Fortinet FortiSIEM

Integration version: 5.0

Configure Fortinet FortiSIEM integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://x.x.x.x:port Yes Specify the API root for the target FortiSIEM installation.
Username String N/A Yes Specify the username to use for the target FortiSIEM installation.
Password Password N/A Yes Specify the password to use for the target FortiSIEM installation.
Verify SSL Checkbox Checked No If enabled, the Google Security Operations SOAR server checks that the certificate is configured for API root.

Product Use Cases

  1. Ingest alerts from SIEM to Google Security Operations SOAR.
  2. Use data from SIEM for Google Security Operations SOAR alert enrichment.
  3. Synchronize statuses of processed with Google Security Operations SOAR alerts back at SIEM side.

Actions

Ping

Description

Test connectivity to FortiSIEM with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the FortiSIEM installation with the provided connection parameters!"

The action should fail and stop a playbook execution:

>If not successful: "Failed to connect to the FortiSIEM installation! Error is {0}".format(exception.stacktrace)"

General

Enrich Entities

Description

Enrich entities using information from Fortinet FortiSIEM CMDB. Supported entities: Hostname, IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Target Organization String N/A No Specify the optional target organization name to look for enrichment information in this organization only.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
[
  {
    "Entity": "centos-xxx",
    "EntityResult": {
      "device": {
        "organization": {
          "@id": "1xx",
          "@name": "Super"
        },
        "accessIp": "172.30.xxx.xxx",
        "approved": "true",
        "components": null,
        "creationMethod": "LOG",
        "deviceType": {
          "accessProtocols": "TELNET,SSH",
          "jobWeight": "10",
          "model": "Unix",
          "vendor": "Generic",
          "version": "ANY"
        },
        "discoverMethod": "LOG",
        "discoverTime": "1640008485000",
        "eventParserList": null,
        "interfaces": null,
        "ipToHostNames": null,
        "luns": null,
        "name": "centos-xxx",
        "naturalId": "centos%2dxxx",
        "processors": null,
        "properties": {
          "customproperty": [
            {
              "matched": "false",
              "propertyDef": {
                "displayInCMDB": "false",
                "displayName": "Importance",
                "groupKey": "false",
                "propertyName": "importance",
                "subValueType": "STRING",
                "valueType": "STRING"
              },
              "propertyName": "importance",
              "propertyValue": "Normal",
              "updated": "false"
            },
            {
              "matched": "false",
              "propertyDef": {
                "displayInCMDB": "false",
                "displayName": "Location Name",
                "groupKey": "false",
                "propertyName": "locationName",
                "subValueType": "STRING",
                "valueType": "STRING"
              },
              "propertyName": "locationName",
              "updated": "false"
            }
          ]
        },
        "raidGroups": null,
        "sanControllerPorts": null,
        "softwarePatches": null,
        "softwareServices": null,
        "status": "2",
        "storageGroups": null,
        "storages": null,
        "unmanaged": "false",
        "updateMethod": "LOG",
        "version": "ANY",
        "winMachineGuid": null
      }
    }
  },
  {
    "Entity": "172.30.xxx.xxx",
    "EntityResult": {
      "device": {
        "organization": {
          "@id": "1xx",
          "@name": "Super"
        },
        "accessIp": "172.30.xxx.xxx",
        "applications": null,
        "approved": "true",
        "components": null,
        "creationMethod": "LOG",
        "deviceType": {
          "accessProtocols": "TELNET,SSH",
          "jobWeight": "10",
          "model": "Unix",
          "vendor": "Generic",
          "version": "ANY"
        },
        "discoverMethod": "LOG",
        "discoverTime": "1640070721000",
        "eventParserList": {
          "eventparser": {
            "deviceType": {
              "category": "Appliance",
              "jobWeight": "10",
              "model": "Generic",
              "vendor": "Generic",
              "version": "ANY"
            },
            "enabled": "true",
            "name": "SyslogNGParser",
            "parserXml": "<patternDefinitions><pattern>..."
          }
        },
        "interfaces": null,
        "ipToHostNames": null,
        "luns": null,
        "name": "centos-xxx",
        "naturalId": "centos",
        "primaryContactUser": "0",
        "processors": null,
        "properties": {
          "customproperty": [
            {
              "matched": "false",
              "propertyDef": {
                "displayInCMDB": "false",
                "displayName": "Importance",
                "groupKey": "false",
                "propertyName": "importance",
                "subValueType": "STRING",
                "valueType": "STRING"
              },
              "propertyName": "importance",
              "propertyValue": "Mission Critical",
              "updated": "false"
            },
            {
              "matched": "false",
              "propertyDef": {
                "displayInCMDB": "false",
                "displayName": "Location Name",
                "groupKey": "false",
                "propertyName": "locationName",
                "subValueType": "STRING",
                "valueType": "STRING"
              },
              "propertyName": "locationName",
              "updated": "false"
            }
          ]
        },
        "raidGroups": null,
        "sanControllerPorts": null,
        "secondaryContactUser": "0",
        "softwarePatches": null,
        "softwareServices": null,
        "status": "2",
        "storageGroups": null,
        "storages": null,
        "unmanaged": "false",
        "updateMethod": "MANUAL",
        "version": "ANY",
        "winMachineGuid": null
      }
    }
  }
]
Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
accessIp accessIp When available in XML
name name When available in XML
applications CSV of "applications/name" When available in XML
creationMethod creationMethod When available in XML
deviceType_model deviceType_model When available in XML

