "",
"@name": ""
},
"discoverTime": "",
"unmanaged": "",
"accessIp": "",
"approved": "",
"discoverMethod": "",
"name": "",
"deviceType": {
"version": "",
"vendor": "",
"accessProtocols": "",
"jobWeight": "",
"model": ""
},
"creationMethod": "",
"version": "",
"updateMethod": ""
}
]
}
}

operation: Get Device Information

Input parameters

Parameter Description
Device IP IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"name": "",
"raidGroups": "",
"description": "",
"sanControllerPorts": "",
"storages": "",
"luns": "",
"eventParserList": "",
"systemUpTime": "",
"components": "",
"unmanaged": "",
"processors": "",
"applications": "",
"accessIp": "",
"approved": "",
"softwarePatches": "",
"ipToHostNames": "",
"organization": {
"@name": "",
"@id": ""
},
"storageGroups": "",
"softwareServices": "",
"interfaces": {
"networkinterface": {
"isTrunk": "",
"ipv4Addr": "",
"ipv4Mask": "",
"description": "",
"name": "",
"type": "",
"macAddr": "",
"isCritical": "",
"macIsVirtual": "",
"ipv4IsVirtual": "",
"inSpeed": "",
"speed": "",
"snmpIndex": "",
"isMonitor": "",
"adminStatus": "",
"outSpeed": "",
"operStatus": "",
"isWAN": ""
}
},
"deviceType": {
"model": "",
"version": "",
"category": "",
"jobWeight": "",
"vendor": ""
},
"updateMethod": "",
"discoverTime": "",
"discoverMethod": "",
"creationMethod": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}

operation: List Incidents

Input parameters

Parameter Description
Incident ID ID of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Important: If you enter the incident ID then all other parameters specified for this action get ignored.
Search Search criteria based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Severity, Host, IP, Organization, or Event Type.
By default, this option is set as Incident Status.
  • If you choose 'Incident Status', then in the Incident Status field, choose the status of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either Active, Cleared, or you can select both the options. By default, this option is set as Active.
  • If you choose 'Severity', then in the Severity field, choose the severity of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either High, Medium, Low, or any combination of the options.
  • If you choose 'Host', then in the Hostname field, enter the value of hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'IP', then in the IP Address field, enter the value of IP address based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Organization', then in the Organization field, enter the value of organization based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Event Type', then in the Event Type field, enter the type of event based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Time Selection (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of incidents that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"data": {
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"user": "",
"count": "",
"customer": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"destIpAddr": "",
"incidentId": "",
"phRecvTime": "",
"incidentSrc": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"incidentExtUser": "",
"phEventCategory": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"phSubIncidentCategory": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
},
"status": "",
"message": "",
"operation": ""
}

operation: Get Organization Details

Input parameters

Parameter Description
Organization ID ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason Text of the reason that you want to provide which clearing the specified incident from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Change Severity

Input parameters

Parameter Description
Incident ID ID of the incident whose severity you want to update on the Fortinet FortiSIEM server.
Incident Severity Severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Change Resolution

Input parameters

Parameter Description
Incident ID ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server.
Incident Resolution Resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
From (Optional) Specify the start datetime from when you want to retrieve associated events from the Fortinet FortiSIEM server.
To (Optional) Specify the end datetime till when you want to retrieve associated events from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"custId": "",
"dataStr": "",
"attributes": {
"timeSkewSec": "",
"eventType": "",
"eventRuleTrigger": "",
"eventSeverity": "",
"deviceTime": "",
"phRecvTime": "",
"relayDevIpAddr": "",
"reptDevIpAddr": "",
"reptDevName": "",
"customer": "",
"rawEventMsg": "",
"eventId": "",
"phEventCategory": "",
"count": "",
"eventName": "",
"eventParsedOk": "",
"fileName": "",
"procName": "",
"eventSeverityCat": "",
"avgDurationMSec": "",
"maxDurationMSec": "",
"reptVendor": "",
"minDurationMSec": "",
"reptModel": "",
"pktLossPct": "",
"hostIpAddr": "",
"collectorId": "",
"hostName": "",
"lineNumber": "",
"parserName": ""
},
"eventType": "",
"id": "",
"index": "",
"nid": "",
"receiveTime": ""
}

operation: Run Advanced Search Query

Input parameters

Parameter Description
Advanced Search Query Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr
Order By (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC
Time Range (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for reports that you want to run on the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.
Incident Status Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket Type Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket ID ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket State State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Assigned User External assigned that you want to update in the specified incident on the Fortinet FortiSIEM server.

Output

The output contains a non-dictionary value.

operation: Get Event Details

Input parameters

Parameter Description
Event ID ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From (Optional) Specify the start datetime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To (Optional) Specify the end datetime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"dataStr": "",
"index": "",
"custId": "",
"receiveTime": "",
"attributes": {
"eventSeverity": "",
"relayDevIpAddr": "",
"reptDevName": "",
"reptModel": "",
"eventParsedOk": "",
"phRecvTime": "",
"count": "",
"hostIpAddr": "",
"hostName": "",
"reptDevIpAddr": "",
"parserName": "",
"customer": "",
"eventId": "",
"eventRuleTrigger": "",
"procName": "",
"collectorId": "",
"eventName": "",
"eventType": "",
"rawEventMsg": "",
"phEventCategory": "",
"eventSeverityCat": "",
"reptVendor": ""
},
"nid": "",
"id": "",
"eventType": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) Maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional)Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"eventId": "",
"customer": "",
"destName": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"destIpAddr": "",
"parserName": "",
"phRecvTime": "",
"reptVendor": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"reptDevName": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"relayDevIpAddr": "",
"phEventCategory": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

Included playbooks

The Sample - Fortinet FortiSIEM - 4.0.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM specifying either a "Time Range (minutes)", i.e., incidents that have been updated in FortiSIEM in the last X minutes or an "Incident ID". The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts.
    You can also specify additional parameters the maximum number of incidents to be fetched, filters to apply to incidents to be fetched, etc, when you are fetching data based on the "Time Range"; and the from and to dates, which are used to specify the date range for which you want to retrieve incidents from Fortinet FortiSIEM, when you are fetching data based on an "Incident ID".
    Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and if you have checked the Configure Multi-Tenant Mappings checkbox, then ensure that you map the organization name defined in FortiSIEM as a tenant in FortiSOAR™:


    If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.

  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
    Important: While configuring data ingestion in version 5.1.1, picklists do not map correctly. For example the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
    {{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
    This issue has been resolved in FortiSOAR™ Version 6.0.0.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from FortiSIEM every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Previous
Next