Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.
This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM.
For more information, see the Data Ingestion Support section.
NOTE: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.1.1 (or later) from a version earlier than 5.1.1. For more information, see the Reconfiguring FortiSIEM Data Ingestion section. You must reconfigure data ingestion after upgrading the connector even if your connector is on version 5.1.0 and you are upgrading the connector to version 5.1.1 (or later).
For a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration, see the Best Practices - Working with FortiSOAR FortiSIEM Integration section.
FortiSIEM 6.7.6 release contained some API changes that led to updates in connector actions. For details see the Fortinet FortiSIEM v5.1.0 connector document.
Connector Version: 5.1.1
FortiSOAR™ Version Tested on: 7.4.1-3167
Fortinet FortiSIEM Version Tested on: 6.7.6 and 7.0.0
Authored By: Fortinet
Certified: Yes
The following changes have been made to the Fortinet FortiSIEM Connector in version 5.1.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortisiem
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Username | Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Password | Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Organization | Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices Investigation |
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices Investigation |
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains Investigation |
Get Organization Details | Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. | get_organization Investigation |
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the time range, and other filter criteria you have specified. NOTE: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on sub-categories. |
get_incidents Investigation |
Get Incident Details | Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. | get_incident_details Investigation |
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment Investigation |
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident Investigation |
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. | get_associated_events Investigation |
Run Advanced Search Query | Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. | run_report Investigation |
Update Incident | Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. | update_incident Investigation |
Get Event Details | Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. | get_event_details Investigation |
Search Events | Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. | search_events Investigation |
Get Event Attributes | Retrieves all event attributes from the Fortinet FortiSIEM server. | get_incident_attributes Investigation |
Get Events Data By Query ID | Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. | get_events_by_query_id Investigation |
Get Watch Lists | Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. | get_watch_lists Investigation |
Get Watch List Entries Count | Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. | get_watch_list_entries_count Investigation |
Get Watch List Entry | Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. | get_watch_list_entry Investigation |
Add Watch List Entries To Watch List | Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. | update_watch_list_group Investigation |
Create Watch List | Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. | create_watch_list_group Investigation |
Update Watch List Entry | Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. | update_watch_list_entry Investigation |
Delete Watch List Entry | Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. | delete_watch_list_entry Investigation |
Delete Watch List | Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. | delete_watch_list Investigation |
Create Lookup Table | Creates the definition of a lookup table in the FortiSIEM server based on the name, column list, and other input parameters you have specified. | create_lookup_table Investigation |
Get All Lookup Table | Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. | get_all_lookup_tables Investigation |
Delete Lookup Table | Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. | delete_lookup_table Investigation |
Import Lookup Table Data | Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. | import_lookup_table_data Investigation |
Check Import Task Status | Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. | check_import_task_status Investigation |
Get Lookup Table Data | Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. | get_lookup_table_data Investigation |
Update Lookup Table Data | Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. | update_lookup_table_data Investigation |
Delete Lookup Table Data | Delete items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. | delete_lookup_table_data Investigation |
Get All Resource Lists | Retrieves a list of all resources from the Fortinet FortiSIEM server. | get_all_resource_list Investigation |
Get Resource List Entries | Retrieves a list of elements that belong to a specific resource list in FortiSIEM based on the resource group ID, resource type, and other input parameters you have specified. | get_resource_list_entries Investigation |
Add Entries To Resource List | Adds new elements to a specific resource list in FortiSIEM based on the resource group ID, resource data, and resource type you have specified. | add_entries_to_resource_list Investigation |
Remove Entries From Resource List | Deletes elements from a resource list in FortiSIEM based on the resource IDs and resource type you have specified. | remove_entries_from_resource_list Investigation |
Parameter | Description |
---|---|
Organization | (Optional) Specify the name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}
Parameter | Description |
---|---|
Include IP SET | Specify the value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format. For example, enter, 192.168.20.1-192.168.20.100 |
Exclude IP SET | (Optional) Specify the value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format. |
Organization | (Optional) Specify the name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}
Parameter | Description |
---|---|
Device IP | Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server. |
Organization | (Optional) Specify the name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server. |
Output
The output contains the following populated JSON schema:
{
"device": {
"luns": "",
"name": "",
"status": "",
"version": "",
"accessIp": "",
"approved": "",
"storages": "",
"naturalId": "",
"unmanaged": "",
"components": "",
"deviceType": {
"model": "",
"vendor": "",
"version": "",
"category": "",
"jobWeight": ""
},
"interfaces": {
"networkinterface": {
"adminStatus": "",
"description": "",
"inSpeed": "",
"ipv4Addr": "",
"ipv4IsVirtual": "",
"ipv4Mask": "",
"isCritical": "",
"isMonitor": "",
"isTrunk": "",
"isWAN": "",
"macAddr": "",
"macIsVirtual": "",
"name": "",
"operStatus": "",
"outSpeed": "",
"snmpIndex": "",
"speed": "",
"type": ""
}
},
"processors": "",
"raidGroups": "",
"applications": "",
"discoverTime": "",
"organization": {
"@id": "",
"@name": ""
},
"updateMethod": "",
"ipToHostNames": "",
"storageGroups": "",
"creationMethod": "",
"description": "",
"discoverMethod": "",
"winMachineGuid": "",
"eventParserList": "",
"systemUpTime": "",
"softwarePatches": "",
"softwareServices": "",
"sanControllerPorts": ""
}
}
None.
The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}
None.
The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}
Important: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on sub-categories.
Parameter | Description |
---|---|
From | (Optional) Specify the start DateTime to retrieve incidents from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end DateTime to retrieve the incidents from the Fortinet FortiSIEM server. |
Incident Status |
(Optional) Select one or more incident statuses from the following options to filter incidents:
|
Incident Category |
(Optional) Select one or more incident categories from the following options to filter incidents:
|
Incident Sub Category | (Optional) Specify the sub-category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. |
Incident Severity |
(Optional) Select one or more incident severities from the following options to filter incidents:
|
Event Type | (Optional) Specify the event type of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. |
Other Filters |
(Optional) Specify the parameters in the JSON format using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example, { "status": [ 0 ], "eventType": [ "PH_RULE_SERVER_CPU_WARN" ], "incidentRptIp": [ "10.7.12.156" ] } |
Number Of Items To Return In Response or Size Per Page | (Optional) For FortiSIEM 6.7.6: This parameter defines the maximum number of items that this operation will return, per page, in the response. For versions other than FortiSIEM 6.7.6: This parameter defines the maximum number of items that this operation will return in the response. By default, this parameter is set to 500 items. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
Order By | (Optional) Specify the field using which to sort the incidents retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, incidentLastSeen DESC |
Event Fields To Show In Response | (Optional) Specify the comma-separated list of event fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentClearedReason": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}
Parameter | Description |
---|---|
Incident IDs | Specify the IDs of incidents, in the CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}
Parameter | Description |
---|---|
Organization ID | Specify the ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server. |
Comment Text | Specify the text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident that you want to clear from the Fortinet FortiSIEM server. |
Reason | Specify the text of the reason that you want to specify while clearing the specified incident from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server. |
Time From | Select the start time range from when you want to search raw events for the given incident ID. NOTE: This parameter is supported only in the FortiSIEM 6.7.6 version. Also, note that the max interval between the 'Time To' and 'Time From' cannot exceed 24 hours. |
Time To | Select the end time range till when you want to search raw events for the given incident ID. NOTE: This parameter is supported only in the FortiSIEM 6.7.6 version. Also, note that the max interval between the 'Time To' and 'Time From' cannot exceed 24 hours. |
Number Of Items To Return In Response |
(Optional) The maximum number of events that you want this operation to return in the response. |
The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": 0,
"custId": 2000,
"dataStr": {},
"eventType": "",
"attributes": {
"Count": "",
"Event ID": "",
"Source IP": "",
"Time skew": "",
"Event Type": "",
"Attack Name": "",
"Device Time": "",
"Relaying IP": "",
"Collector ID": "",
"Malware Name": "",
"Reporting IP": "",
"Raw Event Log": "",
"Destination IP": "",
"Event Severity": "",
"Organization ID": "",
"Reporting Model": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"Virus/Malware ID": "",
"Event Parser Name": "",
"Organization Name": "",
"Event Parse Status": "",
"Event Receive Time": "",
"Event Rule Trigger": "",
"Source TCP/UDP Port": "",
"Destination Host Name": "",
"System Event Category": "",
"Event Severity Category": "",
"Destination TCP/UDP Port": "",
"External Event Receive Protocol": ""
},
"rawMessage": "",
"receiveTime": "",
"eventAttributes": []
}
Parameter | Description |
---|---|
Advanced Search Query | Specify the conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)) . |
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
Order By | (Optional) Specify the field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC |
Time Range | (Optional) Specify the time duration to search for reports to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. You can select from the following options:
|
Number Of Items To Return In Response |
(Optional) Specify the maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
No output schema is available at this time.
