# Fortinet FortiSIEM
The Fortinet FortiSIEM connector enables seamless integration with Swimlane Turbine, allowing for automated security monitoring and incident response. Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides real-time visibility across an organization's security posture. This connector enables Swimlane Turbine users to automate incident retrieval, agent status checks, device information gathering, and incident updates directly within the Swimlane platform. By integrating with Fortinet FortiSIEM, users can streamline their security operations, enhance incident response times, and leverage detailed event analysis for informed decision making.

## Prerequisites

To effectively utilize the Fortinet FortiSIEM connector within Swimlane Turbine, ensure you have the following prerequisites:

HTTP Basic Authentication with the following parameters:

- URL: endpoint URL for the FortiSIEM API
- Username: your FortiSIEM account username
- Password: your FortiSIEM account password

## Capabilities

This connector provides the following capabilities:

- Fetch Incidents
- Get Agent Status by Host
- Get Incidents/Events
- Get Incidents/Events by Query ID
- Get Incident by Incident ID
- Get Devices
- Get Device Information
- Get Triggering Events
- Update Incident
- Update Incident External

## API Documentation Link

FortiSIEM API documentation link: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e499a132-794a-11ec-bdf2-fa163e15d75b/fortisiem-6.5.0-integration-api-guide.pdf#discover

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| Username | Username | string | Required |
| Password | Password | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Fetch Incidents

Retrieve incidents from the Fortinet FortiSIEM database using a specified time range defined by 'timeFrom' and 'timeTo'.

Endpoint URL: `/phoenix/rest/pub/incident`

Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| filters | object | Optional | Parameter for Fetch Incidents |
| status | array | Optional | Status value |
| incidentId | array | Optional | Unique identifier |
| start | number | Optional | Parameter for Fetch Incidents |
| size | number | Optional | Parameter for Fetch Incidents |
| timeFrom | number | Required | Parameter for Fetch Incidents |
| timeTo | number | Required | Parameter for Fetch Incidents |
| orderBy | string | Optional | Parameter for Fetch Incidents |
| descending | boolean | Optional | Parameter for Fetch Incidents |
| fields | array | Optional | Parameter for Fetch Incidents |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| start | number | Output field start |
| size | number | Output field size |
| data | array | Response data |
| incidentTitle | string | Unique identifier |
| eventSeverity | number | Output field eventSeverity |
| incidentFirstSeen | number | Unique identifier |
| incidentReso | number | Unique identifier |
| incidentRptIp | string | Unique identifier |
| incidentLastSeen | number | Unique identifier |
| incidentSrc | string | Unique identifier |
| count | number | Count value |
| attackTechnique | string | Output field attackTechnique |
| eventType | string | Type of the resource |
| phIncidentCategory | number | Unique identifier |
| incidentClearedTime | number | Unique identifier |
| incidentTarget | string | Unique identifier |
| attackTactic | string | Output field attackTactic |
| eventSeverityCat | string | Output field eventSeverityCat |
| incidentDetail | string | Unique identifier |
| incidentRptDevName | string | Unique identifier |
| eventName | string | Name of the resource |
| incidentId | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "total": 317,
      "start": 0,
      "size": 10,
      "data": []
    }
  }
]
```

### Get Agent Status by Host

Retrieve the status of an agent on a specified host within a given organization in Fortinet FortiSIEM, requiring orgId and hostName.

Endpoint URL: `/phoenix/rest/agentStatus/all?request={{orgId}},{{hostName}}`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| orgId | number | Required | Unique identifier |
| hostName | string | Required | Name of the resource |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| type | string | Type of the resource |
| agentStatus | string | Status value |
| policyId | string | Unique identifier |
| heartbeatTime | string | Time value |
| lastEventReceiveTime | string | Time value |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "type": "968352",
      "agentStatus": "1",
      "policyId": "1234",
      "heartbeatTime": "1621557630000",
      "lastEventReceiveTime": "1621557630000"
    }
  }
]
```

### Get Device Info

Retrieve detailed information for specified devices in Fortinet FortiSIEM using device IPs and load dependencies.

Endpoint URL: `/phoenix/rest/cmdbDeviceInfo/devices`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| device_ips | string | Required | Parameter for Get Device Info |
| loadDepend | string | Required | Parameter for Get Device Info |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| deviceType.vendor | string | Type of the resource |
| deviceType.version | string | Type of the resource |
| deviceType.model | string | Type of the resource |
| accessIp | string | Output field accessIp |
| unmanaged | string | Output field unmanaged |
| approved | string | Output field approved |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "name": "super",
      "deviceType.vendor": "FortiSIEM",
      "deviceType.version": "3.9.0",
      "deviceType.model": "6501741.5835",
      "accessIp": "10.165.6.2",
      "unmanaged": "unmanaged",
      "approved": "yes"
    }
  }
]
```

### Get Devices

Retrieves a list of devices managed by Fortinet FortiSIEM for monitoring and analysis.

Endpoint URL: `/phoenix/rest/cmdbDeviceInfo/devices`

Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| deviceType.vendor | string | Type of the resource |
| deviceType.version | string | Type of the resource |
| deviceType.model | string | Type of the resource |
| accessIp | string | Output field accessIp |
| unmanaged | string | Output field unmanaged |
| approved | string | Output field approved |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "name": "super",
      "deviceType.vendor": "FortiSIEM",
      "deviceType.version": "3.9.0",
      "deviceType.model": "6501741.5835",
      "accessIp": "10.165.6.2",
      "unmanaged": "unmanaged",
      "approved": "yes"
    }
  }
]
```

### Get Incident by ID

Retrieve detailed information for a specific incident in Fortinet FortiSIEM using the provided incident ID.

Endpoint URL: `/phoenix/rest/query/eventQuery`

Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| incidentId | string | Required | Unique identifier |
| timeout_mins | number | Optional | Parameter for Get Incident by ID |
| minutes_ago | string | Optional | Parameter for Get Incident by ID |
| get_query_id | boolean | Optional | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queryId | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "queryId": "12345"
    }
  }
]
```

### Get Incidents

Retrieve a list of incidents/events from Fortinet FortiSIEM for further analysis or response.

Endpoint URL: `/phoenix/rest/query/eventQuery`

Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| timeout_mins | number | Optional | Parameter for Get Incidents |
| minutes_ago | string | Optional | Parameter for Get Incidents |
| get_query_id | boolean | Optional | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queryId | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "queryId": "12345"
    }
  }
]
```

### Get Incidents by Query ID

Retrieve specific incidents or events from Fortinet FortiSIEM within a time range using a query ID.

Endpoint URL: `/phoenix/rest/query/events/{{query_id}}/{{begin}}/{{end}}`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| begin | string | Required | Parameter for Get Incidents by Query ID |
| end | string | Required | Parameter for Get Incidents by Query ID |
| query_id | string | Required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| raw_json | object | Output field raw_json |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "raw_json": {}
    }
  }
]
```

### Get Triggering Events

Retrieve the raw events that initiated an incident in Fortinet FortiSIEM, using incidentId, timeTo, and timeFrom parameters.

Endpoint URL: `/phoenix/rest/pub/incident/triggeringEvents`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| incidentId | number | Required | The incident ID for which we are retrieving underlying events |
| timeTo | number | Required | This is the ending time range to retrieve raw events for this incident. The max interval from timeTo and timeFrom cannot exceed 24 hours |
| timeFrom | number | Required | This is the start time range to search raw events for the given incident ID. The max interval from timeTo and timeFrom cannot exceed 24 hours |
| size | number | Optional | This is an optional size parameter, the number of raw events to return. Default is 10, max is 100 |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| code | number | Output field code |
| description | string | Output field description |
| data | array | Response data |
| custId | number | Unique identifier |
| index | number | Output field index |
| id | number | Unique identifier |
| eventType | string | Type of the resource |
| receiveTime | number | Time value |
| rawMessage | string | Response message |
| nid | number | Unique identifier |
| attributes | object | Output field attributes |
| user | string | Output field user |
| reportingIp | string | Output field reportingIp |
| eventParserName | string | Name of the resource |
| eventAttributes | array | Output field eventAttributes |
| dataStr | object | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Tue, 06 Aug 2024 07:25:19 GMT",
      "Server": "Apache/2.4.41 (Ubuntu)",
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Content-Encoding": "gzip",
      "Content-Length": "1467",
      "Connection": "close",
      "Content-Type": "text/html;charset=UTF-8"
    },
    "reason": "OK",
    "json_body": {
      "result": {},
      "data": []
    }
  }
]
```

### Update Incident

Updates an existing incident in Fortinet FortiSIEM by using the provided incident ID.

Endpoint URL: `/phoenix/rest/pub/incident/update/{{incidentId}}`

Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| incidentId | string | Required | Unique identifier |
| incidentExtUser | string | Optional | Unique identifier |
| incidentExtClearedTime | string | Optional | Unique identifier |
| incidentExtTicketId | string | Optional | Unique identifier |
| incidentExtTicketState | string | Optional | Unique identifier |
| incidentExtTicketType | string | Optional | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "raw_json": {}
    }
  }
]
```

### Update Incident External

Updates a specified FortiSIEM incident by the provided incidentId. A JSON body with updated details is required.

Endpoint URL: `/phoenix/rest/incident/external`

Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| incidentId | number | Required | This is the unique incident ID for this individual incident |
| severity | number | Optional | Integer severity 1-10 (1-4 low, 5-8 medium, 9-10 high) |
| resolution | number | Optional | Integer resolution code (0-4) |
| incidentStatus | number | Optional | Integer status code (0-3) |
| externalAssignedUser | string | Optional | The user as defined in the external ticketing system |
| externalClearTime | number | Optional | The cleared time as defined in the external ticketing system, in epoch millis |
| externalTicketId | number | Optional | This is the ticket ID as defined in the external system |
| externalTicketState | string | Optional | This is the state of the case as defined in the external system |
| externalTicketType | string | Optional | External ticket system ticket type |
| playbook | string | Optional | This is the playbook that was executed on the incident |
| comments | string | Optional | Investigation notes to be added to this individual incident |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1467 |
| Content-Type | The media type of the resource | text/html;charset=UTF-8 |
| Date | The date and time at which the message was originated | Tue, 06 Aug 2024 07:25:19 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 19 Nov 1981 08:52:00 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | Apache/2.4.41 (Ubuntu) |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |

## Notes

For more information on FortiSIEM: FortiSIEM main site https://www.fortinet.com/products/siem/fortisiem
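The Get Triggering Events and Update Incident External actions above carry input constraints (a 24-hour maximum between timeFrom and timeTo, a size cap of 100, and integer ranges for severity, resolution and incidentStatus) that the FortiSIEM API will reject if violated. The following added example, which is not part of the connector or of Fortinet's code, checks those constraints on the client side before a request is built and shows the HTTP Basic authentication the connector uses; it assumes camelCase parameter names and a placeholder base URL.

```python
import base64
import json
import urllib.request

# Limits taken from the action documentation above.
MAX_TRIGGERING_WINDOW_MS = 24 * 60 * 60 * 1000   # timeTo - timeFrom must not exceed 24 hours
MAX_TRIGGERING_SIZE = 100                        # size: default 10, max 100
EXTERNAL_RANGES = {"severity": (1, 10), "resolution": (0, 4), "incidentStatus": (0, 3)}


def triggering_events_params(incident_id, time_from, time_to, size=10):
    """Query parameters for GET /phoenix/rest/pub/incident/triggeringEvents (epoch millis)."""
    if not 0 < time_to - time_from <= MAX_TRIGGERING_WINDOW_MS:
        raise ValueError("timeTo must be after timeFrom and at most 24 hours later")
    if not 1 <= size <= MAX_TRIGGERING_SIZE:
        raise ValueError("size must be between 1 and 100")
    return {"incidentId": incident_id, "timeFrom": time_from, "timeTo": time_to, "size": size}


def external_update_errors(fields):
    """Return the documented integer-range violations in an Update Incident External payload."""
    errors = []
    for name, (low, high) in EXTERNAL_RANGES.items():
        value = fields.get(name)
        if value is not None and not low <= value <= high:
            errors.append(f"{name} must be between {low} and {high}")
    return errors


def external_update_body(incident_id, **fields):
    """JSON body for POST /phoenix/rest/incident/external; unset optional fields are omitted."""
    errors = external_update_errors(fields)
    if errors:
        raise ValueError("; ".join(errors))
    return {"incidentId": incident_id, **{k: v for k, v in fields.items() if v is not None}}


def basic_auth_header(username, password):
    """HTTP Basic Authentication header, as used by the connector's configuration."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def post_json(base_url, path, body, username, password, timeout=30):
    """Send a JSON POST with Basic auth over urllib; returns (status_code, parsed JSON body)."""
    headers = {"Content-Type": "application/json", **basic_auth_header(username, password)}
    req = urllib.request.Request(base_url.rstrip("/") + path, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verification stays on by default
        return resp.status, json.loads(resp.read() or b"{}")
```

A call such as `post_json("https://fortisiem.example.invalid", "/phoenix/rest/incident/external", external_update_body(1234, severity=9, comments="Triage started"), user, password)` (constructed values, placeholder host) sends the validated body; the network call is deliberately separated from the validation so the checks can be unit-tested offline.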