Fortinet black logo

Fortinet FortiSIEM

Fortinet FortiSIEM v5.0.1

Copy Link
Copy Doc ID 0c6d85ca-7c5d-11ed-8e6d-fa163e15d75b:464

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM.
For more information, see the Data Ingestion Support section.
NOTE: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.0.0 (or later) from version 4.5.0. For more information, see the Reconfiguring 'FortiSIEM' Data Ingestion section.

For a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration, see the Best Practices - Working with FortiSOAR FortiSIEM Integration section.

Version information

Connector Version: 5.0.1

FortiSOAR™ Version Tested on: 7.3.0-2034

Fortinet FortiSIEM Version Tested on: 6.6.0.1633

Authored By: Fortinet

Certified: Yes

Release Notes for version 5.0.1

The following enhancements have been made to the Fortinet FortiSIEM connector in version 5.0.1:

  • Fixed an issue with data ingestion playbooks that prevented data ingestion from working when 'By Sample Incident ID' was selected on the 'Fetch Data' screen in the Data Ingestion Wizard. This issue prevented the Data Ingestion Wizard from retrieving a single incident from Fortinet FortiSIEM based on the incident ID you had specified.
  • Fixed an issue with response conversion for all lookup table actions.

Important Notes related to this release of the connector:

  • Only FortiSIEM releases 6.4.0 and later are supported by this connector.
  • You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.0.0 (or later) from version 4.5.0. For more information, see the Reconfiguring 'FortiSIEM' Data Ingestion section.
  • The FortiSIEM API does not support filtering incidents in the "List Incident" action based on severity and sub-category.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortisiem

Prerequisites to configuring the connector

  • You must have the URL of a Fortinet FortiSIEM server to which you will connect and perform automated operations and the credentials, such as the username and password, to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiSIEM server.

Minimum Permissions Required

  • The minimum privileges that require to be assigned to users who are going to use this connector and run actions on FortiSIEM are "Read" and "Update" access on Incidents and access to "Run Advanced Search Query".

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
Get Organization Details Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. get_organization
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the time range, and other filter criteria you have specified.
Note: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on severity and sub-category.
get_incidents
Investigation
Get Incident Details Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. get_incident_details
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. get_associated_events
Investigation
Run Advanced Search Query Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. run_report
Investigation
Update Incident Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. update_incident
Investigation
Get Event Details Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. get_event_details
Investigation
Search Events Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. search_events
Investigation
Get Event Attributes Retrieves all event attributes from the Fortinet FortiSIEM server. get_incident_attributes
Investigation
Get Events Data By Query ID Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. get_events_by_query_id
Investigation
Get Watch Lists Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. get_watch_lists
Investigation
Get Watch List Entries Count Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. get_watch_list_entries_count
Investigation
Get Watch List Entry Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. get_watch_list_entry
Investigation
Add Watch List Entries To Watch List Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. update_watch_list_group
Investigation
Create Watch List Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. create_watch_list_group
Investigation
Update Watch List Entry Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. update_watch_list_entry
Investigation
Delete Watch List Entry Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. delete_watch_list_entry
Investigation
Delete Watch List Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. delete_watch_list
Investigation
Create Lookup Table Creates the definition of a lookup table in the FortiSIEM server based on the name, column list, and other input parameters you have specified. create_lookup_table
Investigation
Get All Lookup Table Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. get_all_lookup_tables
Investigation
Delete Lookup Table Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. delete_lookup_table
Investigation
Import Lookup Table Data Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. import_lookup_table_data
Investigation
Check Import Task Status Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. check_import_task_status
Investigation
Get Lookup Table Data Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. get_lookup_table_data
Investigation
Update Lookup Table Data Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. update_lookup_table_data
Investigation
Delete Lookup Table Data Delete items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. delete_lookup_table_data
Investigation
Get All Resource Lists Retrieves a list of all resources from the Fortinet FortiSIEM server. get_all_resource_list
Investigation
Get Resource List Entries Retrieves a list of elements that belong to a specific resource list in FortiSIEM based on the resource group ID, resource type, and other input parameters you have specified. get_resource_list_entries
Investigation
Add Entries To Resource List Adds new elements to a specific resource list in FortiSIEM based on the resource group ID, resource data, and resource type you have specified. add_entries_to_resource_list
Investigation
Remove Entries From Resource List Deletes elements from a resource list in FortiSIEM based on the resource IDs and resource type you have specified. remove_entries_from_resource_list
Investigation

operation: Get All Devices

Input parameters

Parameter Description
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter, 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get Device Information

Input parameters

Parameter Description
Device IP Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"luns": "",
"name": "",
"status": "",
"version": "",
"accessIp": "",
"approved": "",
"storages": "",
"naturalId": "",
"unmanaged": "",
"components": "",
"deviceType": {
"model": "",
"vendor": "",
"version": "",
"category": "",
"jobWeight": ""
},
"interfaces": {
"networkinterface": {
"adminStatus": "",
"description": "",
"inSpeed": "",
"ipv4Addr": "",
"ipv4IsVirtual": "",
"ipv4Mask": "",
"isCritical": "",
"isMonitor": "",
"isTrunk": "",
"isWAN": "",
"macAddr": "",
"macIsVirtual": "",
"name": "",
"operStatus": "",
"outSpeed": "",
"snmpIndex": "",
"speed": "",
"type": ""
}
},
"processors": "",
"raidGroups": "",
"applications": "",
"discoverTime": "",
"organization": {
"@id": "",
"@name": ""
},
"updateMethod": "",
"ipToHostNames": "",
"storageGroups": "",
"creationMethod": "",
"description": "",
"discoverMethod": "",
"winMachineGuid": "",
"eventParserList": "",
"systemUpTime": "",
"softwarePatches": "",
"softwareServices": "",
"sanControllerPorts": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}

operation: List Incidents

Input parameters

Important: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on severity and sub-category.