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident you want to update on the Fortinet FortiSIEM server. |
Comment Text | Specify the text of the comment that you want to add to the specified incident you want to update on the Fortinet FortiSIEM server. |
Incident Status | (Optional) Select the incident status that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
Incident Severity | (Optional) Select the incident severity that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
Incident Resolution | (Optional) Select the resolution that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive. |
External Ticket Type | (Optional) Select the external ticket type of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
External Ticket ID | (Optional) Specify the ID of the external ticket ID to update in the specified incident you want to update on the Fortinet FortiSIEM server. |
External Ticket State |
(Optional) Select the external ticket state of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
External Assigned User | (Optional) Specify the assigned user of the external ticket to update in the specified incident you want to update on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Event ID | The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server. |
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
From | (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"hostIpAddr": "",
"hostName": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}
Parameter | Description |
---|---|
Search Attributes | Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
|
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
Time Range | (Optional) Specify the time duration to search for reports to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. You can select from the following options:
|
Number Of Items To Return In Response |
(Optional) Specify the maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}
None.
The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}
Parameter | Description |
---|---|
Query ID | Specify the ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc. |
Number Of Items To Return In Response | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Get Watch List Data By |
Select the parameters using which you want to retrieve watch list data from Fortinet FortiSIEM.
|
The output contains the following populated JSON schema: If you choose "Get All Watch Lists", "By Watch List ID" or "By Watch List Entry Value" as the "Get Watch List Data By", then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}
This is the default output schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
None.
The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}
Parameter | Description |
---|---|
Watch List Entry ID | Specify the ID of the watch list entry that you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}
Parameter | Description |
---|---|
Watch List ID | Specify the ID of the watch list to which you want to add watch list entries. |
Other parameters | Specify a JSON Array of watch list entry objects that you want to add to specific watch lists. For example, { "inclusive": false, "count": 10, "custId": 1, "triggeringRules": "Datastore Space Warning", "entryValue": "PVVol_A001_A000356_POWER2", "ageOut": "1d", "lastSeen": 1613601369215, "firstSeen": 1613601369215, "disableAgeout": false, "dataCreationType": "USER" } |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Watch List JSON Object | Specify the JSON Object of a watch list with a watch list entry to create in the FortiSIEM database. For example:
{ "description":"Servers,networkorstoragedevices", "displayName":"ResourceIssuesTest4", "type":"DyWatchList", "isCaseSensitive":false, "dataCreationType":"USER", "topGroup":false, "valuePattern":null, "valueType":"STRING", "ageOut":"1d", "custId":1, "entries":[ { "inclusive":true, "entryValue":"PVVol_A001_A000356_5new", "ageOut":"1d", "count":1, "custId":1, "firstSeen":1612901760000, "lastSeen":1612901760000, "triggeringRules":"DatastoreSpaceWarning", "dataCreationType":"USER" } ] }NOTE: displayName and type are required fields. |
The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
Parameter | Description |
---|---|
Watch List Entry ID | Specify the ID of the watch list entry that you want to update in the FortiSIEM database. |
Count | (Optional) Specify the occurrence count of the watch list entry that you want to update in the FortiSIEM database. |
Last Seen Time | (Optional) Specify the value of the last seen time, i.e., the Unix timestamp, of the specific watch list that you want to update in the FortiSIEM database. |
State | From the State drop-down list select Active to set the specific watch list to the 'Active' state; select Inactive to set the specific watch list to the 'Inactive' state. |
Other Parameters | JSON Object of a watch list with a watch list entry that you want to update in the FortiSIEM database. For example
{ "lastSeen": 1612901760002, "dataCreationType": "USER", "firstSeen": 1612901760001, "count": 100, "custId": 1, "triggeringRules": "Datastore Space Warning", "description": "Testing again", "id": 889400, "inclusive": true, "entryValue": "PVVol_A001_A000356_POWER23", "expiredTime": 1612988160001, "ageOut": "2d" } |
The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}
Parameter | Description |
---|---|
Watch List Entry IDs | Specify the IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11] |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Watch List IDs | IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11] |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the lookup table that you want to create in FortiSIEM. NOTE: The table name must contain only alphabets and numbers. |
Column List | Specify the list of column definitions for the lookup table to create in FortiSIEM. For each column, you must specify the following three values:
[ { "key": true, "name": "url", "type": "STRING" }, { "key": false, "name": "wfCategoryID", "type": "LONG" } ] |
Description | (Optional) Specify the description of the lookup table that you want to create in FortiSIEM. |
Organization Name | (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user. |
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
Parameter | Description |
---|---|
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0. |
Number Of Items To Return | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup Table whose definitions you want to delete from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
File IRI/Attachment ID |
Select the method using which you want to import the CSV file present in FortiSOAR to the Fortinet FortiSIEM server lookup table. You can choose between Attachment ID and File IRI.
