FortiSIEM

Use the FortiSIEM integration to search and update events and manage resource lists.

Use Cases

  • Get alerts using different filters
  • Maintain resource lists
  • Close incidents

Configure FortiSIEM on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for FortiSIEM.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents
    • Incident type
    • Server URL (e.g.: https://192.168.0.1)
    • Credentials
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get events by incident


Gets events by incident.

Base Command

fortisiem-get-events-by-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incID | ID of the incident by which to filter. | Required |
| maxResults | Maximum number of results to return. | Optional |
| extendedData | Whether to extend the data. | Optional |
| maxWaitTime | Maximum time for the event report to finish (in seconds). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FortiSIEM.Events.EventType | string | Event type. |
| FortiSIEM.Events.EventID | string | FortiSIEM event ID. |
| FortiSIEM.Events.RawEventLog | string | Raw event log. |
| FortiSIEM.Events.ReportingDevice | string | Reporting device. |
| FortiSIEM.Events.IncidentID | number | Incident ID. |
| FortiSIEM.Events.User | string | Event user. |
| FortiSIEM.Events.EventReceiveTime | number | Event received timestamp. |
| FortiSIEM.Events.EventName | string | Event name. |
| FortiSIEM.Events.ReportingIP | string | Reporting IP address. |
| FortiSIEM.Events.SystemEventCategory | string | System event category. |
| FortiSIEM.Events.EventAction | string | Event action. |
| FortiSIEM.Events.RelayingIP | string | Relaying IP address. |
| FortiSIEM.Events.EventSeverityCategory | string | Severity category. |
| FortiSIEM.Events.OrganizationName | string | Organization name. |
| FortiSIEM.Events.ReportingVendor | string | Reporting vendor. |
| FortiSIEM.Events.ReportingModel | string | Reporting model. |
| FortiSIEM.Events.CollectorID | number | Collector ID. |
| FortiSIEM.Events.EventParserName | string | Name of the raw event parser. |
| FortiSIEM.Events.HostIP | string | Host IP address. |
| FortiSIEM.Events.HostName | string | Host name. |
| FortiSIEM.Events.FileName | string | Name of the file associated with the event. |
| FortiSIEM.Events.ProcessName | string | Name of the process associated with the event. |
| FortiSIEM.Events.JobName | string | Name of the job associated with the event. |
| FortiSIEM.Events.Status | string | Event status. |
| FortiSIEM.Events.DestinationPort | string | Port of the traffic's destination. |
| FortiSIEM.Events.SourcePort | string | Port of the traffic's origin. |
| FortiSIEM.Events.DestinationIP | string | Destination IP address. |
| FortiSIEM.Events.SourceIP | string | IP address of the traffic's origin. Which endpoint this is depends on direction: for an HTTP request it is the client (for example, the web browser); for an HTTP response it is the server. |
| FortiSIEM.Events.ExtendedData | string | All additional data returned by FortiSIEM. |
| FortiSIEM.Events.DestinationInterface | string | Interface of the traffic's destination. |
| FortiSIEM.Events.NATTranslation | string | NAT source port. |
| FortiSIEM.Events.Protocol | string | Transport protocol of the traffic (tcp by default). |
| FortiSIEM.Events.SourceMAC | string | MAC address associated with the source IP address. |
| FortiSIEM.Events.NATIP | string | NAT source IP. |

Command Example
!fortisiem-get-events-by-incident incID=1919 maxResults=3
Context Example
{
    "FortiSIEM.Events": [
        {
            "Destination Host Name": "google-public-dns-a.google.com", 
            "Event Name": "Permitted traffic flow started", 
            "Destination IP": "8.8.8.8", 
            "Incident ID": "1919", 
            "Source IP": "10.10.10.17", 
            "Raw Event Log": "<14>May  2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/02 19:53:33,10.100.100.17,8.8.8.8,80.80.80.146,8.8.8.8,Internet allow,,,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0", 
            "Reporting IP": "10.100.100.254", 
            "Source TCP/UDP Port": "57184", 
            "IP Protocol": "17 (UDP)", 
            "ExtendedData": {
                "1121": "HOST-10.100.100.17", 
                "1126": "Trust", 
                "1127": "Untrust", 
                "3061": "dns", 
                "3001": "", 
                "110": 10000, 
                "3008": "dns", 
                "24": "LOW", 
                "20": "Permitted traffic flow started", 
                "21": 1, 
                "1": "PAN-OS-TRAFFIC-start-allow", 
                "1038": 0, 
                "5": "0 (Permit)", 
                "8": "10.10.10.254", 
                "1010": "17 (UDP)", 
                "2422": "Google", 
                "1151": "allow", 
                "1150": "Internet allow", 
                "9": "10.10.10.254", 
                "2410": "United States", 
                "1004": "8.8.8.8", 
                "1002": "google-public-dns-a.google.com", 
                "1001": "8.8.8.8", 
                "1000": "10.10.10.17"
                ...
            }, 
            "Event Receive Time": 1556690013000, 
            "Event Type": "PAN-OS-TRAFFIC-start-allow", 
            "Destination TCP/UDP Port": "53 (DOMAIN)", 
            "Event ID": "8255801804490150940"
        }, 
        ...
    ]
}
Human Readable Output

FortiSIEM events for Incident 1919

| Event Receive Time | Event Type | Event Name | Source IP | Destination IP | Destination Host Name | IP Protocol | Source TCP/UDP Port | Destination TCP/UDP Port | Reporting IP | Raw Event Log |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1556690013000 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | 10.10.10.17 | 8.8.8.8 | google-public-dns-a.google.com | 17 (UDP) | 57184 | 53 (DOMAIN) | 10.10.10.254 | <14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/01 09:53:33,10.100.100.17,8.8.8.8,80.227.43.146,8.8.8.8,Internet allow,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 |
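The Raw Event Log value returned for each event is a syslog-wrapped PAN-OS TRAFFIC record in CSV form, and a playbook that needs the 5-tuple or the firewall verdict is better off parsing it than matching substrings. The following Python is an added example, not code from the integration or from this page: it splits such a line into the syslog header and named firewall fields and returns None for anything that is not a PAN-OS TRAFFIC record. The sample line is the one from the context example above; the field-position mapping is this example's own assumption, inferred from that line and the PAN-OS traffic log layout, and the function names are hypothetical.

```python
import csv
import re
from io import StringIO
from typing import Dict, Optional

# Constructed sample, copied from the Raw Event Log field in the context
# example above so that the block runs offline.
SAMPLE_RAW_EVENT = (
    "<14>May  2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,"
    "TRAFFIC,start,2304,2019/05/02 19:53:33,10.100.100.17,8.8.8.8,80.80.80.146,"
    "8.8.8.8,Internet allow,,,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,"
    "Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,"
    "0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,"
    "10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-Firewall,"
    "from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0"
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss hostname message
_SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# CSV position -> name for the leading fields of a PAN-OS TRAFFIC record.
# Assumption of this example: the order is inferred from the sample line and
# matches the PAN-OS traffic log CSV layout; FortiSIEM itself exposes the
# same values as numbered attributes in ExtendedData.
_TRAFFIC_FIELDS = {
    1: "receive_time", 2: "serial", 3: "type", 4: "subtype", 6: "generated_time",
    7: "src", 8: "dst", 9: "nat_src", 10: "nat_dst", 11: "rule", 12: "src_user",
    13: "dst_user", 14: "app", 15: "vsys", 16: "from_zone", 17: "to_zone",
    18: "inbound_if", 19: "outbound_if", 20: "log_action", 22: "session_id",
    23: "repeat_count", 24: "sport", 25: "dport", 26: "nat_sport", 27: "nat_dport",
    28: "flags", 29: "proto", 30: "action", 31: "bytes", 32: "bytes_sent",
    33: "bytes_received", 34: "packets", 35: "start_time", 36: "elapsed_sec",
    37: "category",
}
_INT_FIELDS = {"session_id", "repeat_count", "sport", "dport", "nat_sport",
               "nat_dport", "bytes", "bytes_sent", "bytes_received", "packets",
               "elapsed_sec"}


def parse_panos_traffic_event(raw: str) -> Optional[Dict[str, object]]:
    """Split a RawEventLog string into the syslog header plus named fields.

    Returns None when the line is not a syslog-wrapped PAN-OS TRAFFIC record,
    so callers skip events from other sources instead of mis-parsing them.
    """
    m = _SYSLOG_HEADER.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = next(csv.reader(StringIO(m.group("msg"))))
    if len(fields) < 38 or fields[3] != "TRAFFIC":
        return None
    event: Dict[str, object] = {
        "facility": pri >> 3,      # <14> -> facility 1 (user-level)
        "severity": pri & 0x7,     # <14> -> severity 6 (informational)
        "syslog_timestamp": m.group("ts"),
        "reporting_device": m.group("host"),
    }
    for idx, name in _TRAFFIC_FIELDS.items():
        value = fields[idx]
        event[name] = int(value) if name in _INT_FIELDS else value
    return event


def flow_summary(event: Dict[str, object]) -> str:
    """One-line 5-tuple plus verdict, suitable for a War Room note or a table column."""
    return (f'{event["src"]}:{event["sport"]} -> {event["dst"]}:{event["dport"]} '
            f'{event["proto"]} app={event["app"]} rule="{event["rule"]}" '
            f'action={event["action"]} bytes={event["bytes"]}')


if __name__ == "__main__":
    parsed = parse_panos_traffic_event(SAMPLE_RAW_EVENT)
    print(flow_summary(parsed))
```

Note that the sample's structured Source IP (10.10.10.17) and the address inside its raw log (10.100.100.17) do not agree, which is why a parser that reads the raw record, rather than trusting only the summarised columns, is worth having when an incident is being triaged.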

2. Clear an incident


Clear (close) a FortiSIEM incident.

Base Command

fortisiem-clear-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | ID of the incident to close. | Required |
| close_reason | Reason for closing. | Optional |

Context Output

There is no context output for this command.

Command Example
!fortisiem-clear-incident incident_id=1919 close_reason="False Positive"
Human Readable Output

Incident cleared successfully.

3. Get events using a filter


Returns an event list according to the specified filters.

Base Command

fortisiem-get-events-by-filter

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| maxResults | Maximum number of results to return. | Optional |
| extendedData | Whether to extend the data. | Optional |
| maxWaitTime | Maximum time for the event report to finish (in seconds). | Optional |
| reptDevIpAddr | Reporting IP address. | Optional |
| destIpAddr | Destination IP address. | Optional |
| srcIpAddr | Source IP address. | Optional |
| destMACAddr | Destination MAC address. | Optional |
| srcMACAddr | Source MAC address. | Optional |
| destDomain | Destination domain. | Optional |
| srcDomain | Source domain. | Optional |
| destName | Destination name. | Optional |
| srcName | Source name. | Optional |
| destAction | Destination action. | Optional |
| destUser | Destination user. | Optional |
| reportWindow | Relative report time value. | Optional |
| reportWindowUnit | Relative report time unit. | Optional |
| eventType | Event type. | Optional |
| srcGeoCountry | Source geo country. | Optional |
| User | User. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FortiSIEM.Events.EventType | Unknown | FortiSIEM event type. |
| FortiSIEM.Events.SourceCountry | Unknown | Event source country. |

Command Example
!fortisiem-get-events-by-filter maxResults=4 srcIpAddr=10.100.100.17
Context Example
{
    "FortiSIEM.Events": [
        {
            "Destination Host Name": "google-public-dns-a.google.com", 
            "Event Name": "Permitted traffic flow started", 
            "Destination IP": "8.8.8.8", 
            "Incident ID": "1919", 
            "Source IP": "10.100.100.17", 
            "Raw Event Log": "<14>May  2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/02 19:53:33,10.100.100.17,8.8.8.8,80.80.80.146,8.8.8.8,Internet allow,,,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0", 
            "Reporting IP": "10.100.100.254", 
            "Source TCP/UDP Port": "57184", 
            "IP Protocol": "17 (UDP)", 
            "ExtendedData": {
                "1121": "HOST-10.100.100.17", 
                "1126": "Trust", 
                "1127": "Untrust", 
                "3061": "dns", 
                "3001": "", 
                "110": 10000, 
                "3008": "dns", 
                "24": "LOW", 
                "20": "Permitted traffic flow started", 
                "21": 1, 
                "1": "PAN-OS-TRAFFIC-start-allow", 
                "1038": 0, 
                "5": "0 (Permit)", 
                "8": "10.10.10.254", 
                "1010": "17 (UDP)", 
                "2422": "Google", 
                "1151": "allow", 
                "1150": "Internet allow", 
                "9": "10.10.10.254", 
                "2410": "United States", 
                "1004": "8.8.8.8", 
                "1002": "google-public-dns-a.google.com", 
                "1001": "8.8.8.8", 
                "1000": "10.10.10.17"
                ...
            }, 
            "Event Receive Time": 1556690013000, 
            "Event Type": "PAN-OS-TRAFFIC-start-allow", 
            "Destination TCP/UDP Port": "53 (DOMAIN)", 
            "Event ID": "8255801804490150940"
        }, 
        ...
    ]
}
Human Readable Output

| Event Receive Time | Event Type | Event Name | Source IP | Destination IP | Destination Host Name | IP Protocol | Source TCP/UDP Port | Destination TCP/UDP Port | Reporting IP | Raw Event Log |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1556690013000 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | 10.10.10.17 | 8.8.8.8 | google-public-dns-a.google.com | 17 (UDP) | 57184 | 53 (DOMAIN) | 10.10.10.254 | <14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/01 09:53:33,10.100.100.17,8.8.8.8,80.227.43.146,8.8.8.8,Internet allow,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 |

4. Get device descriptions


Returns the description of each device.

Base Command

fortisiem-get-cmdb-devices

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| device_ip | CSV list of device IPs. | Optional |
| limit | Maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FortiSIEM.CmdbDevice | Unknown | CMDB devices. |

Command Example
!fortisiem-get-cmdb-devices limit=4
Context Example
{
    "FortiSIEM.CmdbDevices": [
        {
            "Name": "HOST-10.10.10.230", 
            "DiscoverTime": "N/A", 
            "WinMachineGuid": "N/A", 
            "CreationMethod": "N/A", 
            "UpdateMethod": "N/A", 
            "Version": "N/A", 
            "DeviceType": "FortiSIEM Fortinet", 
            "Unmanaged": "false", 
            "AccessIp": "10.10.10.230", 
            "DiscoverMethod": "N/A", 
            "Approved": "false"
        }, 
        {
            "Name": "HOST-10.10.10.21", 
            "DiscoverTime": "N/A", 
            "WinMachineGuid": "N/A", 
            "CreationMethod": "N/A", 
            "UpdateMethod": "N/A", 
            "Version": "N/A", 
            "DeviceType": "FortiSIEM Fortinet", 
            "Unmanaged": "false", 
            "AccessIp": "10.10.10.21", 
            "DiscoverMethod": "N/A", 
            "Approved": "false"
        }, 
        {
            "Name": "HOST-10.10.10.243", 
            "DiscoverTime": "N/A", 
            "WinMachineGuid": "N/A", 
            "CreationMethod": "N/A", 
            "UpdateMethod": "N/A", 
            "Version": "N/A", 
            "DeviceType": "FortiSIEM Fortinet", 
            "Unmanaged": "false", 
            "AccessIp": "10.10.10.243", 
            "DiscoverMethod": "N/A", 
            "Approved": "false"
        }, 
        {
            "Name": "HOST-10.10.10.241", 
            "DiscoverTime": "N/A", 
            "WinMachineGuid": "N/A", 
            "CreationMethod": "N/A", 
            "UpdateMethod": "N/A", 
            "Version": "N/A", 
            "DeviceType": "FortiSIEM Fortinet", 
            "Unmanaged": "false", 
            "AccessIp": "10.10.10.241", 
            "DiscoverMethod": "N/A", 
            "Approved": "false"
        }
    ]
}
Human Readable Output

Devices

| Name | DiscoverTime | Version | DeviceType | AccessIp | WinMachineGuid | CreationMethod | UpdateMethod | Unmanaged | DiscoverMethod | Approved |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| HOST-10.10.10.230 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.230 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.21 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.21 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.243 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.243 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.241 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.241 | N/A | N/A | N/A | false | N/A | false |

5. Get events using a query


Returns an event list filtered by a query.

Base Command

fortisiem-get-events-by-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query to get events. | Required |
| report-window | Interval time of the search. | Optional |
| interval-type | Interval unit. | Optional |
| limit | Maximum number of results to return. | Optional |
| extended-data | Whether to extend the data. | Optional |
| max-wait-time | Command timeout. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FortiSIEM.Events.EventType | Unknown | FortiSIEM event type. |
| FortiSIEM.Events.SourceCountry | Unknown | Event source country. |

Command Example
!fortisiem-get-events-by-query query=`destIpAddr = 116.202.56.112 OR destIpAddr = 17.252.141.15` interval-type=Hourly report-window=17
Context Example
{
    "FortiSIEM.Events": [
        {
            "Event Name": "Permitted traffic flow started", 
            "Destination IP": "116.202.56.112", 
            "Incident ID": null, 
            "Raw Event Log": "<14>Apr 30 17:42:25 PA-Firewall 1,2019/04/30 17:42:24,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:24,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:24,201358,1,54273,443,51021,443,0x400000,tcp,allow,553,487,66,4,2019/04/30 17:42:22,0,any,0,32241586,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0", 
            "Reporting IP": "10.100.100.254", 
            "ExtendedData": {
                "1322": 4, 
                "4188": "Syslog", 
                "1121": "HOST-10.100.100.66", 
                "2430": "77.2167", 
                "1126": "Trust", 
                "1127": "Untrust", 
                "3061": "ssl", 
                "3001": "", 
                "110": 10000, 
                "3008": "ssl", 
                "2531": "Emirates Integrated Telecommunications Company PJS", 
                "24": "LOW", 
                "20": "Permitted traffic flow started", 
                "21": 1, 
                "44": "PAN-OS", 
                "2529": "Dubai", 
                "2528": "United Arab Emirates", 
                "1": "PAN-OS-TRAFFIC-start-allow", 
                "1038": 0, 
                "2": 1, 
                "5": "0 (Permit)", 
                "7": 1556631745000, 
                "6": 1556631742000, 
                "1014": "443 (HTTPS)", 
                "8": "10.100.100.254", 
                "1010": "6 (TCP)", 
                "1011": 54273, 
                "1012": "443 (HTTPS)", 
                "1013": 51021, 
                "43": "Palo Alto", 
                "2422": "MTS", 
                "1151": "allow", 
                "1150": "Internet allow", 
                "2426": "28.6667", 
                "9": "10.100.100.254", 
                "122": "PaloAltoParser", 
                "17": 1, 
                "2533": "55.3081", 
                "128": 3, 
                "129": 1, 
                "11": "PA-Firewall", 
                "1284": 553, 
                "12": 1, 
                "15": "8255801804489112226", 
                "1046": "201358", 
                "1023": "ethernet1/1", 
                "1022": "ethernet1/3", 
                "3035": "any", 
                "16": "4 (Traffic)", 
                "53": "Super", 
                "2410": "India", 
                "3000": "", 
                "2414": "Delhi", 
                "1100": 1, 
                "2532": "25.2639", 
                "2418": "Delhi", 
                "2530": "Dubai", 
                "1004": "116.202.56.112", 
                "1003": "80.227.43.146", 
                "1002": "static.112.56.202.116.clients.your-server.de", 
                "1001": "116.202.56.112", 
                "1000": "10.100.100.66"
            }, 
            "Event Receive Time": 1556631745000, 
            "Event Type": "PAN-OS-TRAFFIC-start-allow", 
            "Event ID": "8255801804489112226"
        }, 
        {
            "Event Name": "Permitted traffic flow started", 
            "Destination IP": "116.202.56.112", 
            "Incident ID": null, 
            "Raw Event Log": "<14>Apr 30 17:42:26 PA-Firewall 1,2019/04/30 17:42:25,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:25,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:25,195836,1,54274,443,1459,443,0x400000,tcp,allow,493,427,66,3,2019/04/30 17:42:24,0,any,0,32241609,0x0,10.0.0.0-10.255.255.255,Germany,0,2,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0", 
            "Reporting IP": "10.100.100.254", 
            "ExtendedData": {
                "1322": 3, 
                "4188": "Syslog", 
                "1121": "HOST-10.100.100.66", 
                "2430": "77.2167", 
                "1126": "Trust", 
                "1127": "Untrust", 
                "3061": "ssl", 
                "3001": "", 
                "110": 10000, 
                "3008": "ssl", 
                "2531": "Emirates Integrated Telecommunications Company PJS", 
                "24": "LOW", 
                "20": "Permitted traffic flow started", 
                "21": 1, 
                "44": "PAN-OS", 
                "2529": "Dubai", 
                "2528": "United Arab Emirates", 
                "1": "PAN-OS-TRAFFIC-start-allow", 
                "1038": 0, 
                "2": 1, 
                "5": "0 (Permit)", 
                "7": 1556631746000, 
                "6": 1556631744000, 
                "1014": "443 (HTTPS)", 
                "8": "10.100.100.254", 
                "1010": "6 (TCP)", 
                "1011": 54274, 
                "1012": "443 (HTTPS)", 
                "1013": 1459, 
                "43": "Palo Alto", 
                "2422": "MTS", 
                "1151": "allow", 
                "1150": "Internet allow", 
                "2426": "28.6667", 
                "9": "10.100.100.254", 
                "122": "PaloAltoParser", 
                "17": 1, 
                "2533": "55.3081", 
                "128": 2, 
                "129": 1, 
                "11": "PA-Firewall", 
                "1284": 493, 
                "12": 1, 
                "15": "8255801804489112236", 
                "1046": "195836", 
                "1023": "ethernet1/1", 
                "1022": "ethernet1/3", 
                "3035": "any", 
                "16": "4 (Traffic)", 
                "53": "Super", 
                "2410": "India", 
                "3000": "", 
                "2414": "Delhi", 
                "1100": 1, 
                "2532": "25.2639", 
                "2418": "Delhi", 
                "2530": "Dubai", 
                "1004": "116.202.56.112", 
                "1003": "80.227.43.146", 
                "1002": "static.112.56.202.116.clients.your-server.de", 
                "1001": "116.202.56.112", 
                "1000": "10.100.100.66"
            }, 
            "Event Receive Time": 1556631746000, 
            "Event Type": "PAN-OS-TRAFFIC-start-allow", 
            "Event ID": "8255801804489112236"
        }, 
        {
            "Event Name": "Permitted traffic flow started", 
            "Destination IP": "116.202.56.112", 
            "Incident ID": null, 
            "Raw Event Log": "<14>Apr 30 17:42:27 PA-Firewall 1,2019/04/30 17:42:26,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:26,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:26,200640,1,59920,443,27164,443,0x400000,tcp,allow,775,709,66,4,2019/04/30 17:42:24,0,any,0,32241625,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0", 
            "Reporting IP": "10.100.100.254", 
            "ExtendedData": {
                "1322": 4, 
                "4188": "Syslog", 
                "1121": "HOST-10.100.100.66", 
                "2430": "77.2167", 
                "1126": "Trust", 
                "1127": "Untrust", 
                "3061": "ssl", 
                "3001": "", 
                "110": 10000, 
                "3008": "ssl", 
                "2531": "Emirates Integrated Telecommunications Company PJS", 
                "24": "LOW", 
                "20": "Permitted traffic flow started", 
                "21": 1, 
                "44": "PAN-OS", 
                "2529": "Dubai", 
                "2528": "United Arab Emirates", 
                "1": "PAN-OS-TRAFFIC-start-allow", 
                "1038": 0, 
                "2": 1, 
                "5": "0 (Permit)", 
                "7": 1556631747000, 
                "6": 1556631744000, 
                "1014": "443 (HTTPS)", 
                "8": "10.100.100.254", 
                "1010": "6 (TCP)", 
                "1011": 59920, 
                "1012": "443 (HTTPS)", 
                "1013": 27164, 
                "43": "Palo Alto", 
                "2422": "MTS", 
                "1151": "allow", 
                "1150": "Internet allow", 
                "2426": "28.6667", 
                "9": "10.100.100.254", 
                "122": "PaloAltoParser", 
                "17": 1, 
                "2533": "55.3081", 
                "128": 3, 
                "129": 1, 
                "11": "PA-Firewall", 
                "1284": 775, 
                "12": 1, 
                "15": "8255801804489310488", 
                "1046": "200640", 
                "1023": "ethernet1/1", 
                "1022": "ethernet1/3", 
                "3035": "any", 
                "16": "4 (Traffic)", 
                "53": "Super", 
                "2410": "India", 
                "3000": "", 
                "2414": "Delhi", 
                "1100": 1, 
                "2532": "25.2639", 
                "2418": "Delhi", 
                "2530": "Dubai", 
                "1004": "116.202.56.112", 
                "1003": "80.227.43.146", 
                "1002": "static.112.56.202.116.clients.your-server.de", 
                "1001": "116.202.56.112", 
                "1000": "10.100.100.66"
            }, 
            "Event Receive Time": 1556631747000, 
            "Event Type": "PAN-OS-TRAFFIC-start-allow", 
            "Event ID": "8255801804489310488"
        }
    ]
}
Human Readable Output

FortiSIEM Event Results

| Event Receive Time | Reporting IP | Event Type | Event Name | Raw Event Log | Destination IP |
| --- | --- | --- | --- | --- | --- |
| 1556631745000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:25 PA-Firewall 1,2019/04/30 17:42:24,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:24,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:24,201358,1,54273,443,51021,443,0x400000,tcp,allow,553,487,66,4,2019/04/30 17:42:22,0,any,0,32241586,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
| 1556631746000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:26 PA-Firewall 1,2019/04/30 17:42:25,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:25,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:25,195836,1,54274,443,1459,443,0x400000,tcp,allow,493,427,66,3,2019/04/30 17:42:24,0,any,0,32241609,0x0,10.0.0.0-10.255.255.255,Germany,0,2,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
| 1556631747000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:27 PA-Firewall 1,2019/04/30 17:42:26,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:26,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:26,200640,1,59920,443,27164,443,0x400000,tcp,allow,775,709,66,4,2019/04/30 17:42:24,0,any,0,32241625,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
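The query argument is free text, so a playbook that assembles it from indicator values needs to make sure those values are what it thinks they are before they are spliced into the query. The following Python is an added example, not code from the integration or from this page: it builds the `attribute = value OR attribute = value` form shown in the command example above from a list of addresses, and rejects any entry that is not a bare IPv4 or IPv6 address (a CIDR range, a hostname, or a string carrying extra operators), so that values copied from a feed cannot change the structure of the query. The set of accepted attribute names, the backtick quoting, and the function names are this example's assumptions.

```python
import ipaddress
from typing import Iterable, List


def _checked_ip(value: str) -> str:
    """Return the canonical text form of an IP address, or raise ValueError.

    Anything that is not a bare IPv4/IPv6 address is rejected, which also
    covers strings that carry operators such as ' OR ' or parentheses.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"not a plain IP address: {value!r}") from exc


def build_ip_query(attribute: str, addresses: Iterable[str]) -> str:
    """Build '<attr> = A OR <attr> = B ...' for fortisiem-get-events-by-query.

    Assumption of this example: the attribute names accepted here are the
    IP-typed filter arguments documented for fortisiem-get-events-by-filter,
    taken to be valid query attributes as destIpAddr is in the page's example.
    """
    allowed = {"destIpAddr", "srcIpAddr", "reptDevIpAddr"}
    if attribute not in allowed:
        raise ValueError(f"unsupported attribute {attribute!r}")
    unique: List[str] = []
    for addr in addresses:
        canon = _checked_ip(addr)
        if canon not in unique:          # keep input order, drop duplicates
            unique.append(canon)
    if not unique:
        raise ValueError("no addresses given")
    return " OR ".join(f"{attribute} = {a}" for a in unique)


def query_command_line(attribute: str, addresses: Iterable[str],
                       report_window: int = 17, interval_type: str = "Hourly",
                       limit: int = 50) -> str:
    """Render the full CLI line, quoting the query with backticks as the page's example does."""
    query = build_ip_query(attribute, addresses)
    return (f"!fortisiem-get-events-by-query query=`{query}` "
            f"interval-type={interval_type} report-window={report_window} limit={limit}")


if __name__ == "__main__":
    # Constructed indicator list; the addresses are the two from the command example,
    # with one duplicate to show the de-duplication.
    print(query_command_line("destIpAddr",
                             ["116.202.56.112", "17.252.141.15", "116.202.56.112"]))
```

Because the allowed attribute set is a closed list and every value must parse as an address, the only thing a caller can vary is which addresses are searched for, never the operators around them.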

6. Get all resource lists


Gets the full hierarchy of FortiSIEM resource lists.

Base Command

fortisiem-get-lists

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!fortisiem-get-lists
Context Example
{
    "FortiSIEM.ResourceList": [
        {
            "ResourceType": "Reports", 
            "NatualID": "PH_SYS_REPORT_Freq", 
            "DisplayName": "Frequently Used", 
            "Children": [], 
            "ID": 500425
        }, 
        {
            "ResourceType": "Reports", 
            "NatualID": "PH_SYS_REPORT_Incident", 
            "DisplayName": "Incidents", 
            "Children": [], 
            "ID": 500427
        }, 
        {
            "ResourceType": "Malware IP", 
            "NatualID": "Emerging_Threat_Malware_IP_testing_1", 
            "DisplayName": "testing", 
            "Children": [
                "l4"
            ], 
            "ID": 766037000
        }, 
        {
            "ResourceType": "Malware IP", 
            "NatualID": "testing_l4_1", 
            "DisplayName": "l4", 
            "Children": [], 
            "ID": 766037001
        }, 
        {
            "ResourceType": "User Agent", 
            "NatualID": "PH_SYS_HTTP_UA_BLACKLIST", 
            "DisplayName": "User Agent Blacklist", 
            "Children": [], 
            "ID": 500675
        }, 
        {
            "ResourceType": "User Agent", 
            "NatualID": "PH_SYS_HTTP_UA_WHITELIST", 
            "DisplayName": "User Agent Whitelist", 
            "Children": [], 
            "ID": 500676
        }, 
        {
            "ResourceType": "User Agent", 
            "NatualID": "User_Agents_Ungrouped_1", 
            "DisplayName": "Ungrouped", 
            "Children": [], 
            "ID": -1
        }
    ]
}
Human Readable Output

Lists:

| ResourceType | NatualID | DisplayName | ID | Children |
| --- | --- | --- | --- | --- |
| Reports | PH_SYS_REPORT_Freq | Frequently Used | 500425 | |
| Reports | PH_SYS_REPORT_Incident | Incidents | 500427 | |
| Malware IP | Emerging_Threat_Malware_IP_testing_1 | testing | 766037000 | l4 |
| Malware IP | testing_l4_1 | l4 | 766037001 | |
| User Agent | PH_SYS_HTTP_UA_BLACKLIST | User Agent Blacklist | 500675 | |
| User Agent | PH_SYS_HTTP_UA_WHITELIST | User Agent Whitelist | 500676 | |
| User Agent | User_Agents_Ungrouped_1 | Ungrouped | -1 | |
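The list commands that follow take a numeric group_id, and this command is how that ID is found; the output is flat, with the hierarchy encoded only in each entry's Children array. The following Python is an added example, not code from the integration or from this page: it resolves a resource type and display name to the group ID (refusing ambiguous matches instead of returning the first hit), rebuilds the tree from the Children arrays, and renders the command line for section 9. The sample data is the context example above, with the key spelled "NatualID" exactly as the integration returns it; the function names are hypothetical.

```python
from typing import Dict, List

# Constructed sample: the seven FortiSIEM.ResourceList entries from the
# context example above.
SAMPLE_LISTS: List[Dict] = [
    {"ResourceType": "Reports", "NatualID": "PH_SYS_REPORT_Freq",
     "DisplayName": "Frequently Used", "Children": [], "ID": 500425},
    {"ResourceType": "Reports", "NatualID": "PH_SYS_REPORT_Incident",
     "DisplayName": "Incidents", "Children": [], "ID": 500427},
    {"ResourceType": "Malware IP", "NatualID": "Emerging_Threat_Malware_IP_testing_1",
     "DisplayName": "testing", "Children": ["l4"], "ID": 766037000},
    {"ResourceType": "Malware IP", "NatualID": "testing_l4_1",
     "DisplayName": "l4", "Children": [], "ID": 766037001},
    {"ResourceType": "User Agent", "NatualID": "PH_SYS_HTTP_UA_BLACKLIST",
     "DisplayName": "User Agent Blacklist", "Children": [], "ID": 500675},
    {"ResourceType": "User Agent", "NatualID": "PH_SYS_HTTP_UA_WHITELIST",
     "DisplayName": "User Agent Whitelist", "Children": [], "ID": 500676},
    {"ResourceType": "User Agent", "NatualID": "User_Agents_Ungrouped_1",
     "DisplayName": "Ungrouped", "Children": [], "ID": -1},
]


def find_group_id(lists: List[Dict], resource_type: str, display_name: str) -> int:
    """Resolve the group_id expected by fortisiem-get-resource-list and
    fortisiem-add-item-to-resource-list from a resource type and display name.

    Display names are not guaranteed unique, so an ambiguous match is an
    error rather than a silent first hit (writing IOCs into the wrong list
    is worse than a failed playbook step).
    """
    ids = [e["ID"] for e in lists
           if e["ResourceType"] == resource_type and e["DisplayName"] == display_name]
    if not ids:
        raise LookupError(f"no {resource_type!r} group named {display_name!r}")
    if len(ids) > 1:
        raise LookupError(f"{display_name!r} is ambiguous within {resource_type!r}: {ids}")
    return ids[0]


def _parent_map(lists: List[Dict], resource_type: str) -> Dict[str, str]:
    """child DisplayName -> parent DisplayName, derived from the Children arrays."""
    parents: Dict[str, str] = {}
    for entry in lists:
        if entry["ResourceType"] != resource_type:
            continue
        for child in entry["Children"]:
            parents[child] = entry["DisplayName"]
    return parents


def build_hierarchy(lists: List[Dict], resource_type: str) -> Dict[str, List[str]]:
    """Tree as an adjacency map; the "" key lists the top-level groups."""
    entries = [e for e in lists if e["ResourceType"] == resource_type]
    parents = _parent_map(lists, resource_type)
    tree = {e["DisplayName"]: list(e["Children"]) for e in entries}
    tree[""] = [e["DisplayName"] for e in entries if e["DisplayName"] not in parents]
    return tree


def group_path(lists: List[Dict], resource_type: str, display_name: str) -> List[str]:
    """Path from the top-level group down to display_name, e.g. ['testing', 'l4']."""
    parents = _parent_map(lists, resource_type)
    path = [display_name]
    seen = set()
    while path[0] in parents:
        if path[0] in seen:                      # malformed data: defend against loops
            raise ValueError(f"cycle in Children arrays at {path[0]!r}")
        seen.add(path[0])
        path.insert(0, parents[path[0]])
    return path


def resource_list_command(lists: List[Dict], resource_type: str, display_name: str) -> str:
    """Render the fortisiem-get-resource-list CLI line with the resolved group ID."""
    gid = find_group_id(lists, resource_type, display_name)
    return f'!fortisiem-get-resource-list resource_type="{resource_type}" group_id={gid}'


if __name__ == "__main__":
    print(build_hierarchy(SAMPLE_LISTS, "Malware IP"))
    print(group_path(SAMPLE_LISTS, "Malware IP", "l4"))
    print(resource_list_command(SAMPLE_LISTS, "Malware IP", "l4"))
```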

7. Add an element to a resource list


Adds an element to a resource list.

Base Command

fortisiem-add-item-to-resource-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | ID of the resource group. Run the fortisiem-get-lists command to get the ID. | Required |
| object-info | CSV list of key-value pairs of attributes, for example: name=SomeName,lowIp=192.168.1.1,highIp=192.168.1.2 | Required |
| resource_type | Resource type. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| FortiSIEM.Resource | Unknown | Resource object in FortiSIEM lists. |

Command Example
!fortisiem-add-item-to-resource-list resource_type="Malware Domains" group_id=766567954 object-info=domainName=test.domain.com,ipAddr=2.2.2.2,org=TeST
Context Example
{
    "FortiSIEM.Resource": {
        "xmlId": "MalwareSite$test.domain.com", 
        "domainName": "test.domain.com", 
        "ipAddr": "2.2.2.2", 
        "creationTime": 1556692917786, 
        "naturalId": "test.domain.com", 
        "systemEntity": true, 
        "id": 936390355, 
        "sysDefined": false, 
        "lastModifiedDate": 1556692917786, 
        "lastModified": 1556692917786, 
        "active": true, 
        "org": "TeST", 
        "creationDate": 1556692917786, 
        "custId": 0, 
        "groupId": 766567954, 
        "naturalIdProperty": "naturalId", 
        "ownerId": 500151
    }
}
Human Readable Output

Resource was added:

| naturalId | systemEntity | id | groupId | sysDefined | custId | naturalIdProperty | xmlId | lastModifiedDate | ipAddr | active | org | creationDate | domainName | lastModified | creationTime | ownerId |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test.domain.com | true | 936390355 | 766567954 | false | 0 | naturalId | MalwareSite$test.domain.com | 1556692917786 | 2.2.2.2 | true | TeST | 1556692917786 | test.domain.com | 1556692917786 | 1556692917786 | 500151 |
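The object-info argument is a plain comma-separated list of key=value pairs with no quoting or escaping, so a value that itself contains a comma or an equals sign cannot be expressed and would be split into a surprise extra attribute. The following Python is an added example, not code from the integration or from this page: it parses and re-encodes that format, rejecting input the format cannot carry, and validates the attributes of the two resource types that appear on this page before they are sent. The assumption that name/lowIp/highIp describe a Malware IP range and domainName/ipAddr/org a Malware Domains entry is this example's own, taken from the two object-info samples above, and the function names are hypothetical.

```python
import ipaddress
import re
from typing import Dict

# DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_object_info(text: str) -> Dict[str, str]:
    """'key=value,key=value' -> dict; malformed or duplicate pairs are errors."""
    attrs: Dict[str, str] = {}
    for item in text.split(","):
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed pair {item!r}")
        if "=" in value:
            raise ValueError(f"'=' inside value of {key!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute {key!r}")
        attrs[key] = value
    return attrs


def build_object_info(attrs: Dict[str, str]) -> str:
    """Inverse of parse_object_info; refuses anything the format cannot carry."""
    for key, value in attrs.items():
        if not key or not value or any(c in key or c in value for c in ",="):
            raise ValueError(f"cannot encode {key!r}={value!r} in object-info")
    return ",".join(f"{k}={v}" for k, v in attrs.items())


def _require(attrs: Dict[str, str], *keys: str) -> None:
    missing = [k for k in keys if k not in attrs]
    if missing:
        raise ValueError(f"missing attribute(s): {missing}")


def validate_resource(resource_type: str, attrs: Dict[str, str]) -> Dict[str, str]:
    """Check and canonicalise attributes for the two resource types on this page.

    Assumption of this example: "Malware IP" entries carry name/lowIp/highIp
    and "Malware Domains" entries carry domainName/ipAddr/org.
    """
    if resource_type == "Malware IP":
        _require(attrs, "name", "lowIp")
        low = ipaddress.ip_address(attrs["lowIp"])            # raises ValueError if not an IP
        high = ipaddress.ip_address(attrs.get("highIp", attrs["lowIp"]))
        if low.version != high.version:
            raise ValueError("lowIp and highIp must be the same IP version")
        if low > high:
            raise ValueError(f"lowIp {low} is above highIp {high}")
        return {"name": attrs["name"], "lowIp": str(low), "highIp": str(high)}
    if resource_type == "Malware Domains":
        _require(attrs, "domainName")
        domain = attrs["domainName"].strip().rstrip(".").lower()
        labels = domain.split(".")
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            raise ValueError(f"invalid domain name {attrs['domainName']!r}")
        out = {"domainName": domain}
        if "ipAddr" in attrs:
            out["ipAddr"] = str(ipaddress.ip_address(attrs["ipAddr"]))
        if "org" in attrs:
            out["org"] = attrs["org"]
        return out
    raise ValueError(f"unsupported resource type {resource_type!r}")


def checked_object_info(resource_type: str, text: str) -> str:
    """Parse, validate and re-encode an object-info string ready for the command."""
    return build_object_info(validate_resource(resource_type, parse_object_info(text)))


if __name__ == "__main__":
    # The two object-info strings that appear on this page.
    print(checked_object_info("Malware IP", "name=SomeName,lowIp=192.168.1.1,highIp=192.168.1.2"))
    print(checked_object_info("Malware Domains", "domainName=test.domain.com,ipAddr=2.2.2.2,org=TeST"))
```

Running the validation before fortisiem-add-item-to-resource-list means a malformed indicator fails in the playbook, where it is visible, rather than being written into a blocklist that the SIEM's rules then act on.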

8. Remove elements from a resource list


Removes elements from a resource list.

Base Command

fortisiem-remove-item-from-resource-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | CSV list of resource IDs. | Required |
| resource_type | Resource type. | Required |

Context Output

There is no context output for this command.

Command Example
!fortisiem-remove-item-from-resource-list resource_type="Malware Domains" ids=936390353
Human Readable Output

items with id [u'936390353'] were removed.

9. Get a list of all elements in a resource list


Lists all elements in a resource list.

Base Command

fortisiem-get-resource-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | ID of the resource group. Run the fortisiem-get-lists command to get the ID. | Required |
| resource_type | Resource type. | Required |

Context Output

There is no context output for this command.

Command Example
!fortisiem-get-resource-list resource_type="Malware Domains" group_id=766567954
Context Example
{
    "FortiSIEM.Resource": [
        {
            "origin": "User", 
            "domainName": "malware.com", 
            "ipAddr": "3.2.3.2", 
            "active": true, 
            "org": "TeST", 
            "id": 936390354
        },
        {
            "origin": "User", 
            "domainName": "testing.com", 
            "ipAddr": "1.2.3.4", 
            "active": true, 
            "org": "TeST", 
            "id": 930309355
        }
    ]
}
Human Readable Output

Resource list:

| Origin | Domain Name | Ip Addr | Id | Active | Org |
| --- | --- | --- | --- | --- | --- |
| User | malware.com | 3.2.3.2 | 936390354 | true | TeST |
| User | testing.com | 1.2.3.4 | 930309355 | true | TeST |