Parameter Description
From (Optional) Specify the start DateTime to retrieve incidents from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime to retrieve the incidents from the Fortinet FortiSIEM server.
Incident Status Select one or more incident statuses based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can select either Active, Auto Cleared, Manually Cleared, System Cleared, or any combination of the options.
Incident Category (Optional) Specify the category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Incident Sub Category (Optional) Specify the sub-category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Incident Severity (Optional) Select one or more incident severities based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either High, Medium, Low, or any combination of the options.
Event Type (Optional) Specify the event type of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Other Filters

(Optional) Specify the parameters using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example,
{
"status": [0],
"eventType": ["PH_RULE_SERVER_CPU_WARN"],
"incidentRptIp": ["10.7.12.156"]
}

Number Of Items To Return In Response (Optional) The maximum number of incidents that you want this operation to return in the response.
By default, the page size is set to 500 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Order By (Optional) Field using which you want to sort incidents retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, incidentLastSeen DESC
Event Fields To Show In Response (Optional) Comma-separated list of event fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentClearedReason": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident IDs IDs of incidents, in the CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}

operation: Get Organization Details

Input parameters

Parameter Description
Organization ID The ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID The ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID The ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason Specify the text of the reason that you want to specify while clearing the specified incident from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID The ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 10 items.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": 0,
"custId": 2000,
"dataStr": {},
"eventType": "",
"attributes": {
"Count": "",
"Event ID": "",
"Source IP": "",
"Time skew": "",
"Event Type": "",
"Attack Name": "",
"Device Time": "",
"Relaying IP": "",
"Collector ID": "",
"Malware Name": "",
"Reporting IP": "",
"Raw Event Log": "",
"Destination IP": "",
"Event Severity": "",
"Organization ID": "",
"Reporting Model": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"Virus/Malware ID": "",
"Event Parser Name": "",
"Organization Name": "",
"Event Parse Status": "",
"Event Receive Time": "",
"Event Rule Trigger": "",
"Source TCP/UDP Port": "",
"Destination Host Name": "",
"System Event Category": "",
"Event Severity Category": "",
"Destination TCP/UDP Port": "",
"External Event Receive Protocol": ""
},
"rawMessage": "",
"receiveTime": "",
"eventAttributes": []
}

operation: Run Advanced Search Query

Input parameters

Parameter Description
Advanced Search Query Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr
Order By (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC
Time Range (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for reports that you want to run on the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter Description
Incident ID Specify the ID of the incident you want to update on the Fortinet FortiSIEM server.
Comment Text Specify the text of the comment that you want to add to the specified incident you want to update on the Fortinet FortiSIEM server.
Incident Status (Optional) Select the incident status that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: Active, Auto Cleared, Manually Cleared, or System Cleared.
Incident Severity (Optional) Select the incident severity that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: HIGH, MEDIUM, or LOW.
Incident Resolution (Optional) Select the resolution that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.
External Ticket Type (Optional) Select the external ticket type of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: High, Medium, or Low.
External Ticket ID (Optional) Specify the ID of the external ticket ID to update in the specified incident you want to update on the Fortinet FortiSIEM server.
External Ticket State (Optional) Select the external ticket state of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: New, Assigned, In Progress, or Closed.
External Assigned User (Optional) Specify the assigned user of the external ticket to update in the specified incident you want to update on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Event ID The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"hostIpAddr": "",
"hostName": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter the search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

operation: Get Events Data By Query ID

Input parameters

Parameter Description
Query ID The ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc.
Number Of Items To Return In Response (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.

Output

The output contains a non-dictionary value.

operation: Get Watch Lists

Input parameters

Parameter Description
Get Watch List Data By

Select the parameters using which you want to retrieve watch list data from Fortinet FortiSIEM.

  • If you choose 'Get All Watch Lists', then data for all watch lists are retrieved from Fortinet FortiSIEM.
  • If you choose 'By Watch List ID', then in the Watch List ID field you must specify the ID of the watch list whose details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry Value', then in the Entry Value field you must specify the value of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry ID', then in the Watch List Entry ID field you must specify the ID of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.

Output

The output contains the following populated JSON schema: If you choose "Get All Watch Lists", "By Watch List ID" or "By Watch List Entry Value" as the "Get Watch List Data By", then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}

This is the default output schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Get Watch List Entries Count

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}

operation: Get Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}

operation: Add Watch List Entries To Watch List

Input parameters

Parameter Description
Watch List ID The ID of the watch list to which you want to add watch list entries.
Other parameters JSON Array of watch list entry objects that you want to add to specific watch lists.
For example,
{
"inclusive": false,
"count": 10,
"custId": 1,
"triggeringRules": "Datastore Space Warning",
"entryValue": "PVVol_A001_A000356_POWER2",
"ageOut": "1d",
"lastSeen": 1613601369215,
"firstSeen": 1613601369215,
"disableAgeout": false,
"dataCreationType": "USER"
}

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Watch List

Input parameters

Parameter Description
Watch List JSON Object JSON Object of a watch list with a watch list entry that you want to create in the FortiSIEM database. For example,
{
'description': 'Servers, network or storage devices',
'displayName': 'Resource Issues Test4',
'type': 'DyWatchList',
'isCaseSensitive': false,
'dataCreationType': 'USER',
'topGroup': false,
'valuePattern': null,
'valueType': 'STRING',
'ageOut': '1d',
'custId': 1,
'entries':
[
{
'inclusive': true,
'entryValue': 'PVVol_A001_A000356_5new',
'ageOut': '1d',
'count': 1,
'custId': 1,
'firstSeen': 1612901760000,
'lastSeen': 1612901760000,
'triggeringRules': 'Datastore Space Warning',
'dataCreationType': 'USER'
}
]
}

Where the displayName and type are the required fields.