|
Lookup Table ID | Specify the unique identifier representing the lookup table in FortiSIEM into which you want to import the CSV file in the Fortinet FortiSIEM server. |
Mapping | Specify the configuration that matches the position of columns in the CSV file to columns in the specified lookup table. The format of the mapping is as follows: {"":,"":} . For example,
{ "url": 1, "wfCategoryID": 2 } |
File Separator | Specify the file separator for the specified CSV file. By default, this is set as the comma character(,) |
File Quote Char | Specify the file quote character for the specified CSV file. By default, this is set as the double quotation character(") |
Skip Header | Select this option to ignore the header of the specified CSV file. |
Update Type | Select the method of updating the data in the Fortinet FortiSIEM server. You can choose between Overwrite (default) or Append. |
The output contains the following populated JSON schema:
{
"taskId": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table in the Fortinet FortiSIEM server for which you want to check the import task status. |
Task ID | Specify the task id of the importing data to the specified lookup table. You can retrieve the task ID from the response of the "Import Lookup Table Data" action. |
The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table for which you want to retrieve items from the Fortinet FortiSIEM server. |
Start | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0. |
Number Of Items To Return | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000. |
Search Text | (Optional) Specify the Search text using which you want to filter items of the specified lookup table in the Fortinet FortiSIEM server. |
Sort By | (Optional) Specify the lookup table columns using which you want to sort the search results retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified lookup table columns, i.e., descending (DESC) or ascending (ASC). |
The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table whose items you want to update in the Fortinet FortiSIEM server. |
Key | Specify the primary key of the item column and its value that you want to update in the specified lookup table. The format is <keyColumn_1>:<value> For example, key={"url":"http://example.com"} |
Column Data | Specify the dictionary of column values to update in the specified lookup table. For example,
{ "url": "www.test.com", "wfCategoryID": 30, "score": 0.50119 } |
The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table whose items you want to delete from the Fortinet FortiSIEM server. |
Primary Keys | Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[ { "keyColumn_1": "value", "keyColumn_2": "value" } ] |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
Parameter | Description |
---|---|
Resource Group ID | Specify the ID of the resource group from which you want to retrieve the specific element types. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups. |
Resource Type | Select the type of resource (element) that you want to retrieve from the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options:
|
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
Number Of Items To Return In Response | (Optional) Specify the maximum number of entries that you want this operation to return in the response. By default, this parameter is set to 100 entries. |
The output contains the following populated JSON schema:
{
"headerData": {
"objectTypeName": "",
"columnNames": [],
"columnTypes": [],
"methodNames": [],
"columnWidths": [],
"columnActions": [],
"keys": [],
"attrKeys": []
},
"lightValueObjects": [
{
"objectId": "",
"custId": "",
"parentId": "",
"collectorId": "",
"data": [],
"extData": "",
"naturalId": "",
"aoSys": ""
}
],
"errCode": "",
"errObj": "",
"dataType": "",
"totalCount": ""
}
Parameter | Description |
---|---|
Resource Group ID | Specify the ID of the resource group to which you want to add the specified element. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups. |
Resource Data | Specify the resource (element) data in a key-value pair that you want to add to the specified resource group in the Fortinet FortiSIEM server. For example,
{ "singleIp": "3.3.3.3", "enableDateFound": false, "enableLastSeen": false, "dateFound": null, "lastSeen": null, "name": "3.3.3.3", "malwareType": "ip", "severity": "low", "highIp": "3.3.3.3", "lowIp": "3.3.3.3", "sysDefined": false, "active": true, "groupId": 15732450304 } |
Resource Type | Select the type of resource (element) that you want to add to the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"lastModified": "",
"creationTime": "",
"custId": "",
"ownerId": "",
"collectorId": "",
"grpNid": "",
"id": "",
"naturalId": "",
"name": "",
"lowIp": "",
"highIp": "",
"description": "",
"sysDefined": "",
"active": "",
"malwareType": "",
"confidence": "",
"severity": "",
"country": "",
"asn": "",
"dateFound": "",
"lastSeen": "",
"org": "",
"groupId": "",
"naturalIdProperty": "",
"creationDate": "",
"lastModifiedDate": "",
"xmlId": "",
"systemEntity": ""
}
Parameter | Description |
---|---|
Resource IDs | Specify the IDs of the resources you want to delete from the Fortinet FortiSIEM server. |
Resource Type | Select the type of resource (element) that you want to delete from the Fortinet FortiSIEM server. You can choose from the following options:
|
The output contains a non-dictionary value.
The Sample - Fortinet FortiSIEM - 5.0.1
playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, Incidents in Fortinet FortiSIEM are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
NOTE: To link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiSIEM Incidents to FortiSOAR™Alerts.
IMPORTANT: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.1.1 (or later) from a version earlier than 5.1.1. For more information, see the Reconfiguring FortiSIEM Data Ingestion section. You must reconfigure data ingestion after upgrading the connector even if your connector is on version 5.1.0 and you are upgrading the connector to version 5.1.1 (or later).
The Data Ingestion Wizard helps you configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also helps you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.
To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
Users can choose to pull data from Fortinet FortiSIEM by selecting either the last X minutes in which the incidents have been created or updated in FortiSIEM (By Updates in Last X Minutes) or by specifying an Incident ID (By Sample Incident ID) from the Fetch Mode drop-down list. When fetching data based on By Updates in Last X Minutes, specify the number of minutes from when to retrieve incidents that were created or updated in Fortinet FortiSIEM, in the Pull Incidents Creates/Updates In Last X Minutes field. When fetching data based on By Sample Incident ID, specify the ID of the incident to retrieve from Fortinet FortiSIEM, in the Incident ID field. When fetching data based on By Updates in Last X Minutes, you can apply additional parameters such as:
500
items.{ "status": [0], "eventType": ["PH_RULE_SERVER_CPU_WARN"], "incidentRptIp": [10.7.12.156"] }
On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the attackTactic parameter of a FortiSIEM incident to the Tactics parameter of a FortiSOAR™ alert, click the Tactics field and then click the attackTactic field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the FortiSOAR™ product documentation's Connectors Guide. Once you have completed the mapping of fields, click Save Mapping & Continue.
NOTE: The 'Field Mapping' was updated in the release 5.1.0 of the FortiSIEM connector as follows:
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™
On the Scheduling screen, from the Do to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression, for example, if you want to pull data from FortiSIEM every morning at 5 a.m., click Daily, in the hour box enter 5
, and in the minute box, enter 0
:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
If you have upgraded your FortiSIEM connector to version 5.1.1 or later from a version earlier than 5.1.1, then you must reconfigure the 'FortiSIEM' Data Ingestion as follows:
Post-upgrade, if you want to use FortiSIEM v5.1.1 (or later) data ingestion, then you need to re-run the "Data Ingestion Wizard" to reconfigure FortiSIEM data ingestion. Open the Data Ingestion Wizard Start page and ensure that you click Let's Start by fetching some data button and not the "Let's start with last saved data" button. As the requirement is to reconfigure the data ingestion, you must not use the "Let's start with last saved data button", which is displayed if you had previously run ingestion using this connector. Run through all the pages of the Data Ingestion Wizard to completely re-configure your FortiSIEM connector.
Following is a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration:
Fortinet FortiSIEM is a highly scalable multi-tenant Security Information and Event Management (SIEM) solution that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.
This document provides information about the Fortinet FortiSIEM Connector, which facilitates automated interactions with your Fortinet FortiSIEM server using FortiSOAR™ playbooks. Add the Fortinet FortiSIEM Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving device information for all devices configured on the Fortinet FortiSIEM server and retrieving a list of monitored organizations from the Fortinet FortiSIEM server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM.
For more information, see the Data Ingestion Support section.
NOTE: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.1.1 (or later) from a version earlier than 5.1.1. For more information, see the Reconfiguring FortiSIEM Data Ingestion section. You must reconfigure data ingestion after upgrading the connector even if your connector is on version 5.1.0 and you are upgrading the connector to version 5.1.1 (or later).
For a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration, see the Best Practices - Working with FortiSOAR FortiSIEM Integration section.
FortiSIEM 6.7.6 release contained some API changes that led to updates in connector actions. For details see the Fortinet FortiSIEM v5.1.0 connector document.
