# Fortinet FortiSIEM
The Fortinet FortiSIEM connector enables seamless integration with Swimlane Turbine, allowing for automated security monitoring and incident response. Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides real-time visibility across an organization's security posture. This connector enables Swimlane Turbine users to automate incident retrieval, agent status checks, device information gathering, and incident updates directly within the Swimlane platform. By integrating with Fortinet FortiSIEM, users can streamline their security operations, enhance incident response times, and leverage detailed event analysis for informed decision-making.

## Prerequisites

To effectively utilize the Fortinet FortiSIEM connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: endpoint URL for the FortiSIEM API
  - Username: your FortiSIEM account username
  - Password: your FortiSIEM account password

## Capabilities

This connector provides the following capabilities:

- Fetch Incidents
- Get Agent Status by Host
- Get Incidents/Events
- Get Incidents/Events by Query ID
- Get Incident by Incident ID
- Get Devices
- Get Device Information
- Get Triggering Events
- Update Incident
- Update Incident External

## Notes

- For more information on FortiSIEM: https://www.fortinet.com/products/siem/fortisiem
- API documentation link: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e499a132-794a-11ec-bdf2-fa163e15d75b/fortisiem-6.5.0-integration-api-guide.pdf#discover

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Incidents

Retrieve incidents from the Fortinet FortiSIEM database using a specified time range defined by `timeFrom` and `timeTo`.

- Endpoint URL: `/phoenix/rest/pub/incident`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filters | object | optional | Parameter for Fetch Incidents |
| filters.status | array | optional | Status value |
| filters.incidentId | array | optional | Unique identifier |
| start | number | optional | Parameter for Fetch Incidents |
| size | number | optional | Parameter for Fetch Incidents |
| timeFrom | number | optional | Parameter for Fetch Incidents |
| timeTo | number | optional | Parameter for Fetch Incidents |
| orderBy | string | optional | Parameter for Fetch Incidents |
| descending | boolean | optional | Parameter for Fetch Incidents |
| fields | array | optional | Parameter for Fetch Incidents |

Input example:

```json
{
  "json_body": {
    "filters": {"status": [0], "incidentId": [8064]},
    "start": 0,
    "size": 500,
    "timeFrom": 1620677781736,
    "timeTo": 1620684981736,
    "orderBy": "incidentLastSeen",
    "descending": true,
    "fields": [
      "eventSeverityCat", "eventSeverity", "incidentLastSeen", "incidentFirstSeen",
      "eventType", "eventName", "incidentSrc", "incidentTarget", "incidentDetail",
      "incidentRptIp", "incidentRptDevName", "incidentStatus", "incidentComments",
      "customer", "incidentClearedReason", "incidentClearedTime", "incidentClearedUser",
      "count", "incidentId", "incidentSrc", "incidentTarget", "incidentExtUser",
      "incidentExtClearedTime", "incidentExtTicketId", "incidentExtTicketState",
      "incidentExtTicketType", "incidentReso", "phIncidentCategory",
      "phSubIncidentCategory", "incidentTitle", "attackTechnique", "attackTactic"
    ]
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| start | number | Output field start |
| size | number | Output field size |
| data | array | Response data |
| data.incidentTitle | string | Response data |
| data.eventSeverity | number | Response data |
| data.incidentFirstSeen | number | Response data |
| data.incidentReso | number | Response data |
| data.incidentRptIp | string | Response data |
| data.incidentLastSeen | number | Response data |
| data.incidentSrc | string | Response data |
| data.count | number | Response data |
| data.attackTechnique | string | Response data |
| data.eventType | string | Response data |
| data.phIncidentCategory | number | Response data |
| data.incidentClearedTime | number | Response data |
| data.incidentTarget | string | Response data |
| data.attackTactic | string | Response data |
| data.eventSeverityCat | string | Response data |
| data.incidentDetail | string | Response data |
| data.incidentRptDevName | string | Response data |
| data.eventName | string | Response data |
| data.incidentId | number | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"total": 317, "start": 0, "size": 10, "data": [{}]}}
```

### Get Agent Status by Host

Retrieve the status of an agent on a specified host within a given organization in Fortinet FortiSIEM; requires `orgId` and `hostName`.

- Endpoint URL: `/phoenix/rest/agentStatus/all?request={{orgId}},{{hostName}}`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.orgId | number | required | Parameters for the Get Agent Status by Host action |
| path_parameters.hostName | string | required | Parameters for the Get Agent Status by Host action |

Input example:

```json
{"path_parameters": {"orgId": 12134, "hostName": "fsm-test-6501741-5835"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| type | string | Type of the resource |
| agentStatus | string | Status value |
| policyId | string | Unique identifier |
| heartBeatTime | string | Time value |
| lastEventReceiveTime | string | Time value |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"type": "968352", "agentStatus": "1", "policyId": "1234", "heartBeatTime": "1621557630000", "lastEventReceiveTime": "1621557630000"}}
```

### Get Device Info

Retrieve detailed information for specified devices in Fortinet FortiSIEM using device IPs and load dependencies.

- Endpoint URL: `/phoenix/rest/cmdbDeviceInfo/devices`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.device_ips | string | required | Parameters for the Get Device Info action |
| parameters.loadDepend | string | required | Parameters for the Get Device Info action |

Input example:

```json
{"parameters": {"device_ips": "10.165.6.2,10.165.6.3", "loadDepend": "true"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| deviceType.vendor | string | Type of the resource |
| deviceType.version | string | Type of the resource |
| deviceType.model | string | Type of the resource |
| accessIp | string | Output field accessIp |
| unmanaged | string | Output field unmanaged |
| approved | string | Output field approved |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"name": "super", "deviceType.vendor": "FortiSIEM", "deviceType.version": "3.9.0", "deviceType.model": "6501741-5835", "accessIp": "10.165.6.2", "unmanaged": "unmanaged", "approved": "yes"}}
```

### Get Devices

Retrieves a list of devices managed by Fortinet FortiSIEM for monitoring and analysis.

- Endpoint URL: `/phoenix/rest/cmdbDeviceInfo/devices`
- Method: GET

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| deviceType.vendor | string | Type of the resource |
| deviceType.version | string | Type of the resource |
| deviceType.model | string | Type of the resource |
| accessIp | string | Output field accessIp |
| unmanaged | string | Output field unmanaged |
| approved | string | Output field approved |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"name": "super", "deviceType.vendor": "FortiSIEM", "deviceType.version": "3.9.0", "deviceType.model": "6501741-5835", "accessIp": "10.165.6.2", "unmanaged": "unmanaged", "approved": "yes"}}
```

### Get Incident by ID

Retrieve detailed information for a specific incident in Fortinet FortiSIEM using the provided incident ID.

- Endpoint URL: `/phoenix/rest/query/eventQuery`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.incidentId | string | required | Parameters for the Get Incident by ID action |
| parameters.timeout_mins | number | optional | Parameters for the Get Incident by ID action |
| parameters.minutes_ago | string | optional | Parameters for the Get Incident by ID action |
| parameters.get_query_id | boolean | optional | Parameters for the Get Incident by ID action |

Input example:

```json
{"parameters": {"incidentId": "8064", "timeout_mins": 10, "minutes_ago": "524160", "get_query_id": false}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queryId | string | Unique identifier |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"queryId": "12345"}}
```

### Get Incidents

Retrieve a list of incidents/events from Fortinet FortiSIEM for further analysis or response.

- Endpoint URL: `/phoenix/rest/query/eventQuery`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.timeout_mins | number | optional | Parameters for the Get Incidents action |
| parameters.minutes_ago | string | optional | Parameters for the Get Incidents action |
| parameters.get_query_id | boolean | optional | Parameters for the Get Incidents action |

Input example:

```json
{"parameters": {"timeout_mins": 10, "minutes_ago": "524160", "get_query_id": false}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| queryId | string | Unique identifier |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"queryId": "12345"}}
```

### Get Incidents by Query ID

Retrieve specific incidents or events from Fortinet FortiSIEM within a time range using a query ID.

- Endpoint URL: `/phoenix/rest/query/events/{{query_id}}/{{begin}}/{{end}}`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.begin | string | required | Parameters for the Get Incidents by Query ID action |
| path_parameters.end | string | required | Parameters for the Get Incidents by Query ID action |
| path_parameters.query_id | string | required | Parameters for the Get Incidents by Query ID action |

Input example:

```json
{"path_parameters": {"begin": "0", "end": "1000", "query_id": "12345"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| raw_json | object | Output field raw_json |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"raw_json": {}}}
```

### Get Triggering Events

Retrieve the raw events that initiated an incident in Fortinet FortiSIEM, using the `incidentId`, `timeTo`, and `timeFrom` parameters.

- Endpoint URL: `/phoenix/rest/pub/incident/triggeringEvents`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.incidentId | number | required | The incident ID for which the underlying events are retrieved |
| parameters.timeTo | number | required | The end of the time range in which to retrieve raw events for this incident. The interval between `timeFrom` and `timeTo` cannot exceed 24 hours. |
| parameters.timeFrom | number | required | The start of the time range in which to search raw events for the given incident ID. The interval between `timeFrom` and `timeTo` cannot exceed 24 hours. |
| parameters.size | number | optional | The number of raw events to return. Default is 10; maximum is 100. |

Input example:

```json
{"parameters": {"incidentId": 123456, "timeTo": 1685985215000, "timeFrom": 1685985216000, "size": 20}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | object | Result of the operation |
| result.code | number | Result of the operation |
| result.description | string | Result of the operation |
| data | array | Response data |
| data.custId | number | Response data |
| data.index | number | Response data |
| data.id | number | Response data |
| data.eventType | string | Response data |
| data.receiveTime | number | Response data |
| data.rawMessage | string | Response data |
| data.nid | number | Response data |
| data.attributes | object | Response data |
| data.attributes.user | string | Response data |
| data.attributes.reporting ip | string | Response data |
| data.attributes.event parser name | string | Response data |
| data.eventAttributes | array | Response data |
| data.dataStr | object | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Date": "Tue, 06 Aug 2024 07:25:19 GMT", "Server": "Apache/2.4.41 (Ubuntu)", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Expires": "Thu, 19 Nov 1981 08:52:00 GMT", "Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache", "Content-Encoding": "gzip", "Content-Length": "1467", "Connection": "close", "Content-Type": "text/html;charset=UTF-8"}, "reason": "OK", "json_body": {"result": {"code": 0, "description": "1 event found in this time range
```

### Update Incident

Updates an existing incident in Fortinet FortiSIEM using the provided incident ID.

- Endpoint URL: `/phoenix/rest/pub/incident/update/{{incidentId}}`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incidentId | string | required | Parameters for the Update Incident action |
| incidentExtUser | string | optional | Unique identifier |
| incidentExtClearedTime | string | optional | Unique identifier |
| incidentExtTicketId | string | optional | Unique identifier |
| incidentExtTicketState | string | optional | Unique identifier |
| incidentExtTicketType | string | optional | Unique identifier |

Input example:

```json
{"json_body": {"incidentExtUser": "user a", "incidentExtClearedTime": "1620677781736", "incidentExtTicketId": "ins00456", "incidentExtTicketState": "closed", "incidentExtTicketType": "in process"}, "path_parameters": {"incidentId": "8064"}}
```

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"raw_json": {}}, "type": "object", "properties": {"json_body": {"title": "json_body", "examples": [], "type": "object", "properties": {}, "required": [], "additionalProperties": true}}, "required": [], "additionalProperties": true}
```

### Update Incident External

Updates a specified FortiSIEM incident identified by the provided `incidentId`. A JSON body with the updated details is required.

- Endpoint URL: `/phoenix/rest/incident/external`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incidentId | number | optional | The unique incident ID for this individual incident |
| severity | number | optional | Integer severity 1-10 (1-4 low, 5-8 medium, 9-10 high) |
| resolution | number | optional | Integer resolution code (0-4) |
| incidentStatus | number | optional | Integer status code (0-3) |
| externalAssignedUser | string | optional | The user as defined in the external ticketing system |
| externalClearTime | number | optional | The cleared time as defined in the external ticketing system, in epoch millis |
| externalTicketId | number | optional | The ticket ID as defined in the external system |
| externalTicketState | string | optional | The state of the case as defined in the external system |
| externalTicketType | string | optional | External ticket system ticket type |
| playbook | string | optional | The playbook that was executed on the incident |
| comments | string | optional | Investigation notes to be added to this individual incident |

Input example:

```json
{"json_body": {"incidentId": 22, "severity": 9, "resolution": 1, "incidentStatus": 0, "externalAssignedUser": "myuser", "externalClearTime": 1683595260000, "externalTicketId": 12345, "externalTicketState": "closed", "externalTicketType": "incident", "playbook": "blockiocs", "comments": "this is a test comment"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | close |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1467 |
| Content-Type | The media type of the resource | text/html;charset=UTF-8 |
| Date | The date and time at which the message was originated | Tue, 06 Aug 2024 07:25:19 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 19 Nov 1981 08:52:00 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | Apache/2.4.41 (Ubuntu) |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
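As an added example that is not part of the Swimlane connector or of FortiSIEM, the Python below builds the Fetch Incidents body and the Get Triggering Events query parameters described above and applies the documented constraints (epoch-millisecond times, a window of at most 24 hours, size between 1 and 100) before anything is sent. The function names and the default field list are this example's own assumptions; note that the Get Triggering Events input example above passes a `timeTo` earlier than `timeFrom`, which the check flags.

```python
# Added example, not code from the Swimlane connector or the FortiSIEM API: builds and
# checks the request payloads documented above for Fetch Incidents and Get Triggering
# Events. No network calls are made; the returned dicts are what a caller would send.
from datetime import datetime, timezone

MS_PER_HOUR = 3_600_000
TRIGGERING_MAX_WINDOW_MS = 24 * MS_PER_HOUR  # documented 24-hour limit on timeFrom..timeTo
TRIGGERING_MAX_SIZE = 100                    # documented maximum for size (default 10)


def to_epoch_ms(ts: datetime) -> int:
    """FortiSIEM time fields are epoch milliseconds; a naive datetime is read as UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)


def fetch_incidents_body(time_from_ms: int, time_to_ms: int, *, statuses=(0,),
                         fields=("incidentId", "incidentTitle", "eventSeverity"),
                         start: int = 0, size: int = 500) -> dict:
    """Body for POST /phoenix/rest/pub/incident, newest incidents first (field list assumed)."""
    if time_from_ms >= time_to_ms:
        raise ValueError("timeFrom must be earlier than timeTo")
    return {"filters": {"status": list(statuses)}, "start": start, "size": size,
            "timeFrom": time_from_ms, "timeTo": time_to_ms,
            "orderBy": "incidentLastSeen", "descending": True, "fields": list(fields)}


def triggering_events_problems(time_from_ms: int, time_to_ms: int, size: int = 10) -> list:
    """Return the documented constraints a Get Triggering Events call would violate."""
    problems = []
    if time_from_ms >= time_to_ms:
        problems.append("timeFrom must be earlier than timeTo")
    elif time_to_ms - time_from_ms > TRIGGERING_MAX_WINDOW_MS:
        problems.append("timeFrom..timeTo window exceeds 24 hours")
    if not 1 <= size <= TRIGGERING_MAX_SIZE:
        problems.append("size must be between 1 and 100")
    return problems


def triggering_events_params(incident_id: int, time_from_ms: int, time_to_ms: int,
                             size: int = 10) -> dict:
    """Query params for GET /phoenix/rest/pub/incident/triggeringEvents, validated first."""
    problems = triggering_events_problems(time_from_ms, time_to_ms, size)
    if problems:
        raise ValueError("; ".join(problems))
    return {"incidentId": incident_id, "timeFrom": time_from_ms, "timeTo": time_to_ms,
            "size": size}
```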