# FortiAnalyzer
FortiAnalyzer is a network security analytics and reporting tool that provides deep insights into log data, helping organizations manage security events efficiently. It aggregates log data from Fortinet devices and other syslog-compatible devices. The FortiAnalyzer connector for Swimlane Turbine enables automated fetching of alert events and log search capabilities, enhancing the monitoring and analysis of security alerts. By integrating with FortiAnalyzer, Swimlane Turbine users can streamline their security operations, leverage detailed insights for threat detection, and conduct efficient incident investigations without manual intervention.

## Prerequisites

To effectively utilize the FortiAnalyzer connector within Swimlane Turbine, ensure you have the following prerequisites:

- Custom authentication with the following parameters:
  - URL: the endpoint URL for the FortiAnalyzer API
  - JSON-RPC: the version of the JSON-RPC protocol used by FortiAnalyzer
  - Username: the username for authenticating with FortiAnalyzer
  - Password: the password associated with the provided username

## Capabilities

This connector provides the following capabilities:

- Get Alerts
- Search Logs

## Notes

- FortiAnalyzer API documentation for the connector: https://fndn.fortinet.net/index.php?/fortiapi/175-fortianalyzer/4091/175/logview/

## Configurations

### FortiAnalyzer API Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| jsonrpc | JSON Remote Procedure Call (protocol version) | string | Required |
| username | Username | string | Required |
| password | Password | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Get Alerts

Fetches alert events from FortiAnalyzer, allowing for monitoring and analysis of security alerts.

- Endpoint URL: `/eventmgmt/alerts`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Optional | An identifier established by the client |
| jsonrpc | string | Optional | A string specifying the JSON-RPC protocol version |
| method | string | Optional | A string containing the method name to be invoked |
| params | array | Optional | Parameters for Get Alerts |
| params.apiver | number | Required | Current API version |
| params.filter | string | Optional | Filter expression. 'event value', 'severity', 'trigger name', 'count', 'comment' and 'flags' are supported, i.e. `trigger name='Local Device Event' and severity >= 3` |
| params.limit | number | Optional | The maximum number of records to get (min 1, max 2000) |
| params.offset | number | Optional | Offset of the records to get |
| params.time-range | object | Optional | Time range for data selection |
| params.time-range.end | string | Required | Ending date/time. If no timezone info is specified within the time range, it is interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'yyyy-MM-dd HH:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.time-range.start | string | Required | Starting date/time. If no timezone info is specified within the time range, it is interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'yyyy-MM-dd HH:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.timezone | string | Optional | The timezone index or name. The time range in the request and any date/time in the response will follow this timezone |
| params.url | string | Required | The resource path to alert events, e.g. `/eventmgmt/adom/<adom>/alerts` |
| session | string | Optional | The cookie of an active session in FortiAnalyzer |

#### Input example

```json
{
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "method": "get",
    "params": [
      {
        "apiver": 3,
        "filter": "",
        "limit": 1000,
        "offset": 0,
        "time-range": {
          "end": "2025-04-10T06:48:48.637Z",
          "start": "2025-04-10T06:48:48.637Z"
        },
        "timezone": "string",
        "url": "/eventmgmt/adom/<adom_name>/alerts"
      }
    ],
    "session": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "content-length": "140",
    "content-type": "application/json",
    "date": "Thu, 2 May 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Search Logs

Initiates a task to search logs in FortiAnalyzer with the specified parameters; a 'params' JSON body input is required.

- Endpoint URL: `/logview/logsearch`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Optional | An identifier established by the client |
| jsonrpc | string | Optional | A string specifying the JSON-RPC protocol version |
| method | string | Optional | A string containing the method name to be invoked |
| params | array | Optional | A structure that holds the parameter values |
| params.apiver | number | Required | Current API version |
| params.case-sensitive | boolean | Optional | Case sensitivity in filter |
| params.device | array | Required | Device filter. For all devices of some type, please use the All Device ID |
| params.device.csfname | string | Optional | Name of the security fabric. Format: csfname, e.g. 'corp-sf' |
| params.device.devid | string | Optional | Format: devid[vdom], e.g. 'FGT60C0000000001[root]' |
| params.device.devname | string | Optional | Format: devname[vdom], e.g. 'FGT-Vancouver[traffic]' |
| params.filter | string | Optional | Filter expression |
| params.logtype | string | Required | The name of the logtype |
| params.time-order | string | Optional | Sort the result in descending or ascending order by time |
| params.time-range | object | Required | Time range for log selection |
| params.time-range.end | string | Required | Ending date/time. If no timezone info is specified within the time range, it is interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'yyyy-MM-dd HH:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.time-range.start | string | Required | Starting date/time. If no timezone info is specified within the time range, it is interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'yyyy-MM-dd HH:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.timezone | string | Optional | The timezone index or name. The time range in the request and any date/time in the response will follow this timezone |
| params.url | string | Required | The resource path to log search |
| session | string | Optional | The cookie of an active session in FortiAnalyzer |

#### Input example

```json
{
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "method": "add",
    "params": [
      {
        "apiver": 3,
        "case-sensitive": false,
        "device": [
          {
            "csfname": "corp-sf",
            "devid": "FGT60C0000000001[root]",
            "devname": "FGT-Vancouver[traffic]"
          }
        ],
        "filter": "",
        "logtype": "traffic",
        "time-order": "desc",
        "time-range": {
          "end": "2019-07-03T17:16:35",
          "start": "2019-07-02T17:16:35"
        },
        "timezone": "string",
        "url": "/logview/adom/root/logsearch"
      }
    ],
    "session": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| jsonrpc | string | Output field jsonrpc |
| result | object | Result of the operation |
| result.tid | number | Unique identifier of the search task |

#### Output example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "result": {
      "tid": 0
    }
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 2 May 2024 20:37:23 GMT |
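As an added example that is not part of the connector or of Swimlane's code, the following Python builds the JSON-RPC bodies for both actions from the constraints documented above (limit bounds, the two accepted time-range formats, the documented device filter keys) and extracts the task id from a Search Logs response, failing on a non-200 status or a missing result. The time-format regex, 'asc' as the counterpart of the 'desc' time-order value, and the sample response are my assumptions.

```python
"""Request builders and response check for the Get Alerts and Search Logs actions above."""
import re

# Documented time-range formats: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339, fractional seconds
# allowed as in the example) or 'yyyy-MM-dd HH:mm:ss' without timezone info (assumed regex).
_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")
_DEVICE_KEYS = {"csfname", "devid", "devname"}  # the only documented device filter keys

def _time_range(start, end):
    # Reject malformed endpoints locally instead of letting FortiAnalyzer guess the timezone.
    for value in (start, end):
        if not _TIME_RE.match(value):
            raise ValueError(f"time-range value {value!r} is not in a documented format")
    return {"start": start, "end": end}

def get_alerts_request(adom, start, end, *, limit=1000, offset=0, filter_expr="",
                       timezone=None, session=None, req_id="1"):
    """JSON body for Get Alerts: JSON-RPC 'get' on /eventmgmt/adom/<adom>/alerts."""
    if not 1 <= limit <= 2000:  # documented bounds (min 1, max 2000)
        raise ValueError("limit must be between 1 and 2000")
    params = {"apiver": 3, "filter": filter_expr, "limit": limit, "offset": offset,
              "time-range": _time_range(start, end), "url": f"/eventmgmt/adom/{adom}/alerts",
              **({"timezone": timezone} if timezone else {})}
    return {"id": req_id, "jsonrpc": "2.0", "method": "get", "params": [params],
            **({"session": session} if session else {})}  # cookie of an active session

def log_search_request(adom, logtype, devices, start, end, *, filter_expr="",
                       case_sensitive=False, time_order="desc", session=None, req_id="1"):
    """JSON body for Search Logs: JSON-RPC 'add' on /logview/adom/<adom>/logsearch."""
    if time_order not in ("asc", "desc"):  # 'asc' assumed as the counterpart of 'desc'
        raise ValueError("time-order must be 'asc' or 'desc'")
    if not devices or any(not d or set(d) - _DEVICE_KEYS for d in devices):
        raise ValueError("device filter is required and may only use csfname/devid/devname")
    params = {"apiver": 3, "case-sensitive": case_sensitive, "device": list(devices),
              "filter": filter_expr, "logtype": logtype, "time-order": time_order,
              "time-range": _time_range(start, end), "url": f"/logview/adom/{adom}/logsearch"}
    return {"id": req_id, "jsonrpc": "2.0", "method": "add", "params": [params],
            **({"session": session} if session else {})}

def search_task_id(response):
    """Return result.tid from a Search Logs response; fail loudly on HTTP or RPC errors."""
    if response.get("status_code") != 200:
        raise RuntimeError(f"HTTP {response.get('status_code')}: {response.get('reason')}")
    result = (response.get("json_body") or {}).get("result")
    if not isinstance(result, dict) or "tid" not in result:
        raise RuntimeError(f"no task id in response body: {response.get('json_body')}")
    return result["tid"]

# Constructed sample modelled on the Search Logs output example (not a captured response).
SAMPLE_SEARCH_RESPONSE = {"status_code": 200, "response_headers": {}, "reason": "OK",
                          "json_body": {"id": "1", "jsonrpc": "2.0", "result": {"tid": 42}}}
```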