Connector Version: 5.1.1
FortiSOAR™ Version Tested on: 7.4.1-3167
Fortinet FortiSIEM Version Tested on: 6.7.6 and 7.0.0
Authored By: Fortinet
Certified: Yes
The following changes have been made to the Fortinet FortiSIEM Connector in version 5.1.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortisiem
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiSIEM connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Username | Specify the username used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Password | Specify the password used to access the Fortinet FortiSIEM server to which you will connect and perform the automated operations. |
Organization | Specify the name of the organization that you will access on the Fortinet FortiSIEM server to perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get All Devices | Retrieves a short description for all devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
Get All Devices For Specified IP Address Range | Retrieves a short description for devices that are configured on the Fortinet FortiSIEM server, based on the IP address range that you have specified. | get_devices Investigation |
Get Device Information | Retrieves details of a specific device that is configured on the Fortinet FortiSIEM server, based on the Device IP that you have specified. | get_devices Investigation |
List Monitored Devices and Attributes | Retrieves a list and attributes of all monitored devices that are configured on the Fortinet FortiSIEM server. | get_devices Investigation |
List Monitored Organizations | Retrieves a list and details of all monitored organizations that are configured on the Fortinet FortiSIEM server. | get_domains Investigation |
Get Organization Details | Retrieves the details of a specific organization from the Fortinet FortiSIEM server based on the organization ID that you have specified. | get_organization Investigation |
List Incidents | Retrieves a list and details of incidents from the Fortinet FortiSIEM server based on the time range, and other filter criteria you have specified. NOTE: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on sub-categories. |
get_incidents Investigation |
Get Incident Details | Retrieves details of an incident from the Fortinet FortiSIEM server based on the incident IDs you have specified. | get_incident_details Investigation |
Comment Incident | Adds a comment to a specific incident on the Fortinet FortiSIEM server based on the incident ID you have specified. | incident_comment Investigation |
Clear Incident With Reason | Clears an incident with the reason you have specified on the Fortinet FortiSIEM server based on the incident ID you have specified. | clear_incident Investigation |
Get Events For Incident | Retrieves all associated events for a specified incident from the Fortinet FortiSIEM server, based on the incident ID and other input parameters you have specified. | get_associated_events Investigation |
Run Advanced Search Query | Runs an advanced search query on the Fortinet FortiSIEM server, based on the search conditions and other input parameters you have specified. | run_report Investigation |
Update Incident | Updates the attributes of a specific incident on the Fortinet FortiSIEM server based on the incident ID and other input parameters you have specified. | update_incident Investigation |
Get Event Details | Retrieves details of a specific event from the Fortinet FortiSIEM server based on the event ID you have specified and optionally the date range you have specified. | get_event_details Investigation |
Search Events | Searches for events in the Fortinet FortiSIEM server based on search attributes and other input parameters you have specified. | search_events Investigation |
Get Event Attributes | Retrieves all event attributes from the Fortinet FortiSIEM server. | get_incident_attributes Investigation |
Get Events Data By Query ID | Retrieves data for events or incidents from the Fortinet FortiSIEM server based on the executed query ID you have specified. | get_events_by_query_id Investigation |
Get Watch Lists | Retrieves details for all watch lists or for specific watch lists based on input parameters you have specified. | get_watch_lists Investigation |
Get Watch List Entries Count | Returns the count of all watch list entries from all watch lists in Fortinet FortiSIEM. | get_watch_list_entries_count Investigation |
Get Watch List Entry | Retrieves the specific watch list entry from Fortinet FortiSIEM based on the watch list entry ID you have specified. | get_watch_list_entry Investigation |
Add Watch List Entries To Watch List | Adds watch list entries to one or more watch lists based on watch list ID and other input parameters you have specified. | update_watch_list_group Investigation |
Create Watch List | Creates a watch list in the FortiSIEM database. A watch list can contain one or more watch list entries. | create_watch_list_group Investigation |
Update Watch List Entry | Updates a watch list entry in the FortiSIEM database based on the watch list entry ID and other input parameters you have provided. | update_watch_list_entry Investigation |
Delete Watch List Entry | Deletes watch list entries from the FortiSIEM database based on the ID of the watch list entries you have specified. | delete_watch_list_entry Investigation |
Delete Watch List | Deletes watch lists from the FortiSIEM database based on the ID of the watch lists you have specified. | delete_watch_list Investigation |
Create Lookup Table | Creates the definition of a lookup table in the FortiSIEM server based on the name, column list, and other input parameters you have specified. | create_lookup_table Investigation |
Get All Lookup Table | Retrieves the list of all lookupTable definitions from the FortiSIEM server based on the input parameters you have specified. | get_all_lookup_tables Investigation |
Delete Lookup Table | Deletes the lookupTable definition from the FortiSIEM server based on the lookup table ID you have specified. | delete_lookup_table Investigation |
Import Lookup Table Data | Imports the data of a specific CSV file in FortiSOAR to a specific lookup table in FortiSIEM based on the File/Attachment IRI, lookup table ID, and other input parameters you have specified. | import_lookup_table_data Investigation |
Check Import Task Status | Checks the status of the import lookup table data task in FortiSIEM based on the lookup table ID and task ID you have specified. | check_import_task_status Investigation |
Get Lookup Table Data | Retrieves items of the specified lookup table from FortiSIEM based on the lookup table ID and other input parameters you have specified. | get_lookup_table_data Investigation |
Update Lookup Table Data | Updates items of a specified lookup table based on the lookup table ID, key, column data, and other input parameters you have specified. | update_lookup_table_data Investigation |
Delete Lookup Table Data | Delete items of the specified lookup table in FortiSIEM based on the lookup table ID and primary keys you have specified. | delete_lookup_table_data Investigation |
Get All Resource Lists | Retrieves a list of all resources from the Fortinet FortiSIEM server. | get_all_resource_list Investigation |
Get Resource List Entries | Retrieves a list of elements that belong to a specific resource list in FortiSIEM based on the resource group ID, resource type, and other input parameters you have specified. | get_resource_list_entries Investigation |
Add Entries To Resource List | Adds new elements to a specific resource list in FortiSIEM based on the resource group ID, resource data, and resource type you have specified. | add_entries_to_resource_list Investigation |
Remove Entries From Resource List | Deletes elements from a resource list in FortiSIEM based on the resource IDs and resource type you have specified. | remove_entries_from_resource_list Investigation |
Parameter | Description |
---|---|
Organization | (Optional) Specify the name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}
Parameter | Description |
---|---|
Include IP SET | Specify the value of IP addresses based on which you want to retrieve device information from the Fortinet FortiSIEM server. You must provide the value of this field as a range or in the .csv format. For example, enter, 192.168.20.1-192.168.20.100 |
Exclude IP SET | (Optional) Specify the value of the range of IP addresses that you want to exclude from this search operation. You must provide the value of this field as a range or in the .csv format. |
Organization | (Optional) Specify the name of the organization using which you want to filter the devices retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"devices": {
"device": [
{
"name": "",
"accessIp": "",
"approved": "",
"creationMethod": "",
"discoverMethod": "",
"discoverTime": "",
"naturalId": "",
"unmanaged": "",
"updateMethod": "",
"version": "",
"deviceType": {
"accessProtocols": "",
"jobWeight": "",
"model": "",
"vendor": "",
"version": ""
},
"organization": {
"@id": "",
"@name": ""
}
}
]
}
}
Parameter | Description |
---|---|
Device IP | Specify the IP address of the device for which you want to retrieve details from the Fortinet FortiSIEM server. |
Organization | (Optional) Specify the name of the organization for which you want to retrieve details of the device from the Fortinet FortiSIEM server. |
Output
The output contains the following populated JSON schema:
{
"device": {
"luns": "",
"name": "",
"status": "",
"version": "",
"accessIp": "",
"approved": "",
"storages": "",
"naturalId": "",
"unmanaged": "",
"components": "",
"deviceType": {
"model": "",
"vendor": "",
"version": "",
"category": "",
"jobWeight": ""
},
"interfaces": {
"networkinterface": {
"adminStatus": "",
"description": "",
"inSpeed": "",
"ipv4Addr": "",
"ipv4IsVirtual": "",
"ipv4Mask": "",
"isCritical": "",
"isMonitor": "",
"isTrunk": "",
"isWAN": "",
"macAddr": "",
"macIsVirtual": "",
"name": "",
"operStatus": "",
"outSpeed": "",
"snmpIndex": "",
"speed": "",
"type": ""
}
},
"processors": "",
"raidGroups": "",
"applications": "",
"discoverTime": "",
"organization": {
"@id": "",
"@name": ""
},
"updateMethod": "",
"ipToHostNames": "",
"storageGroups": "",
"creationMethod": "",
"description": "",
"discoverMethod": "",
"winMachineGuid": "",
"eventParserList": "",
"systemUpTime": "",
"softwarePatches": "",
"softwareServices": "",
"sanControllerPorts": ""
}
}
None.
The output contains the following populated JSON schema:
{
"monitoredDevices": {
"eventPullingDevices": "",
"perfMonDevices": {
"device": {
"deviceName": "",
"monitors": {
"monitor": [
{
"method": "",
"category": ""
}
]
},
"deviceType": "",
"organization": "",
"accessIp": ""
}
}
}
}
None.
The output contains the following populated JSON schema:
{
"disabled": "",
"@lastModified": "",
"name": "",
"initialized": "",
"collectors": {
"collector": []
},
"@xmlId": "",
"custProperties": "",
"@ownerId": "",
"@id": "",
"domainId": "",
"@entityVersion": "",
"@custId": "",
"@creationTime": ""
}
Important: The FortiSIEM API does not support filtering incidents in the "List Incident" action based on sub-categories.
