Fortinet FortiSIEM v4.4.0


About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 4.4.0

FortiSOAR™ Version Tested on: 7.2.1-1021

Fortinet FortiSIEM Version Tested on: 6.5.0.1511

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.4.0

The following enhancements have been made to the Fortinet FortiSIEM connector in version 4.4.0:

  • Added the following new actions and playbooks:
    • Create Lookup Table
    • Get All Lookup Table
    • Delete Lookup Table
    • Import Lookup Table Data
    • Check Import Task Status
    • Get Lookup Table Data
    • Update Lookup Table Data
    • Delete Lookup Table Data

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortisiem

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet FortiSIEM server to which you will connect and perform automated operations, and the credentials (username and password) used to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiSIEM server.

Minimum Permissions Required

  • The minimum privileges that must be assigned to users who are going to use this connector and run actions on FortiSIEM are "Read" and "Update" access on Incidents and access to "Run Advanced Search Query".

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter | Description
Server URL | Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username | Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password | Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization | Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function | Description | Annotation and Category
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices, Investigation
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices, Investigation
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices, Investigation
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices, Investigation
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains, Investigation
Get Organization Details | Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. | get_organization, Investigation
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. | get_incidents, Investigation
Get Incident Details | Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. | get_incident_details, Investigation
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment, Investigation
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident, Investigation
Change Severity | Changes the severity of a specific incident to LOW, MEDIUM, or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_severity, Investigation
Change Resolution | Changes the resolution of a specific incident to True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. | change_incident_resolution, Investigation
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. | get_associated_events, Investigation
Run Advanced Search Query | Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. | run_report, Investigation
Update Incident | Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. | update_incident, Investigation
Get Event Details | Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. | get_event_details, Investigation
Search Events | Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. | search_events, Investigation
Get Event Attributes | Retrieves all event attributes from the Fortinet FortiSIEM server. | get_incident_attributes, Investigation
Get Events Data By Query ID | Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. | get_events_by_query_id, Investigation
Get Watch Lists | Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. | get_watch_lists, Investigation
Get Watch List Entries Count | Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. | get_watch_list_entries_count, Investigation
Get Watch List Entry | Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. | get_watch_list_entry, Investigation
Add Watch List Entries To Watch List | Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. | update_watch_list_group, Investigation
Create Watch List | Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. | create_watch_list_group, Investigation
Update Watch List Entry | Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. | update_watch_list_entry, Investigation
Delete Watch List Entry | Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. | delete_watch_list_entry, Investigation
Delete Watch List | Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. | delete_watch_list, Investigation
Create Lookup Table | Creates the definition of a lookupTable in the FortiSIEM server based on the name, column list, and other input parameters you have specified. | create_lookup_table, Investigation
Get All Lookup Table | Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. | get_all_lookup_tables, Investigation
Delete Lookup Table | Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. | delete_lookup_table, Investigation
Import Lookup Table Data | Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. | import_lookup_table_data, Investigation
Check Import Task Status | Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. | check_import_task_status, Investigation
Get Lookup Table Data | Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. | get_lookup_table_data, Investigation
Update Lookup Table Data | Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. | update_lookup_table_data, Investigation
Delete Lookup Table Data | Deletes items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. | delete_lookup_table_data, Investigation

Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.

operation: Get All Devices

Input parameters

Parameter | Description
Organization | (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter | Description
Include IP SET | Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format. For example, enter 192.168.20.1-192.168.20.100.
Exclude IP SET | (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.
Organization | (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.
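The Include IP SET and Exclude IP SET inputs accept either a range or a comma-separated list. The following added example (not part of the connector) validates and expands both inputs and computes the addresses the search will actually cover, so a malformed range or an exclusion that swallows the whole include set is caught before the operation runs; allowing single addresses and ranges to be mixed in one .csv value is this example's assumption.

```python
import ipaddress
from typing import List, Set

# Added example, not part of the connector: validate and expand the
# "Include IP SET" and "Exclude IP SET" inputs before running the operation.
# The page states that each may be a range such as 192.168.20.1-192.168.20.100
# or a comma-separated (.csv) list; mixing single addresses and ranges in one
# list is this example's assumption.


def parse_ip_set(value: str) -> Set[ipaddress.IPv4Address]:
    """Expand ranges and comma-separated entries into a set of IPv4 addresses.

    Raises ValueError for malformed addresses, a range whose start is after
    its end, or an input that contains no addresses at all.
    """
    result: Set[ipaddress.IPv4Address] = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        if "-" in token:
            start_s, end_s = (part.strip() for part in token.split("-", 1))
            start = ipaddress.IPv4Address(start_s)
            end = ipaddress.IPv4Address(end_s)
            if start > end:
                raise ValueError(f"range start is after its end: {token}")
            # summarize_address_range yields the CIDR blocks covering the range;
            # iterating a network yields every address in it.
            for net in ipaddress.summarize_address_range(start, end):
                result.update(net)
        else:
            result.add(ipaddress.IPv4Address(token))
    if not result:
        raise ValueError("IP set is empty")
    return result


def effective_ip_set(include: str, exclude: str = "") -> Set[ipaddress.IPv4Address]:
    """Addresses the search covers: the include set minus the exclude set."""
    included = parse_ip_set(include)
    excluded = parse_ip_set(exclude) if exclude.strip() else set()
    return included - excluded


def effective_ip_list(include: str, exclude: str = "") -> List[str]:
    """Sorted dotted-quad strings, convenient for logging or a playbook variable."""
    return [str(ip) for ip in sorted(effective_ip_set(include, exclude))]


def is_valid_ip_set(value: str) -> bool:
    """True if parse_ip_set would accept the input."""
    try:
        parse_ip_set(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input matching the page's example range.
    covered = effective_ip_list("192.168.20.1-192.168.20.100", "192.168.20.50-192.168.20.59")
    print(f"{len(covered)} addresses will be searched, first {covered[0]}, last {covered[-1]}")
```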

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get Device Information

Input parameters

Parameter | Description
Device IP | Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization | (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"luns": "",
"name": "",
"status": "",
"version": "",
"accessIp": "",
"approved": "",
"storages": "",
"naturalId": "",
"unmanaged": "",
"components": "",
"deviceType": {
"model": "",
"vendor": "",
"version": "",
"category": "",
"jobWeight": ""
},
"interfaces": {
"networkinterface": {
"adminStatus": "",
"description": "",
"inSpeed": "",
"ipv4Addr": "",
"ipv4IsVirtual": "",
"ipv4Mask": "",
"isCritical": "",
"isMonitor": "",
"isTrunk": "",
"isWAN": "",
"macAddr": "",
"macIsVirtual": "",
"name": "",
"operStatus": "",
"outSpeed": "",
"snmpIndex": "",
"speed": "",
"type": ""
}
},
"processors": "",
"raidGroups": "",
"applications": "",
"discoverTime": "",
"organization": {
"@id": "",
"@name": ""
},
"updateMethod": "",
"ipToHostNames": "",
"storageGroups": "",
"creationMethod": "",
"description": "",
"discoverMethod": "",
"winMachineGuid": "",
"eventParserList": "",
"systemUpTime": "",
"softwarePatches": "",
"softwareServices": "",
"sanControllerPorts": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}

operation: List Incidents

Input parameters

Parameter | Description
Incident ID (Deprecated) | Specify the ID of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Important: This option is deprecated and will be available only until the next major version of the connector. To retrieve details of incidents using the incident ID, use the 'Get Incident Details' operation.
Search | Specify the filter based on which you want to search and retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Incident Category, Incident Sub Category, Reporting Device, Severity, Host, IP, Organization, or Event Type. By default, this option is set as Incident Status.
  • If you choose 'Incident Status', then from the Incident Status field, choose the status of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose between Active, Auto Cleared, Manually Cleared, or System Cleared, or you can select all or any of the options. By default, this option is set as Active.
  • If you choose 'Incident Category', then in the Incident Category field, enter the category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Incident Sub Category', then in the Incident Sub Category field, enter the subcategory of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Severity', then in the Severity field, choose the severity of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose High, Medium, Low, or any combination of the options.
  • If you choose 'Host', then in the Hostname field, enter the value of the hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'IP', then in the IP Address field, enter the value of the IP address based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Reporting Device', then in the Reporting Device field, enter the value of the reporting device based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Organization', then in the Organization field, enter the value of the organization based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Event Type', then in the Event Type field, enter the type of event based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Time Selection | (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
Number Of Items To Return In Response | (Optional) The maximum number of incidents that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Event Fields To Show In Response | (Optional) Fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"tagName": "",
"customer": "",
"procName": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"incidentId": "",
"phRecvTime": "",
"incidentSrc": "",
"activityName": "",
"attackTactic": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentTitle": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"incidentExtUser": "",
"phEventCategory": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"attackTechniqueId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"phSubIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}
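The Number Of Items To Return In Response and Offset inputs page through results, and the output schema above reports the position and size of the result set in "@start" and "@totalCount". The following added example (not the connector's code, and equally applicable to the paginated Get Events For Incident and Run Advanced Search Query operations) drains every page, stops on an empty page so an inconsistent "@totalCount" cannot loop forever, de-duplicates incidents that shift between pages, and fails on a non-empty "@errorCode"; fetch_page is a hypothetical callable standing in for the connector action, and the incident bodies are constructed.

```python
from typing import Callable, Dict, Iterator, List

# Added example, not part of the connector: drain every page of a paginated
# response such as the one List Incidents returns. The connector's
# "Number Of Items To Return In Response" (page size, default 50) and
# "Offset" inputs correspond to the "@start" and "@totalCount" fields of the
# output schema. fetch_page is a hypothetical callable standing in for the
# connector action; it takes (offset, page_size) and returns the JSON body.

PageFetcher = Callable[[int, int], Dict]


class FortiSIEMQueryError(RuntimeError):
    """Raised when a page carries a non-empty, non-zero @errorCode."""


def iter_all_incidents(fetch_page: PageFetcher, page_size: int = 50) -> Iterator[Dict]:
    """Yield every incident across all pages, de-duplicating by "id".

    Stops when the reported @totalCount is reached or when the server returns
    an empty page, so an inconsistent @totalCount cannot loop forever.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    seen = set()
    offset = 0
    while True:
        page = fetch_page(offset, page_size)
        err = str(page.get("@errorCode") or "")
        if err and err != "0":
            raise FortiSIEMQueryError(f"query failed with @errorCode={err}")
        events: List[Dict] = page.get("events") or []
        total = int(page.get("@totalCount") or 0)
        for ev in events:
            key = ev.get("id")
            if key in seen:  # a new incident arriving mid-scan shifts later pages
                continue
            seen.add(key)
            yield ev
        offset += len(events)
        if not events or offset >= total:
            return


def make_fake_fetcher(total: int, error_code: str = "") -> PageFetcher:
    """Constructed stand-in for the List Incidents action holding `total` incidents."""
    incidents = [{"id": str(i), "attributes": {"incidentId": i}} for i in range(1, total + 1)]

    def fetch_page(offset: int, page_size: int) -> Dict:
        chunk = incidents[offset:offset + page_size]
        return {
            "@start": offset,
            "@queryId": "constructed-query-id",
            "@errorCode": error_code,
            "@totalCount": total,
            "events": chunk,
        }

    return fetch_page


def collect_incident_ids(fetch_page: PageFetcher, page_size: int = 50) -> List[str]:
    """Convenience wrapper returning just the incident IDs, in page order."""
    return [ev["id"] for ev in iter_all_incidents(fetch_page, page_size)]


if __name__ == "__main__":
    ids = collect_incident_ids(make_fake_fetcher(120))
    print(f"{len(ids)} incidents retrieved in pages of 50")
```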

operation: Get Incident Details

Input parameters

Parameter | Description
Incident IDs | IDs of incidents, in CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server.
Time Selection | (Optional) Specify the time for which you want to retrieve the details of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
If you choose 'Relative Time':
  • Relative Time: (Optional) Specify the time duration for which you want to retrieve the incidents from the Fortinet FortiSIEM server. For example, if you choose Hours and provide 2 as the value, then this operation retrieves incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
  • Last:
If you choose 'Absolute Time':
  • From: (Optional) Specify the start DateTime from which to retrieve the incidents from the Fortinet FortiSIEM server.
  • To: (Optional) Specify the end DateTime up to which to retrieve the incidents from the Fortinet FortiSIEM server.
Event Fields To Show In Response | (Optional) Fields that you want to include in the details of the incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"count": "",
"tagName": "",
"customer": "",
"procName": "",
"eventName": "",
"eventType": "",
"srcIpAddr": "",
"bizService": "",
"destGeoOrg": "",
"destIpAddr": "",
"incidentId": "",
"phRecvTime": "",
"destGeoCity": "",
"incidentSrc": "",
"activityName": "",
"attackTactic": "",
"destGeoState": "",
"incidentReso": "",
"eventSeverity": "",
"incidentRptIp": "",
"incidentTitle": "",
"destGeoCountry": "",
"incidentDetail": "",
"incidentStatus": "",
"incidentTarget": "",
"destGeoLatitude": "",
"incidentExtUser": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventSeverityCat": "",
"incidentComments": "",
"incidentLastSeen": "",
"incidentTicketId": "",
"attackTechniqueId": "",
"incidentFirstSeen": "",
"incidentViewUsers": "",
"phIncidentImpacts": "",
"incidentNotiStatus": "",
"incidentRptDevName": "",
"incidentTicketUser": "",
"incidentViewStatus": "",
"phIncidentCategory": "",
"phSubIncidentCategory": "",
"incidentClearedTime": "",
"incidentClearedUser": "",
"incidentExtTicketId": "",
"incidentRptDevStatus": "",
"incidentTicketStatus": "",
"incidentClearedReason": "",
"incidentExtTicketType": "",
"incidentExtClearedTime": "",
"incidentExtTicketState": "",
"incidentNotiRecipients": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Organization Details

Input parameters

Parameter | Description
Organization ID | The ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}

operation: Comment Incident

Input parameters

Parameter | Description
Incident ID | The ID of the incident to which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter | Description
Incident ID | The ID of the incident that you want to clear on the Fortinet FortiSIEM server.
Reason | Text of the reason that you want to record while clearing the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Change Severity

Input parameters

Parameter | Description
Incident ID | The ID of the incident whose severity you want to update on the Fortinet FortiSIEM server.
Incident Severity | The severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Change Resolution

Input parameters

Parameter | Description
Incident ID | The ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server.
Incident Resolution | The resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.

Output

The output contains the following populated JSON schema:
{
"incident_id": [],
"message": ""
}

operation: Get Events For Incident

Input parameters

Parameter | Description
Incident ID | The ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
From | (Optional) Specify the start DateTime from when you want to retrieve associated events from the Fortinet FortiSIEM server.
To | (Optional) Specify the end DateTime till when you want to retrieve associated events from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks are retrieved from the Fortinet FortiSIEM server.
Number Of Items To Return In Response | (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"fileName": "",
"procName": "",
"avgDurationMSec": "",
"maxDurationMSec": "",
"minDurationMSec": "",
"pktLossPct": "",
"hostIpAddr": "",
"hostName": "",
"lineNumber": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}

operation: Run Advanced Search Query

Input parameters

Parameter | Description
Advanced Search Query | Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response | Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By | (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr.
Order By | (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC.
Time Range | (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range for which you want to search for reports that you want to run on the Fortinet FortiSIEM server in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response | (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset | (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.
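The Advanced Search Query parameter takes a condition string; when playbook variables feed into it, a value containing a quote or newline can change the meaning of the condition. The following added example (not the connector's code) composes a condition in the shape of the page's own example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)), from typed inputs and refuses values it cannot embed safely. The attribute names come from that example; the grammar (CONTAIN, =, IN, AND, parentheses, double-quoted strings) is assumed from it alone, so check any other operator against the FortiSIEM documentation.

```python
import re
from typing import Sequence, Union

# Added example, not the connector's code: build an Advanced Search Query
# condition string in the form the page's own example uses,
#   (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1))
# from playbook inputs while refusing values that could alter the query.
# The attribute names come from that example; the grammar (CONTAIN, =, IN,
# AND, parentheses, double-quoted strings) is assumed from it.

Scalar = Union[str, int]
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def _attribute(name: str) -> str:
    """Attribute names are identifiers; anything else is rejected, not quoted."""
    if not _ATTR_RE.match(name):
        raise ValueError(f"invalid attribute name: {name!r}")
    return name


def _literal(value: Scalar) -> str:
    """Render an int bare or a str double-quoted, refusing unsafe strings."""
    # bool is a subclass of int; reject it so True does not silently become 1
    if isinstance(value, bool):
        raise TypeError("boolean values are not supported")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        # No escaping rule is documented on the page, so refuse rather than guess.
        if any(ch in value for ch in ('"', "\\", "\n", "\r")):
            raise ValueError("string value may not contain quotes, backslashes or newlines")
        return f'"{value}"'
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def contain(attr: str, value: str) -> str:
    return f"{_attribute(attr)} CONTAIN {_literal(value)}"


def equals(attr: str, value: Scalar) -> str:
    return f"{_attribute(attr)} = {_literal(value)}"


def is_in(attr: str, values: Sequence[Scalar]) -> str:
    if not values:
        raise ValueError("IN requires at least one value")
    return f"{_attribute(attr)} IN ({', '.join(_literal(v) for v in values)})"


def group(*terms: str) -> str:
    """Parenthesised conjunction, e.g. (a AND b)."""
    if not terms:
        raise ValueError("group requires at least one term")
    return "(" + " AND ".join(terms) + ")"


def conjunction(*terms: str) -> str:
    """Top-level AND of already-grouped terms, matching the page's example shape."""
    return " AND ".join(terms)


def page_example_query() -> str:
    """Reproduces the example query from the parameter description above."""
    return conjunction(
        group(contain("incidentDetail", "jobName"), equals("phEventCategory", 1)),
        group(is_in("phCustId", [1])),
    )


def is_safe_string_value(value: str) -> bool:
    """True if the value can be embedded as a quoted literal without rejection."""
    try:
        _literal(value)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    print(page_example_query())
```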

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter | Description
Incident ID | The ID of the incident that you want to update on the Fortinet FortiSIEM server.
Comment Text | Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.
Incident Status | Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket Type | Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket ID | The ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket State | State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Assigned User | External assigned user that you want to update in the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Get Event Details

Input parameters

Parameter | Description
Event ID | The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From | (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To | (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks are retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"hostIpAddr": "",
"hostName": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select the attribute types by which you want to search for events on the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting IP, Source IP, Source Port, Source MAC, or User. Attributes whose field is labeled IN match exact values; attributes whose field is labeled CONTAINS match substrings.
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter the search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event attributes (for example, srcIpAddr, destIpAddr, eventName) that you want included for each event returned in the response.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": "",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": "",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": "",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

operation: Get Events Data By Query ID

Input parameters

Parameter Description
Query ID The ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc.
Number Of Items To Return In Response (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
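The Search Events inputs above (IN versus CONTAINS attributes, a Relative Time window) and the offset/limit paging of Get Events Data By Query ID are where playbook mistakes usually creep in: an alert field pasted into a CONTAINS filter, or a loop that never stops because the total count was not honoured. The following Python is an added example, not code from the connector or from FortiSIEM. The attribute names incidentId, fileName, procName and user, the "attr IN (a,b)" / "attr CONTAINS 'x'" constraint syntax, the doubling of single quotes as the escape rule, and "@errorCode of 0 means success" are all assumptions; fetch is a stand-in for the connector's paged request.

```python
"""Build a FortiSIEM event-search constraint and page through the results.
Added example, not connector or FortiSIEM code. Assumptions: attribute
names come from the event schema on this page except incidentId, fileName,
procName and user, which are guesses; the "attr IN (a,b)" / "attr CONTAINS
'x'" syntax and doubling single quotes to escape CONTAINS text are assumed;
'fetch' stands in for the connector's paged request."""
import ipaddress
from typing import Any, Callable, Dict, Iterator, List, Tuple

# Connector search attribute -> (FortiSIEM attribute, operator the form uses)
SEARCH_ATTRIBUTES: Dict[str, Tuple[str, str]] = {
    "Destination Port": ("destIpPort", "IN"),
    "Destination IP": ("destIpAddr", "IN"),
    "Event ID": ("eventId", "IN"),
    "Event Action": ("eventAction", "IN"),
    "Incident ID": ("incidentId", "IN"),            # assumed attribute name
    "File Name": ("fileName", "CONTAINS"),           # assumed attribute name
    "Host Name": ("hostName", "CONTAINS"),
    "Organization Name": ("customer", "CONTAINS"),
    "Process Name": ("procName", "CONTAINS"),        # assumed attribute name
    "Post-NAT Source IP": ("postNATSrcIpAddr", "IN"),
    "Raw Event Log": ("rawEventMsg", "CONTAINS"),
    "Relay IP": ("relayDevIpAddr", "IN"),
    "Reporting IP": ("reptDevIpAddr", "IN"),
    "Source IP": ("srcIpAddr", "IN"),
    "Source Port": ("srcIpPort", "IN"),
    "Source MAC": ("srcMACAddr", "CONTAINS"),
    "User": ("user", "CONTAINS"),                    # assumed attribute name
}
_IP_ATTRS = {"destIpAddr", "postNATSrcIpAddr", "relayDevIpAddr", "reptDevIpAddr", "srcIpAddr"}
_PORT_ATTRS = {"destIpPort", "srcIpPort"}
_UNIT_SECONDS = {"Minutes": 60, "Hours": 3600, "Days": 86400}

def _as_list(value: Any) -> List[str]:
    """Accept a list or the comma-separated string the IN fields take."""
    items = value if isinstance(value, list) else str(value).split(",")
    return [str(v).strip() for v in items if str(v).strip()]

def _checked_in_value(attr: str, item: str) -> str:
    """Validate one IN-list member so playbook input cannot reshape the query."""
    if attr in _IP_ATTRS:
        return str(ipaddress.ip_address(item))          # ValueError on junk
    if attr in _PORT_ATTRS:
        port = int(item)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {item}")
        return str(port)
    if attr == "eventAction" and item not in ("0", "1"):
        raise ValueError("Event Action must be 0 (Permit) or 1 (Deny)")
    if not item.isalnum():                                # event / incident IDs
        raise ValueError(f"unexpected characters in {attr} value: {item!r}")
    return item

def build_constraint(filters: Dict[str, Any]) -> str:
    """AND the chosen attributes together, quoting CONTAINS text."""
    parts = []
    for label, value in filters.items():
        if label not in SEARCH_ATTRIBUTES:
            raise KeyError(f"unknown search attribute: {label}")
        attr, op = SEARCH_ATTRIBUTES[label]
        if op == "IN":
            items = [_checked_in_value(attr, v) for v in _as_list(value)]
            if not items:
                raise ValueError(f"{label}: empty IN list")
            parts.append(f"{attr} IN ({','.join(items)})")
        else:
            text = str(value).replace("'", "''")          # assumed escape rule
            parts.append(f"{attr} CONTAINS '{text}'")
    if not parts:
        raise ValueError("at least one search attribute is required")
    return " AND ".join(parts)

def relative_window(unit: str, last: int, now: int) -> Tuple[int, int]:
    """Turn 'Last N <unit>' into an absolute (low, high) epoch-seconds range."""
    if unit not in _UNIT_SECONDS or last <= 0:
        raise ValueError("unit must be Minutes, Hours or Days and last > 0")
    return now - last * _UNIT_SECONDS[unit], now

def iter_events(fetch: Callable[[int, int], Dict[str, Any]],
                page_size: int = 50, start: int = 0) -> Iterator[Dict[str, Any]]:
    """Walk offset/limit pages until @totalCount is exhausted."""
    offset = start
    while True:
        page = fetch(offset, page_size)
        if str(page.get("@errorCode", "0")) not in ("", "0"):   # assumed: 0 means ok
            raise RuntimeError(f"FortiSIEM query error {page['@errorCode']}")
        events = page.get("events") or []
        yield from events
        offset += len(events)
        if not events or offset >= int(page.get("@totalCount") or 0):
            return

def make_demo_fetch(total: int):
    """Constructed stand-in for the paged connector call: returns (fetch, calls)."""
    calls: List[Tuple[int, int]] = []

    def fetch(offset: int, limit: int) -> Dict[str, Any]:
        calls.append((offset, limit))
        return {"@start": str(offset), "@totalCount": str(total), "@errorCode": "0",
                "events": [{"id": str(i), "attributes": {}}
                           for i in range(offset, min(offset + limit, total))]}
    return fetch, calls

if __name__ == "__main__":
    print(build_constraint({"Destination IP": "10.0.0.5, 10.0.0.6", "Host Name": "web'01"}))
    fetch, calls = make_demo_fetch(120)
    print(len(list(iter_events(fetch))), "events over", len(calls), "pages")
```

Values fed to the IN fields often come straight from an alert (a source IP, a port), so they are validated as an address or a port number rather than concatenated; CONTAINS text is quoted and escaped so a hostname or user name lifted from a log cannot change the shape of the constraint. The paging loop stops on an empty page as well as on @totalCount, which protects the playbook if the count reported by the server is stale.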

Output

The output contains a non-dictionary value.

operation: Get Watch Lists

Input parameters

Parameter Description
Get Watch List Data By Select the parameter using which you want to retrieve watch list data from Fortinet FortiSIEM.
  • If you choose 'Get All Watch Lists', then data for all watch lists are retrieved from Fortinet FortiSIEM.
  • If you choose 'By Watch List ID', then in the Watch List ID field you must specify the ID of the watch list whose details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry Value', then in the Entry Value field you must specify the value of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry ID', then in the Watch List Entry ID field you must specify the ID of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.

Output

If you choose "Get All Watch Lists", "By Watch List ID", or "By Watch List Entry Value" as the "Get Watch List Data By" option, then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}

The default output schema is identical to the schema shown above for "Get All Watch Lists", "By Watch List ID", and "By Watch List Entry Value".

operation: Get Watch List Entries Count

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}

operation: Get Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to retrieve from Fortinet FortiSIEM.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}

operation: Add Watch List Entries To Watch List

Input parameters

Parameter Description
Watch List ID The ID of the watch list to which you want to add watch list entries.
Other parameters JSON Array of watch list entry objects that you want to add to specific watch lists.
For example,
{
"inclusive": false,
"count": 10,
"custId": 1,
"triggeringRules": "Datastore Space Warning",
"entryValue": "PVVol_A001_A000356_POWER2",
"ageOut": "1d",
"lastSeen": 1613601369215,
"firstSeen": 1613601369215,
"disableAgeout": false,
"dataCreationType": "USER"
}

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Watch List

Input parameters

Parameter Description
Watch List JSON Object JSON Object of a watch list with a watch list entry that you want to create in the FortiSIEM database. For example,
{
"description": "Servers, network or storage devices",
"displayName": "Resource Issues Test4",
"type": "DyWatchList",
"isCaseSensitive": false,
"dataCreationType": "USER",
"topGroup": false,
"valuePattern": null,
"valueType": "STRING",
"ageOut": "1d",
"custId": 1,
"entries": [
{
"inclusive": true,
"entryValue": "PVVol_A001_A000356_5new",
"ageOut": "1d",
"count": 1,
"custId": 1,
"firstSeen": 1612901760000,
"lastSeen": 1612901760000,
"triggeringRules": "Datastore Space Warning",
"dataCreationType": "USER"
}
]
}

Where the displayName and type are the required fields.

Output

The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Update Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to update in the FortiSIEM database.
Count (Optional) Specify the new occurrence count for the watch list entry that you want to update in the FortiSIEM database.
Last Seen Time (Optional) Specify the new last seen time of the watch list entry as a Unix epoch timestamp. The sample values on this page (for example, 1612901760002) are in milliseconds.
State From the State drop-down list, select Active to set the watch list entry to the 'Active' state, or Inactive to set it to the 'Inactive' state.
Other Parameters JSON object with the remaining watch list entry fields that you want to update in the FortiSIEM database. For example,
{
"lastSeen": 1612901760002,
"dataCreationType": "USER",
"firstSeen": 1612901760001,
"count": 100,
"custId": "1",
"triggeringRules": "Datastore Space Warning",
"description": "Testing again",
"id": 889400,
"inclusive": true,
"entryValue": "PVVol_A001_A000356_POWER23",
"expiredTime": 1612988160001,
"ageOut": "2d"
}
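The payloads for Add Watch List Entries To Watch List and Update Watch List Entry (the two JSON examples above) are easy to get subtly wrong from a playbook: a timestamp in seconds where milliseconds are expected makes an entry look decades old, and an ageOut string FortiSIEM cannot parse is rejected at the API. The following Python is an added example, not connector or FortiSIEM code. It assumes that firstSeen and lastSeen are Unix epoch milliseconds (as the sample values on this page are), that ageOut uses the "<n>d" notation shown here (the "h" and "m" suffixes are an extra assumption), and that the State values are the drop-down labels Active and Inactive.

```python
"""Build watch-list entry payloads for the Add and Update operations, with
the checks a playbook should run first. Added example; not connector or
FortiSIEM code. Assumptions: firstSeen/lastSeen are epoch milliseconds,
ageOut is '<n>d' as on this page ('h' and 'm' are my addition), and the
state values are the connector drop-down labels."""
import re
import time
from typing import Any, Dict, Iterable, List, Optional

_AGEOUT = re.compile(r"^(\d+)([dhm])$")
_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000}
_MIN_PLAUSIBLE_MS = 10 ** 11      # ~1973; anything smaller is seconds, not ms
_STATES = ("Active", "Inactive")   # assumed to match the drop-down labels

def ageout_to_ms(age_out: str) -> int:
    """Parse '1d' / '12h' / '30m' into milliseconds; reject anything else."""
    m = _AGEOUT.match(age_out.strip())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad ageOut value: {age_out!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2)]

def _check_ms(name: str, value: int) -> int:
    """Catch the classic mistake of passing epoch seconds where ms are expected."""
    if not isinstance(value, int) or value < _MIN_PLAUSIBLE_MS:
        raise ValueError(f"{name} must be epoch milliseconds, got {value!r}")
    return value

def new_entry(entry_value: str, triggering_rules: str, *, cust_id: int = 1,
              age_out: str = "1d", count: int = 1, inclusive: bool = True,
              disable_ageout: bool = False, now_ms: Optional[int] = None) -> Dict[str, Any]:
    """One element of the JSON array passed as 'Other parameters' when adding."""
    if not entry_value.strip():
        raise ValueError("entryValue must not be empty")
    ageout_to_ms(age_out)                       # validate the notation early
    now_ms = _check_ms("now_ms", int(time.time() * 1000) if now_ms is None else now_ms)
    return {
        "inclusive": inclusive,
        "count": count,
        "custId": cust_id,
        "triggeringRules": triggering_rules,
        "entryValue": entry_value.strip(),
        "ageOut": age_out,
        "lastSeen": now_ms,
        "firstSeen": now_ms,
        "disableAgeout": disable_ageout,
        "dataCreationType": "USER",
    }

def entries_for(values: Iterable[str], triggering_rules: str, *,
                case_sensitive: bool = False, **kwargs: Any) -> List[Dict[str, Any]]:
    """Build the array for one Add call, collapsing duplicates the way a
    watch list with the given isCaseSensitive setting would."""
    seen, out = set(), []
    for v in values:
        key = v.strip() if case_sensitive else v.strip().lower()
        if not key or key in seen:
            continue
        seen.add(key)
        out.append(new_entry(v, triggering_rules, **kwargs))
    return out

def entry_update(entry_id: int, *, count: Optional[int] = None,
                 last_seen_ms: Optional[int] = None,
                 state: Optional[str] = None) -> Dict[str, Any]:
    """Only the fields being changed, matching the Update operation's inputs."""
    payload: Dict[str, Any] = {"id": entry_id}
    if count is not None:
        if count < 0:
            raise ValueError("count must be >= 0")
        payload["count"] = count
    if last_seen_ms is not None:
        payload["lastSeen"] = _check_ms("lastSeen", last_seen_ms)
    if state is not None:
        if state not in _STATES:
            raise ValueError(f"state must be one of {_STATES}")
        payload["state"] = state
    if len(payload) == 1:
        raise ValueError("nothing to update")
    return payload

if __name__ == "__main__":
    print(entries_for(["Host-A", "host-a"], "Datastore Space Warning", now_ms=1613601369215))
    print(entry_update(889400, count=100, last_seen_ms=1612901760002, state="Active"))
```

The millisecond check is deliberately crude (any value below 10^11 is treated as seconds); it exists because the failure is silent otherwise, with the entry accepted and then aged out immediately.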

Output

The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}

operation: Delete Watch List Entry

Input parameters

Parameter Description
Watch List Entry IDs IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [500000, 500001]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Delete Watch List

Input parameters

Parameter Description
Watch List IDs IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [500000, 500001]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Lookup Table

Input parameters

Parameter Description
Name Specify the name of the lookup table that you want to create in FortiSIEM.
Note: The table name must contain only letters and digits.
Column List Specify the list of column definitions for the lookup table you want to create in FortiSIEM. For each column you must specify the following three values:
  • key - key indicating whether or not the column is a primary column
  • name- name of the column
  • type - type of the column, which can be STRING, LONG, or DOUBLE.
    For example,
    [
    {"key": true, "name": "url", "type": "STRING"},
    {"key": false, "name": "wfCategoryID", "type": "LONG"}
    ]
Description (Optional) Specify the description of the lookup table that you want to create in FortiSIEM.
Organization Name (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user.

Output

The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}

operation: Get All Lookup Table

Input parameters

Parameter Description
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}

operation: Delete Lookup Table

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier of the lookup table that you want to delete from the FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Import Lookup Table Data

Input parameters

Parameter Description
File IRI/Attachment ID Select the method using which you want to import the CSV file present in FortiSOAR to the FortiSIEM lookup table. You can choose between Attachment ID and File IRI.
  • If you choose 'Attachment ID', then in the Attachment ID field specify the Attachment ID of the CSV file that you want to import into the specified lookup table in FortiSIEM.
  • If you choose 'File IRI', then in the File IRI field specify the CSV file that you want to import into the specified lookup table in FortiSIEM.
Lookup Table ID Specify the unique identifier of the FortiSIEM lookup table into which you want to import the CSV file.
Mapping Specify the mapping that matches columns of the specified lookup table to column positions in the CSV file, as a JSON object whose keys are lookup table column names and whose values are CSV column positions, i.e., {"<columnName>": <position>, "<columnName>": <position>}.
For example, {"url":1, "wfCategoryID":2}
File Separator Specify the file separator for the specified CSV file. By default, this is set as the comma character(,)
File Quote Char Specify the file quote character for the specified CSV file. By default, this is set as the double quotation character(")
Skip Header Select this option to ignore the header of the specified CSV file.
Update Type Select the method of updating the data in FortiSIEM. You can choose between Overwrite (default) or Append.
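Create Lookup Table and Import Lookup Table Data work together: the column list fixes the key columns and the STRING/LONG/DOUBLE types, and the import mapping decides which CSV column feeds each of them. Because the import runs as an asynchronous task on the FortiSIEM side (see Check Import Task Status), it is worth validating the definition and the CSV in the playbook before uploading. The following Python is an added example, not connector or FortiSIEM code. It assumes that mapping positions are 1-based (inferred from the {"url":1, "wfCategoryID":2} example), that LONG and DOUBLE correspond to int and float, and that a row whose key column is empty should be rejected rather than imported; the CSV is constructed sample input.

```python
"""Validate a lookup-table definition and apply an import mapping to CSV
text locally, mirroring what Create Lookup Table and Import Lookup Table
Data send to FortiSIEM. Added example; not connector or FortiSIEM code.
Assumptions: mapping positions are 1-based (inferred from the page's
{"url":1, "wfCategoryID":2} example), LONG -> int, DOUBLE -> float, and
rows with an empty key column are rejected. SAMPLE_CSV is constructed."""
import csv
import io
import re
from typing import Any, Dict, List, Tuple

_TABLE_NAME = re.compile(r"^[A-Za-z0-9]+$")      # letters and digits only
_TYPES = {"STRING": str, "LONG": int, "DOUBLE": float}

# Column list taken from the page's Create Lookup Table example
COLUMNS = [
    {"key": True, "name": "url", "type": "STRING"},
    {"key": False, "name": "wfCategoryID", "type": "LONG"},
]

# Constructed sample: header, one good row, one bad LONG, one empty key
SAMPLE_CSV = (
    'url,category\n'
    '"http://example.com/a",30\n'
    '"http://example.com/b",thirty\n'
    ',40\n'
)

def validate_table(name: str, column_list: List[Dict[str, Any]]) -> None:
    """Reject definitions FortiSIEM would refuse, or that would be unusable."""
    if not _TABLE_NAME.match(name):
        raise ValueError("table name must contain only letters and digits")
    names = [c.get("name") for c in column_list]
    if not names or len(set(names)) != len(names):
        raise ValueError("column names must be present and unique")
    for c in column_list:
        if set(c) != {"key", "name", "type"} or not isinstance(c["key"], bool):
            raise ValueError(f"column needs key/name/type: {c}")
        if c["type"] not in _TYPES:
            raise ValueError(f"{c['name']}: type must be STRING, LONG or DOUBLE")
    if not any(c["key"] for c in column_list):
        raise ValueError("at least one key column is required")

def apply_mapping(csv_text: str, column_list: List[Dict[str, Any]],
                  mapping: Dict[str, int], *, separator: str = ",",
                  quote_char: str = '"', skip_header: bool = True
                  ) -> Tuple[List[Dict[str, Any]], List[Tuple[int, str]]]:
    """Return (accepted rows, [(record number, reason), ...] for rejected rows)."""
    types = {c["name"]: c["type"] for c in column_list}
    keys = {c["name"] for c in column_list if c["key"]}
    unknown = set(mapping) - set(types)
    if unknown:
        raise ValueError(f"mapping names columns not in the table: {sorted(unknown)}")
    if keys - set(mapping):
        raise ValueError(f"mapping must cover every key column: {sorted(keys)}")
    reader = csv.reader(io.StringIO(csv_text), delimiter=separator, quotechar=quote_char)
    rows, rejected = [], []
    for recno, fields in enumerate(reader, start=1):
        if (skip_header and recno == 1) or not fields:
            continue
        row: Dict[str, Any] = {}
        try:
            for col, pos in mapping.items():
                if not 1 <= pos <= len(fields):
                    raise ValueError(f"no column {pos} for {col}")
                raw = fields[pos - 1].strip()
                if not raw:
                    if col in keys:
                        raise ValueError(f"empty key column {col}")
                    row[col] = None
                else:
                    row[col] = _TYPES[types[col]](raw)   # ValueError on bad LONG/DOUBLE
        except ValueError as exc:
            rejected.append((recno, str(exc)))
            continue
        rows.append(row)
    return rows, rejected

if __name__ == "__main__":
    validate_table("WebFilterCategories", COLUMNS)
    ok, bad = apply_mapping(SAMPLE_CSV, COLUMNS, {"url": 1, "wfCategoryID": 2})
    print(ok)
    print(bad)
```

Running the same separator, quote character and Skip Header settings through csv.reader that you pass to the import makes the local check faithful to what FortiSIEM will see; the rejected list tells you which records to fix before choosing Overwrite, which replaces the whole table.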

Output

The output contains the following populated JSON schema:
{
"taskId": ""
}

operation: Check Import Task Status

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table in FortiSIEM for which you want to check the import task status.
Task ID Specify the ID of the import task for the specified lookup table. You can retrieve the task ID from the response of the 'Import Lookup Table Data' action.

Output

The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}

operation: Get Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table for which you want to retrieve items from FortiSIEM.
Start (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.
Search Text (Optional) Specify the Search text using which you want to filter items of the specified lookup table in FortiSIEM.
Sort By (Optional) Specify the lookup table columns by which you want to sort the search results retrieved from FortiSIEM. You can also specify the sort direction for each column, i.e., descending (DESC) or ascending (ASC).

Output

The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}

operation: Update Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to update in FortiSIEM.
Key Specify the primary key column of the lookup table and the value that identifies the item you want to update, as a JSON object in the format {"<keyColumn>": <value>}.
For example, {"url": "http://example.com"}
Column Data Specify the dictionary of column values you want to update in the specified lookup table.
For example, {"url": "www.test.com", "wfCategoryID": 30, "score": 0.50119}

Output

The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}

operation: Delete Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to delete in FortiSIEM.
Primary Keys Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[
{<keyColumn_1>:<value>,<keyColumn_2>:<value>}
]

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

Included playbooks

The Sample - Fortinet FortiSIEM - 4.4.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

  • > FortiSIEM > Fetch
  • >> FortiSIEM > Fetch Associated events for Incident
  • >> FortiSIEM > Init Macros
  • Device: Get All Devices
  • Device: Get All Devices For Specified IP Address Range
  • Device: Get Device Information
  • Device: List Monitored Devices and Attributes
  • Event: Get Event Attribute
  • Event: Get Event Details
  • Event: Get Events For Incident
  • Event: Search Events
  • FortiSIEM > Ingest
  • Get Events Data By Query ID
  • Incident: Change Resolution
  • Incident: Change Severity
  • Incident: Clear Incident With Reason
  • Incident: Comment Incident
  • Incident: Get Incident Details
  • Incident: List Incidents
  • Incident: Update Incident
  • Lookup Table: Check Import Task Status
  • Lookup Table: Create Lookup Table
  • Lookup Table: Delete Lookup Table
  • Lookup Table: Delete Lookup Table Data
  • Lookup Table: Get All Lookup Table
  • Lookup Table: Get Lookup Table Data
  • Lookup Table: Import Lookup Table Data
  • Lookup Table: Update Lookup Table Data
  • Organization: Get Organization Details
  • Organization: List Monitored Organizations
  • Run Advanced Search Query
  • Watch List: Add Watch List Entries To Watch List
  • Watch List: Create Watch List
  • Watch List: Delete Watch List
  • Watch List: Delete Watch List Entry
  • Watch List: Get Watch List Entries Count
  • Watch List: Get Watch List Entry
  • Watch List: Get Watch Lists
  • Watch List: Update Watch List Entry

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
NOTE: If you want to link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, you can use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM by specifying either a "Time Range (minutes)", i.e., incidents that have been updated in FortiSIEM in the last X minutes, or an "Incident ID". When you fetch data based on the "Time Range", you must specify the from and to dates for which you want to retrieve incidents from Fortinet FortiSIEM. When you fetch data based on an "Incident ID", you must specify the ID of the incident that you want to retrieve from Fortinet FortiSIEM. The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts.
    You can also specify additional parameters, such as the maximum number of events to fetch per incident and filters (status, category, subcategory, severity, and so on) to apply to the incidents being fetched.
    Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and if you have checked the Configure Multi-Tenant Mappings checkbox, then ensure that you map the organization name defined in FortiSIEM as a tenant in FortiSOAR™:

    If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
    Important: While configuring data ingestion in version 5.1.1, picklists do not map correctly. For example, the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
    {{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
    This issue has been resolved in FortiSOAR™ Version 6.0.0.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from FortiSIEM every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
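The ingestion flow described in these steps (a "Time Range (minutes)" pull, the status and severity filters, the field mapping from incident attributes to alert fields, and the fallback to a "Self" record when an organization is not mapped to a tenant), as an added Python example that is not part of the connector or of this document. The incident records, the tenant map, the alert field names and the numeric incidentStatus codes are constructed assumptions.

```python
"""Offline reproduction of the Data Ingestion Wizard's "Time Range (minutes)" pull,
its filters and its field mapping. Added example, not connector code: the incident
records, status codes, tenant map and alert field names are constructed assumptions."""
from datetime import datetime, timedelta, timezone

# FortiSIEM reports incidentStatus as an integer; this code-to-name table is assumed.
STATUS_NAMES = {0: "Active", 1: "Auto Cleared", 2: "Manually Cleared", 3: "System Cleared"}
# Severity picklist mapping, standing in for the resolveRange jinja filter on the page.
ALERT_SEVERITY_MAP = {"HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}
# Multi-tenant mapping: FortiSIEM organization name -> FortiSOAR tenant (assumed values).
TENANT_MAP = {"Acme Corp": "acme-tenant"}

NOW = datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock, so runs repeat


def _ago(minutes):
    return int((NOW - timedelta(minutes=minutes)).timestamp())


# Constructed List Incidents response, in the shape of the output schema on this page.
SAMPLE_RESPONSE = {
    "@start": "0",
    "@totalCount": "3",
    "events": [
        {"id": "101", "attributes": {"incidentId": "101", "eventName": "Brute Force Login",
                                     "eventSeverityCat": "HIGH", "incidentStatus": 0,
                                     "customer": "Acme Corp", "incidentLastSeen": _ago(3)}},
        {"id": "102", "attributes": {"incidentId": "102", "eventName": "Port Scan",
                                     "eventSeverityCat": "LOW", "incidentStatus": 1,
                                     "customer": "Acme Corp", "incidentLastSeen": _ago(2)}},
        {"id": "103", "attributes": {"incidentId": "103", "eventName": "Malware Found",
                                     "eventSeverityCat": "MEDIUM", "incidentStatus": 0,
                                     "customer": "Unknown Org", "incidentLastSeen": _ago(40)}},
    ],
}


def ingestion_window(minutes, now=NOW):
    """Epoch-second (time_from, time_to) for 'incidents updated in the last X minutes'."""
    return int((now - timedelta(minutes=minutes)).timestamp()), int(now.timestamp())


def select_incidents(response, time_from, time_to, statuses=("Active",), severities=None):
    """Apply the wizard's time range, status and severity filters to a response."""
    picked = []
    for event in response["events"]:
        attrs = event["attributes"]
        if not time_from <= attrs["incidentLastSeen"] <= time_to:
            continue
        if STATUS_NAMES.get(attrs["incidentStatus"]) not in statuses:
            continue
        if severities and attrs["eventSeverityCat"] not in severities:
            continue
        picked.append(event)
    return picked


def map_incident_to_alert(event, tenant_map=TENANT_MAP):
    """Field mapping step: FortiSIEM incident attributes -> FortiSOAR alert fields.
    An organization that is not mapped (or wrongly mapped) lands on 'Self', as the
    page states for multi-tenant ingestion."""
    attrs = event["attributes"]
    return {
        "name": attrs["eventName"],                       # eventName -> Name
        "source_id": attrs["incidentId"],
        "severity": ALERT_SEVERITY_MAP.get(attrs.get("eventSeverityCat"), "Medium"),
        "status": STATUS_NAMES.get(attrs["incidentStatus"], "Active"),
        "tenant": tenant_map.get(attrs.get("customer"), "Self"),
        "last_seen": datetime.fromtimestamp(attrs["incidentLastSeen"], timezone.utc).isoformat(),
    }


def ingest(response, minutes=30, statuses=("Active",), severities=None):
    """One scheduled pull: window, filter, map."""
    time_from, time_to = ingestion_window(minutes)
    chosen = select_incidents(response, time_from, time_to, statuses, severities)
    return [map_incident_to_alert(e) for e in chosen]


if __name__ == "__main__":
    for alert in ingest(SAMPLE_RESPONSE, minutes=60):
        print(alert)
```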

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
Get Organization Details Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. get_organization
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the incident ID or search criteria you have specified. get_incidents
Investigation
Get Incident Details Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. get_incident_details
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Change Severity Changes the severity of a specific incident to LOW, MEDIUM, or HIGH on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_severity
Investigation
Change Resolution Changes the resolution of a specific incident to True Positive or False Positive on the Fortinet FortiSIEM server based on the incident ID you have specified. change_incident_resolution
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. get_associated_events
Investigation
Run Advanced Search Query Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. run_report
Investigation
Update Incident Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. update_incident
Investigation
Get Event Details Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. get_event_details
Investigation
Search Events Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. search_events
Investigation
Get Event Attributes Retrieves all event attributes from the Fortinet FortiSIEM server. get_incident_attributes
Investigation
Get Events Data By Query ID Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. get_events_by_query_id
Investigation
Get Watch Lists Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. get_watch_lists
Investigation
Get Watch List Entries Count Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. get_watch_list_entries_count
Investigation
Get Watch List Entry Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. get_watch_list_entry
Investigation
Add Watch List Entries To Watch List Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. update_watch_list_group
Investigation
Create Watch List Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. create_watch_list_group
Investigation
Update Watch List Entry Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. update_watch_list_entry
Investigation
Delete Watch List Entry Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. delete_watch_list_entry
Investigation
Delete Watch List Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. delete_watch_list
Investigation
Create Lookup Table Creates the definition of a lookupTable in the FortiSIEM server based on the name, column list, and other input parameters you have specified. create_lookup_table
Investigation
Get All Lookup Table Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. get_all_lookup_tables
Investigation
Delete Lookup Table Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. delete_lookup_table
Investigation
Import Lookup Table Data Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. import_lookup_table_data
Investigation
Check Import Task Status Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. check_import_task_status
Investigation
Get Lookup Table Data Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. get_lookup_table_data
Investigation
Update Lookup Table Data Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. update_lookup_table_data
Investigation
Delete Lookup Table Data Deletes items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. delete_lookup_table_data
Investigation

Important: Fortinet FortiSIEM supports the "Change Severity" and "Change Resolution" actions from version 5.2.8 and later.

operation: Get All Devices

Input parameters

Parameter Description
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "devices": {
    "device": [
      {
        "name": "",
        "accessIp": "",
        "approved": "",
        "creationMethod": "",
        "discoverMethod": "",
        "discoverTime": "",
        "naturalId": "",
        "unmanaged": "",
        "updateMethod": "",
        "version": "",
        "deviceType": {
          "accessProtocols": "",
          "jobWeight": "",
          "model": "",
          "vendor": "",
          "version": ""
        },
        "organization": {
          "@id": "",
          "@name": ""
        }
      }
    ]
  }
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "devices": {
    "device": [
      {
        "name": "",
        "accessIp": "",
        "approved": "",
        "creationMethod": "",
        "discoverMethod": "",
        "discoverTime": "",
        "naturalId": "",
        "unmanaged": "",
        "updateMethod": "",
        "version": "",
        "deviceType": {
          "accessProtocols": "",
          "jobWeight": "",
          "model": "",
          "vendor": "",
          "version": ""
        },
        "organization": {
          "@id": "",
          "@name": ""
        }
      }
    ]
  }
}
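An added example, not the connector's own code, that validates the Include IP SET / Exclude IP SET inputs of this operation (range or comma-separated form) before any request is built, and converts a constructed FortiSIEM XML device list into the JSON shape shown above, where the "@id" and "@name" keys come from XML attributes. The REST path and the includeIps/excludeIps query parameter names are assumptions.

```python
"""Input validation and response conversion for the IP-range device lookup.
Added example (not connector code): the endpoint path, the includeIps/excludeIps
parameter names and the XML sample are assumptions / constructed data."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def parse_ip_set(value):
    """Normalise an 'IP SET' input. Accepts 'a.b.c.d-a.b.c.e' (inclusive range) or a
    comma-separated list of addresses; anything else raises ValueError so a bad
    playbook input is rejected before a request is sent."""
    value = value.strip()
    if not value:
        raise ValueError("empty IP set")
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {value}")
        return f"{lo}-{hi}"
    return ",".join(str(ipaddress.ip_address(p.strip())) for p in value.split(","))


def ip_in_set(ip, ip_set):
    """Local check that an address falls inside a normalised IP set (range or list)."""
    ip = ipaddress.ip_address(ip)
    ip_set = parse_ip_set(ip_set)
    if "-" in ip_set:
        lo, hi = (ipaddress.ip_address(p) for p in ip_set.split("-"))
        return lo <= ip <= hi
    return ip in {ipaddress.ip_address(p) for p in ip_set.split(",")}


def build_device_query(server_url, include_ips, exclude_ips=None):
    """URL for 'Get All Devices For Specified IP Address Range'. The path and the
    query parameter names are assumed, not taken from the connector."""
    params = {"includeIps": parse_ip_set(include_ips)}
    if exclude_ips:
        params["excludeIps"] = parse_ip_set(exclude_ips)
    return f"{server_url.rstrip('/')}/phoenix/rest/cmdbDeviceInfo/devices?{urlencode(params)}"


def element_to_dict(elem):
    """xmltodict-style conversion: XML attributes become '@name' keys, repeated child
    tags become lists, and a leaf's text becomes its value."""
    result = {f"@{k}": v for k, v in elem.attrib.items()}
    children = list(elem)
    if not children:
        text = (elem.text or "").strip()
        if not result:
            return text
        if text:
            result["#text"] = text
        return result
    for child in children:
        value = element_to_dict(child)
        if child.tag in result:
            if not isinstance(result[child.tag], list):
                result[child.tag] = [result[child.tag]]
            result[child.tag].append(value)
        else:
            result[child.tag] = value
    return result


def parse_devices(xml_text):
    """Parse a <devices> document into {'devices': {'device': [...]}}; a single
    <device> (or none) is normalised to a list so callers always iterate."""
    root = ET.fromstring(xml_text)
    devices = element_to_dict(root)
    if not isinstance(devices, dict):  # empty <devices/> converts to ""
        devices = {}
    entries = devices.get("device", [])
    devices["device"] = entries if isinstance(entries, list) else [entries]
    return {root.tag: devices}


# Constructed sample in CMDB XML form; the full attribute set is in the schema above.
SAMPLE_XML = """<devices>
  <device>
    <name>web01</name><accessIp>192.168.20.5</accessIp><approved>true</approved>
    <deviceType><vendor>Linux</vendor><model>Ubuntu</model></deviceType>
    <organization id="1" name="Super"/>
  </device>
  <device>
    <name>fw01</name><accessIp>192.168.21.1</accessIp><approved>true</approved>
    <deviceType><vendor>Fortinet</vendor><model>FortiGate</model></deviceType>
    <organization id="2" name="Acme Corp"/>
  </device>
</devices>"""


def devices_in_scope(xml_text, include_ips):
    """Names of returned devices whose accessIp really lies in the requested set,
    a sanity check on the server-side filtering."""
    data = parse_devices(xml_text)
    return [d["name"] for d in data["devices"]["device"] if ip_in_set(d["accessIp"], include_ips)]


if __name__ == "__main__":
    print(build_device_query("https://fortisiem.example", "192.168.20.1-192.168.20.100"))
    print(devices_in_scope(SAMPLE_XML, "192.168.20.1-192.168.20.100"))
```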

operation: Get Device Information

Input parameters

Parameter Description
Device IP Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "device": {
    "luns": "",
    "name": "",
    "status": "",
    "version": "",
    "accessIp": "",
    "approved": "",
    "storages": "",
    "naturalId": "",
    "unmanaged": "",
    "components": "",
    "deviceType": {
      "model": "",
      "vendor": "",
      "version": "",
      "category": "",
      "jobWeight": ""
    },
    "interfaces": {
      "networkinterface": {
        "adminStatus": "",
        "description": "",
        "inSpeed": "",
        "ipv4Addr": "",
        "ipv4IsVirtual": "",
        "ipv4Mask": "",
        "isCritical": "",
        "isMonitor": "",
        "isTrunk": "",
        "isWAN": "",
        "macAddr": "",
        "macIsVirtual": "",
        "name": "",
        "operStatus": "",
        "outSpeed": "",
        "snmpIndex": "",
        "speed": "",
        "type": ""
      }
    },
    "processors": "",
    "raidGroups": "",
    "applications": "",
    "discoverTime": "",
    "organization": {
      "@id": "",
      "@name": ""
    },
    "updateMethod": "",
    "ipToHostNames": "",
    "storageGroups": "",
    "creationMethod": "",
    "description": "",
    "discoverMethod": "",
    "winMachineGuid": "",
    "eventParserList": "",
    "systemUpTime": "",
    "softwarePatches": "",
    "softwareServices": "",
    "sanControllerPorts": ""
  }
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
  "monitoredDevices": {
    "eventPullingDevices": "",
    "perfMonDevices": {
      "device": {
        "deviceName": "",
        "monitors": {
          "monitor": [
            {
              "method": "",
              "category": ""
            }
          ]
        },
        "deviceType": "",
        "organization": "",
        "accessIp": ""
      }
    }
  }
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
  "disabled": "",
  "@lastModified": "",
  "name": "",
  "initialized": "",
  "collectors": {
    "collector": []
  },
  "@xmlId": "",
  "custProperties": "",
  "@ownerId": "",
  "@id": "",
  "domainId": "",
  "@entityVersion": "",
  "@custId": "",
  "@creationTime": ""
}

operation: List Incidents

Input parameters

Parameter Description
Incident ID (Deprecated) Specify the ID of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Important: This option is deprecated and will be available only until the next major version of the connector. To retrieve details of incidents using the Incident ID, use the 'Get Incident Details' operation.
Search Specify the filter based on which you want to search and retrieve incidents from the Fortinet FortiSIEM server. You can choose from the following options: Incident Status, Incident Category, Incident Sub Category, Reporting Device, Severity, Host, IP, Organization, or Event Type. By default, this option is set as Incident Status.

  • If you choose 'Incident Status', then from the Incident Status field, choose the status of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose between Active, Auto Cleared, Manually Cleared, or System Cleared, or you can select all or any of the options. By default, this option is set as Active.
  • If you choose 'Incident Category', then in the Incident Category field, enter the category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Incident Sub Category', then in the Incident Sub Category field, enter the subcategory of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Severity', then in the Severity field, choose the severity of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either High, Medium, Low, or any combination of the options.
  • If you choose 'Host', then in the Hostname field, enter the value of the hostname based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'IP', then in the IP Address field, enter the value of the IP address based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Reporting Device', then in the Reporting Device field, enter the value of the reporting device based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Organization', then in the Organization field, enter the name of the organization based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
  • If you choose 'Event Type', then in the Event Type field, enter the type of event based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Time Selection (Optional) Specify the time for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to retrieve the list of incidents from the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation retrieves the list of incidents that have occurred in the last 2 hours from the Fortinet FortiSIEM server.
Number Of Items To Return In Response (Optional) The maximum number of incidents that you want this operation to return in the response. By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Event Fields To Show In Response (Optional) Fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "@start": "",
  "events": [
    {
      "id": "",
      "nid": "",
      "index": "",
      "custId": "",
      "dataStr": "",
      "eventType": "",
      "attributes": {
        "count": "",
        "tagName": "",
        "customer": "",
        "procName": "",
        "eventName": "",
        "eventType": "",
        "srcIpAddr": "",
        "bizService": "",
        "incidentId": "",
        "phRecvTime": "",
        "incidentSrc": "",
        "activityName": "",
        "attackTactic": "",
        "incidentReso": "",
        "eventSeverity": "",
        "incidentRptIp": "",
        "incidentTitle": "",
        "incidentDetail": "",
        "incidentStatus": "",
        "incidentTarget": "",
        "incidentExtUser": "",
        "phEventCategory": "",
        "eventSeverityCat": "",
        "incidentComments": "",
        "incidentLastSeen": "",
        "incidentTicketId": "",
        "attackTechniqueId": "",
        "incidentFirstSeen": "",
        "incidentViewUsers": "",
        "phIncidentImpacts": "",
        "incidentNotiStatus": "",
        "incidentRptDevName": "",
        "incidentTicketUser": "",
        "incidentViewStatus": "",
        "phIncidentCategory": "",
        "phSubIncidentCategory": "",
        "incidentClearedTime": "",
        "incidentClearedUser": "",
        "incidentExtTicketId": "",
        "incidentRptDevStatus": "",
        "incidentTicketStatus": "",
        "incidentClearedReason": "",
        "incidentExtTicketType": "",
        "incidentExtClearedTime": "",
        "incidentExtTicketState": "",
        "incidentNotiRecipients": ""
      },
      "receiveTime": ""
    }
  ],
  "@queryId": "",
  "@errorCode": "",
  "@totalCount": ""
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident IDs IDs of incidents, in the CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server.
Time Selection (Optional) Specify the time for which you want to retrieve the details of incidents from the Fortinet FortiSIEM server. By default, this is set as Relative Time.
If you choose 'Relative Time':
  • Relative Time: (Optional) Specify the time duration for which you want to retrieve the incidents from the Fortinet FortiSIEM server. For example, if you choose Hours and provide 2 in the value, then this operation retrieves incidents that have occurred in the last 2 hours, from the Fortinet FortiSIEM server.
  • Last:
If you choose 'Absolute Time':
  • From: (Optional) Specify the start DateTime to retrieve the incidents from the Fortinet FortiSIEM server.
  • To: (Optional) Specify the end DateTime to retrieve the incidents from the Fortinet FortiSIEM server.
Event Fields To Show In Response (Optional) Fields that you want to include in the details of the incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "@start": "",
  "events": [
    {
      "id": "",
      "nid": "",
      "index": "",
      "custId": "",
      "dataStr": "",
      "eventType": "",
      "attributes": {
        "count": "",
        "tagName": "",
        "customer": "",
        "procName": "",
        "eventName": "",
        "eventType": "",
        "srcIpAddr": "",
        "bizService": "",
        "destGeoOrg": "",
        "destIpAddr": "",
        "incidentId": "",
        "phRecvTime": "",
        "destGeoCity": "",
        "incidentSrc": "",
        "activityName": "",
        "attackTactic": "",
        "destGeoState": "",
        "incidentReso": "",
        "eventSeverity": "",
        "incidentRptIp": "",
        "incidentTitle": "",
        "destGeoCountry": "",
        "incidentDetail": "",
        "incidentStatus": "",
        "incidentTarget": "",
        "destGeoLatitude": "",
        "incidentExtUser": "",
        "phEventCategory": "",
        "destGeoLongitude": "",
        "eventSeverityCat": "",
        "incidentComments": "",
        "incidentLastSeen": "",
        "incidentTicketId": "",
        "attackTechniqueId": "",
        "incidentFirstSeen": "",
        "incidentViewUsers": "",
        "phIncidentImpacts": "",
        "incidentNotiStatus": "",
        "incidentRptDevName": "",
        "incidentTicketUser": "",
        "incidentViewStatus": "",
        "phIncidentCategory": "",
        "phSubIncidentCategory": "",
        "incidentClearedTime": "",
        "incidentClearedUser": "",
        "incidentExtTicketId": "",
        "incidentRptDevStatus": "",
        "incidentTicketStatus": "",
        "incidentClearedReason": "",
        "incidentExtTicketType": "",
        "incidentExtClearedTime": "",
        "incidentExtTicketState": "",
        "incidentNotiRecipients": ""
      },
      "receiveTime": ""
    }
  ],
  "@queryId": "",
  "@errorCode": "",
  "@totalCount": ""
}

operation: Get Organization Details

Input parameters

Parameter Description
Organization ID The ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "@custId": "",
  "@creationTime": "",
  "@entityVersion": "",
  "@id": "",
  "@lastModified": "",
  "name": "",
  "domainId": "",
  "@xmlId": "",
  "@ownerId": "",
  "initialized": "",
  "disabled": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID The ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "message": "",
  "incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID The ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason The reason text that you want to record while clearing the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "message": "",
  "incident_id": []
}

operation: Change Severity

Input parameters

Parameter Description
Incident ID The ID of the incident whose severity you want to update on the Fortinet FortiSIEM server.
Incident Severity The severity that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose from the following options: HIGH, MEDIUM, or LOW.

Output

The output contains the following populated JSON schema:
{
  "incident_id": [],
  "message": ""
}

operation: Change Resolution

Input parameters

Parameter Description
Incident ID The ID of the incident whose resolution you want to update on the Fortinet FortiSIEM server.
Incident Resolution The resolution that you want to set for the specified incident on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.

Output

The output contains the following populated JSON schema:
{
  "incident_id": [],
  "message": ""
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID The ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
From (Optional) Specify the start DateTime from when you want to retrieve associated events from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime till when you want to retrieve associated events from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default associated events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.
Number Of Items To Return In Response (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "nid": "",
  "index": "",
  "custId": "",
  "dataStr": "",
  "eventType": "",
  "attributes": {
    "uuid": "",
    "vdom": "",
    "count": "",
    "fwRule": "",
    "eventId": "",
    "ipProto": "",
    "srcName": "",
    "subtype": "",
    "customer": "",
    "destName": "",
    "fwAction": "",
    "logLevel": "",
    "memberID": "",
    "totFlows": "",
    "trandisp": "",
    "eventName": "",
    "fileName": "",
    "procName": "",
    "avgDurationMSec": "",
    "maxDurationMSec": "",
    "minDurationMSec": "",
    "pktLossPct": "",
    "hostIpAddr": "",
    "hostName": "",
    "lineNumber": "",
    "eventType": "",
    "reptModel": "",
    "sessionId": "",
    "srcIpAddr": "",
    "srcIpPort": "",
    "totPkts64": "",
    "destGeoOrg": "",
    "destIpAddr": "",
    "destIpPort": "",
    "deviceTime": "",
    "parserName": "",
    "phRecvTime": "",
    "recvPkts64": "",
    "reptVendor": "",
    "sentPkts64": "",
    "totBytes64": "",
    "collectorId": "",
    "destGeoCity": "",
    "eventAction": "",
    "rawEventMsg": "",
    "recvBytes64": "",
    "reptDevName": "",
    "sentBytes64": "",
    "serviceName": "",
    "srcIntfName": "",
    "timeSkewSec": "",
    "appGroupName": "",
    "destGeoState": "",
    "destIntfName": "",
    "durationMSec": "",
    "eventParsedOk": "",
    "eventSeverity": "",
    "reptDevIpAddr": "",
    "destGeoCountry": "",
    "profileDetails": "",
    "relayDevIpAddr": "",
    "destGeoLatitude": "",
    "phEventCategory": "",
    "destGeoLongitude": "",
    "eventRuleTrigger": "",
    "eventSeverityCat": "",
    "postNATSrcIpAddr": "",
    "postNATSrcIpPort": "",
    "extEventRecvProto": "",
    "destGeoCountryCodeStr": ""
  },
  "receiveTime": ""
}

operation: Run Advanced Search Query

Input parameters

Parameter Description
Advanced Search Query Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr
Order By (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC
Time Range (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for reports that you want to run on the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter Description
Incident ID The ID of the incident that you want to update on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.
Incident Status Status of the incident that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket Type Type of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket ID The ID of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Ticket State State of the external ticket that you want to update in the specified incident on the Fortinet FortiSIEM server.
External Assigned User The externally assigned user that you want to set in the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "message": "",
  "incident_id": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Event ID The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "nid": "",
  "index": "",
  "custId": "",
  "dataStr": "",
  "eventType": "",
  "attributes": {
    "uuid": "",
    "vdom": "",
    "count": "",
    "fwRule": "",
    "eventId": "",
    "ipProto": "",
    "srcName": "",
    "subtype": "",
    "customer": "",
    "destName": "",
    "fwAction": "",
    "logLevel": "",
    "memberID": "",
    "totFlows": "",
    "trandisp": "",
    "eventName": "",
    "eventType": "",
    "reptModel": "",
    "sessionId": "",
    "srcIpAddr": "",
    "srcIpPort": "",
    "totPkts64": "",
    "destGeoOrg": "",
    "destIpAddr": "",
    "destIpPort": "",
    "deviceTime": "",
    "parserName": "",
    "phRecvTime": "",
    "recvPkts64": "",
    "reptVendor": "",
    "sentPkts64": "",
    "totBytes64": "",
    "collectorId": "",
    "destGeoCity": "",
    "eventAction": "",
    "rawEventMsg": "",
    "hostIpAddr": "",
    "hostName": "",
    "recvBytes64": "",
    "reptDevName": "",
    "sentBytes64": "",
    "serviceName": "",
    "srcIntfName": "",
    "timeSkewSec": "",
    "appGroupName": "",
    "destGeoState": "",
    "destIntfName": "",
    "durationMSec": "",
    "eventParsedOk": "",
    "eventSeverity": "",
    "reptDevIpAddr": "",
    "destGeoCountry": "",
    "profileDetails": "",
    "relayDevIpAddr": "",
    "destGeoLatitude": "",
    "phEventCategory": "",
    "destGeoLongitude": "",
    "eventRuleTrigger": "",
    "eventSeverityCat": "",
    "postNATSrcIpAddr": "",
    "postNATSrcIpPort": "",
    "extEventRecvProto": "",
    "destGeoCountryCodeStr": ""
  },
  "receiveTime": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select the attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting IP, Source IP, Source Port, Source MAC, or User.
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter the search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response (Optional) The maximum number of events that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

operation: Get Events Data By Query ID

Input parameters

Parameter Description
Query ID The ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc.
Number Of Items To Return In Response (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.

Output

The output contains a non-dictionary value.

operation: Get Watch Lists

Input parameters

Parameter Description
Get Watch List Data By Select the parameters using which you want to retrieve watch list data from Fortinet FortiSIEM.
  • If you choose 'Get All Watch Lists', then data for all watch lists are retrieved from Fortinet FortiSIEM.
  • If you choose 'By Watch List ID', then in the Watch List ID field you must specify the ID of the watch list whose details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry Value', then in the Entry Value field you must specify the value of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry ID', then in the Watch List Entry ID field you must specify the ID of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.

Output

If you choose "Get All Watch Lists", "By Watch List ID", or "By Watch List Entry Value" as the "Get Watch List Data By", then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}

This is the default output schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Get Watch List Entries Count

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}

operation: Get Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to retrieve from Fortinet FortiSIEM.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}

operation: Add Watch List Entries To Watch List

Input parameters

Parameter Description
Watch List ID The ID of the watch list to which you want to add watch list entries.
Other parameters JSON Array of watch list entry objects that you want to add to specific watch lists.
For example,
{
"inclusive": false,
"count": 10,
"custId": 1,
"triggeringRules": "Datastore Space Warning",
"entryValue": "PVVol_A001_A000356_POWER2",
"ageOut": "1d",
"lastSeen": 1613601369215,
"firstSeen": 1613601369215,
"disableAgeout": false,
"dataCreationType": "USER"
}

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Watch List

Input parameters

Parameter Description
Watch List JSON Object JSON Object of a watch list with a watch list entry that you want to create in the FortiSIEM database. For example,
{
"description": "Servers, network or storage devices",
"displayName": "Resource Issues Test4",
"type": "DyWatchList",
"isCaseSensitive": false,
"dataCreationType": "USER",
"topGroup": false,
"valuePattern": null,
"valueType": "STRING",
"ageOut": "1d",
"custId": 1,
"entries": [
{
"inclusive": true,
"entryValue": "PVVol_A001_A000356_5new",
"ageOut": "1d",
"count": 1,
"custId": 1,
"firstSeen": 1612901760000,
"lastSeen": 1612901760000,
"triggeringRules": "Datastore Space Warning",
"dataCreationType": "USER"
}
]
}

Where the displayName and type are the required fields.

Output

The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Update Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to update in the FortiSIEM database.
Count (Optional) Specify the occurrence count of the watch list entry that you want to update in the FortiSIEM database.
Last Seen Time (Optional) Specify the value of the last seen time, i.e., the Unix timestamp, of the specific watch list that you want to update in the FortiSIEM database.
State From the State drop-down list select Active to set the specific watch list to the 'Active' state; select Inactive to set the specific watch list to the 'Inactive' state.
Other Parameters JSON Object of a watch list with a watch list entry that you want to update in the FortiSIEM database. For example,
{
"lastSeen": 1612901760002,
"dataCreationType": "USER",
"firstSeen": 1612901760001,
"count": 100,
"custId": "1",
"triggeringRules": "Datastore Space Warning",
"description": "Testing again",
"id": 889400,
"inclusive": true,
"entryValue": "PVVol_A001_A000356_POWER23",
"expiredTime": 1612988160001,
"ageOut": "2d"
}

Output

The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}

operation: Delete Watch List Entry

Input parameters

Parameter Description
Watch List Entry IDs IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [500000, 500001]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Delete Watch List

Input parameters

Parameter Description
Watch List IDs IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [500000, 500001]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Lookup Table

Input parameters

Parameter Description
Name Specify the name of the lookup table that you want to create in FortiSIEM.
Note: The table name must contain only letters and digits.
Column List Specify the list of column definitions for the lookup table you want to create in FortiSIEM. For each column you must specify the following three values:
  • key - boolean indicating whether or not the column is a primary-key column
  • name - name of the column
  • type - type of the column, which can be STRING, LONG, or DOUBLE.
    For example,
    [
    {"key": true, "name": "url", "type": "STRING"},
    {"key": false, "name": "wfCategoryID", "type": "LONG"}
    ]
Description (Optional) Specify the description of the lookup table that you want to create in FortiSIEM.
Organization Name (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user.

Output

The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}

operation: Get All Lookup Table

Input parameters

Parameter Description
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}

operation: Delete Lookup Table

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose definition you want to delete from the FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Import Lookup Table Data

Input parameters

Parameter Description
File IRI/Attachment ID Select the method using which you want to import the CSV file present in FortiSOAR to the FortiSIEM lookup table. You can choose between Attachment ID and File IRI.
  • If you choose 'Attachment ID', then in the Attachment ID field specify the Attachment ID of the CSV file that you want to import into the specified lookup table in FortiSIEM.
  • If you choose 'File IRI', then in the File IRI field specify the CSV file that you want to import into the specified lookup table in FortiSIEM.
Lookup Table ID Specify the unique identifier representing the lookup table in FortiSIEM into which you want to import the CSV file.
Mapping Specify the configuration that matches the position of columns in the CSV file to columns in the specified lookup table. The format of the mapping is as follows: {"<columnName>":<columnPosition>, "<columnName>":<columnPosition>}
For example, {"url":1, "wfCategoryID":2}
File Separator Specify the field separator used in the specified CSV file. By default, this is set as the comma character (,).
File Quote Char Specify the quote character used in the specified CSV file. By default, this is set as the double quotation character (").
Skip Header Select this option to ignore the header of the specified CSV file.
Update Type Select the method of updating the data in FortiSIEM. You can choose between Overwrite (default) or Append.
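As an added example that is not part of the connector or of this document, the following Python function pre-checks a CSV file against a Create Lookup Table column list and an Import Lookup Table Data mapping, applying the File Separator, File Quote Char and Skip Header settings, so that type mismatches and duplicate keys are caught before the file is handed to the import task. The column list, mapping and CSV are constructed for the example; that mapping positions are 1-based is an assumption taken from the page's own example {"url":1, "wfCategoryID":2}.

```python
import csv
import io

# Column definitions in the format of the Create Lookup Table "Column List"
# parameter (key / name / type, where type is STRING, LONG or DOUBLE).
# These definitions are constructed for this example.
COLUMN_LIST = [
    {"key": True, "name": "url", "type": "STRING"},
    {"key": False, "name": "wfCategoryID", "type": "LONG"},
    {"key": False, "name": "score", "type": "DOUBLE"},
]

# Mapping in the format of the Import Lookup Table Data "Mapping" parameter:
# lookup-table column name -> position of that column in the CSV file.
# Assumption (not stated on the page): positions are 1-based, as suggested by
# the page's own example {"url":1, "wfCategoryID":2}.
MAPPING = {"url": 1, "wfCategoryID": 3, "score": 2}

# Constructed sample CSV using ';' as separator: a header line, two good rows,
# one row whose category is not a LONG, and one row that repeats a key value.
SAMPLE_CSV = (
    'url;score;category\n'
    '"http://example.com";0.50119;30\n'
    '"http://example.org;mirror";0.25;31\n'
    '"http://example.net";0.9;not-a-number\n'
    '"http://example.com";0.1;32\n'
)

# How each lookup-table column type is coerced from the CSV text.
_CASTERS = {"STRING": str, "LONG": int, "DOUBLE": float}


def preview_import(csv_text, column_list, mapping, separator=",",
                   quote_char='"', skip_header=False):
    """Parse csv_text the way the import parameters describe it and return
    (rows, errors). rows is a list of dicts keyed by lookup-table column name
    with values coerced to the column type; errors is a list of
    (line_number, message) for anything that should be fixed before import.
    Line 0 in an error means the mapping itself is wrong."""
    types = {c["name"]: c["type"] for c in column_list}
    key_columns = [c["name"] for c in column_list if c["key"]]
    errors = []

    # Static checks on the mapping: every name must be a real column and
    # every primary-key column must be mapped, or rows cannot be identified.
    for name in mapping:
        if name not in types:
            errors.append((0, f"mapping refers to unknown column {name!r}"))
    for name in key_columns:
        if name not in mapping:
            errors.append((0, f"key column {name!r} is not mapped"))
    if errors:
        return [], errors

    reader = csv.reader(io.StringIO(csv_text), delimiter=separator,
                        quotechar=quote_char)
    rows, seen_keys = [], set()
    for line_no, fields in enumerate(reader, start=1):
        if skip_header and line_no == 1:
            continue
        if not fields:
            continue  # blank line
        row, ok = {}, True
        for name, position in mapping.items():
            if not 1 <= position <= len(fields):
                errors.append((line_no, f"column {name!r} expects field "
                                        f"{position}, line has {len(fields)}"))
                ok = False
                continue
            raw = fields[position - 1]
            try:
                row[name] = _CASTERS[types[name]](raw)
            except ValueError:
                errors.append((line_no, f"{raw!r} is not a valid "
                                        f"{types[name]} for column {name!r}"))
                ok = False
        if not ok:
            continue
        # The primary-key columns identify a row; flag repeats locally so the
        # import does not silently depend on overwrite/append behaviour.
        key = tuple(row[k] for k in key_columns)
        if key in seen_keys:
            errors.append((line_no, f"duplicate primary key {key!r}"))
            continue
        seen_keys.add(key)
        rows.append(row)
    return rows, errors


if __name__ == "__main__":
    good, bad = preview_import(SAMPLE_CSV, COLUMN_LIST, MAPPING,
                               separator=";", skip_header=True)
    for r in good:
        print("import:", r)
    for line_no, msg in bad:
        print(f"line {line_no}: {msg}")
```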

Output

The output contains the following populated JSON schema:
{
"taskId": ""
}

operation: Check Import Task Status

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table in FortiSIEM for which you want to check the import task status.
Task ID Specify the ID of the task that imports data into the specified lookup table. You can retrieve the task ID from the response of the 'Import Lookup Table Data' action.

Output

The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}

operation: Get Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table for which you want to retrieve items from FortiSIEM.
Start (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.
Search Text (Optional) Specify the Search text using which you want to filter items of the specified lookup table in FortiSIEM.
Sort By (Optional) Specify the lookup table columns using which you want to sort the search results retrieved from FortiSIEM. You can also specify the sort direction for the specified lookup table columns, i.e., descending (DESC) or ascending (ASC).

Output

The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}

operation: Update Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to update in FortiSIEM.
Key Specify the primary key of the item column and its value that you want to update in the specified lookup table. The format is <keyColumn_1>:<value>
For example, key={"url":"http://example.com"}
Column Data Specify the dictionary of column values you want to update in the specified lookup table.
For example, {"url": "www.test.com", "wfCategoryID": 30, "score": 0.50119}

Output

The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}

operation: Delete Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to delete in FortiSIEM.
Primary Keys Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[
{<keyColumn_1>:<value>,<keyColumn_2>:<value>}
]

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

Included playbooks

The Sample - Fortinet FortiSIEM - 4.4.0 playbook collection comes bundled with the Fortinet FortiSIEM connector. This collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
NOTE: If you want to link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, you can use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM by specifying either a "Time Range (minutes)", i.e., incidents that have been updated in FortiSIEM in the last X minutes, or an "Incident ID". When you are fetching data based on the "Time Range", you must specify the from and to dates for which you want to retrieve incidents from Fortinet FortiSIEM. When you are fetching data based on an "Incident ID", you must specify the ID of the incident that you want to retrieve from Fortinet FortiSIEM. The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts.
    You can also specify additional parameters such as the maximum number of events to be fetched per incident, filters such as status, category, subcategory, severity, etc., to be applied to incidents to be fetched, etc.
    Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and you have checked the Configure Multi-Tenant Mappings checkbox, then ensure that you map the organization name defined in FortiSIEM to a tenant in FortiSOAR™.

    If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the eventName parameter of a FortiSIEM incident to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the eventName field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
    Important: While configuring data ingestion in version 5.1.1, picklists do not map correctly. For example, the Severity picklist. To ensure that picklists map correctly, enter the following (considering the severity picklist) in the picklist field:
    {{vars.item.incident_data.attributes.eventSeverityCat | resolveRange(vars.alerts_severity_map)}}
    This issue has been resolved in FortiSOAR™ Version 6.0.0.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from FortiSIEM every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
