FortiSIEM

FortiSIEM provides organizations with a comprehensive, holistic and scalable solution, from IoT to the Cloud, with patented analytics that are actionable to tightly manage network security, performance and compliance standards, all delivered through a single pane of glass view of the organization.

Integration with LogicHub

Connecting with FortiSIEM

To connect to FortiSIEM, the following details are required:

  • Label: Connection name.
  • Server URL: Hostname or IP address of the FortiSIEM application server. Example: abc.abcd.net or 10.10.10.10
  • Domain: The domain used to connect to the FortiSIEM.
  • Username: The username used to connect to the FortiSIEM.
  • Password: The password used to connect to the FortiSIEM.
  • Server Port (Optional): Application server port to connect to the FortiSIEM (Default is 443).

Actions with FortiSIEM

Execute Event Query

Executes an event query and returns the incident attributes.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Jinja Template for Query COLUMN NAME: A Jinja-templated XML query containing the query parameters. Example for "Top FortiSIEM Events By Count":
    <Reports>
      <Report baseline="" rsSync="">
        <Name>Top FortiSIEM Events By Count</Name>
        <Description>Ranks the events by the number of times they have occurred in a given time period.</Description>
        <CustomerScope groupByEachCustomer="false"> </CustomerScope>
        <SelectClause>
          <AttrList>eventType,COUNT(*)</AttrList>
        </SelectClause>
        <OrderByClause>
          <AttrList>COUNT(*) DESC</AttrList>
        </OrderByClause>
        <PatternClause window="3600">
          <SubPattern id="1164394" name="Filter_OVERALL_STATUS">
            <GroupByAttr>eventType</GroupByAttr>
          </SubPattern>
        </PatternClause>
        <userRoles>
          <roles custId="0">1169250</roles>
        </userRoles>
        <SyncOrgs/>
      </Report>
    </Reports>

From UI
The FortiSIEM UI provides a three-step wizard to generate the query.

The wizard also lets you save the query as a report (XML) for later use. You can export the report and copy its content into the template.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: The JSON result for the query.
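The following is an added example, not part of the LogicHub integration or FortiSIEM's own code, showing how the two pieces described above fit together: a parameterised version of the "Top FortiSIEM Events By Count" report XML is rendered and checked for well-formedness before it is sent, and the action's has_error / error / result JSON is unwrapped afterwards. Python's string.Template is used here as a stand-in for the Jinja rendering that LogicHub performs; the window and group_attr parameters, the input validation, and the sample output payloads are assumptions constructed for this example.

```python
import json
import xml.etree.ElementTree as ET
from string import Template

# Report template modelled on the "Top FortiSIEM Events By Count" example above.
# ${window} and ${group_attr} stand in for the parameters a Jinja template would carry;
# string.Template is used here instead of Jinja so the example runs without extra packages.
QUERY_TEMPLATE = """<Reports>
  <Report baseline="" rsSync="">
    <Name>Top FortiSIEM Events By Count</Name>
    <Description>Ranks the events by the number of times they have occurred in a given time period.</Description>
    <CustomerScope groupByEachCustomer="false"></CustomerScope>
    <SelectClause><AttrList>${group_attr},COUNT(*)</AttrList></SelectClause>
    <OrderByClause><AttrList>COUNT(*) DESC</AttrList></OrderByClause>
    <PatternClause window="${window}">
      <SubPattern id="1164394" name="Filter_OVERALL_STATUS">
        <GroupByAttr>${group_attr}</GroupByAttr>
      </SubPattern>
    </PatternClause>
    <userRoles><roles custId="0">1169250</roles></userRoles>
    <SyncOrgs/>
  </Report>
</Reports>
"""


def render_query(window_seconds: int, group_attr: str = "eventType") -> str:
    """Render the report XML for a time window (seconds) and a group-by attribute."""
    # Only accept a plain attribute name so playbook inputs cannot inject markup into the XML.
    if not group_attr.isidentifier():
        raise ValueError(f"unexpected attribute name: {group_attr!r}")
    if window_seconds <= 0:
        raise ValueError("window must be a positive number of seconds")
    return Template(QUERY_TEMPLATE).substitute(window=window_seconds, group_attr=group_attr)


def validate_query(xml_text: str) -> dict:
    """Parse the rendered query and return the clauses FortiSIEM will act on.

    Raises xml.etree.ElementTree.ParseError if the rendered text is not well-formed XML,
    which catches template mistakes before the query leaves the playbook.
    """
    root = ET.fromstring(xml_text)
    report = root.find("Report")
    if report is None:
        raise ValueError("query has no <Report> element")
    pattern = report.find("PatternClause")
    if pattern is None or pattern.get("window") is None:
        raise ValueError("query has no <PatternClause window=...>")
    return {
        "name": report.findtext("Name"),
        "select": report.findtext("SelectClause/AttrList"),
        "order_by": report.findtext("OrderByClause/AttrList"),
        "window": int(pattern.get("window")),
        "group_by": report.findtext("PatternClause/SubPattern/GroupByAttr"),
    }


def unwrap_result(action_output: str):
    """Apply the documented has_error / error / result contract of the action output."""
    payload = json.loads(action_output)
    if payload.get("has_error"):
        raise RuntimeError(f"FortiSIEM query failed: {payload.get('error')}")
    return payload["result"]


# Constructed sample outputs shaped like the action's JSON; the event names and counts are invented.
SAMPLE_OK = json.dumps({
    "has_error": False,
    "error": None,
    "result": [
        {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "COUNT(*)": 42},
        {"eventType": "Win-Security-4624", "COUNT(*)": 17},
    ],
})
SAMPLE_ERR = json.dumps({"has_error": True, "error": "authentication failed", "result": None})


if __name__ == "__main__":
    query = render_query(3600)
    print(validate_query(query))
    print(unwrap_result(SAMPLE_OK))
```

Validating the rendered XML locally is worth the few lines: a template parameter that breaks the markup otherwise surfaces only as an opaque has_error response from FortiSIEM, and checking the parameters before substitution keeps playbook inputs from altering the report structure.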