Parameter | Description |
---|---|
From | (Optional) Specify the start DateTime to retrieve incidents from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end DateTime to retrieve the incidents from the Fortinet FortiSIEM server. |
Incident Status |
(Optional) Select one or more incident statuses from the following options to filter incidents:
|
Incident Category |
(Optional) Select one or more incident categories from the following options to filter incidents:
|
Incident Sub Category | (Optional) Specify the sub-category of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. |
Incident Severity |
(Optional) Select one or more incident severities from the following options to filter incidents:
|
Event Type | (Optional) Specify the event type of the incident based on which you want to retrieve incidents from the Fortinet FortiSIEM server. |
Other Filters |
(Optional) Specify the parameters in the JSON format using which you want to filter the incidents retrieved from the Fortinet FortiSIEM server. For example, { "status": [ 0 ], "eventType": [ "PH_RULE_SERVER_CPU_WARN" ], "incidentRptIp": [ "10.7.12.156" ] } |
Number Of Items To Return In Response or Size Per Page | (Optional) For FortiSIEM 6.7.6: This parameter defines the maximum number of items that this operation will return, per page, in the response. For versions other than FortiSIEM 6.7.6: This parameter defines the maximum number of items that this operation will return in the response. By default, this parameter is set to 500 items. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
Order By | (Optional) Specify the field using which to sort the incidents retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, incidentLastSeen DESC |
Event Fields To Show In Response | (Optional) Specify the comma-separated list of event fields that you want to include in the list of incidents that you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentClearedReason": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}
Parameter | Description |
---|---|
Incident IDs | Specify the IDs of incidents, in the CSV or list format, whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"total": "",
"size": "",
"data": [
{
"incidentTitle": "",
"eventSeverity": "",
"incidentFirstSeen": "",
"incidentReso": "",
"incidentRptIp": "",
"incidentLastSeen": "",
"incidentSrc": "",
"count": "",
"attackTechnique": "",
"eventType": "",
"phIncidentCategory": "",
"incidentClearedTime": "",
"incidentTarget": "",
"attackTactic": "",
"phSubIncidentCategory": "",
"eventSeverityCat": "",
"incidentDetail": "",
"incidentRptDevName": "",
"eventName": "",
"incidentId": "",
"incidentStatus": "",
"customer": ""
}
],
"start": ""
}
Parameter | Description |
---|---|
Organization ID | Specify the ID of the organization whose details you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"@custId": "",
"@creationTime": "",
"@entityVersion": "",
"@id": "",
"@lastModified": "",
"name": "",
"domainId": "",
"@xmlId": "",
"@ownerId": "",
"initialized": "",
"disabled": ""
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident in which you want to add the comment on the Fortinet FortiSIEM server. |
Comment Text | Specify the text of the comment that you want to add to the specified incident on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident that you want to clear from the Fortinet FortiSIEM server. |
Reason | Specify the text of the reason that you want to specify while clearing the specified incident from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": []
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident for which you want to retrieve all associated events from the Fortinet FortiSIEM server. |
Time From | Select the start time range from when you want to search raw events for the given incident ID. NOTE: This parameter is supported only in the FortiSIEM 6.7.6 version. Also, note that the max interval between the 'Time To' and 'Time From' cannot exceed 24 hours. |
Time To | Select the end time range till when you want to search raw events for the given incident ID. NOTE: This parameter is supported only in the FortiSIEM 6.7.6 version. Also, note that the max interval between the 'Time To' and 'Time From' cannot exceed 24 hours. |
Number Of Items To Return In Response |
(Optional) The maximum number of events that you want this operation to return in the response. |
The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": 0,
"custId": 2000,
"dataStr": {},
"eventType": "",
"attributes": {
"Count": "",
"Event ID": "",
"Source IP": "",
"Time skew": "",
"Event Type": "",
"Attack Name": "",
"Device Time": "",
"Relaying IP": "",
"Collector ID": "",
"Malware Name": "",
"Reporting IP": "",
"Raw Event Log": "",
"Destination IP": "",
"Event Severity": "",
"Organization ID": "",
"Reporting Model": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"Virus/Malware ID": "",
"Event Parser Name": "",
"Organization Name": "",
"Event Parse Status": "",
"Event Receive Time": "",
"Event Rule Trigger": "",
"Source TCP/UDP Port": "",
"Destination Host Name": "",
"System Event Category": "",
"Event Severity Category": "",
"Destination TCP/UDP Port": "",
"External Event Receive Protocol": ""
},
"rawMessage": "",
"receiveTime": "",
"eventAttributes": []
}
Parameter | Description |
---|---|
Advanced Search Query | Specify the conditions using which you want to process the search results for the report that you want to run on the Fortinet FortiSIEM server. For example, (incidentDetail CONTAIN "jobName" AND phEventCategory = 1) AND (phCustId IN (1)) . |
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
Order By | (Optional) Specify the field using which you want to sort the search results for the report that you want to run on the Fortinet FortiSIEM server. You can also specify the sort direction of the specified field. For example, phRecvTime DESC |
Time Range | (Optional) Specify the time duration to search for reports to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. You can select from the following options:
|
Number Of Items To Return In Response |
(Optional) Specify the maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
No output schema is available at this time.
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident you want to update on the Fortinet FortiSIEM server. |
Comment Text | Specify the text of the comment that you want to add to the specified incident you want to update on the Fortinet FortiSIEM server. |
Incident Status | (Optional) Select the incident status that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
Incident Severity | (Optional) Select the incident severity that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
Incident Resolution | (Optional) Select the resolution that you want to assign to the specified incident you want to update on the Fortinet FortiSIEM server. You can choose between True Positive or False Positive. |
External Ticket Type | (Optional) Select the external ticket type of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
External Ticket ID | (Optional) Specify the ID of the external ticket ID to update in the specified incident you want to update on the Fortinet FortiSIEM server. |
External Ticket State |
(Optional) Select the external ticket state of the specified incident you want to update on the Fortinet FortiSIEM server. You can select one of the following options:
|
External Assigned User | (Optional) Specify the assigned user of the external ticket to update in the specified incident you want to update on the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"message": "",
"incident_id": ""
}
Parameter | Description |
---|---|
Event ID | The ID of the event whose details you want to retrieve from the Fortinet FortiSIEM server. |
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
From | (Optional) Specify the start DateTime from when you want to retrieve event details from the Fortinet FortiSIEM server. |
To | (Optional) Specify the end DateTime till when you want to retrieve event details from the Fortinet FortiSIEM server. Important: If you do not specify the From and To parameters for this operation, then by default events for the last 2 weeks will be retrieved from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destGeoOrg": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"totBytes64": "",
"collectorId": "",
"destGeoCity": "",
"eventAction": "",
"rawEventMsg": "",
"hostIpAddr": "",
"hostName": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destGeoState": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"destGeoCountry": "",
"profileDetails": "",
"relayDevIpAddr": "",
"destGeoLatitude": "",
"phEventCategory": "",
"destGeoLongitude": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": "",
"destGeoCountryCodeStr": ""
},
"receiveTime": ""
}
Parameter | Description |
---|---|
Search Attributes | Select attribute types using which you want to search for events in the Fortinet FortiSIEM server. You can choose one or more search attributes from the following options: Destination Port, Destination IP, Event ID, Event Action, Incident ID, File Name, Host Name, Organization Name, Process Name, Post-NAT Source IP, Raw Event Log, Relay IP, Reporting Ip, Source IP, Source Port, Source MAC, or User
|
Event Fields To Show In Response | Specify the comma-separated list of event fields that you want to include in the response retrieved from the FortiSIEM server. |
Time Range | (Optional) Specify the time duration to search for reports to run on the Fortinet FortiSIEM server. By default, this is set as Relative Time. You can select from the following options:
|
Number Of Items To Return In Response |
(Optional) Specify the maximum number of events that you want this operation to return in the response. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of events, say events starting from the 10th event. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"@start": "",
"events": [
{
"id": "",
"nid": "",
"index": "",
"custId": "",
"dataStr": "",
"eventType": "",
"attributes": {
"type": "",
"uuid": "",
"vdom": "",
"count": "",
"fwRule": "",
"osType": "",
"eventId": "",
"ipProto": "",
"srcName": "",
"subtype": "",
"customer": "",
"destName": "",
"fwAction": "",
"logLevel": "",
"memberID": "",
"totFlows": "",
"trandisp": "",
"eventName": "",
"eventType": "",
"reptModel": "",
"sessionId": "",
"srcIpAddr": "",
"srcIpPort": "",
"totPkts64": "",
"destIpAddr": "",
"destIpPort": "",
"deviceTime": "",
"parserName": "",
"phRecvTime": "",
"recvPkts64": "",
"reptVendor": "",
"sentPkts64": "",
"srcMACAddr": "",
"totBytes64": "",
"collectorId": "",
"eventAction": "",
"rawEventMsg": "",
"recvBytes64": "",
"reptDevName": "",
"sentBytes64": "",
"serviceName": "",
"srcIntfName": "",
"timeSkewSec": "",
"appGroupName": "",
"destIntfName": "",
"durationMSec": "",
"eventParsedOk": "",
"eventSeverity": "",
"reptDevIpAddr": "",
"profileDetails": "",
"relayDevIpAddr": "",
"phEventCategory": "",
"eventRuleTrigger": "",
"eventSeverityCat": "",
"masterSrcMACAddr": "",
"postNATSrcIpAddr": "",
"postNATSrcIpPort": "",
"extEventRecvProto": ""
},
"receiveTime": ""
}
],
"@queryId": "",
"@errorCode": "",
"@totalCount": ""
}
None.