Output

The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Update Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to update in the FortiSIEM database.
Count (Optional) Specify the occurrence count of the watch list entry that you want to update in the FortiSIEM database.
Last Seen Time (Optional) Specify the value of the last seen time, i.e., the Unix timestamp, of the specific watch list that you want to update in the FortiSIEM database.
State From the State drop-down list select Active to set the specific watch list to the 'Active' state; select Inactive to set the specific watch list to the 'Inactive' state.
Other Parameters JSON Object of a watch list with a watch list entry that you want to update in the FortiSIEM database. For example,
{
'lastSeen': 1612901760002,
'dataCreationType': 'USER',
'firstSeen': 1612901760001,
'count': 100,
'custId': '1',
'triggeringRules': 'Datastore Space Warning',
'description': 'Testing again',
'id': 889400,
'inclusive': true,
'entryValue': 'PVVol_A001_A000356_POWER23',
'expiredTime': 1612988160001,
'ageOut': '2d'
}

Output

The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}

operation: Delete Watch List Entry

Input parameters

Parameter Description
Watch List Entry IDs IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Delete Watch List

Input parameters

Parameter Description
Watch List IDs IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Lookup Table

Input parameters

Parameter Description
Name Specify the name of the lookup table that you want to create in FortiSIEM.
Note: The table name must contain only alphabets and numbers.
Column List Specify the list of column definitions for the lookup table you want to create in FortiSIEM. For each column you must specify the following three values:
  • key - key indicating whether or not the column is a primary column
  • name- name of the column
  • type - type of column, which can be STRING, LONG, or DOUBLE.
    For example,
    [
    {"key": true, "name": "url", "type": "STRING"},
    {"key": false, "name": "wfCategoryID", "type": "LONG"}
    ]
Description (Optional) Specify the description of the lookup table that you want to create in FortiSIEM.
Organization Name (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user.

Output

The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}

operation: Get All Lookup Table

Input parameters

Parameter Description
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}

operation: Delete Lookup Table

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup Table whose definitions you want to delete from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Import Lookup Table Data

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to import the CSV file present in FortiSOAR to the Fortinet FortiSIEM server lookup table. You can choose between Attachment ID and File IRI.

  • If you choose 'Attachment ID', then in the Attachment ID field specify the Attachment ID of the CSV file that you want to import into the specified lookup table in FortiSIEM.
  • If you choose 'File IRI', then in the File IRI field specify the CSV file that you want to import into the specified lookup table in FortiSIEM.
Lookup Table ID Specify the unique identifier representing the lookup table in FortiSIEM into which you want to import the CSV file in the Fortinet FortiSIEM server.
Mapping Specify the configuration that matches the position of columns in the CSV file to columns in the specified lookup table. The format of the mapping is as follows: {"":,"":}
For example, {"url":1, "wfCategoryID":2}
File Separator Specify the file separator for the specified CSV file. By default, this is set as the comma character(,)
File Quote Char Specify the file quote character for the specified CSV file. By default, this is set as the double quotation character(")
Skip Header Select this option to ignore the header of the specified CSV file.
Update Type Select the method of updating the data in the Fortinet FortiSIEM server. You can choose between Overwrite (default) or Append.

Output

The output contains the following populated JSON schema:
{
"taskId": ""
}

operation: Check Import Task Status

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table in the Fortinet FortiSIEM server for which you want to check the import task status.
Task ID Specify the task id of the importing data to the specified lookup table. You can retrieve the task ID from the response of the 'Import Lookup Table Data' action.

Output

The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}

operation: Get Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table for which you want to retrieve items from the Fortinet FortiSIEM server.
Start (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.
Search Text (Optional) Specify the Search text using which you want to filter items of the specified lookup table in the Fortinet FortiSIEM server.
Sort By (Optional) Specify the lookup table columns using which you want to sort the search results retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified lookup table columns, i.e, descending (DESC) or ascending (ASC).

Output

The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}

operation: Update Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to update in the Fortinet FortiSIEM server.
Key Specify the primary key of the item column and its value that you want to update in the specified lookup table. The format is <keyColumn_1>:<value>
For example, key={"url":"http://example.com"}
Column Data Specify the dictionary of column values you want to update in the specified lookup table.
For example, {"url": "www.test.com", "wfCategoryID": 30, "score": 0.50119}

Output

The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}

operation: Delete Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to delete from the Fortinet FortiSIEM server.
Primary Keys Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[
{<keyColumn_1>:<value>,<keyColumn_2>:<value>}
]

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Get All Resource Lists

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}

operation: Get Resource List Entries

Input parameters

Parameter Description
Resource Group ID Specify the ID of the resource group from which you want to retrieve the specific element types. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups.
Resource Type Select the type of resource (element) that you want to retrieve from the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Number Of Items To Return In Response (Optional) The maximum number of entries that you want this operation to return in the response.
By default, the page size is set to 100 entries.

Output

The output contains the following populated JSON schema:
{
"headerData": {
"objectTypeName": "",
"columnNames": [],
"columnTypes": [],
"methodNames": [],
"columnWidths": [],
"columnActions": [],
"keys": [],
"attrKeys": []
},
"lightValueObjects": [
{
"objectId": "",
"custId": "",
"parentId": "",
"collectorId": "",
"data": [],
"extData": "",
"naturalId": "",
"aoSys": ""
}
],
"errCode": "",
"errObj": "",
"dataType": "",
"totalCount": ""
}

operation: Add Entries To Resource List

Input parameters

Parameter Description
Resource Group ID Specify the ID of the resource group to which you want to add the specified element. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups.
Resource Data Specify the resource (element) data in a key-value pair that you want to add to the specified resource group in the Fortinet FortiSIEM server. For example,
{
"singleIp": "3.3.3.3",
"enableDateFound": false,
"enableLastSeen": false,
"dateFound": null,
"lastSeen": null,
"name": "3.3.3.3",
"malwareType": "ip",
"severity": "low",
"highIp": "3.3.3.3",
"lowIp": "3.3.3.3",
"sysDefined": false,
"active": true,
"groupId": 15732450304
}
Resource Type Select the type of resource (element) that you want to add to the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.