deviceType_accessProtocols

deviceType_vendor

deviceType_accessProtocols

deviceType_vendor

When available in XML
discoverMethod discoverMethod When available in XML
discoverTime discoverTime When available in XML
Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from FortiSIEM: {entity.identifier}."

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from FortiSIEM: {entity.identifier}."

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Title: {entity.identifier}

Table Columns:

  • Key
  • Value
Entity

Execute Simple Query

Description

Execute FortiSIEM events query based on the provided parameters.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Event Types CSV N/A No

Specify the event types query should fetch.

Parameter accepts multiple values as a comma-separated string.

Minimum Severity to Fetch Integer N/A No

Specify the minimum event severity to fetch to Google Security Operations SOAR in numbers.

Example: 5 or 7

Event Category CSV N/A No

Specify the event category query should fetch.

Parameter accepts multiple values as a comma-separated string.

Event IDs CSV N/A No

Specify optionally exact event ids query should fetch.

Parameter accepts multiple values as a comma-separated string.

Fields To Return CSV N/A No

Specify the fields to return.

If nothing is provided, the action returns all fields.

Sort Field String phRecvTime No Specify the parameter that should be used for sorting.
Sort Order DDL

DESC

Possible Values:

  • ASC
  • DESC
No Specify the order of sorting.
Time Frame DDL

Last Hour

Possible Values:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
No

Specify a time frame for the results.

If "Custom" is selected, you also need to provide the "Start Time" parameter.

Start Time String N/A No

Specify the start time for the results.

This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter.

Format: ISO 8601

Example: 2021-04-23T12:38Z

End Time String N/A No

Specify the end time for the results.

If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time.

Format: ISO 8601

Max Results To Return Integer 50 No Specify the number of results to return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
[
  {
    "custId": "1",
    "attributes": {
      "eventType": "Unknown_EventType",
      "eventSeverity": "3",
      "eventAction": "0 (Permit)",
      "phRecvTime": "Wed Dec 29 00:36:55 IST 2021",
      "relayDevIpAddr": "172.30.20xxx",
      "reptDevIpAddr": "172.30.20xxx",
      "destIpAddr": "172.30.20xxx",
      "destName": "HOST-172.30.20xxx",
      "reptDevName": "centos-xxx",
      "reptVendor": "Unknown",
      "customer": "Super",
      "reptModel": "Unknown",
      "rawEventMsg": "<27>Dec 29 00:36:47 centos-xxx aella_flow[5074]: 1902195|aos_afix_json|ERR|Failed to send message: Couldn't connect to server/7",
      "collectorId": "1",
      "eventId": "4242813061460978xxx",
      "phEventCategory": "0 (External)",
      "count": "1",
      "eventName": "Unknown event type",
      "eventParsedOk": "0",
      "parserName": "SyslogNGParser"
    },
    "dataStr": null,
    "eventType": "Unknown_EventType",
    "id": "4242813061460978xxx",
    "index": "0",
    "nid": "4242813061460978xxx",
    "receiveTime": "2021-12-29T00:36:55+02:00"
  }
]
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If found at least some data (is_success=true): "Successfully retrieved results for the constructed query "{query}" in FortiSIEM.".

If no results are found (is_success=false): "No results were found for the constructed query "{Query}" in FortiSIEM."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Simple Query". Reason: {0}''.format(error.Stacktrace)

If the "Start Time" parameter is empty and the "Time Frame" parameter is set to "Custom" (fail): "Error executing action "". Reason: "Start Time" should be provided, when "Custom" is selected in the "Time Frame" parameter."

If value of the "Start Time" is greater than value of the "End Time" parameter (fail): "Error executing action "". Reason: "End Time" should be later than "Start Time".

General
Table

Table Name: Simple Query Results

Table Columns: All of the columns from response

General

Execute Custom Query

Description

Execute a custom query in FortiSIEM.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query String multi line input field (Attribute = Value OR Value) AND (Attribute Value OR Value) Yes

Specify a query that is used to retrieve information about the events.

Example: (relayDevIpAddr = 172.30.202.1 OR 172.30.202.2) AND (reptDevName = HOST1)

Fields To Return CSV No

Specify the fields to return.

If nothing is provided, the action returns all fields.

Sort Field String phRecvTime No Specify the parameter that should be used for sorting.
Sort Order DDL

DESC

Possible Values:

  • ASC
  • DESC
No Specify the order of sorting.
Time Frame DDL

Last Hour

Possible Values:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom
No

Specify a time frame for the results.