The output contains the following populated JSON schema:
{
"FQDN": "",
"Type": "",
"UUID": "",
"User": "",
"VM IP": "",
"Domain": "",
"Host IP": "",
"ICMP Id": "",
"IP Port": "",
"Message": "",
"User Id": "",
"Agent ID": "",
"Checksum": "",
"Computer": "",
"Duration": "",
"Event ID": "",
"Host MAC": "",
"URI Stem": "",
"Disk Name": "",
"File Name": "",
"File Path": "",
"Host City": "",
"Host Name": "",
"Host VLAN": "",
"ICMP Code": "",
"ICMP Type": "",
"Rule Name": "",
"Server IP": "",
"TCP flags": "",
"URI Query": "",
"WLAN SSID": "",
"Event Name": "",
"Event Type": "",
"File Owner": "",
"Host Model": "",
"Host State": "",
"IP Version": "",
"Image File": "",
"Sent Bytes": "",
"Source IP ": "",
"Source MAC": "",
"Source TOS": "",
"User Group": "",
"VPN Status": "",
"Attack Name": "",
"Device Port": "",
"Device Time": "",
"Employee ID": "",
"Host Vendor": "",
"IP Protocol": "",
"Incident ID": "",
"Mail Sender": "",
"New Host IP": "",
"Object Name": "",
"Relaying IP": "",
"Server Name": "",
"Source City": "",
"Source VLAN": "",
"Target User": "",
"Total Bytes": "",
"Collector ID": "",
"Collector IP": "",
"DHCP Gateway": "",
"Event Action": ": ",
"Event Source": "",
"Host Country": "",
"Mail Subject": "",
"Malware Name": "",
"Malware Type": "",
"Process Name": "",
"Reporting IP": ": ",
"Sent Packets": "",
"Source State": "",
"VM Host Name": "",
"Win Logon Id": "",
"ARP Source IP": "",
"Connection Id": "",
"DNS Server IP": "",
"IPS Sensor Id": "",
"Mail Receiver": "",
"Object Handle": "",
"Raw Event Log": "",
"Software Name": "",
"Target Domain": "",
"Total Packets": "",
"VPN Conn Type": "",
"WLAN Radio Id": "",
"ARP Source MAC": "",
"Account Number": "",
"Auth Server IP": "",
"Collector Name": "",
"DNS Query Type": "",
"Destination IP": "",
"Event Severity": "",
"Hash Algorithm": "",
"Incident Title": "",
"Malware Action": "",
"OS Object Type": "",
"Received Bytes": "",
"Recv Auth Fail": "",
"Reporting City": "",
"Sent TCP flags": "",
"Snort Event ID": "",
"Source Country": "",
"TCP Connection": "",
"UDP Connection": "",
"Win Logon Type": "",
"DHCP Server MAC": "",
"Destination MAC": "",
"Destination TOS": "",
"Firewall Action": "",
"HTTP User Agent": "",
"Host Virtual IP": "",
"ICMP Connection": "",
"Incident Source": "",
"Incident Target": "",
"Organization ID": "",
"Relaying Device": "",
"Reporting Model": "",
"Reporting State": "",
"Target Computer": "",
"Target Host MAC": "",
"VPN Tunnel Name": "",
"WLAN Channel Id": "",
"WLAN User count": "",
"Application Name": "",
"Application Port": "",
"Auth Server Name": "",
"Destination City": "",
"Destination VLAN": "",
"Event Occur Time": "",
"Firewall Session": "",
"Operating System": "",
"Received Packets": "",
"Reporting Device": "",
"Reporting Vendor": "",
"Source Host Name": "",
"DHCP Request Type": "",
"Destination State": "",
"Event Description": "",
"Host Organization": "",
"Incident Category": "",
"Informational URL": "",
"Organization Name": "",
"Reporting Country": "",
"Target User Group": "",
"ARP Destination IP": "",
"Event Parse Status": "",
"Event Receive Time": "",
"IP Type of Service": "",
"Object Access Type": "",
"Post-NAT Source IP": "",
"Previous Source IP": "",
"Recv Packet Errors": "",
"Sent Packet Errors": "",
"Source Device Port": "",
"Vulnerability Name": "",
"Vulnerability Type": "",
"ARP Destination MAC": "",
"Destination Country": "",
"Host Interface Name": "",
"Recv Interface Util": "",
"Sent Interface Util": "",
"Source Organization": "",
"Source TCP/UDP Port": "",
"Vulnerability Score": "",
"Win Logon Fail Code": "",
"False Positive Check": "",
"IDS Database Version": "",
"Post-NAT Source Port": "",
"Source Firewall Zone": "",
"Vulnerability CVE Id": "",
"Business Service Name": "",
"Destination Host Name": "",
"IPS Event Risk Rating": "",
"Incident Reporting IP": "",
"Network Access Device": "",
"Recv Packet Error Pct": "",
"Sent Packet Error Pct": "",
"Source Interface Name": "",
"System Event Category": "",
"Pre-NAT Destination IP": "",
"Reporting Organization": "",
"Virus Database Version": "",
"Destination Device Port": "",
"Event Severity Category": "",
"IPS Event Threat Rating": ": ",
"Post-NAT Destination IP": "",
"Destination Organization": "",
"Destination Service Name": "",
"Destination TCP/UDP Port": "",
"Network Access Device IP": "",
"Operating System Version": "",
"Pre-NAT Destination Port": "",
"Destination Firewall Zone": "",
"Palo Alto Firewall Action": "",
"Destination Interface Name": "",
"Extension Database Version": "",
"Network Access Device Port": "",
"Source Interface SNMP Index": "",
"Firewall Session Utilization": "",
"Post-NAT Destination Ip Port": "",
"Previous Source TCP/UDP Port": "",
"Command and Control Host Name": "",
"Wireless Attack Signature Name": "",
"Incident Trigger Attribute List": "",
"Source Autonomous System Number": "",
"Command and Control TCP/UDP Port": "",
"Destination Interface SNMP Index": "",
"Destination Autonomous System Number": "",
"Anti-Virus Extension Database Version": ""
}
Parameter | Description |
---|---|
Query ID | Specify the ID of the executed query based on which you want to retrieve data of events from the Fortinet FortiSIEM server. You can retrieve the Query ID from the output of actions such as 'List Incidents', 'Search Query', etc. |
Number Of Items To Return In Response | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 50 items. |
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Get Watch List Data By |
Select the parameters using which you want to retrieve watch list data from Fortinet FortiSIEM.
|
The output contains the following populated JSON schema: If you choose "Get All Watch Lists", "By Watch List ID" or "By Watch List Entry Value" as the "Get Watch List Data By", then the output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
Output schema when you choose "Get Watch List Data By" as "By Watch List Entry ID":
{
"response": {
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
},
"status": ""
}
This is the default output schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
None.