Output

The output contains the following populated JSON schema:
{
"lastModified": "",
"creationTime": "",
"custId": "",
"ownerId": "",
"collectorId": "",
"grpNid": "",
"id": "",
"naturalId": "",
"name": "",
"lowIp": "",
"highIp": "",
"description": "",
"sysDefined": "",
"active": "",
"malwareType": "",
"confidence": "",
"severity": "",
"country": "",
"asn": "",
"dateFound": "",
"lastSeen": "",
"org": "",
"groupId": "",
"naturalIdProperty": "",
"creationDate": "",
"lastModifiedDate": "",
"xmlId": "",
"systemEntity": ""
}

operation: Remove Entries From Resource List

Input parameters

Parameter Description
Resource IDs Specify the IDs of the resources you want to delete from the Fortinet FortiSIEM server.
Resource Type Select the type of resource (element) that you want to delete from the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Fortinet FortiSIEM - 5.0.1 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

  • Device: Get All Devices
  • Device: Get All Devices For Specified IP Address Range
  • Device: Get Device Information
  • Device: List Monitored Devices and Attributes
  • Event: Get Event Attribute
  • Event: Get Event Details
  • Event: Get Events For Incident
  • Event: Search Events
  • > FortiSIEM > Fetch
  • >> FortiSIEM > Fetch Associated events for Incident
  • FortiSIEM > Ingest
  • Get Events Data By Query ID
  • Incident: Clear Incident With Reason
  • Incident: Comment Incident
  • Incident: Get Incident Details
  • Incident: List Incidents
  • Incident: Update Incident
  • Lookup Table: Check Import Task Status
  • Lookup Table: Create Lookup Table
  • Lookup Table: Delete Lookup Table
  • Lookup Table: Delete Lookup Table Data
  • Lookup Table: Get All Lookup Table
  • Lookup Table: Get Lookup Table Data
  • Lookup Table: Import Lookup Table Data
  • Lookup Table: Update Lookup Table Data
  • Organization: Get Organization Details
  • Organization: List Monitored Organizations
  • Resource List: Add Entries To Resource List
  • Resource List: Get All Resource Lists
  • Resource List: Get Resource List Entries
  • Resource List: Remove Entries From Resource List
  • Run Advanced Search Query
  • Watch List: Add Watch List Entries To Watch List
  • Watch List: Create Watch List
  • Watch List: Delete Watch List
  • Watch List: Delete Watch List Entry
  • Watch List: Get Watch List Entries Count
  • Watch List: Get Watch List Entry
  • Watch List: Get Watch Lists
  • Watch List: Update Watch List Entry

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

NOTE: If you want to link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, you can use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

IMPORTANT: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.0.0 (or later) from version 4.5.0. For more information, see the Reconfiguring 'FortiSIEM' Data Ingestion section.

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM specifying either the last X minutes in which the incidents have been created or updated in FortiSIEM (By Updates in Last X Minutes) or an "Incident ID" (By Sample Incident ID). When you are fetching data based on By Updates in Last X Minutes, then in the Pull Incidents Creates/Updates In Last X Minutes field, specify the number of minutes from when you want to retrieve incidents that were created or updated in Fortinet FortiSIEM. When you are fetching data based on By Sample Incident ID, then in the Incident ID field, specify the ID of the incident that you want to retrieve from Fortinet FortiSIEM. When you choose the By Updates in Last X Minutes method to fetch data, you can also apply additional parameters such as the maximum events to be fetched, the maximum number of events to be fetched per incident, filters such as incident status, incident category, incident severity, event type, etc., to be applied to incidents to be retrieved from Fortinet FortiSIEM. Optionally, in the Other Filters field, you can specify parameters using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example,
    {
    "status": [0],
    "eventType": ["PH_RULE_SERVER_CPU_WARN"],
    "incidentRptIp": ["10.7.12.156"]
    }

    The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts. Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and if you have checked the Configure Multi-Tenant Mappings checkbox, then in the Organization Mapping field, ensure that you map the organization name defined in FortiSIEM as a tenant in FortiSOAR™:

    NOTE: If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the customer parameter of a FortiSIEM incident to the Username parameter of a FortiSOAR™ alert, click the Username field and then click the customer field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every morning at 5 am, click Daily, and in the hour box enter 5 , and in the minute box enter 0:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Reconfiguring 'FortiSIEM' Data Ingestion

If you have upgraded your FortiSIEM connector to version 5.0.0 or later from version 4.5.0, then you must reconfigure the 'FortiSIEM' Data Ingestion.

Use FortiSIEM v5.0.0 (and later) Data Ingestion: Post-upgrade, if you want to use FortiSIEM v5.0.0 (or later) data ingestion, then you need to re-run the "Data Ingestion Wizard" to reconfigure FortiSIEM data ingestion, i.e., Open the 'Configurations' page of the FortiSIEM connector and click Configure Data Ingestion to re-run the "Data Ingestion Wizard"

Use FortiSIEM v4.5.0 Data Ingestion: If you want to use FortiSIEM v4.5.0 data ingestion, then you can reconfigure 'FortiSIEM' Data Ingestion using either of the following methods:

  • Before upgrading the connector, open the data ingestion playbooks and re-save the connector step.
    OR
  • If you have not performed the above pre-upgrade step, then post-upgrade, export the data ingestion playbooks of the previous version, edit the 'playbooks.json' file to update the 'version' of the FortiSIEM connector from version 5.0.1 or 5.0.0 to the previous version of the connector, and then re-import the playbooks.json file.

Best Practices - Working with FortiSOAR FortiSIEM Integration

Following is a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration:

  • As the number of incidents in FortiSIEM might be very high, it is suggested to only pull the incidents that are of importance and need to be worked upon. For example, incidents of certain types and certain severity. The ingestion experience allows the configuration of these filters to meet the right requirements.
  • It is strongly suggested to use the ‘Maximum Events To Pull Per Incident' parameter to limit and only fetch required/latest events per incident.
  • It is recommended to tune the ‘Maximum Incidents To Pull’ parameter to limit the incidents fetched per iteration. Tune this parameter based on your scheduler time and the average number of incidents being pulled (with some buffer for peaks).
  • Various performance improvements are done with each important release of the connector, and hence it is suggested to upgrade to the latest version of the integration. Before upgrading, we strongly recommend reading the Release notes and the connector documentation to understand the upgrade requirements/precursors/compatibility.
  • There are important API enhancements/support from FortiSIEM that are incorporated from v5.0.0 (and later) of the connector. Hence, upgrades from earlier versions (for example, from 4.5.0 -> 5.0.0) requires to be well-planned. This has been documented in the Reconfiguring FortiSIEM Data Ingestion section.
Previous
Next

About the connector

Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.

This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM.
For more information, see the Data Ingestion Support section.
NOTE: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.0.0 (or later) from version 4.5.0. For more information, see the Reconfiguring 'FortiSIEM' Data Ingestion section.

For a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration, see the Best Practices - Working with FortiSOAR FortiSIEM Integration section.

