FortiSIEM
This Integration is part of the FortiSIEM Pack.
Use the FortiSIEM integration to search and update events and manage resource lists.
Use Cases
- Get alerts using different filters
- Maintain resource lists
- Close incidents
Configure FortiSIEM on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for FortiSIEM.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch incidents
- Incident type
- Server URL (e.g.: https://192.168.0.1)
- Credentials
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get events by incident: fortisiem-get-events-by-incident
- Clear an incident: fortisiem-clear-incident
- Get events using a filter: fortisiem-get-events-by-filter
- Get device descriptions: fortisiem-get-cmdb-devices
- Get events using a query: fortisiem-get-events-by-query
- Get all resource lists: fortisiem-get-lists
- Add an element to a resource list: fortisiem-add-item-to-resource-list
- Remove an element from a resource list: fortisiem-remove-item-from-resource-list
- Get a list of all elements in a resource list: fortisiem-get-resource-list
1. Get events by incident
Gets events by incident.
Base Command
fortisiem-get-events-by-incident
Input
| Argument Name | Description | Required |
|---|---|---|
| incID | ID of the incident by which to filter. | Required |
| maxResults | Maximum number of results to return. | Optional |
| extendedData | Whether to extend the data. | Optional |
| maxWaitTime | Maximum time for the event report to finish (in seconds). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| FortiSIEM.Events.EventType | string | Event type. |
| FortiSIEM.Events.EventID | string | FortiSIEM Event ID. |
| FortiSIEM.Events.RawEventLog | string | Raw Event Log. |
| FortiSIEM.Events.ReportingDevice | string | Reporting Device. |
| FortiSIEM.Events.IncidentID | number | Incident ID. |
| FortiSIEM.Events.User | string | Event User. |
| FortiSIEM.Events.EventReceiveTime | number | Event received timestamp. |
| FortiSIEM.Events.EventName | string | Event Name. |
| FortiSIEM.Events.ReportingIP | string | Reporting IP address. |
| FortiSIEM.Events.SystemEventCategory | string | System Event Category. |
| FortiSIEM.Events.EventAction | string | Event action. |
| FortiSIEM.Events.RelayingIP | string | Relaying IP address. |
| FortiSIEM.Events.EventSeverityCategory | string | Severity Category. |
| FortiSIEM.Events.OrganizationName | string | Organization Name. |
| FortiSIEM.Events.ReportingVendor | string | Reporting Vendor. |
| FortiSIEM.Events.ReportingModel | string | Reporting Model. |
| FortiSIEM.Events.CollectorID | number | Collector ID. |
| FortiSIEM.Events.EventParserName | string | Name of raw event parser. |
| FortiSIEM.Events.HostIP | string | Host IP address. |
| FortiSIEM.Events.HostName | string | Host name. |
| FortiSIEM.Events.FileName | string | Name of the file associated with the event. |
| FortiSIEM.Events.ProcessName | string | Name of the process associated with the event. |
| FortiSIEM.Events.JobName | string | Name of the job associated with the event. |
| FortiSIEM.Events.Status | string | Event status. |
| FortiSIEM.Events.DestinationPort | string | Port of the traffic’s destination. |
| FortiSIEM.Events.SourcePort | string | Port of the traffic’s origin. |
| FortiSIEM.Events.DestinationIP | string | Destination IP address of the traffic. |
| FortiSIEM.Events.SourceIP | string | IP address of the traffic’s origin. The source varies by the direction: In HTTP requests, this is the web browser or other client. In HTTP responses, this is the physical server. |
| FortiSIEM.Events.ExtendedData | string | All additional data returned by FortiSIEM. |
| FortiSIEM.Events.DestinationInterface | string | Interface of the traffic’s destination. |
| FortiSIEM.Events.NATTranslation | string | NAT source port. |
| FortiSIEM.Events.Protocol | string | Transport protocol used by the traffic (tcp by default). |
| FortiSIEM.Events.SourceMAC | string | MAC address associated with the source IP address. |
| FortiSIEM.Events.NATIP | string | NAT source IP. |
Command Example
!fortisiem-get-events-by-incident incID=1919 maxResults=3
Context Example
{
"FortiSIEM.Events": [
{
"Destination Host Name": "google-public-dns-a.google.com",
"Event Name": "Permitted traffic flow started",
"Destination IP": "8.8.8.8",
"Incident ID": "1919",
"Source IP": "10.10.10.17",
"Raw Event Log": "<14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/02 19:53:33,10.100.100.17,8.8.8.8,80.80.80.146,8.8.8.8,Internet allow,,,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0",
"Reporting IP": "10.100.100.254",
"Source TCP/UDP Port": "57184",
"IP Protocol": "17 (UDP)",
"ExtendedData": {
"1121": "HOST-10.100.100.17",
"1126": "Trust",
"1127": "Untrust",
"3061": "dns",
"3001": "",
"110": 10000,
"3008": "dns",
"24": "LOW",
"20": "Permitted traffic flow started",
"21": 1,
"1": "PAN-OS-TRAFFIC-start-allow",
"1038": 0,
"5": "0 (Permit)",
"8": "10.10.10.254",
"1010": "17 (UDP)",
"2422": "Google",
"1151": "allow",
"1150": "Internet allow",
"9": "10.10.10.254",
"2410": "United States",
"1004": "8.8.8.8",
"1002": "google-public-dns-a.google.com",
"1001": "8.8.8.8",
"1000": "10.10.10.17"
...
},
"Event Receive Time": 1556690013000,
"Event Type": "PAN-OS-TRAFFIC-start-allow",
"Destination TCP/UDP Port": "53 (DOMAIN)",
"Event ID": "8255801804490150940"
},
...
]
}
Human Readable Output
FortiSIEM events for Incident 1919
| Event Receive Time | Event Type | Event Name | Source IP | Destination IP | Destination Host Name | IP Protocol | Source TCP/UDP Port | Destination TCP/UDP Port | Reporting IP | Raw Event Log |
|---|---|---|---|---|---|---|---|---|---|---|
| 1556690013000 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | 10.10.10.17 | 8.8.8.8 | google-public-dns-a.google.com | 17 (UDP) | 57184 | 53 (DOMAIN) | 10.10.10.254 | <14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/01 09:53:33,10.100.100.17,8.8.8.8,80.227.43.146,8.8.8.8,Internet allow,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 |
2. Clear an incident
Clears (closes) a FortiSIEM incident.
Base Command
fortisiem-clear-incident
Input
| Argument Name | Description | Required |
|---|---|---|
| incident_id | ID of the incident to close. | Required |
| close_reason | Reason for closing. | Optional |
Context Output
There is no context output for this command.
Command Example
!fortisiem-clear-incident incident_id=1919 close_reason="False Positive"
Human Readable Output
Incident cleared successfully.
3. Get events using a filter
Returns an event list according to the specified filters.
Base Command
fortisiem-get-events-by-filter
Input
| Argument Name | Description | Required |
|---|---|---|
| maxResults | Maximum number of results to return. | Optional |
| extendedData | Whether to extend the data. | Optional |
| maxWaitTime | Maximum time for the event report to finish (in seconds). | Optional |
| reptDevIpAddr | Reporting IP address. | Optional |
| destIpAddr | Destination IP address. | Optional |
| srcIpAddr | Source IP address. | Optional |
| destMACAddr | Destination MAC address. | Optional |
| srcMACAddr | Source MAC address. | Optional |
| destDomain | Destination domain. | Optional |
| srcDomain | Source domain. | Optional |
| destName | Destination name. | Optional |
| srcName | Source name. | Optional |
| destAction | Destination action. | Optional |
| destUser | Destination user. | Optional |
| reportWindow | Relative report time value. | Optional |
| reportWindowUnit | Relative report time unit. | Optional |
| eventType | Event type. | Optional |
| srcGeoCountry | Source geo country. | Optional |
| User | User. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| FortiSIEM.Events.EventType | Unknown | FortiSIEM event type. |
| FortiSIEM.Events.SourceCountry | Unknown | Event source country. |
Command Example
!fortisiem-get-events-by-filter maxResults=4 srcIpAddr=10.100.100.17
Context Example
{
"FortiSIEM.Events": [
{
"Destination Host Name": "google-public-dns-a.google.com",
"Event Name": "Permitted traffic flow started",
"Destination IP": "8.8.8.8",
"Incident ID": "1919",
"Source IP": "10.100.100.17",
"Raw Event Log": "<14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/02 19:53:33,10.100.100.17,8.8.8.8,80.80.80.146,8.8.8.8,Internet allow,,,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0",
"Reporting IP": "10.100.100.254",
"Source TCP/UDP Port": "57184",
"IP Protocol": "17 (UDP)",
"ExtendedData": {
"1121": "HOST-10.100.100.17",
"1126": "Trust",
"1127": "Untrust",
"3061": "dns",
"3001": "",
"110": 10000,
"3008": "dns",
"24": "LOW",
"20": "Permitted traffic flow started",
"21": 1,
"1": "PAN-OS-TRAFFIC-start-allow",
"1038": 0,
"5": "0 (Permit)",
"8": "10.10.10.254",
"1010": "17 (UDP)",
"2422": "Google",
"1151": "allow",
"1150": "Internet allow",
"9": "10.10.10.254",
"2410": "United States",
"1004": "8.8.8.8",
"1002": "google-public-dns-a.google.com",
"1001": "8.8.8.8",
"1000": "10.10.10.17"
...
},
"Event Receive Time": 1556690013000,
"Event Type": "PAN-OS-TRAFFIC-start-allow",
"Destination TCP/UDP Port": "53 (DOMAIN)",
"Event ID": "8255801804490150940"
},
...
]
}
Human Readable Output
| Event Receive Time | Event Type | Event Name | Source IP | Destination IP | Destination Host Name | IP Protocol | Source TCP/UDP Port | Destination TCP/UDP Port | Reporting IP | Raw Event Log |
|---|---|---|---|---|---|---|---|---|---|---|
| 1556690013000 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | 10.10.10.17 | 8.8.8.8 | google-public-dns-a.google.com | 17 (UDP) | 57184 | 53 (DOMAIN) | 10.10.10.254 | <14>May 2 19:53:33 PA-Firewall 1,2019/05/02 19:53:33,007151000004733,TRAFFIC,start,2304,2019/05/01 09:53:33,10.100.100.17,8.8.8.8,80.227.43.146,8.8.8.8,Internet allow,dns,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/05/02 19:53:33,156575,1,57184,53,59686,53,0x400000,udp,allow,109,109,0,1,2019/05/02 19:53:31,0,any,0,32724731,0x0,10.0.0.0-10.255.255.255,United States,0,1,0,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 |
4. Get device descriptions
Returns the description of each device.
Base Command
fortisiem-get-cmdb-devices
Input
| Argument Name | Description | Required |
|---|---|---|
| device_ip | CSV list of device IPs. | Optional |
| limit | Maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| FortiSIEM.CmdbDevice | Unknown | CMDB devices. |
Command Example
!fortisiem-get-cmdb-devices limit=4
Context Example
{
"FortiSIEM.CmdbDevices": [
{
"Name": "HOST-10.10.10.230",
"DiscoverTime": "N/A",
"WinMachineGuid": "N/A",
"CreationMethod": "N/A",
"UpdateMethod": "N/A",
"Version": "N/A",
"DeviceType": "FortiSIEM Fortinet",
"Unmanaged": "false",
"AccessIp": "10.10.10.230",
"DiscoverMethod": "N/A",
"Approved": "false"
},
{
"Name": "HOST-10.10.10.21",
"DiscoverTime": "N/A",
"WinMachineGuid": "N/A",
"CreationMethod": "N/A",
"UpdateMethod": "N/A",
"Version": "N/A",
"DeviceType": "FortiSIEM Fortinet",
"Unmanaged": "false",
"AccessIp": "10.10.10.21",
"DiscoverMethod": "N/A",
"Approved": "false"
},
{
"Name": "HOST-10.10.10.243",
"DiscoverTime": "N/A",
"WinMachineGuid": "N/A",
"CreationMethod": "N/A",
"UpdateMethod": "N/A",
"Version": "N/A",
"DeviceType": "FortiSIEM Fortinet",
"Unmanaged": "false",
"AccessIp": "10.10.10.243",
"DiscoverMethod": "N/A",
"Approved": "false"
},
{
"Name": "HOST-10.10.10.241",
"DiscoverTime": "N/A",
"WinMachineGuid": "N/A",
"CreationMethod": "N/A",
"UpdateMethod": "N/A",
"Version": "N/A",
"DeviceType": "FortiSIEM Fortinet",
"Unmanaged": "false",
"AccessIp": "10.10.10.241",
"DiscoverMethod": "N/A",
"Approved": "false"
}
]
}
Human Readable Output
Devices
| Name | DiscoverTime | Version | DeviceType | AccessIp | WinMachineGuid | CreationMethod | UpdateMethod | Unmanaged | DiscoverMethod | Approved |
|---|---|---|---|---|---|---|---|---|---|---|
| HOST-10.10.10.230 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.230 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.21 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.21 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.243 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.243 | N/A | N/A | N/A | false | N/A | false |
| HOST-10.10.10.241 | N/A | N/A | FortiSIEM Fortinet | 10.10.10.241 | N/A | N/A | N/A | false | N/A | false |
5. Get events using a query
Returns an event list filtered by a query.
Base Command
fortisiem-get-events-by-query
Input
| Argument Name | Description | Required |
|---|---|---|
| query | The query to get events. | Required |
| report-window | Interval time of the search. | Optional |
| interval-type | Interval unit. | Optional |
| limit | Maximum number of results to return. | Optional |
| extended-data | Whether to extend the data. | Optional |
| max-wait-time | Command timeout. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| FortiSIEM.Events.EventType | Unknown | FortiSIEM event type. |
| FortiSIEM.Events.SourceCountry | Unknown | Event source country. |
Command Example
!fortisiem-get-events-by-query query=`destIpAddr = 116.202.56.112 OR destIpAddr = 17.252.141.15` interval-type=Hourly report-window=17
Context Example
{
"FortiSIEM.Events": [
{
"Event Name": "Permitted traffic flow started",
"Destination IP": "116.202.56.112",
"Incident ID": null,
"Raw Event Log": "<14>Apr 30 17:42:25 PA-Firewall 1,2019/04/30 17:42:24,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:24,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:24,201358,1,54273,443,51021,443,0x400000,tcp,allow,553,487,66,4,2019/04/30 17:42:22,0,any,0,32241586,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0",
"Reporting IP": "10.100.100.254",
"ExtendedData": {
"1322": 4,
"4188": "Syslog",
"1121": "HOST-10.100.100.66",
"2430": "77.2167",
"1126": "Trust",
"1127": "Untrust",
"3061": "ssl",
"3001": "",
"110": 10000,
"3008": "ssl",
"2531": "Emirates Integrated Telecommunications Company PJS",
"24": "LOW",
"20": "Permitted traffic flow started",
"21": 1,
"44": "PAN-OS",
"2529": "Dubai",
"2528": "United Arab Emirates",
"1": "PAN-OS-TRAFFIC-start-allow",
"1038": 0,
"2": 1,
"5": "0 (Permit)",
"7": 1556631745000,
"6": 1556631742000,
"1014": "443 (HTTPS)",
"8": "10.100.100.254",
"1010": "6 (TCP)",
"1011": 54273,
"1012": "443 (HTTPS)",
"1013": 51021,
"43": "Palo Alto",
"2422": "MTS",
"1151": "allow",
"1150": "Internet allow",
"2426": "28.6667",
"9": "10.100.100.254",
"122": "PaloAltoParser",
"17": 1,
"2533": "55.3081",
"128": 3,
"129": 1,
"11": "PA-Firewall",
"1284": 553,
"12": 1,
"15": "8255801804489112226",
"1046": "201358",
"1023": "ethernet1/1",
"1022": "ethernet1/3",
"3035": "any",
"16": "4 (Traffic)",
"53": "Super",
"2410": "India",
"3000": "",
"2414": "Delhi",
"1100": 1,
"2532": "25.2639",
"2418": "Delhi",
"2530": "Dubai",
"1004": "116.202.56.112",
"1003": "80.227.43.146",
"1002": "static.112.56.202.116.clients.your-server.de",
"1001": "116.202.56.112",
"1000": "10.100.100.66"
},
"Event Receive Time": 1556631745000,
"Event Type": "PAN-OS-TRAFFIC-start-allow",
"Event ID": "8255801804489112226"
},
{
"Event Name": "Permitted traffic flow started",
"Destination IP": "116.202.56.112",
"Incident ID": null,
"Raw Event Log": "<14>Apr 30 17:42:26 PA-Firewall 1,2019/04/30 17:42:25,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:25,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:25,195836,1,54274,443,1459,443,0x400000,tcp,allow,493,427,66,3,2019/04/30 17:42:24,0,any,0,32241609,0x0,10.0.0.0-10.255.255.255,Germany,0,2,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0",
"Reporting IP": "10.100.100.254",
"ExtendedData": {
"1322": 3,
"4188": "Syslog",
"1121": "HOST-10.100.100.66",
"2430": "77.2167",
"1126": "Trust",
"1127": "Untrust",
"3061": "ssl",
"3001": "",
"110": 10000,
"3008": "ssl",
"2531": "Emirates Integrated Telecommunications Company PJS",
"24": "LOW",
"20": "Permitted traffic flow started",
"21": 1,
"44": "PAN-OS",
"2529": "Dubai",
"2528": "United Arab Emirates",
"1": "PAN-OS-TRAFFIC-start-allow",
"1038": 0,
"2": 1,
"5": "0 (Permit)",
"7": 1556631746000,
"6": 1556631744000,
"1014": "443 (HTTPS)",
"8": "10.100.100.254",
"1010": "6 (TCP)",
"1011": 54274,
"1012": "443 (HTTPS)",
"1013": 1459,
"43": "Palo Alto",
"2422": "MTS",
"1151": "allow",
"1150": "Internet allow",
"2426": "28.6667",
"9": "10.100.100.254",
"122": "PaloAltoParser",
"17": 1,
"2533": "55.3081",
"128": 2,
"129": 1,
"11": "PA-Firewall",
"1284": 493,
"12": 1,
"15": "8255801804489112236",
"1046": "195836",
"1023": "ethernet1/1",
"1022": "ethernet1/3",
"3035": "any",
"16": "4 (Traffic)",
"53": "Super",
"2410": "India",
"3000": "",
"2414": "Delhi",
"1100": 1,
"2532": "25.2639",
"2418": "Delhi",
"2530": "Dubai",
"1004": "116.202.56.112",
"1003": "80.227.43.146",
"1002": "static.112.56.202.116.clients.your-server.de",
"1001": "116.202.56.112",
"1000": "10.100.100.66"
},
"Event Receive Time": 1556631746000,
"Event Type": "PAN-OS-TRAFFIC-start-allow",
"Event ID": "8255801804489112236"
},
{
"Event Name": "Permitted traffic flow started",
"Destination IP": "116.202.56.112",
"Incident ID": null,
"Raw Event Log": "<14>Apr 30 17:42:27 PA-Firewall 1,2019/04/30 17:42:26,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:26,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,,,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:26,200640,1,59920,443,27164,443,0x400000,tcp,allow,775,709,66,4,2019/04/30 17:42:24,0,any,0,32241625,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0",
"Reporting IP": "10.100.100.254",
"ExtendedData": {
"1322": 4,
"4188": "Syslog",
"1121": "HOST-10.100.100.66",
"2430": "77.2167",
"1126": "Trust",
"1127": "Untrust",
"3061": "ssl",
"3001": "",
"110": 10000,
"3008": "ssl",
"2531": "Emirates Integrated Telecommunications Company PJS",
"24": "LOW",
"20": "Permitted traffic flow started",
"21": 1,
"44": "PAN-OS",
"2529": "Dubai",
"2528": "United Arab Emirates",
"1": "PAN-OS-TRAFFIC-start-allow",
"1038": 0,
"2": 1,
"5": "0 (Permit)",
"7": 1556631747000,
"6": 1556631744000,
"1014": "443 (HTTPS)",
"8": "10.100.100.254",
"1010": "6 (TCP)",
"1011": 59920,
"1012": "443 (HTTPS)",
"1013": 27164,
"43": "Palo Alto",
"2422": "MTS",
"1151": "allow",
"1150": "Internet allow",
"2426": "28.6667",
"9": "10.100.100.254",
"122": "PaloAltoParser",
"17": 1,
"2533": "55.3081",
"128": 3,
"129": 1,
"11": "PA-Firewall",
"1284": 775,
"12": 1,
"15": "8255801804489310488",
"1046": "200640",
"1023": "ethernet1/1",
"1022": "ethernet1/3",
"3035": "any",
"16": "4 (Traffic)",
"53": "Super",
"2410": "India",
"3000": "",
"2414": "Delhi",
"1100": 1,
"2532": "25.2639",
"2418": "Delhi",
"2530": "Dubai",
"1004": "116.202.56.112",
"1003": "80.227.43.146",
"1002": "static.112.56.202.116.clients.your-server.de",
"1001": "116.202.56.112",
"1000": "10.100.100.66"
},
"Event Receive Time": 1556631747000,
"Event Type": "PAN-OS-TRAFFIC-start-allow",
"Event ID": "8255801804489310488"
}
]
}
Human Readable Output
FortiSIEM Event Results
| Event Receive Time | Reporting IP | Event Type | Event Name | Raw Event Log | Destination IP |
|---|---|---|---|---|---|
| 1556631745000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:25 PA-Firewall 1,2019/04/30 17:42:24,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:24,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:24,201358,1,54273,443,51021,443,0x400000,tcp,allow,553,487,66,4,2019/04/30 17:42:22,0,any,0,32241586,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
| 1556631746000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:26 PA-Firewall 1,2019/04/30 17:42:25,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:25,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:25,195836,1,54274,443,1459,443,0x400000,tcp,allow,493,427,66,3,2019/04/30 17:42:24,0,any,0,32241609,0x0,10.0.0.0-10.255.255.255,Germany,0,2,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
| 1556631747000 | 10.100.100.254 | PAN-OS-TRAFFIC-start-allow | Permitted traffic flow started | <14>Apr 30 17:42:27 PA-Firewall 1,2019/04/30 17:42:26,007151000004733,TRAFFIC,start,2304,2019/04/30 17:42:26,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:26,200640,1,59920,443,27164,443,0x400000,tcp,allow,775,709,66,4,2019/04/30 17:42:24,0,any,0,32241625,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,PA-Firewall,from-policy,0,0,N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0 | 116.202.56.112 |
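The Raw Event Log in the context examples above is a PAN-OS TRAFFIC syslog line, and the numbered ExtendedData attributes are FortiSIEM's normalised view of the same event. The added example below (not part of this integration's code) parses the raw line and cross-checks it against the ExtendedData before the values are trusted, for instance before a source IP is pushed into a resource list. The column layout is the PAN-OS TRAFFIC log format and the attribute-id mapping is inferred from this page's sample output, so both are assumptions.

```python
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample: the Raw Event Log and a subset of the ExtendedData of the
# first event in the fortisiem-get-events-by-query context example on this page.
RAW_EVENT_LOG = (
    "<14>Apr 30 17:42:25 PA-Firewall 1,2019/04/30 17:42:24,007151000004733,TRAFFIC,start,2304,"
    "2019/04/30 17:42:24,10.100.100.66,116.202.56.112,80.227.43.146,116.202.56.112,Internet allow,"
    ",,ssl,vsys1,Trust,Untrust,ethernet1/3,ethernet1/1,Forward to Fortisiem,2019/04/30 17:42:24,"
    "201358,1,54273,443,51021,443,0x400000,tcp,allow,553,487,66,4,2019/04/30 17:42:22,0,any,0,"
    "32241586,0x0,10.0.0.0-10.255.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-Firewall,from-policy,,,0,,0,,"
    "N/A,0,0,0,0,dcc8adba-6c1a-4eb1-9ac3-d0f33439ea67,0"
)
EXTENDED_DATA = {
    "1000": "10.100.100.66", "1001": "116.202.56.112", "1003": "80.227.43.146",
    "1011": 54273, "1012": "443 (HTTPS)", "1013": 51021, "1022": "ethernet1/3",
    "1023": "ethernet1/1", "1046": "201358", "1150": "Internet allow",
    "1151": "allow", "1284": 553,
}

# Positional layout of the comma-separated body of a PAN-OS TRAFFIC log
# (first 47 columns; later columns are not needed for this check).
TRAFFIC_FIELDS = (
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip", "rule",
    "src_user", "dst_user", "application", "vsys", "src_zone", "dst_zone",
    "in_interface", "out_interface", "log_action", "future_use_3", "session_id",
    "repeat_count", "src_port", "dst_port", "nat_src_port", "nat_dst_port", "flags",
    "protocol", "action", "bytes", "bytes_sent", "bytes_received", "packets",
    "start_time", "elapsed", "category", "future_use_4", "seqno", "action_flags",
    "src_location", "dst_location", "future_use_5", "packets_sent", "packets_received",
    "session_end_reason",
)
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
# Which ExtendedData attribute id holds which raw column. Inferred from the sample
# output on this page (the page does not document the ids): an assumption.
ATTR_TO_FIELD = {
    "1000": "src_ip", "1001": "dst_ip", "1003": "nat_src_ip", "1011": "src_port",
    "1012": "dst_port", "1013": "nat_src_port", "1022": "in_interface",
    "1023": "out_interface", "1046": "session_id", "1150": "rule",
    "1151": "action", "1284": "bytes",
}


def parse_pan_traffic_log(raw: str) -> dict:
    """Split the syslog header and the CSV body into a dict keyed by TRAFFIC_FIELDS."""
    m = SYSLOG_HEADER.match(raw)
    if not m:
        raise ValueError("missing <PRI>timestamp host syslog header")
    # csv.reader rather than str.split: PAN-OS quotes fields that contain commas.
    cols = next(csv.reader(StringIO(m.group("body"))))
    if len(cols) < len(TRAFFIC_FIELDS):
        raise ValueError(f"expected at least {len(TRAFFIC_FIELDS)} columns, got {len(cols)}")
    rec = dict(zip(TRAFFIC_FIELDS, cols))
    if rec["type"] != "TRAFFIC":
        raise ValueError(f"not a TRAFFIC log: {rec['type']}")
    # Cheap sanity checks that catch a column shift, e.g. when empty fields were
    # collapsed as in the human-readable table on this page.
    for key in ("src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip"):
        ipaddress.ip_address(rec[key])  # raises ValueError when malformed
    for key in ("src_port", "dst_port", "nat_src_port", "nat_dst_port", "bytes"):
        if not rec[key].isdigit():
            raise ValueError(f"{key} is not numeric: {rec[key]!r}")
    rec["syslog_host"] = m.group("host")
    rec["facility"], rec["severity"] = divmod(int(m.group("pri")), 8)
    return rec


def _plain(value) -> str:
    """'443 (HTTPS)' -> '443'; ints -> str; strings without a label unchanged."""
    return re.sub(r"\s*\([^)]*\)$", "", str(value))


def cross_check(extended: dict, rec: dict) -> dict:
    """Return {attr_id: (fortisiem_value, raw_value)} for every normalised field
    that disagrees with the raw log; an empty dict means they are consistent."""
    return {
        attr: (extended[attr], rec[field])
        for attr, field in ATTR_TO_FIELD.items()
        if attr in extended and _plain(extended[attr]) != rec[field]
    }
```

Feed it the Raw Event Log from the context output, not the human-readable table cell: the table rendering drops empty CSV fields, which shifts the columns and makes the sanity checks fail.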
6. Get all resource lists
Gets the full hierarchy of FortiSIEM resource lists.
Base Command
fortisiem-get-lists
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!fortisiem-get-lists
Context Example
{
"FortiSIEM.ResourceList": [
{
"ResourceType": "Reports",
"NatualID": "PH_SYS_REPORT_Freq",
"DisplayName": "Frequently Used",
"Children": [],
"ID": 500425
},
{
"ResourceType": "Reports",
"NatualID": "PH_SYS_REPORT_Incident",
"DisplayName": "Incidents",
"Children": [],
"ID": 500427
},
{
"ResourceType": "Malware IP",
"NatualID": "Emerging_Threat_Malware_IP_testing_1",
"DisplayName": "testing",
"Children": [
"l4"
],
"ID": 766037000
},
{
"ResourceType": "Malware IP",
"NatualID": "testing_l4_1",
"DisplayName": "l4",
"Children": [],
"ID": 766037001
},
{
"ResourceType": "User Agent",
"NatualID": "PH_SYS_HTTP_UA_BLACKLIST",
"DisplayName": "User Agent Blacklist",
"Children": [],
"ID": 500675
},
{
"ResourceType": "User Agent",
"NatualID": "PH_SYS_HTTP_UA_WHITELIST",
"DisplayName": "User Agent Whitelist",
"Children": [],
"ID": 500676
},
{
"ResourceType": "User Agent",
"NatualID": "User_Agents_Ungrouped_1",
"DisplayName": "Ungrouped",
"Children": [],
"ID": -1
}
]
}
Human Readable Output
Lists:
| ResourceType | NatualID | DisplayName | ID | Children |
|---|---|---|---|---|
| Reports | PH_SYS_REPORT_Freq | Frequently Used | 500425 | |
| Reports | PH_SYS_REPORT_Incident | Incidents | 500427 | |
| Malware IP | Emerging_Threat_Malware_IP_testing_1 | testing | 766037000 | l4 |
| Malware IP | testing_l4_1 | l4 | 766037001 | |
| User Agent | PH_SYS_HTTP_UA_BLACKLIST | User Agent Blacklist | 500675 | |
| User Agent | PH_SYS_HTTP_UA_WHITELIST | User Agent Whitelist | 500676 | |
| User Agent | User_Agents_Ungrouped_1 | Ungrouped | -1 | |
7. Add an element to a resource list
Adds an element to a resource list.
Base Command
fortisiem-add-item-to-resource-list
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | ID of the resource group. Run the fortisiem-get-lists command to get the ID. | Required |
| object-info | CSV list of key-value pairs of attributes, for example: name=SomeName,lowIp=192.168.1.1,highIp=192.168.1.2 | Required |
| resource_type | Resource type. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| FortiSIEM.Resource | Unknown | Resource object in FortiSIEM lists. |
Command Example
!fortisiem-add-item-to-resource-list resource_type="Malware Domains" group_id=766567954 object-info=domainName=test.domain.com,ipAddr=2.2.2.2,org=TeST
Context Example
{
"FortiSIEM.Resource": {
"xmlId": "MalwareSite$test.domain.com",
"domainName": "test.domain.com",
"ipAddr": "2.2.2.2",
"creationTime": 1556692917786,
"naturalId": "test.domain.com",
"systemEntity": true,
"id": 936390355,
"sysDefined": false,
"lastModifiedDate": 1556692917786,
"lastModified": 1556692917786,
"active": true,
"org": "TeST",
"creationDate": 1556692917786,
"custId": 0,
"groupId": 766567954,
"naturalIdProperty": "naturalId",
"ownerId": 500151
}
}
Human Readable Output
Resource was added:
| naturalId | systemEntity | id | groupId | sysDefined | custId | naturalIdProperty | xmlId | lastModifiedDate | ipAddr | active | org | creationDate | domainName | lastModified | creationTime | ownerId |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| test.domain.com | true | 936390355 | 766567954 | false | 0 | naturalId | MalwareSite$test.domain.com | 1556692917786 | 2.2.2.2 | true | TeST | 1556692917786 | test.domain.com | 1556692917786 | 1556692917786 | 500151 |
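The object-info argument is a flat `key=value,key=value` string, so a stray comma or `=` inside a value shifts every attribute that follows it and a malformed address ends up in the list unnoticed. The added example below (not part of the integration) validates attributes and serialises them into that format, and parses it back; the attribute names come from this page's examples, but which keys FortiSIEM requires per resource type is an assumption.

```python
import ipaddress
import re

# Attribute keys per resource type, taken from this page's own command examples
# (name/lowIp/highIp for an IP range, domainName/ipAddr/org for a malware domain).
# Which keys FortiSIEM itself treats as mandatory is an assumption for illustration.
REQUIRED_KEYS = {
    "Malware IP": ("name", "lowIp", "highIp"),
    "Malware Domains": ("domainName",),
}
IP_KEYS = ("lowIp", "highIp", "ipAddr")
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def parse_object_info(text: str) -> dict:
    """Split 'k=v,k=v' into a dict, rejecting malformed pairs and duplicate keys."""
    attrs = {}
    for pair in text.split(","):
        key, sep, value = pair.partition("=")
        if not sep or not KEY_RE.match(key) or value == "":
            raise ValueError(f"malformed pair: {pair!r}")
        if key in attrs:
            raise ValueError(f"duplicate key: {key}")
        attrs[key] = value
    return attrs


def validate_attrs(resource_type: str, attrs: dict) -> None:
    """Raise ValueError unless attrs is a well-formed entry for resource_type."""
    missing = [k for k in REQUIRED_KEYS.get(resource_type, ()) if k not in attrs]
    if missing:
        raise ValueError(f"{resource_type} needs {missing}")
    for key, value in attrs.items():
        # The argument is a flat CSV string, so neither delimiter may appear in a value.
        if "," in value or "=" in value:
            raise ValueError(f"value of {key} contains ',' or '='")
        if key in IP_KEYS:
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
    if "lowIp" in attrs and "highIp" in attrs:
        low = ipaddress.ip_address(attrs["lowIp"])
        high = ipaddress.ip_address(attrs["highIp"])
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range {low}-{high}")
    if "domainName" in attrs and not DOMAIN_RE.match(attrs["domainName"]):
        raise ValueError(f"invalid domain name: {attrs['domainName']}")


def build_object_info(resource_type: str, attrs: dict) -> str:
    """Validate attrs and serialise them for the object-info argument."""
    validate_attrs(resource_type, attrs)
    return ",".join(f"{k}={v}" for k, v in attrs.items())
```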
8. Remove elements from a resource list
Removes elements from a resource list.
Base Command
fortisiem-remove-item-from-resource-list
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | CSV list of resource IDs. | Required |
| resource_type | Resource type. | Required |
Context Output
There is no context output for this command.
Command Example
!fortisiem-remove-item-from-resource-list resource_type="Malware Domains" ids=936390353
Human Readable Output
items with id [u'936390353'] were removed.
9. Get a list of all elements in a resource list
Lists all elements in a resource list.
Base Command
fortisiem-get-resource-list
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | ID of the resource group. Run the fortisiem-get-lists command to get the ID. | Required |
| resource_type | Resource type. | Required |
Context Output
There is no context output for this command.
Command Example
!fortisiem-get-resource-list resource_type="Malware Domains" group_id=766567954
Context Example
{
"FortiSIEM.Resource": [
{
"origin": "User",
"domainName": "malware.com",
"ipAddr": "3.2.3.2",
"active": true,
"org": "TeST",
"id": 936390354
},
{
"origin": "User",
"domainName": "testing.com",
"ipAddr": "1.2.3.4",
"active": true,
"org": "TeST",
"id": 930309355
}
]
}
Human Readable Output
Resource list:
| Origin | Domain Name | Ip Addr | Id | Active | Org |
|---|---|---|---|---|---|
| User | malware.com | 3.2.3.2 | 936390354 | true | TeST |
| User | testing.com | 1.2.3.4 | 930309355 | true | TeST |