The output contains the following populated JSON schema:
{
"status": "",
"response": {
"entry_count": ""
}
}
Parameter | Description |
---|---|
Watch List Entry ID | Specify the ID of the watch list entry that you want to retrieve from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"status": "",
"response": {
"id": "",
"count": "",
"state": "",
"ageOut": "",
"custId": "",
"lastSeen": "",
"firstSeen": "",
"naturalId": "",
"entryValue": "",
"description": "",
"expiredTime": "",
"triggeringRules": "",
"dataCreationType": ""
}
}
Parameter | Description |
---|---|
Watch List ID | Specify the ID of the watch list to which you want to add watch list entries. |
Other parameters | Specify a JSON Array of watch list entry objects that you want to add to specific watch lists. For example, { "inclusive": false, "count": 10, "custId": 1, "triggeringRules": "Datastore Space Warning", "entryValue": "PVVol_A001_A000356_POWER2", "ageOut": "1d", "lastSeen": 1613601369215, "firstSeen": 1613601369215, "disableAgeout": false, "dataCreationType": "USER" } |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Watch List JSON Object | Specify the JSON Object of a watch list with a watch list entry to create in the FortiSIEM database. For example:
{ "description":"Servers,networkorstoragedevices", "displayName":"ResourceIssuesTest4", "type":"DyWatchList", "isCaseSensitive":false, "dataCreationType":"USER", "topGroup":false, "valuePattern":null, "valueType":"STRING", "ageOut":"1d", "custId":1, "entries":[ { "inclusive":true, "entryValue":"PVVol_A001_A000356_5new", "ageOut":"1d", "count":1, "custId":1, "firstSeen":1612901760000, "lastSeen":1612901760000, "triggeringRules":"DatastoreSpaceWarning", "dataCreationType":"USER" } ] }NOTE: displayName and type are required fields. |
The output contains the following populated JSON schema:
{
"response": [
{
"isCaseSensitive": "",
"naturalId": "",
"displayName": "",
"description": "",
"valuePattern": "",
"ageOut": "",
"topGroup": "",
"entries": [
{
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
}
],
"dataCreationType": "",
"valueType": "",
"custId": "",
"name": "",
"id": ""
}
],
"status": ""
}
Parameter | Description |
---|---|
Watch List Entry ID | Specify the ID of the watch list entry that you want to update in the FortiSIEM database. |
Count | (Optional) Specify the occurrence count of the watch list entry that you want to update in the FortiSIEM database. |
Last Seen Time | (Optional) Specify the value of the last seen time, i.e., the Unix timestamp, of the specific watch list that you want to update in the FortiSIEM database. |
State | From the State drop-down list select Active to set the specific watch list to the 'Active' state; select Inactive to set the specific watch list to the 'Inactive' state. |
Other Parameters | JSON Object of a watch list with a watch list entry that you want to update in the FortiSIEM database. For example
{ "lastSeen": 1612901760002, "dataCreationType": "USER", "firstSeen": 1612901760001, "count": 100, "custId": 1, "triggeringRules": "Datastore Space Warning", "description": "Testing again", "id": 889400, "inclusive": true, "entryValue": "PVVol_A001_A000356_POWER23", "expiredTime": 1612988160001, "ageOut": "2d" } |
The output contains the following populated JSON schema:
{
"response": {
"naturalId": "",
"firstSeen": "",
"count": "",
"triggeringRules": "",
"description": "",
"entryValue": "",
"expiredTime": "",
"ageOut": "",
"lastSeen": "",
"dataCreationType": "",
"custId": "",
"id": "",
"state": ""
},
"status": ""
}
Parameter | Description |
---|---|
Watch List Entry IDs | Specify the IDs of the watch list entries, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11] |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Watch List IDs | IDs of the watch lists, in the CSV or list format, that you want to delete from the FortiSIEM database. For example, [5.0.10, 5.0.11] |
The output contains the following populated JSON schema:
{
"response": "",
"status": ""
}
Parameter | Description |
---|---|
Name | Specify the name of the lookup table that you want to create in FortiSIEM. NOTE: The table name must contain only alphabets and numbers. |
Column List | Specify the list of column definitions for the lookup table to create in FortiSIEM. For each column, you must specify the following three values:
[ { "key": true, "name": "url", "type": "STRING" }, { "key": false, "name": "wfCategoryID", "type": "LONG" } ] |
Description | (Optional) Specify the description of the lookup table that you want to create in FortiSIEM. |
Organization Name | (Optional) Specify the organization name to be assigned to the lookup table that you want to create in FortiSIEM. By default, this is set to the organization of the current user. |
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
Parameter | Description |
---|---|
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table definitions starting from the 10th position. By default, this is set as 0. |
Number Of Items To Return | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000. |
The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"columnList": [
{
"key": "",
"name": "",
"type": ""
}
],
"description": "",
"lastUpdated": "",
"organizationName": ""
}
],
"size": "",
"start": "",
"total": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup Table whose definitions you want to delete from the Fortinet FortiSIEM server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
File IRI/Attachment ID |
Select the method using which you want to import the CSV file present in FortiSOAR to the Fortinet FortiSIEM server lookup table. You can choose between Attachment ID and File IRI.
