Setting up the FortiAnalyzer Integration App
ServiceNow requirements
- A ServiceNow subscription.
- FortiAnalyzer 6.0.2 or higher.
- ServiceNow SecOps Incident Response App
For information on ServiceNow licenses, contact ServiceNow.
For information on ServiceNow user roles and permissions, see ServiceNow roles.
Download the FortiAnalyzer Integration App
To download the app, go to the ServiceNow store and search for FortiAnalyzer Integration App V2. Click Get, then follow the onscreen instructions to download the app.
After downloading the app, add it to the Favorites menu for easy access.
Create a ServiceNow API account
- In ServiceNow, create an account for API communication with FortiAnalyzer.
  For more information, see the ServiceNow documentation.
- Assign these roles to this account:

  | Role | Description |
  |------|-------------|
  | import_transformer | This is a system role to manage import set transform maps and run transforms. |
  | x_forti_fazintgv2.snAPI | This role is required to access ServiceNow API so FortiAnalyzer can send incident notifications to the FortiAnalyzer Integration App. |
  | sn_si.basic | This role comes with ServiceNow SecOps Incident Response App to view and create security incidents. |

Refer to ServiceNow documents for more information.
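
Once the API account exists, its role assignments can be audited against the three roles listed above so that a missing role or an extra directly granted one (such as admin) is caught before FortiAnalyzer starts using the credentials. This Python audit is an added example, not code from the original page or from Fortinet or ServiceNow; the function name `audit_roles`, the sample rows, the placeholder role `example_contained_role`, and the assumed response shape (a ServiceNow Table API query on `sys_user_has_role` returning `role.name` and `inherited`) are assumptions.

```python
import json

# Roles the page says to assign to the ServiceNow API account.
REQUIRED_ROLES = {"import_transformer", "x_forti_fazintgv2.snAPI", "sn_si.basic"}

# Constructed sample data. Assumed shape: a Table API response for
# sys_user_has_role filtered to the API account, with the fields
# role.name and inherited (booleans arrive as the strings "true"/"false").
SAMPLE_RESPONSE = json.dumps({"result": [
    {"role.name": "import_transformer", "inherited": "false"},
    {"role.name": "sn_si.basic", "inherited": "false"},
    {"role.name": "example_contained_role", "inherited": "true"},  # placeholder name
    {"role.name": "admin", "inherited": "false"},
]})


def audit_roles(response_text, required=REQUIRED_ROLES):
    """Compare the account's roles with the required set.

    Returns a dict with three sorted lists:
      missing      - required roles the account does not hold at all
      extra_direct - roles granted directly that the page does not call for
      inherited    - extra roles that arrive only through role containment
    """
    rows = json.loads(response_text).get("result", [])
    direct, inherited = set(), set()
    for row in rows:
        name = str(row.get("role.name", "")).strip()
        if not name:
            continue  # skip malformed rows rather than guessing
        if str(row.get("inherited", "false")).lower() == "true":
            inherited.add(name)
        else:
            direct.add(name)
    return {
        "missing": sorted(required - direct - inherited),
        "extra_direct": sorted(direct - required),
        "inherited": sorted(inherited - direct - required),
    }


if __name__ == "__main__":
    report = audit_roles(SAMPLE_RESPONSE)
    for key, roles in report.items():
        print(f"{key}: {', '.join(roles) or 'none'}")
```

Directly granted extras are the ones to remove from the account; inherited extras come from a containing role and are listed separately for review.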
Set up the system properties
- Open the FortiAnalyzer Integration App and go to FortiAnalyzer System Properties.
- Configure Connection to FortiAnalyzer API:

  | Property | Description |
  |----------|-------------|
  | Domain | Enter the FortiAnalyzer domain name without the protocol, for example, fortianalyzer.myorganization.com |
  | Port number | If you change the port number, you must also change it in FortiAnalyzer. |
  | Username, Password | Enter the username and password of the FortiAnalyzer account to use with the FortiAnalyzer Integration App. This account must have JSON-RPC read-write permission in FortiAnalyzer. |

- Configure Connection to ServiceNow API.
  Enter the Username and Password for the ServiceNow API account you created in the previous section.
- Configure App Settings:

  | Property | Description |
  |----------|-------------|
  | Create a security incident in Security Incident Response App, upon receiving new incident notifications from FortiAnalyzer | Automatically creates an incident in the FortiAnalyzer Integration App from an imported FortiAnalyzer incident. You can create a business rule to further customize incidents after creation in ServiceNow. See Automation with business rules. |
  | Keep updating FortiAnalyzer incidents, upon receiving update notifications from FortiAnalyzer | Updates FortiAnalyzer incidents after the initial import. This setting is enabled by default. |
  | Fetch events from FortiAnalyzer ADOMs automatically | (1) From the FortiAnalyzer ADOMs list, select the ADOMs you want to import events from. (2) Use the Start Date filter to select the date to start importing events. (3) Optionally, select Keep updating FortiAnalyzer events to automatically update FortiAnalyzer events after the initial import. |

- Click Save.