FortiSIEM Events and Report Integration

Events and Report Integration

This API provides a way to programmatically run any query or report that can be executed on the event data from the AccelOps GUI.

General Description

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

Sample Code

General Description

Methodology: REST API based.

Make an HTTP(S) request with an input XML that defines the query.

Since the number of returned results can be large, the caller first gets the total number of results, then fetches the results one chunk at a time. Each call returns an output XML containing the query results.

Request API Parameters

Input URL: https:///phoenix/rest/query/eventQuery

Input Parameters: XML file containing the query parameters

Input Credentials:

Enterprise Deployments: Username and password of any AccelOps account

Multi-tenant Deployments: Username and password of the Super account for getting incidents for all organizations. If incidents for a specific organization are needed, then an organization-specific account and an organization name are needed.

Output: queryId, or an error code if there is a problem in handling the query or the query format
Polling API Parameters

The request will poll until the server completes the query.

Input URL: https:///phoenix/rest/query/progress/

Output: progress (pct)

You need to keep polling the server until progress reaches 100, at which point the server has completed the query. This is because the server may need to aggregate the results or insert meta-information before sending the results.

Results API Parameters

Input URL: https:///phoenix/rest/query/events///

Output: totalCount (first time) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. Keep querying the server with the same URL, increasing begin and end each time, until totalCount is reached.
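An added example (not FortiSIEM's own sample script) that strings the three steps above together as a small Python client, with the HTTP transport injectable so the polling and begin/end chunking logic can be exercised offline. Assumptions not stated on the page: HTTP Basic authentication, a progress endpoint that returns the integer percentage as plain text, an events XML whose root carries a totalCount attribute with one <event> element per result, and end being exclusive; host, queryId, begin and end are filled into the URL paths shown above.

```python
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET

def http_transport(user, password):
    """Build send(method, url, body) doing a real request with Basic auth (assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "text/xml"}

    def send(method, url, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()
    return send

def chunk_ranges(total, size=1000):
    """(begin, end) windows covering [0, total); end treated as exclusive (assumption)."""
    return [(b, min(b + size, total)) for b in range(0, total, size)]

def parse_events(xml_bytes):
    """Return (totalCount, [event attribute dicts]) from one results document (assumed layout)."""
    root = ET.fromstring(xml_bytes)
    return int(root.get("totalCount", "0")), [dict(e.attrib) for e in root.iter("event")]

def run_query(send, host, query_xml, chunk=1000, poll_secs=2):
    """Submit query_xml, poll progress until 100, then page through results by begin/end."""
    base = f"https://{host}/phoenix/rest/query"
    query_id = send("POST", f"{base}/eventQuery", query_xml).decode().strip()
    while int(send("GET", f"{base}/progress/{query_id}").decode().strip()) < 100:
        time.sleep(poll_secs)  # server may still be aggregating or adding meta-information
    # First chunk: begin = 0, end = chunk; totalCount tells us how far to page.
    total, events = parse_events(send("GET", f"{base}/events/{query_id}/0/{chunk}"))
    for begin, end in chunk_ranges(total, chunk)[1:]:
        events += parse_events(send("GET", f"{base}/events/{query_id}/{begin}/{end}"))[1]
    return events

if __name__ == "__main__":
    import sys
    host, user, password, xml_path = sys.argv[1:5]
    with open(xml_path, "rb") as f:
        for ev in run_query(http_transport(user, password), host, f.read()):
            print(",".join(f"{k}={v}" for k, v in ev.items()))
```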

Sample XML Output

Failed-Logins-Report.txt

Sample Code

This sample takes the credentials, the input XML and, optionally, an organization name as arguments and writes out the query results in comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

Sample XML Input Files

Failed Login at Any Device
Top Events by Severity and Count
Top Reporting Device and Module by Event Count
Top Servers By Least Free Disk Space

Sample Python Script

<script name>.py Script Usage

You also need to download the getMonitoredOrganizations python script into the same directory.

Sample Query

python GetQueryResultsByOrg.py 172.16.20.210 "super/admin" "admin*1" all ./failed-login.xml

The Super user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