Version information

Connector Version: 5.0.1

FortiSOAR™ Version Tested on: 7.3.0-2034

Fortinet FortiSIEM Version Tested on: 6.6.0.1633

Authored By: Fortinet

Certified: Yes

Release Notes for version 5.0.1

The following enhancements have been made to the Fortinet FortiSIEM connector in version 5.0.1:

Important Notes related to this release of the connector:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortisiem

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Username Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Password Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations.
Organization Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get All Devices Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
Get All Devices For Specified IP Address Range Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. get_devices
Investigation
Get Device Information Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. get_devices
Investigation
List Monitored Devices and Attributes Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. get_devices
Investigation
List Monitored Organizations Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. get_domains
Investigation
Get Organization Details Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. get_organization
Investigation
List Incidents Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the time range, and other filter criteria you have specified.
Note: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on severity and sub-category.
get_incidents
Investigation
Get Incident Details Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. get_incident_details
Investigation
Comment Incident Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. incident_comment
Investigation
Clear Incident With Reason Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. clear_incident
Investigation
Get Events For Incident Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. get_associated_events
Investigation
Run Advanced Search Query Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. run_report
Investigation
Update Incident Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. update_incident
Investigation
Get Event Details Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. get_event_details
Investigation
Search Events Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. search_events
Investigation
Get Event Attributes Retrieves all event attributes from the Fortinet FortiSIEM server. get_incident_attributes
Investigation
Get Events Data By Query ID Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. get_events_by_query_id
Investigation
Get Watch Lists Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. get_watch_lists
Investigation
Get Watch List Entries Count Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. get_watch_list_entries_count
Investigation
Get Watch List Entry Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. get_watch_list_entry
Investigation
Add Watch List Entries To Watch List Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. update_watch_list_group
Investigation
Create Watch List Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. create_watch_list_group
Investigation
Update Watch List Entry Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. update_watch_list_entry
Investigation
Delete Watch List Entry Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. delete_watch_list_entry
Investigation
Delete Watch List Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. delete_watch_list
Investigation
Create Lookup Table Creates the definition of a lookup table in the FortiSIEM server based on the name, column list, and other input parameters you have specified. create_lookup_table
Investigation
Get All Lookup Table Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. get_all_lookup_tables
Investigation
Delete Lookup Table Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. delete_lookup_table
Investigation
Import Lookup Table Data Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. import_lookup_table_data
Investigation
Check Import Task Status Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. check_import_task_status
Investigation
Get Lookup Table Data Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. get_lookup_table_data
Investigation
Update Lookup Table Data Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. update_lookup_table_data
Investigation
Delete Lookup Table Data Delete items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. delete_lookup_table_data
Investigation
Get All Resource Lists Retrieves a list of all resources from the Fortinet FortiSIEM server. get_all_resource_list
Investigation
Get Resource List Entries Retrieves a list of elements that belong to a specific resource list in FortiSIEM based on the resource group ID, resource type, and other input parameters you have specified. get_resource_list_entries
Investigation
Add Entries To Resource List Adds new elements to a specific resource list in FortiSIEM based on the resource group ID, resource data, and resource type you have specified. add_entries_to_resource_list
Investigation
Remove Entries From Resource List Deletes elements from a resource list in FortiSIEM based on the resource IDs and resource type you have specified. remove_entries_from_resource_list
Investigation

operation: Get All Devices

Input parameters

Parameter Description
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get All Devices For Specified IP Address Range

Input parameters

Parameter Description
Include IP SET Value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format.
For example, enter, 192.168.20.1-192.168.20.100
Exclude IP SET (Optional) Value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format.
Organization (Optional) Name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}

operation: Get Device Information

Input parameters

Parameter Description
Device IP Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server.
Organization (Optional) Name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"device": {
"luns": "",
"name": "",
"status": "",
"version": "",
"accessIp": "",
"approved": "",
"storages": "",
"naturalId": "",
"unmanaged": "",
"components": "",
"deviceType": {
"model": "",
"vendor": "",
"version": "",
"category": "",
"jobWeight": ""
},
"interfaces": {
"networkinterface": {
"adminStatus": "",
"description": "",
"inSpeed": "",
"ipv4Addr": "",
"ipv4IsVirtual": "",
"ipv4Mask": "",
"isCritical": "",
"isMonitor": "",
"isTrunk": "",
"isWAN": "",
"macAddr": "",
"macIsVirtual": "",
"name": "",
"operStatus": "",
"outSpeed": "",
"snmpIndex": "",
"speed": "",
"type": ""
}
},
"processors": "",
"raidGroups": "",
"applications": "",
"discoverTime": "",
"organization": {
"@id": "",
"@name": ""
},
"updateMethod": "",
"ipToHostNames": "",
"storageGroups": "",
"creationMethod": "",
"description": "",
"discoverMethod": "",
"winMachineGuid": "",
"eventParserList": "",
"systemUpTime": "",
"softwarePatches": "",
"softwareServices": "",
"sanControllerPorts": ""
}
}

operation: List Monitored Devices and Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}

operation: List Monitored Organizations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}

operation: List Incidents

Input parameters

Important: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on severity and sub-category.

Parameter Description
From (Optional) Specify the start DateTime to retrieve incidents from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime to retrieve the incidents from the Fortinet FortiSIEM server.
Incident Status Select one or more incident statuses based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can select either Active, Auto Cleared, Manually Cleared, System Cleared, or any combination of the options.
Incident Category (Optional) Specify the category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Incident Sub Category (Optional) Specify the sub-category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Incident Severity (Optional) Select one or more incident severities based on which you want to retrieve incidents from the Fortinet FortiSIEM server. You can choose either High, Medium, Low, or any combination of the options.
Event Type (Optional) Specify the event type of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server.
Other Filters

(Optional) Specify the parameters using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example,
{
"status": [0],
"eventType": ["PH_RULE_SERVER_CPU_WARN"],
"incidentRptIp": ["10.7.12.156"]
}

Number Of Items To Return In Response (Optional) The maximum number of incidents that you want this operation to return in the response.
By default, the page size is set to 500 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Order By (Optional) Field using which you want to sort incidents retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, incidentLastSeen DESC
Event Fields To Show In Response (Optional) Comma-separated list of event fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentClearedReason": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident IDs IDs of incidents, in the CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}

operation: Get Organization Details

Input parameters

Parameter Description
Organization ID The ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}

operation: Comment Incident

Input parameters

Parameter Description
Incident ID The ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server.
Comment Text Text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Clear Incident With Reason

