# Forti Analyzer

FortiAnalyzer is Fortinet's centralized logging, analysis, and reporting solution for Fortinet security devices, giving visibility into network security events. This connector lets Swimlane Turbine users automate the retrieval and analysis of security alerts and logs from FortiAnalyzer. Integrating FortiAnalyzer with Swimlane Turbine lets security teams streamline operations, shorten incident response times, and gain deeper insight into their security posture through automated workflows.

## Prerequisites

Before you can use the FortiAnalyzer connector for Turbine, you need access to the FortiAnalyzer API. The connector uses custom authentication with the following parameters:

- URL: the endpoint URL for accessing FortiAnalyzer services
- JSON-RPC: the protocol used for remote procedure calls
- Username: your FortiAnalyzer account username
- Password: the password associated with your FortiAnalyzer account

## Capabilities

This connector provides the following capabilities:

- Get Alerts
- Search Logs

## Notes

FortiAnalyzer API documentation for the connector: https://fndn.fortinet.net/index.php?/fortiapi/175-fortianalyzer/4091/175/logview/

Additional documentation: https://docs.swimlane.com/connectors/forti-analyzer

## Configurations

### FortiAnalyzer API Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| jsonrpc | JSON Remote Procedure Call | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Alerts

Fetches alert events from FortiAnalyzer for monitoring and analysis of security alerts. Requires a `json_body` input.

Endpoint URL: `/eventmgmt/alerts`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | An identifier established by the client |
| jsonrpc | string | optional | A string specifying the JSON-RPC protocol version |
| method | string | optional | A string containing the method name to be invoked |
| params | array | optional | Parameters for Get Alerts |
| params.apiver | number | required | Current API version |
| params.filter | string | optional | Filter expression. 'event_value', 'severity', 'trigger_name', 'count', 'comment' and 'flags' are supported, i.e. `trigger_name='Local Device Event' and severity >= 3` |
| params.limit | number | optional | The max number of records to get (min 1, max 2000) |
| params.offset | number | optional | Offset of records to get |
| params.time-range | object | optional | Time range for data selection |
| params.time-range.end | string | required | Ending date/time. Interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone if no timezone info is given within time-range. Format 'YYYY-MM-DD'T'hh:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'YYYY-MM-DD hh:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.time-range.start | string | required | Starting date/time. Interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone if no timezone info is given within time-range. Format 'YYYY-MM-DD'T'hh:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'YYYY-MM-DD hh:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.timezone | string | optional | The timezone index or name. The time-range in the request and any date/time in the response follow this timezone |
| params.url | string | required | The resource path to alert events, for example `/eventmgmt/adom/<adom_name>/alerts` |
| session | string | optional | The cookie of an active session in FortiAnalyzer |

Input example:

```json
{
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "method": "get",
    "params": [
      {
        "apiver": 3,
        "filter": "",
        "limit": 1000,
        "offset": 0,
        "time-range": {
          "end": "2025-04-10T06:48:48.637Z",
          "start": "2025-04-10T06:48:48.637Z"
        },
        "timezone": "string",
        "url": "/eventmgmt/adom/<adom_name>/alerts"
      }
    ],
    "session": "string"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Thu, 2 May 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Search Logs

Initiates a task to search logs in FortiAnalyzer using the specified parameters. Requires a `params` JSON body input.

Endpoint URL: `/logview/logsearch`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | An identifier established by the client |
| jsonrpc | string | optional | A string specifying the JSON-RPC protocol version |
| method | string | optional | A string containing the method name to be invoked |
| params | array | optional | A structure that holds the parameter values |
| params.apiver | number | required | Current API version |
| params.case-sensitive | boolean | optional | Case sensitivity in filter |
| params.device | array | required | Device filter. For all devices of a given type, use the all-device ID |
| params.device.csfname | string | optional | Name of the Security Fabric. Format: csfname, e.g. 'Corp-SF' |
| params.device.devid | string | optional | Format: devid[vdom], e.g. 'FGT60C0000000001[root]' |
| params.device.devname | string | optional | Format: devname[vdom], e.g. 'FGT-Vancouver[traffic]' |
| params.filter | string | optional | Filter expression |
| params.logtype | string | required | The name of the logtype |
| params.time-order | string | optional | Sort results in descending or ascending order by time |
| params.time-range | object | required | Time range for log selection |
| params.time-range.end | string | required | Ending date/time. Interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone if no timezone info is given within time-range. Format is 'YYYY-MM-DD'T'hh:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'YYYY-MM-DD hh:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.time-range.start | string | required | Starting date/time. Interpreted in the timezone parameter's, the ADOM's or FortiAnalyzer's timezone if no timezone info is given within time-range. Format is 'YYYY-MM-DD'T'hh:mm:ssZ' (RFC 3339), e.g. '2016-10-17T20:45:37-07:00', or 'YYYY-MM-DD hh:mm:ss', e.g. '2016-10-17 20:45:37' |
| params.timezone | string | optional | The timezone index or name. The time-range in the request and any date/time in the response follow this timezone |
| params.url | string | required | The resource path to log search |
| session | string | optional | The cookie of an active session in FortiAnalyzer |

Input example:

```json
{
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "method": "add",
    "params": [
      {
        "apiver": 3,
        "case-sensitive": false,
        "device": [
          {
            "csfname": "Corp-SF",
            "devid": "FGT60C0000000001[root]",
            "devname": "FGT-Vancouver[traffic]"
          }
        ],
        "filter": "",
        "logtype": "traffic",
        "time-order": "desc",
        "time-range": {
          "end": "2019-07-03T17:16:35",
          "start": "2019-07-02T17:16:35"
        },
        "timezone": "string",
        "url": "/logview/adom/root/logsearch"
      }
    ],
    "session": "string"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| jsonrpc | string | Output field jsonrpc |
| result | object | Result of the operation |
| result.tid | number | Unique identifier of the search task |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "string",
    "jsonrpc": "2.0",
    "result": {
      "tid": 0
    }
  }
}
```

### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 2 May 2024 20:37:23 GMT |
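As an added example (not the connector's or Fortinet's own code), the following Python builds the Get Alerts and Search Logs request bodies described above, enforcing the two documented time-range formats and the 1 to 2000 bound on `limit`, and pulls `result.tid` out of a Search Logs reply. Function names are mine; the ADOM name and session cookie are assumed inputs obtained elsewhere.

```python
import json
import re

# The two time-range formats the connector documents: RFC 3339 (zone suffix
# optional, as in the Search Logs example) or 'YYYY-MM-DD hh:mm:ss'.
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")
LOCAL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def valid_time(value):
    """True if value matches one of the documented time-range formats."""
    return bool(RFC3339.match(value) or LOCAL.match(value))


def time_range(start, end):
    """Build the time-range object, rejecting values FortiAnalyzer would not parse."""
    for value in (start, end):
        if not valid_time(value):
            raise ValueError("bad time-range value: %r" % value)
    return {"start": start, "end": end}


def get_alerts_request(adom, start, end, session, filter_expr="", limit=1000, offset=0):
    """JSON-RPC body for Get Alerts (method 'get', url /eventmgmt/adom/<adom>/alerts)."""
    if not 1 <= limit <= 2000:  # documented bounds for 'limit'
        raise ValueError("limit must be between 1 and 2000")
    params = {"apiver": 3, "filter": filter_expr, "limit": limit, "offset": offset,
              "time-range": time_range(start, end),
              "url": "/eventmgmt/adom/%s/alerts" % adom}
    return {"id": "1", "jsonrpc": "2.0", "method": "get", "params": [params], "session": session}


def log_search_request(adom, logtype, devices, start, end, session, filter_expr="", order="desc"):
    """JSON-RPC body for Search Logs (method 'add', url /logview/adom/<adom>/logsearch).
    devices is a non-empty list of dicts using devid / devname / csfname as documented."""
    if not devices:
        raise ValueError("device filter is required")
    params = {"apiver": 3, "case-sensitive": False, "device": devices, "filter": filter_expr,
              "logtype": logtype, "time-order": order, "time-range": time_range(start, end),
              "url": "/logview/adom/%s/logsearch" % adom}
    return {"id": "1", "jsonrpc": "2.0", "method": "add", "params": [params], "session": session}


def search_task_id(reply):
    """Return result.tid from a Search Logs reply (JSON text or dict), or None if absent."""
    body = json.loads(reply) if isinstance(reply, str) else reply
    result = body.get("result")
    return result.get("tid") if isinstance(result, dict) else None
```

Wrap the returned dict as the `json_body` input of the matching action; an error reply carries no `result`, so `search_task_id` returns `None` rather than a task id.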