
FortiSIEM Ticket Related Operations

Ticket Related Operations

Creating a ticket without an Incident

  1. Go to Incidents > Tickets.
  2. Click New.
  3. Enter a Summary and Description for the ticket. Both of these fields are required.
  4. For Assigned To, select a user from the menu.
  5. Set any Due Date for the ticket.
  6. Select a Priority for the ticket.
  7. Click Save.

Creating a ticket from an Incident

  1. In the Incident Dashboard, select the incident you want to create a ticket for.
  2. Click Ticket.

The Incident ID, Summary and Description for the ticket will be populated from the incident information.

  3. Select the person you want to assign the ticket to.
  4. Enter a Due Date for the ticket.
  5. Set a Priority for the ticket.
  6. Click Save.

Closing a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For State drop down, select Closed
  5. Click

Changing the assignee in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Assigned drop down, select the new Assignee
  5. Click

Changing the due date in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Due Date edit box, select the date and then the time.
  5. Click Save.

Adding notes to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Add to Description
  5. Click Save

Adding attachments to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Click PDF or PNG under Attach file
  5. Include the file and Click Upload.
  6. Click Save

Exporting a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Export

Viewing Ticket History

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. See Action History on bottom right pane

Searching tickets

This can be done in two ways:

  1. Type keywords in the Search box.
  2. Use the Attribute Value Search –


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Creating Tickets In FortiSIEM In-built Ticketing System

Creating Tickets In FortiSIEM In-built Ticketing System

AccelOps includes a feature that lets you create and assign tickets for IT infrastructure tasks, and create tickets directly from incidents. You can see all tickets that have been created by going to Incidents > Tickets, and then use the filter controls to view tickets by assignee, organization, priority, and other attributes. You can also configure AccelOps and your Remedy system so that Remedy will accept tickets created by incident notification actions.

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

Ticket Related Operations

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

This topic describes how to configure Remedy to accept tickets as notification actions from AccelOps.

Prerequisites

Procedure

Incident Attributes for Defining Remedy Forms

Prerequisites

Make sure you have configured the Remedy server settings in AccelOps.

Procedure

  1. In Remedy, create a new form, AccelOps_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
  2. When you have defined the fields in the form, right-click on the field and select the Data Type that corresponds to the incident attribute.
  3. After setting the form field data type, click in the form field again to set the Label for the field.
  4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
  5. For Base Form, enter AccelOps_Incident_Interface.
  6. Click the WSDL
  7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/AccelOps_Incident_Interface.
  8. Click the Permissions tab and select
  9. Click

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.

Incident Attributes for Defining Remedy Forms

Incident Attribute | Data Type | Description
--- | --- | ---
biz_service | text | Name of the business services affected by this incident
cleared_events | text |
cleared_reason | text | The reason for clearing the incident, if it was cleared
cleared_time | bigint | The time at which the incident was cleared
cleared_user | character varying(255) | The user who cleared the incident
comments | text | Comments
cust_org_id | bigint | The organization id to which the incident belongs
first_seen_time | bigint | Time when the incident occurred for the first time
last_seen_time | bigint | Time when the incident occurred for the last time
incident_count | integer | Number of times the incident triggered between the first and last seen times
incident_detail | text | Incident Detail attributes that are not included in incident_src and incident_target
incident_et | text | Incident Event type
incident_id | bigint | Incident Id
incident_src | text | Incident Source
incident_status | integer | Incident Status
incident_target | text | Incident Target
notif_recipients | text | Incident Notification recipients
notification_action_status | text |
orig_device_ip | text |
ph_incident_category | character varying(255) | AccelOps defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id | bigint | Rule id
severity | integer | Incident Severity 0 (lowest) – 10 (highest)
severity_cat | character varying(255) | LOW (0-4), MEDIUM (5-8), HIGH (9-10)
ticket_id | character varying(2048) | Id of the ticket created in AccelOps
ticket_status | integer | Status of ticket created in AccelOps
ticket_user | character varying(1024) | Name of the user to which the ticket is assigned in AccelOps
view_status | integer |
view_users | text |


FortiSIEM Viewing Incident Notification History

Viewing Incident Notification History

There are two ways you can view the notification history for an incident.

  1. In the Incident Notification Status column of the Incident Dashboard.
  2. Click on an incident in the Incident Name column of the Incident Dashboard, and then select View Notification History from the Options menu.


FortiSIEM Incident XML File Format

Incident XML File Format

This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.

Example Incident XML File

XML Tag and Attribute Definitions

Example Incident XML File

<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped. Currently this works for windows servers and is detected via WMI.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource>
  </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation>
  </identityLocation>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=
  </rawEvents>
</incident>

XML Tag and Attribute Definitions

XML Tag | Attributes | Description
--- | --- | ---
<incident> | incidentId | Unique id of the incident in AccelOps. You can search for the incident by using this ID.
<incident> | ruleType | Unique id of the rule in AccelOps
<incident> | severity | The severity of the incident, HIGH MEDIUM LOW
<incident> | repeatCount | How many times this incident has occurred
<incident> | organization | In multi-tenant deployments, the organization affected by the incident
<incident> | status | The status of the incident
<name> | | The name of the rule that triggered the incident
<description> | | The description of the rule that triggered the incident
<displayTime> | | The time when the incident occurred
<incidentSource> | | The source of the incident. It includes the event attributes associated with the source presented as name:value pairs. Common attributes for source and target here are srcIpAddr, destIpAddr, hostIpAddr.
<incidentTarget> | | Where the incident occurred, or the target of an IPS alert. It includes the event attributes associated with the target presented as name:value pairs. Common attributes for source and target here are srcIpAddr, destIpAddr, hostIpAddr.
<incidentDetails> | | The event attributes associated with the rule definition that triggered the incident
<affectedBizSrvc> | | Any business services impacted by the event
<identityLocation> | | Information associated with the Identity and Location Report
<rawEvents> | | The contents of the raw event log for the incident.


FortiSIEM Setting Scripts as Notification Actions

Setting Scripts as Notification Actions

One of the actions you can specify for an incident notification is to execute a script. For example, suppose you are monitoring Windows services that are in Auto mode, and you have rules that will trigger an incident if one of those services is stopped. The notification action for that incident can include the running of a script by AccelOps that will re-start the service, as shown in the example scripts in this topic.

How Script Notification Actions are Processed

  1. When you specify the notification action as a script, you must provide the full path to the script in the notification policy settings, for example /tmp/Myscript.py.
  2. You must write the script so it expects the incident XML file to be located in the same directory as the script, for example /tmp if the script location is /tmp/Myscript.py.
  3. When a notification policy is triggered by an incident, the policy actions are handled in sequential order, so if there are multiple script actions, the first one will be processed before the second one.
  4. When the script action is processed, the AccelOps notification module will first generate an incident XML file and put it in the same directory as the script. AccelOps will then call the script with the XML file name as an argument.
  5. When the script returns, the incident XML file that was created by AccelOps is deleted, so there is no confusion with the next script action which involves a new incident XML file and is processed only after the previous script action is complete.

Setting a Script Notification Action

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the notification policy where you want to add the script action.
  4. Under Actions, next to the Methods table, click .
  5. Under Run Script, click Add.
  6. For Script Name, enter the name of the script and the absolute directory path to it.
  7. Click OK.

 

Example of a Windows Restart Script as a Notification Action

This topic provides an example of a script that could be used as a notification action, following the example of re-starting a Windows service that has stopped and triggered an incident, as described in Setting Scripts as Notification Actions.

This example requires two scripts: one located on the Windows server that hosts the service, and a script on the AccelOps Supervisor host machine that will be triggered by the incident notification and will execute the Windows server script.

Windows Script

AccelOps Script

Windows Script

  1. Create a script named installWinexeSvc.bat for starting the remote winexe provider service.

AccelOps Script

This script, restartWinService.py, reads the incident XML file, parses out the target IP and stopped service, and issues a winexe command to restart the service.

#!/usr/bin/python
# restartWinService.py
# Notification-action script: AccelOps calls it with the incident XML file as
# its only argument. It reads the target host IP from /incident/incidentTarget
# and the stopped service from /incident/incidentDetails, then stops and
# starts that service on the Windows host through winexe.
from __future__ import print_function
import re
import subprocess
import sys
import time
import xml.dom.minidom

########################################################################
# NOTE:  You need to replace the user and password with an account on
#        your Windows server that has permissions to run this windows
#        command.
########################################################################
WIN_USER = "Administrator"
WIN_PASSWORD = "ProspectHills!"


def entry_value(doc, section, attribute):
    """Return the text of <entry attribute="..."> under the given section,
    e.g. /incident/incidentTarget/entry[@attribute='hostIpAddr'], or ""."""
    nodes = doc.getElementsByTagName(section)
    if not nodes:
        print("no " + section + " found!")
        return ""
    for node in nodes[0].childNodes:
        if (node.nodeType == node.ELEMENT_NODE
                and node.getAttribute("attribute") == attribute
                and node.firstChild is not None):
            return node.firstChild.data
    return ""


def winexe(target_ip, sc_command):
    """Run an sc command on the target host. The command is passed as an
    argument list so that values taken from the incident XML are never
    interpreted by a local shell."""
    cmd = ["winexe", "--user", WIN_USER, "--password", WIN_PASSWORD,
           "//" + target_ip, sc_command]
    return subprocess.call(cmd)


if len(sys.argv) != 2:
    print("Usage: restartWinService.py incident.xml")
    sys.exit(1)

fileName = sys.argv[1]
print("parsing incident xml file : " + fileName)
doc = xml.dom.minidom.parse(fileName)

targetIP = entry_value(doc, "incidentTarget", "hostIpAddr")
if targetIP == "":
    print("no incident target found!")
    sys.exit(1)
# trim IP, e.g. 10.1.20.189(SH-Quidway-SW1)
targetIP = re.sub(r'\(.+\)', "", targetIP)
print("restart service for target IP: " + targetIP)

# parse the service name
targetService = entry_value(doc, "incidentDetails", "serviceName")
if targetService == "":
    print("no service name found in incidentDetails!")
    sys.exit(1)

# stop the service
ret = winexe(targetIP, "sc stop " + targetService)
print("stop service with return code , " + str(ret))
print("waiting service stop")
time.sleep(10)

# start the service
ret = winexe(targetIP, "sc start " + targetService)
print("start service with return code , " + str(ret))



FortiSIEM Sending Email and SMS Notifications for Incidents

Sending Email and SMS Notifications for Incidents

When you set actions for an incident notification, one option is to send an email or SMS message to groups or individuals, and you also have an option to specify a template that should be used in the email.

Prerequisites

Procedure

Related Links

Prerequisites

Make sure the email gateway has been configured for your deployment.

You should also have set up any email templates that you want to use for notifications.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the policy that you want to set up the email or SMS notification for.
  4. Under Actions, next to the email/sms notification table, click .
  5. For multi-tenant deployments, select the Organization that contains the individuals or groups you want notified.

Under Folders, you will see the user groups for that organization listed.

  6. In the Folders pane, select a group.

In the Items pane, you will see a list of users for that group.

  7. Select a group and click Folder >> to add a group to the Notification Actions list, or select individual users and click Items >>.
  8. Under Notification Actions, select the Method, Email or SMS, that you want to use for sending the notification.
  9. Select an Email Template if you are sending an email notification. If you leave this blank, the default email template will be used.

Related Links

Setting Up the Email Gateway

Setting Scripts as Notification Actions

Customizing Email Templates for Notifications

Email templates for incident notifications are based on incident variables that you put into the subject and body of the template, which are then populated with the actual attribute values in the incident.

Incident Attribute Variables

Example Email Template

Template

Generated Email

Creating an Email Template

Incident Attribute Variables

These are the incident attribute variables you can use for your email template.

$organization

$status

$hostName

$incidentId

$incidentTime

$firstSeenTime

$lastSeenTime

$incident_severityCat

$incident_severity

$incident_incidentCount

$ruleName

$ruleDescription

$incident_source

$incident_target

$incident_detail

$affectedBizService

Example Email Template

This example first shows a template with the incident attribute variables, and then an email based on this template with the variables populated from an incident.

Template

Email Subject:

$ruleName was triggered at $incidentTime

Email Body:

The host, $incident_target, was being scanned by $incident_source starting at $firstSeenTime and ending at $lastSeenTime. There were $incident_incidentCount hits.

Please investigate and report as necessary.

Generated Email

Subject: Server Memory Warning was triggered at Jan 10 22:43 UTC

Body: The host, Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL, was being scanned by 10.1.1.1 starting at Jan 10 22:05 UTC and ending at Jan 10 22:11 UTC. There were 2 hits.

Please investigate and report as necessary.
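The following added example (not AccelOps code) serves both the Incident XML File Format topic and the email template above: it parses the example incident XML into the listed $variables and renders the subject template with Python's string.Template. Which XML element feeds which variable, and the "Name: value" rendering of entry elements, are assumptions modelled on the generated email shown above.

```python
import string
import xml.dom.minidom

# Constructed sample input: the incident XML from the Incident XML File Format
# topic, trimmed to the elements this example reads (not a file from AccelOps).
SAMPLE_INCIDENT_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10"
          repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource>
  </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
</incident>
"""

# The subject line is the template from the example above; the body is constructed.
SUBJECT_TEMPLATE = "$ruleName was triggered at $incidentTime"
BODY_TEMPLATE = ("The host, $incident_target, triggered $ruleName "
                 "($incident_severityCat, severity $incident_severity). "
                 "Details: $incident_detail. Service: $affectedBizService.")

def _text(elem):
    return "".join(n.data for n in elem.childNodes if n.nodeType == n.TEXT_NODE).strip()

def _first_text(doc, tag):
    nodes = doc.getElementsByTagName(tag)
    return _text(nodes[0]) if nodes else ""

def _entries(doc, section):
    """Flatten a section's <entry name="..">value</entry> children into
    'Name: value' pairs, the form $incident_target takes in the generated
    email above (an assumption modelled on that example)."""
    nodes = doc.getElementsByTagName(section)
    if not nodes:
        return ""
    return " ".join("%s: %s" % (e.getAttribute("name"), _text(e))
                    for e in nodes[0].getElementsByTagName("entry"))

def severity_category(severity):
    """Bands from the Remedy attribute table: LOW 0-4, MEDIUM 5-8, HIGH 9-10."""
    if severity <= 4:
        return "LOW"
    return "MEDIUM" if severity <= 8 else "HIGH"

def incident_variables(xml_text):
    """Map the incident XML onto the $variables listed under Incident Attribute
    Variables; which element feeds which variable is this example's assumption."""
    doc = xml.dom.minidom.parseString(xml_text)
    inc = doc.documentElement
    severity = int(inc.getAttribute("severity"))
    return {
        "organization": inc.getAttribute("organization"),
        "status": inc.getAttribute("status"),
        "incidentId": inc.getAttribute("incidentId"),
        "incidentTime": _first_text(doc, "displayTime"),
        "incident_severity": str(severity),
        "incident_severityCat": severity_category(severity),
        "incident_incidentCount": inc.getAttribute("repeatCount"),
        "ruleName": _first_text(doc, "name"),
        "ruleDescription": _first_text(doc, "description"),
        "incident_source": _entries(doc, "incidentSource"),
        "incident_target": _entries(doc, "incidentTarget"),
        "incident_detail": _entries(doc, "incidentDetails"),
        "affectedBizService": _first_text(doc, "affectedBizSrvc"),
    }

def render(template, variables):
    """Expand $variables. safe_substitute leaves a variable the incident does
    not supply (e.g. $firstSeenTime here) visible rather than raising."""
    return string.Template(template).safe_substitute(variables)
```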

Creating an Email Template

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Incident Email Templates.
  3. Click Add.
  4. For multi-tenant deployments, select the organization for which you are creating the email template.
  5. Enter a Name for the template.
  6. Enter the Email Subject and Email Body.

You can select attribute variables from the Insert Content menu to enter into your template, rather than having to type them out by hand.

  7. Click OK.

be used. To set an email template as default, select the template in the list on the Incident Email Templates page, and then click Set as Default. For multi-tenant deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.


FortiSIEM Creating an Incident Notification Policy

Creating an Incident Notification Policy

Prerequisites

Make sure you have enabled the settings for sending email or other notification actions as described in Setting Up Routing Information for Reports and Incident Notifications.

You should read the introductory topic on incident notifications to understand how policy conditions are processed.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Click New.
  4. Select the Incident Severity.

Only incidents matching the severity level you select will trigger a notification.

  5. For Rules, click and select the rule or rules you want to trigger this notification.
  6. Set a Time Range during which this notification will be in effect.

Notifications will be sent only if an incident occurs during the time range you set here.

  7. For Affected Items, click and use the CMDB Browser to select the devices or applications for which this policy should apply.

Instead of individual devices or groups, you can apply the notification policy to an IP address or range by clicking Add under IP/Range. You can also select a group, and then select the Not option to explicitly exclude that group of applications or devices from the notification policy.

  8. For multi-tenant deployments, select the Organizations to which the notification policy should apply.

Notifications will be sent only if the triggering incidents affect the selected organization.

  9. Select the Actions to take when the notification is triggered.

See the topics under Sending Email and SMS Notifications for Incidents, Creating Tickets In FortiSIEM In-built Ticketing System, Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems, and Setting Scripts as Notification Actions for more information about notification actions.

  10. Enter any Comments about the policy.
  11. When you are finished creating the notification policy, select Enabled to make it active in your deployment.
  12. Click Save.


FortiSIEM Device Risk View of Incidents

Device Risk View of Incidents

Viewing Devices Sorted By Risk

  1. Go to the Incident tab.
  2. Set Group By to Host Risk Score.
  3. The left pane shows devices sorted by risk.
  4. The right pane shows incidents for the device selected in the left pane.

Calendar View of Incidents

The calendar view of incidents provides a summary view of the number of incidents that have occurred on a calendar day, grouped by severity. Clicking a group loads a summary of those incidents.

This screenshot shows the calendar view of incidents for the month of February 2015.

Fishbone View of Incidents

The fishbone view of incidents presents a view of networks and devices in those networks, along with the incidents triggered for those devices over the last 24 hours. This view is derived from the Network Segments in the CMDB, with the devices associated with those segments overlaid. The numbers and colors for each device indicate the number and severity of incidents associated with that device.

Clicking on an incident number will show you a summary of those incidents. Clicking on Last Seen, First Seen, Incident Name, or Incident Details in that summary will let you select Incident Details to view more information. Clicking on any IP addresses associated with the device will open a contextual menu that will let you find out more information about that device.

Clicking on an IP number or hostname in the fishbone view will let you view the Quick Info for that device, or you can select Topology to view it within the context of your network topology.

Hovering your mouse cursor over a device or incident number will show you the IP address and host name for that device, as well as the type of device.

This screenshot shows an example fishbone view of network segments, devices, and associated incidents.

Incident Notifications

The sending of notifications when an incident occurs is handled by Notification Policies, which you can see listed in the Analytics > Incident Notification Policies page. Instead of having notifications set for each rule, you can create a policy and have it apply to multiple rules.

When viewing the notification policies, think of the columns on the page as representing a series of "If … and … then" statements that lead to the notification action. For example, you could read the table columns as a sentence:

“IF Incident Severity is X1 AND Rule is X2 AND Time Range is X3 AND Affected Items includes X4 AND Affected Organizations is X5, THEN take the actions specified in the ACTION column.”

When AccelOps evaluates whether a notification action should be triggered based on the notification conditions, it evaluates all notification policies, and will trigger the actions of all policies that meet the condition, instead of just the first policy that meets the conditions. This means that the order of policies in the list doesn’t matter, and that you can write policies with overlapping conditions that could also, for example, include different actions.
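As an added example (not AccelOps code) of the evaluation rule just described: two overlapping policies with the five conditions ANDed, where every matching policy's actions are collected regardless of list order, and the Not option on an affected range excludes a segment. The policy field names, networks and actions are this example's own constructions.

```python
from datetime import datetime, time
import ipaddress

# Constructed sample data for illustration: the policy field names are this
# example's own (not AccelOps identifiers) and the networks are made up.
POLICIES = [
    {   # IF severity in {9,10} AND rule is Auto Service Stopped AND any time
        # AND target in the DC segment AND org Super THEN email the DC admins
        "name": "dc-service-down",
        "severity": {9, 10},
        "rules": {"PH_RULE_AUTO_SRVC_DOWN"},
        "time_range": (time(0, 0), time(23, 59)),
        "affected": [("172.16.10.0/24", False)],   # (IP range, Not flag)
        "orgs": {"Super"},
        "actions": ["email:dc-admins"],
    },
    {   # Overlapping policy: business hours only, any rule, whole site
        # except the lab segment (selected with the Not option)
        "name": "business-hours-ticket",
        "severity": {5, 6, 7, 8, 9, 10},
        "rules": None,                             # None = any rule
        "time_range": (time(8, 0), time(18, 0)),
        "affected": [("172.16.0.0/16", False), ("172.16.99.0/24", True)],
        "orgs": {"Super"},
        "actions": ["ticket", "email:helpdesk"],
    },
]

# Constructed incident, using the values from the example incident XML.
INCIDENT = {"severity": 10, "rule": "PH_RULE_AUTO_SRVC_DOWN",
            "time": datetime(2012, 6, 29, 15, 51, 10),
            "target_ip": "172.16.10.15", "organization": "Super"}


def affected_matches(target_ip, affected):
    """An included range selects the target; a range marked Not excludes it,
    whatever order the entries were added in."""
    ip = ipaddress.ip_address(target_ip)
    included = False
    for network, negate in affected:
        if ip in ipaddress.ip_network(network):
            if negate:
                return False
            included = True
    return included


def policy_matches(policy, incident):
    """All five conditions are ANDed, as in the IF ... AND ... THEN reading."""
    start, end = policy["time_range"]
    return (incident["severity"] in policy["severity"]
            and (policy["rules"] is None or incident["rule"] in policy["rules"])
            and start <= incident["time"].time() <= end
            and affected_matches(incident["target_ip"], policy["affected"])
            and incident["organization"] in policy["orgs"])


def triggered_actions(incident, policies):
    """Every policy is evaluated and the actions of all matching policies are
    collected, so the position of a policy in the list never matters."""
    actions = []
    for policy in policies:
        if policy_matches(policy, incident):
            actions.extend(policy["actions"])
    return actions
```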

See also the topics under Incident Notification for more information about the methods that are available for sending notifications from AccelOps, including the AccelOps API.

Creating an Incident Notification Policy

Sending Email and SMS Notifications for Incidents

Customizing Email Templates for Notifications

Setting Scripts as Notification Actions

Example of a Windows Restart Script as a Notification Action

Incident XML File Format

Viewing Incident Notification History
