FortiSIEM Incident Notification

Incident Notification

AccelOps can send notifications via email/SMS, HTTPS, SNMP traps, and over the AccelOps API. These topics describe the formats for these notification types, and how to use the notification API.

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API Using the Notification API

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API

This topic describes the formats for the various types of notifications that AccelOps can send by email/SMS, HTTPS, SNMP trap, or through the API>.

Email/SMS Notification

Subject Line Format

Body Format

SMS Format

SNMP Trap Notification

MIB File

HTTP(S) Notification

XML Schema

XML File Format

Email/SMS Notification

Email is the most common form of incident notification. For integration purposes, an incident email subject and body can be parsed and specific actions can be taken if necessary.

These screenshots shows three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed

New Update Clear

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body Format

Section Field Description
Generic
Incident Id Unique ID of the incident in AccelOps. An incident can be searched in AccelOps by this ID.
Time Time when this incident occurred
Severity Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH
Incident Count How many times this incident has occurred. For NEW incidents, the count is 1.
Rule Rule Name Name of the rule, repeated in the subject line
Rule

Description

Incident Target Where the incident occurred, or the target of an IPS alert
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Source For security-related incidents, where the incident originated
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Details Rule-specific details that caused the incident to trigger
Affected Business

Services  (optional

)

Identity and

Location

Xontains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by AccelOps and shown in the Identity and Location tab. Host name

User

Domain

Nearest switch name/port or VPN gateway or Wireless Controller

First and last seen times for this IP address to identity/location binding


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.