Input parameters

Parameter Description
Incident ID The ID of the incident that you want to clear from the Fortinet FortiSIEM server.
Reason Specify the text of the reason that you want to specify while clearing the specified incident from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}

operation: Get Events For Incident

Input parameters

Parameter Description
Incident ID The ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 10 items.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": 0,
"custId": 2000,
"dataStr": {},
"eventType": "",
"attributes": {
"Count": "",
"Event ID": "",
"Source IP": "",
"Time skew": "",
"Event Type": "",
"Attack Name": "",
"Device Time": "",
"Relaying IP": "",
"Collector ID": "",
"Malware Name": "",
"Reporting IP": "",
"Raw Event Log": "",
"Destination IP": "",
"Event Severity": "",
"Organization ID": "",
"Reporting Model": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"Virus/Malware ID": "",
"Event Parser Name": "",
"Organization Name": "",
"Event Parse Status": "",
"Event Receive Time": "",
"Event Rule Trigger": "",
"Source TCP/UDP Port": "",
"Destination Host Name": "",
"System Event Category": "",
"Event Severity Category": "",
"Destination TCP/UDP Port": "",
"External Event Receive Protocol": ""
},
"rawMessage": "",
"receiveTime": "",
"eventAttributes": []
}

operation: Run Advanced Search Query

Input parameters

Parameter Description
Advanced Search Query Conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)).
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Group By (Optional) Attribute using which you want to group the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, reptDevIpAddr
Order By (Optional) Field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC
Time Range (Optional) Specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for reports that you want to run on the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for reports that you want to run on the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for reports that are created in the last 2 hours on the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

No output schema is available at this time.

operation: Update Incident

Input parameters

Parameter Description
Incident ID Specify the ID of the incident you want to update on the Fortinet FortiSIEM server.
Comment Text Specify the text of the comment that you want to add to the specified incident you want to update on the Fortinet FortiSIEM server.
Incident Status (Optional) Select the incident status that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: Active, Auto Cleared, Manually Cleared, or System Cleared.
Incident Severity (Optional) Select the incident severity that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: HIGH, MEDIUM, or LOW.
Incident Resolution (Optional) Select the resolution that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive.
External Ticket Type (Optional) Select the external ticket type of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: High, Medium, or Low.
External Ticket ID (Optional) Specify the ID of the external ticket ID to update in the specified incident you want to update on the Fortinet FortiSIEM server.
External Ticket State (Optional) Select the external ticket state of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options: New, Assigned, In Progress, or Closed.
External Assigned User (Optional) Specify the assigned user of the external ticket to update in the specified incident you want to update on the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Event ID The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server.
From (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server.
To (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server.
Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"hostIpAddr": "",
"hostName": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}

operation: Search Events

Input parameters

Parameter Description
Search Attributes Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
  • If you choose 'Destination Port', then in the Destination Port IN field, enter the value of the destination port for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Destination IP', then in the Destination IP IN field, enter a comma-separated list of destination IPs based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event ID', then in the Event ID IN field, enter the value of the event ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Event Action', then from the Event Action IN drop-down list, choose the event action for which you want to search for events in the Fortinet FortiSIEM server. You can choose 1-Deny or 0-Permit.
  • If you choose 'Incident ID', then in the Incident ID IN field, enter the value of the Incident ID for which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'File Name', then in the File Name CONTAINS field, enter the name of the file based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Host Name', then in the Host Name CONTAINS field, enter the name of the host using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Organization Name', then in the Organization Name CONTAINS field, enter the name of the organization based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Process Name', then in the Process Name CONTAINS field, enter the name of the process based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Post-NAT Source IP', then in the Post-NAT Source IP IN field, enter the Post-NAT source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Raw Event Log', then in the Raw Event Log CONTAINS field, enter the search attribute for the raw event based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Relay IP', then in the Relay IP IN field, enter the relay IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Reporting IP', then in the Reporting IP IN field, enter the reporting IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source IP', then in the Source IP IN field, enter the source IP based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source Port', then in the Source Port IN field, enter the source port based on which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'Source MAC', then in the Source MAC CONTAINS field, enter the search attribute for the source MAC using which you want to search for events in the Fortinet FortiSIEM server.
  • If you choose 'User', then in the User CONTAINS field, enter the search attribute for the user based on which you want to search for events in the Fortinet FortiSIEM server.
Event Fields To Show In Response Comma-separated list of event fields that you want to display in the report summary for the report that you want to run on the Fortinet FortiSIEM server.
Time Range (Optional) Specify the time duration for which you want to search for events in the Fortinet FortiSIEM server. By default, this is set as Relative Time.
  • If you select Absolute Time, then you must specify the time range, for which you want to search for events in the Fortinet FortiSIEM server, in the From and To fields using the calendar tool.
  • If you select Relative Time, then you have to specify the time duration for which you want to search for events in the Fortinet FortiSIEM server.
    For example, if you choose Hours from the Relative Time drop-down list and provide the value 2 in the Last field, then this operation searches for events that occurred in the last 2 hours on the Fortinet FortiSIEM server and returns the response against the report from the Fortinet FortiSIEM server.
Number Of Items To Return In Response

(Optional) The maximum number of events that you want this operation to return in the response.
By default, the page size is set to 50 items.

Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0.

Output

The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}

operation: Get Event Attributes

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}

operation: Get Events Data By Query ID

Input parameters

Parameter Description
Query ID The ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc.
Number Of Items To Return In Response (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.

Output

The output contains a non-dictionary value.

operation: Get Watch Lists

Input parameters

Parameter Description
Get Watch List Data By

Select the parameters using which you want to retrieve watch list data from Fortinet FortiSIEM.

  • If you choose 'Get All Watch Lists', then data for all watch lists are retrieved from Fortinet FortiSIEM.
  • If you choose 'By Watch List ID', then in the Watch List ID field you must specify the ID of the watch list whose details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry Value', then in the Entry Value field you must specify the value of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.
  • If you choose 'By Watch List Entry ID', then in the Watch List Entry ID field you must specify the ID of the watch list entry whose watch list details you want to retrieve from Fortinet FortiSIEM.

Output

The output contains the following populated JSON schema: If you choose "Get All Watch Lists", "By Watch List ID" or "By Watch List Entry Value" as the "Get Watch List Data By", then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}

This is the default output schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Get Watch List Entries Count

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}

operation: Get Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to retrieve from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}

operation: Add Watch List Entries To Watch List

Input parameters

Parameter Description
Watch List ID The ID of the watch list to which you want to add watch list entries.
Other parameters JSON Array of watch list entry objects that you want to add to specific watch lists.
For example,
{
"inclusive": false,
"count": 10,
"custId": 1,
"triggeringRules": "Datastore Space Warning",
"entryValue": "PVVol_A001_A000356_POWER2",
"ageOut": "1d",
"lastSeen": 1613601369215,
"firstSeen": 1613601369215,
"disableAgeout": false,
"dataCreationType": "USER"
}

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Watch List

Input parameters

Parameter Description
Watch List JSON Object JSON Object of a watch list with a watch list entry that you want to create in the FortiSIEM database. For example,
{
'description': 'Servers, network or storage devices',
'displayName': 'Resource Issues Test4',
'type': 'DyWatchList',
'isCaseSensitive': false,
'dataCreationType': 'USER',
'topGroup': false,
'valuePattern': null,
'valueType': 'STRING',
'ageOut': '1d',
'custId': 1,
'entries':
[
{
'inclusive': true,
'entryValue': 'PVVol_A001_A000356_5new',
'ageOut': '1d',
'count': 1,
'custId': 1,
'firstSeen': 1612901760000,
'lastSeen': 1612901760000,
'triggeringRules': 'Datastore Space Warning',
'dataCreationType': 'USER'
}
]
}

Where the displayName and type are the required fields.

Output

The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}

operation: Update Watch List Entry

Input parameters

Parameter Description
Watch List Entry ID The ID of the watch list entry that you want to update in the FortiSIEM database.
Count (Optional) Specify the occurrence count of the watch list entry that you want to update in the FortiSIEM database.
Last Seen Time (Optional) Specify the value of the last seen time, i.e., the Unix timestamp, of the specific watch list that you want to update in the FortiSIEM database.
State From the State drop-down list select Active to set the specific watch list to the 'Active' state; select Inactive to set the specific watch list to the 'Inactive' state.
Other Parameters JSON Object of a watch list with a watch list entry that you want to update in the FortiSIEM database. For example,
{
'lastSeen': 1612901760002,
'dataCreationType': 'USER',
'firstSeen': 1612901760001,
'count': 100,
'custId': '1',
'triggeringRules': 'Datastore Space Warning',
'description': 'Testing again',
'id': 889400,
'inclusive': true,
'entryValue': 'PVVol_A001_A000356_POWER23',
'expiredTime': 1612988160001,
'ageOut': '2d'
}

Output

The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}

operation: Delete Watch List Entry

Input parameters

Parameter Description
Watch List Entry IDs IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Delete Watch List

Input parameters

Parameter Description
Watch List IDs IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11]

Output

The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}

operation: Create Lookup Table

Input parameters

Parameter Description
Name Specify the name of the lookup table that you want to create in FortiSIEM.
Note: The table name must contain only alphabets and numbers.
Column List Specify the list of column definitions for the lookup table you want to create in FortiSIEM. For each column you must specify the following three values:
  • key - key indicating whether or not the column is a primary column
  • name- name of the column
  • type - type of column, which can be STRING, LONG, or DOUBLE.
    For example,
    [
    {"key": true, "name": "url", "type": "STRING"},
    {"key": false, "name": "wfCategoryID", "type": "LONG"}
    ]
Description (Optional) Specify the description of the lookup table that you want to create in FortiSIEM.
Organization Name (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user.

Output

The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}

operation: Get All Lookup Table

Input parameters

Parameter Description
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}

operation: Delete Lookup Table

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup Table whose definitions you want to delete from the Fortinet FortiSIEM server.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Import Lookup Table Data

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to import the CSV file present in FortiSOAR to the Fortinet FortiSIEM server lookup table. You can choose between Attachment ID and File IRI.

  • If you choose 'Attachment ID', then in the Attachment ID field specify the Attachment ID of the CSV file that you want to import into the specified lookup table in FortiSIEM.
  • If you choose 'File IRI', then in the File IRI field specify the CSV file that you want to import into the specified lookup table in FortiSIEM.
Lookup Table ID Specify the unique identifier representing the lookup table in FortiSIEM into which you want to import the CSV file in the Fortinet FortiSIEM server.
Mapping Specify the configuration that matches the position of columns in the CSV file to columns in the specified lookup table. The format of the mapping is as follows: {"":,"":}
For example, {"url":1, "wfCategoryID":2}
File Separator Specify the file separator for the specified CSV file. By default, this is set as the comma character(,)
File Quote Char Specify the file quote character for the specified CSV file. By default, this is set as the double quotation character(")
Skip Header Select this option to ignore the header of the specified CSV file.
Update Type Select the method of updating the data in the Fortinet FortiSIEM server. You can choose between Overwrite (default) or Append.

Output

The output contains the following populated JSON schema:
{
"taskId": ""
}

operation: Check Import Task Status

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table in the Fortinet FortiSIEM server for which you want to check the import task status.
Task ID Specify the task id of the importing data to the specified lookup table. You can retrieve the task ID from the response of the 'Import Lookup Table Data' action.

Output

The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}

operation: Get Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table for which you want to retrieve items from the Fortinet FortiSIEM server.
Start (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0.
Number Of Items To Return (Optional) The maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000.
Search Text (Optional) Specify the Search text using which you want to filter items of the specified lookup table in the Fortinet FortiSIEM server.
Sort By (Optional) Specify the lookup table columns using which you want to sort the search results retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified lookup table columns, i.e, descending (DESC) or ascending (ASC).