If "Custom" is selected, you also need to provide the "Start Time" parameter.

Start Time String N/A No

Specify the start time for the results.

This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter.

Format: ISO 8601

Example: 2021-04-23T12:38Z

End Time String N/A No

Specify the end time for the results.

If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time.

Max Results To Return Integer 50 No Specify the number of results to return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
[
  {
    "custId": "1",
    "attributes": {
      "eventType": "Unknown_EventType",
      "eventSeverity": "3",
      "eventAction": "0 (Permit)",
      "phRecvTime": "Wed Dec 29 00:36:55 IST 2021",
      "relayDevIpAddr": "172.30.20xxx",
      "reptDevIpAddr": "172.30.20xxx",
      "destIpAddr": "172.30.20xxx",
      "destName": "HOST-172.30.20xxx",
      "reptDevName": "centos-xxx",
      "reptVendor": "Unknown",
      "customer": "Super",
      "reptModel": "Unknown",
      "rawEventMsg": "<27>Dec 29 00:36:47 centos-xxx aella_flow[5074]: 1902195|aos_afix_json|ERR|Failed to send message: Couldn't connect to server/7",
      "collectorId": "1",
      "eventId": "4242813061460978xxx",
      "phEventCategory": "0 (External)",
      "count": "1",
      "eventName": "Unknown event type",
      "eventParsedOk": "0",
      "parserName": "SyslogNGParser"
    },
    "dataStr": null,
    "eventType": "Unknown_EventType",
    "id": "4242813061460978xxx",
    "index": "0",
    "nid": "4242813061460978xxx",
    "receiveTime": "2021-12-29T00:36:55+02:00"
  }
]
Entity Enrichment

N/A

Insights

N/A

Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If found at least some data (is_success=true): "Successfully retrieved results for the provided query "{query}" in FortiSIEM."

If no results are found (is_success=false): "No results were found for the provided query "{Query}" in FortiSIEM."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Simple Query". Reason: {0}''.format(error.Stacktrace)

If the "Start Time" parameter is empty and the "Time Frame" parameter is set to "Custom" (fail): "Error executing action "". Reason: "Start Time" should be provided, when "Custom" is selected in the "Time Frame" parameter."

If value of the "Start Time" is grater than value of the "End Time" parameter (fail): "Error executing action "". Reason: "End Time" should be later than "Start Time".

General
Table

Table Name: Custom Query Results

Table Columns: All of the columns from response

General

Connectors

FortiSIEM Incidents Connector

Connector Description

Connector can be used to fetch FortiSIEM incidents. Connector whitelist can be used to ingest only specific types of incidents based on the incident's "eventType" attribute value. SourceGroupIdentifier of the connector can be used to group Google Security Operations SOAR alerts based on the incident ID. Connector requires FortiSIEM version 6.3 or newer.

Connector Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String deviceProduct Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String eventType Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout Integer 300 Yes Specify the timeout for connector to run.
API Root String https:/x.x.x.x:port Yes Specify the API root for the target FortiSIEM installation.
Username String N/A Yes Specify the username to use for the target FortiSIEM installation.
Password Password N/A Yes Specify the password to use for the target FortiSIEM installation.
Verify SSL Checkbox Checked No If enabled, the Google Security Operations SOAR server checks the certificate configured for API root.
Target Organization CSV N/A No

Specify organizations the connector should fetch incidents for.

Parameters accepts multiple values as a comma separated string.

Max hours backwards Integer 24 Yes Specify the time frame to fetch incidents from X hours backwards.
Max Incidents Per Cycle Integer 10 Yes Specify the number of incidents should be processed during one connector run.
Max Events Per Incidents Integer 100 Yes

Specify the maximum number of events the connector should track for the incident.

Once the limit is reached, new events are not added to Google Security Operations SOAR.

Incident Statuses to Fetch CSV 0 No

Specify incident's statuses to fetch to Google Security Operations SOAR.

Parameter accepts multiple values as a comma-separated string.

0 stands for incidents in open status.

Minimum Severity to Fetch Integer N/A No Specify the minimum incident's event severity to fetch to Google Security Operations SOAR in numbers, for example 5 or 7.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist is used as a blacklist.
Track New Events Added to Already Ingested Incidents Checkbox Checked Yes If enabled, if new events are added to already ingested FortiSIEM incident, additional new alert is created in Google Security Operations SOAR that has those new events.
Track New Events Threshold (hours) Integer 24 Yes

If "Track New Events Added to Already Ingested Incidents" checkbox is checked, specify the maximum number of hours connector should track already ingested incidents for new events.

Once the limit is reached, new events are not added to Google Security Operations SOAR.

Proxy Server Address String N/A No Specify the address of the proxy server to use.
Proxy Username String N/A No Specify the proxy username to authenticate with.
Proxy Password Password N/A No Specify the proxy password to authenticate with.

Connector Rules

Proxy Support

Connector supports Proxy.