|
Lookup Table ID | Specify the unique identifier representing the lookup table in FortiSIEM into which you want to import the CSV file in the Fortinet FortiSIEM server. |
Mapping | Specify the configuration that matches the position of columns in the CSV file to columns in the specified lookup table. The format of the mapping is as follows: {"":,"":} . For example,
{ "url": 1, "wfCategoryID": 2 } |
File Separator | Specify the file separator for the specified CSV file. By default, this is set as the comma character(,) |
File Quote Char | Specify the file quote character for the specified CSV file. By default, this is set as the double quotation character(") |
Skip Header | Select this option to ignore the header of the specified CSV file. |
Update Type | Select the method of updating the data in the Fortinet FortiSIEM server. You can choose between Overwrite (default) or Append. |
The output contains the following populated JSON schema:
{
"taskId": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table in the Fortinet FortiSIEM server for which you want to check the import task status. |
Task ID | Specify the task id of the importing data to the specified lookup table. You can retrieve the task ID from the response of the "Import Lookup Table Data" action. |
The output contains the following populated JSON schema:
{
"actionResult": "",
"id": "",
"progress": "",
"status": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table for which you want to retrieve items from the Fortinet FortiSIEM server. |
Start | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say lookup table items starting from the 10th position. By default, this is set as 0. |
Number Of Items To Return | (Optional) Specify the maximum number of items that you want this operation to return in the response. By default, the page size is set to 25 items, and the maximum is set at 1000. |
Search Text | (Optional) Specify the Search text using which you want to filter items of the specified lookup table in the Fortinet FortiSIEM server. |
Sort By | (Optional) Specify the lookup table columns using which you want to sort the search results retrieved from the Fortinet FortiSIEM server. You can also specify the sort direction of the specified lookup table columns, i.e., descending (DESC) or ascending (ASC). |
The output contains the following populated JSON schema:
{
"data": [],
"size": "",
"start": "",
"total": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table whose items you want to update in the Fortinet FortiSIEM server. |
Key | Specify the primary key of the item column and its value that you want to update in the specified lookup table. The format is <keyColumn_1>:<value> For example, key={"url":"http://example.com"} |
Column Data | Specify the dictionary of column values to update in the specified lookup table. For example,
{ "url": "www.test.com", "wfCategoryID": 30, "score": 0.50119 } |
The output contains the following populated JSON schema:
{
"response": "",
"message": ""
}
Parameter | Description |
---|---|
Lookup Table ID | Specify the unique identifier representing the lookup table whose items you want to delete from the Fortinet FortiSIEM server. |
Primary Keys | Specify the list of primary keys of the item columns and their values that you want to delete from the specified lookup table. The format is:
[ { "keyColumn_1": "value", "keyColumn_2": "value" } ] |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [
{
"id": "",
"pid": "",
"version": "",
"displayName": "",
"description": "",
"groupType": {
"name": "",
"displayName": ""
},
"naturalId": "",
"children": [],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
],
"retiredChildren": [],
"itemIds": "",
"systemGroup": "",
"custId": "",
"groupConfig": "",
"valueType": "",
"dataCreationType": "",
"fullPathName": "",
"valuePattern": "",
"topGroup": "",
"displayOrder": "",
"dashboardStatus": "",
"myDashboard": "",
"myWidgetDashboard": "",
"myBizServiceDashboard": "",
"mySummaryDashboard": "",
"myLinkUsageDashboard": "",
"superGlobal": "",
"rootOfMyDashboard": "",
"myIdentityLocationDashboard": "",
"myPCIDashboard": ""
}
Parameter | Description |
---|---|
Resource Group ID | Specify the ID of the resource group from which you want to retrieve the specific element types. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups. |
Resource Type | Select the type of resource (element) that you want to retrieve from the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options:
|
Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th incident. By default, this is set as 0. |
Number Of Items To Return In Response | (Optional) Specify the maximum number of entries that you want this operation to return in the response. By default, this parameter is set to 100 entries. |
The output contains the following populated JSON schema:
{
"headerData": {
"objectTypeName": "",
"columnNames": [],
"columnTypes": [],
"methodNames": [],
"columnWidths": [],
"columnActions": [],
"keys": [],
"attrKeys": []
},
"lightValueObjects": [
{
"objectId": "",
"custId": "",
"parentId": "",
"collectorId": "",
"data": [],
"extData": "",
"naturalId": "",
"aoSys": ""
}
],
"errCode": "",
"errObj": "",
"dataType": "",
"totalCount": ""
}
Parameter | Description |
---|---|
Resource Group ID | Specify the ID of the resource group to which you want to add the specified element. You can use the 'Get All Resource Lists' operation to find the IDs of the resource groups. |
Resource Data | Specify the resource (element) data in a key-value pair that you want to add to the specified resource group in the Fortinet FortiSIEM server. For example,
{ "singleIp": "3.3.3.3", "enableDateFound": false, "enableLastSeen": false, "dateFound": null, "lastSeen": null, "name": "3.3.3.3", "malwareType": "ip", "severity": "low", "highIp": "3.3.3.3", "lowIp": "3.3.3.3", "sysDefined": false, "active": true, "groupId": 15732450304 } |
Resource Type | Select the type of resource (element) that you want to add to the specified resource group in the Fortinet FortiSIEM server. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"lastModified": "",
"creationTime": "",
"custId": "",
"ownerId": "",
"collectorId": "",
"grpNid": "",
"id": "",
"naturalId": "",
"name": "",
"lowIp": "",
"highIp": "",
"description": "",
"sysDefined": "",
"active": "",
"malwareType": "",
"confidence": "",
"severity": "",
"country": "",
"asn": "",
"dateFound": "",
"lastSeen": "",
"org": "",
"groupId": "",
"naturalIdProperty": "",
"creationDate": "",
"lastModifiedDate": "",
"xmlId": "",
"systemEntity": ""
}
Parameter | Description |
---|---|
Resource IDs | Specify the IDs of the resources you want to delete from the Fortinet FortiSIEM server. |
Resource Type | Select the type of resource (element) that you want to delete from the Fortinet FortiSIEM server. You can choose from the following options:
|
The output contains a non-dictionary value.
The Sample - Fortinet FortiSIEM - 5.0.1
playbook collection comes bundled with the Fortinet FortiSIEM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiSIEM connector.
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiSIEM. Currently, Incidents in Fortinet FortiSIEM are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
NOTE: To link MITRE techniques records to alerts that are being created using the Data Ingestion Wizard, use the MITRE ATT&CK Enrichment Framework and MITRE ATT&CK Threat Hunting Solution Packs.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiSIEM Incidents to FortiSOAR™Alerts.
IMPORTANT: You must reconfigure data ingestion if you have upgraded your FortiSIEM connector to version 5.1.1 (or later) from a version earlier than 5.1.1. For more information, see the Reconfiguring FortiSIEM Data Ingestion section. You must reconfigure data ingestion after upgrading the connector even if your connector is on version 5.1.0 and you are upgrading the connector to version 5.1.1 (or later).
The Data Ingestion Wizard helps you configure the scheduled pulling of data from FortiSIEM into FortiSOAR™. It also helps you pull some sample data from FortiSIEM using which you can define the mapping of data between FortiSIEM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiSIEM incident.
To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiSIEM connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between FortiSIEM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiSIEM data.
Users can choose to pull data from Fortinet FortiSIEM by selecting either the last X minutes in which the incidents have been created or updated in FortiSIEM (By Updates in Last X Minutes) or by specifying an Incident ID (By Sample Incident ID) from the Fetch Mode drop-down list. When fetching data based on By Updates in Last X Minutes, specify the number of minutes from when to retrieve incidents that were created or updated in Fortinet FortiSIEM, in the Pull Incidents Creates/Updates In Last X Minutes field. When fetching data based on By Sample Incident ID, specify the ID of the incident to retrieve from Fortinet FortiSIEM, in the Incident ID field. When fetching data based on By Updates in Last X Minutes, you can apply additional parameters such as:
500
items.{ "status": [0], "eventType": ["PH_RULE_SERVER_CPU_WARN"], "incidentRptIp": [10.7.12.156"] }
On the Field Mapping screen, map the fields of a FortiSIEM incident to the fields of an alert present in FortiSOAR™
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the attackTactic parameter of a FortiSIEM incident to the Tactics parameter of a FortiSOAR™ alert, click the Tactics field and then click the attackTactic field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the FortiSOAR™ product documentation's Connectors Guide. Once you have completed the mapping of fields, click Save Mapping & Continue.
NOTE: The 'Field Mapping' was updated in the release 5.1.0 of the FortiSIEM connector as follows:
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiSIEM, so that the content gets pulled from the FortiSIEM integration into FortiSOAR™
On the Scheduling screen, from the Do to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression, for example, if you want to pull data from FortiSIEM every morning at 5 a.m., click Daily, in the hour box enter 5
, and in the minute box, enter 0
:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
If you have upgraded your FortiSIEM connector to version 5.1.1 or later from a version earlier than 5.1.1, then you must reconfigure the 'FortiSIEM' Data Ingestion as follows:
Post-upgrade, if you want to use FortiSIEM v5.1.1 (or later) data ingestion, then you need to re-run the "Data Ingestion Wizard" to reconfigure FortiSIEM data ingestion. Open the Data Ingestion Wizard Start page and ensure that you click Let's Start by fetching some data button and not the "Let's start with last saved data" button. As the requirement is to reconfigure the data ingestion, you must not use the "Let's start with last saved data button", which is displayed if you had previously run ingestion using this connector. Run through all the pages of the Data Ingestion Wizard to completely re-configure your FortiSIEM connector.
Following is a list of recommendations and suggested best practices for working with the FortiSOAR FortiSIEM integration: