FortiSIEM Events and Report Integration

This API provides a way to programmatically run any query or report that can be executed on the event data from the AccelOps GUI.

General Description

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

Sample Code

General Description

Methodology: REST API based.

1. Make an HTTP(S) request with an input XML that defines the query.

2. Since the number of returned results can be large, the caller has to first get the total number of results.

3. Then get the results one chunk at a time. Each time, an output XML containing that chunk of the query results is returned.

Request API Parameters

Input URL: https:///phoenix/rest/query/eventQuery

Input Parameters: XML file containing the query parameters

Input Credentials:

Enterprise Deployments: Username and password of any AccelOps account

Multi-tenant Deployments: Username and password of the Super account to run the query across all organizations. If results for a specific organization are needed, then an organization-specific account and the organization name are needed.

Output: queryId, or an error code if there is a problem in handling the query or the query format
Polling API Parameters

The caller polls until the server completes the query.

Input URL: https:///phoenix/rest/query/progress/ (followed by the queryId returned by the request call)

Output: progress (pct)

Keep polling until progress reaches 100, at which point the server has completed the query. Polling is needed because the server may have to aggregate the results or insert meta-information before it can return them.

Results API Parameters

Input URL: https:///phoenix/rest/query/events/// (the queryId, begin and end follow in that order)

Output: totalCount (first time) and an XML containing the event attributes.

For the first call, use begin = 0; end can be 1000. Keep querying the server with the same URL, increasing begin and end each time, until totalCount is reached.
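The three calls above (submit the query, poll progress, fetch results in chunks), together with the CSV output that the script under Sample Code produces, as an added Python example. This is not the page's sample script nor Fortinet's code. It assumes: the Supervisor host is placed in front of the paths shown on the page; credentials are sent as HTTP Basic, with multi-tenant users in organization/user form; the progress body is a bare percentage; a rejected query comes back as an XML document rather than a bare queryId; and the result XML has the shape queryResult[@totalCount]/events/event/attributes/attribute[@name]. The FakeSupervisor class and SAMPLE_EVENTS are constructed so the code runs offline; swap in http_fetch (the default) to talk to a real Supervisor.

```python
import base64
import csv
import io
import time
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint paths from the page; the Supervisor host is supplied by the caller.
QUERY_PATH = "/phoenix/rest/query/eventQuery"
PROGRESS_PATH = "/phoenix/rest/query/progress/{query_id}"
RESULTS_PATH = "/phoenix/rest/query/events/{query_id}/{begin}/{end}"
CHUNK = 1000  # the page suggests begin=0, end=1000 for the first results call

def basic_auth_header(user, password):
    """HTTP Basic credentials (assumed); multi-tenant users use organization/user form, e.g. super/admin."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def http_fetch(url, headers, body=None):
    """Real transport: POST when a body is given, otherwise GET; returns the response text."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()

def submit_query(host, auth, query_xml, fetch=http_fetch):
    """Step 1: POST the query XML. The reply is the bare queryId; an error is assumed to come back as XML."""
    reply = fetch(f"https://{host}{QUERY_PATH}", {**auth, "Content-Type": "text/xml"}, query_xml.encode()).strip()
    if not reply or reply.startswith("<"):
        raise RuntimeError(f"query rejected: {reply!r}")
    return reply

def wait_for_completion(host, auth, query_id, fetch=http_fetch, sleep=time.sleep, max_polls=600):
    """Step 2: poll progress until it reaches 100 (assumes the body is the bare percentage)."""
    url = f"https://{host}{PROGRESS_PATH.format(query_id=query_id)}"
    for _ in range(max_polls):
        if int(float(fetch(url, auth).strip())) >= 100:
            return True
        sleep(1)
    return False  # give up rather than poll forever on a stuck query

def parse_results(xml_text):
    """Assumed layout: queryResult[@totalCount]/events/event/attributes/attribute[@name]."""
    root = ET.fromstring(xml_text)
    rows = [{a.get("name"): (a.text or "") for a in ev.iter("attribute")} for ev in root.iter("event")]
    return int(root.get("totalCount", "0")), rows

def fetch_all_results(host, auth, query_id, fetch=http_fetch, chunk=CHUNK):
    """Step 3: walk the result set one [begin, end) window at a time until totalCount is reached."""
    rows, begin, total = [], 0, None
    while total is None or begin < total:
        url = f"https://{host}" + RESULTS_PATH.format(query_id=query_id, begin=begin, end=begin + chunk)
        total_now, page = parse_results(fetch(url, auth))
        total = total_now if total is None else total
        if not page:
            break  # server returned fewer rows than totalCount promised; do not loop forever
        rows.extend(page)
        begin += chunk
    return rows

def run_query(host, auth, query_xml, fetch=http_fetch, sleep=time.sleep, chunk=CHUNK):
    """Submit, poll, then collect every chunk; returns a list of attribute dicts, one per event."""
    query_id = submit_query(host, auth, query_xml, fetch)
    if not wait_for_completion(host, auth, query_id, fetch, sleep):
        raise TimeoutError(f"query {query_id} did not complete")
    return fetch_all_results(host, auth, query_id, fetch, chunk)

def rows_to_csv(rows):
    """Same output form as the page's sample script: CSV with one column per event attribute."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted({k for r in rows for k in r}))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed stand-in for a Supervisor so the example runs offline; not real FortiSIEM output.
SAMPLE_EVENTS = [
    {"eventType": "Failed-Login", "user": "alice", "reptDevIpAddr": "10.0.0.5"},
    {"eventType": "Failed-Login", "user": "bob", "reptDevIpAddr": "10.0.0.7"},
]

class FakeSupervisor:
    def __init__(self, progress=(30, 100), reject=False):
        self.progress, self.reject, self.calls = list(progress), reject, []

    def __call__(self, url, headers, body=None):
        self.calls.append(url)
        if url.endswith(QUERY_PATH):
            return "<error>bad query</error>" if self.reject else "q-42"
        if "/progress/" in url:
            return str(self.progress.pop(0))
        begin, end = (int(p) for p in url.rsplit("/", 2)[1:])
        root = ET.Element("queryResult", totalCount=str(len(SAMPLE_EVENTS)))
        events = ET.SubElement(root, "events")
        for event in SAMPLE_EVENTS[begin:end]:
            attrs = ET.SubElement(ET.SubElement(events, "event"), "attributes")
            for name, value in event.items():
                ET.SubElement(attrs, "attribute", name=name).text = value
        return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    creds = basic_auth_header("super/admin", "admin*1")  # the page's sample credentials
    rows = run_query("supervisor.example", creds, "<Reports/>", fetch=FakeSupervisor(), sleep=lambda s: None, chunk=1)
    print(rows_to_csv(rows), end="")
```

The chunk size is set to 1 in the stand-alone run only to force two results calls; against a real Supervisor keep the page's 1000. The page does not say whether end is inclusive, so the window is treated as [begin, end) and the loop also stops on an empty chunk, which protects against a totalCount that overstates what the server will actually hand back.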

Sample XML Output

Failed-Logins-Report.txt

Sample Code

This sample takes the credentials, the input XML and, optionally, an organization name as arguments and writes the query results to the screen in comma separated value (CSV) format. The output can be redirected to a file if needed.

Sample XML Input Files

Failed Login at Any Device

Top Events by Severity and Count

Top Reporting Device and Module by Event Count

Top Servers By Least Free Disk Space

Sample Python Script

GetQueryResultsByOrg.py

Script Usage

You also need to download the getMonitoredOrganizations python script into the same directory.

Sample Query

python GetQueryResultsByOrg.py 172.16.20.210 "super/admin" "admin*1" all ./failed-login.xml

The Super user needs to be stated explicitly in organization/user format, for example "super/admin" instead of just "admin".


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on "FortiSIEM Events and Report Integration"

  1. Kris

    Great place to start, but it is missing documentation for the query params XML. It would be much more useful if I could have a link to the query params XML docs.