Output

The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}

operation: Update Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to update in the Fortinet FortiSIEM server.
Key Specify the primary key of the item column and its value that you want to update in the specified lookup table. The format is <keyColumn_1>:<value>
For example, key={"url":"http://example.com"}
Column Data Specify the dictionary of column values you want to update in the specified lookup table.
For example, {"url": "www.test.com", "wfCategoryID": 30, "score": 0.50119}

Output

The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}

operation: Delete Lookup Table Data

Input parameters

Parameter Description
Lookup Table ID Specify the unique identifier representing the lookup table whose items you want to delete from the Fortinet FortiSIEM server.
Primary Keys Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[
{<keyColumn_1>:<value>,<keyColumn_2>:<value>}
]

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Get All Resource Lists

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}

operation: Get Resource List Entries

Input parameters

Parameter Description
Resource Group ID Specify the ID of the resource group from which you want to retrieve the specific element types. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups.
Resource Type Select the type of resource (element) that you want to retrieve from the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.
Offset (Optional) Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0.
Number Of Items To Return In Response (Optional) The maximum number of entries that you want this operation to return in the response.
By default, the page size is set to 100 entries.

Output

The output contains the following populated JSON schema:
{
"headerData": {
"objectTypeName": "",
"columnNames": [],
"columnTypes": [],
"methodNames": [],
"columnWidths": [],
"columnActions": [],
"keys": [],
"attrKeys": []
},
"lightValueObjects": [
{
"objectId": "",
"custId": "",
"parentId": "",
"collectorId": "",
"data": [],
"extData": "",
"naturalId": "",
"aoSys": ""
}
],
"errCode": "",
"errObj": "",
"dataType": "",
"totalCount": ""
}

operation: Add Entries To Resource List

Input parameters

Parameter Description
Resource Group ID Specify the ID of the resource group to which you want to add the specified element. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups.
Resource Data Specify the resource (element) data in a key-value pair that you want to add to the specified resource group in the Fortinet FortiSIEM server. For example,
{
"singleIp": "3.3.3.3",
"enableDateFound": false,
"enableLastSeen": false,
"dateFound": null,
"lastSeen": null,
"name": "3.3.3.3",
"malwareType": "ip",
"severity": "low",
"highIp": "3.3.3.3",
"lowIp": "3.3.3.3",
"sysDefined": false,
"active": true,
"groupId": 15732450304
}
Resource Type Select the type of resource (element) that you want to add to the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.

Output

The output contains the following populated JSON schema:
{
"lastModified": "",
"creationTime": "",
"custId": "",
"ownerId": "",
"collectorId": "",
"grpNid": "",
"id": "",
"naturalId": "",
"name": "",
"lowIp": "",
"highIp": "",
"description": "",
"sysDefined": "",
"active": "",
"malwareType": "",
"confidence": "",
"severity": "",
"country": "",
"asn": "",
"dateFound": "",
"lastSeen": "",
"org": "",
"groupId": "",
"naturalIdProperty": "",
"creationDate": "",
"lastModifiedDate": "",
"xmlId": "",
"systemEntity": ""
}

operation: Remove Entries From Resource List

Input parameters

Parameter Description
Resource IDs Specify the IDs of the resources you want to delete from the Fortinet FortiSIEM server.
Resource Type Select the type of resource (element) that you want to delete from the Fortinet FortiSIEM server. You can choose from the following options: Malware IP, Malware Domains, Malware Urls, Malware Hash, or Malware Processes.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Fortinet FortiSIEM - 5.0.1 playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, "incidents" in Fortinet FortiSIEM are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

NOTE: If you want to link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, you can use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiSIEM "Incidents" to FortiSOAR™ "Alerts".

IMPORTANT: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.0.0 (or later) from version 4.5.0. For more information, see the Reconfiguring 'FortiSIEM' Data Ingestion section.

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
    Users can choose to pull data from Fortinet FortiSIEM specifying either the last X minutes in which the incidents have been created or updated in FortiSIEM (By Updates in Last X Minutes) or an "Incident ID" (By Sample Incident ID). When you are fetching data based on By Updates in Last X Minutes, then in the Pull Incidents Creates/Updates In Last X Minutes field, specify the number of minutes from when you want to retrieve incidents that were created or updated in Fortinet FortiSIEM. When you are fetching data based on By Sample Incident ID, then in the Incident ID field, specify the ID of the incident that you want to retrieve from Fortinet FortiSIEM. When you choose the By Updates in Last X Minutes method to fetch data, you can also apply additional parameters such as the maximum events to be fetched, the maximum number of events to be fetched per incident, filters such as incident status, incident category, incident severity, event type, etc., to be applied to incidents to be retrieved from Fortinet FortiSIEM. Optionally, in the Other Filters field, you can specify parameters using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example,
    {
    "status": [0],
    "eventType": ["PH_RULE_SERVER_CPU_WARN"],
    "incidentRptIp": ["10.7.12.156"]
    }

    The fetched data is used to create a mapping between the FortiSIEM data and FortiSOAR™ alerts. Once you have completed specifying the configurations, click Fetch Data.

    If you are configuring data ingestion for MSSP systems, and if you have checked the Configure Multi-Tenant Mappings checkbox, then in the Organization Mapping field, ensure that you map the organization name defined in FortiSIEM as a tenant in FortiSOAR™:

    NOTE: If you have not mapped or wrongly mapped an organization, then the incident record will be created as a "Self" entry.
  3. On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the customer parameter of a FortiSIEM incident to the Username parameter of a FortiSOAR™ alert, click the Username field and then click the customer field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiSIEM every morning at 5 am, click Daily, and in the hour box enter 5 , and in the minute box enter 0:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Reconfiguring 'FortiSIEM' Data Ingestion

If you have upgraded your FortiSIEM connector to version 5.0.0 or later from version 4.5.0, then you must reconfigure the 'FortiSIEM' Data Ingestion.

Use FortiSIEM v5.0.0 (and later) Data Ingestion: Post-upgrade, if you want to use FortiSIEM v5.0.0 (or later) data ingestion, then you need to re-run the "Data Ingestion Wizard" to reconfigure FortiSIEM data ingestion, i.e., Open the 'Configurations' page of the FortiSIEM connector and click Configure Data Ingestion to re-run the "Data Ingestion Wizard"

Use FortiSIEM v4.5.0 Data Ingestion: If you want to use FortiSIEM v4.5.0 data ingestion, then you can reconfigure 'FortiSIEM' Data Ingestion using either of the following methods:

Best Practices - Working with FortiSOAR FortiSIEM Integration

Following is a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration:

Previous
Next