FortiSIEM Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems

Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems

You can populate an external CMDB from the FortiSIEM CMDB. Currently, ServiceNow CMDB population is natively supported. For other CMDBs, you need to write a Java class and add some mapping files.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the CMDB.

Procedure

Creating an integration policy

  1. Log into your Supervisor node with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.

When you select the Vendor:

  1. An Instance is created – this is the unique name for this policy. For example, if you had 2 ServiceNow installations, each would have a different Instance name.
  2. A default Plugin Name is populated – this is the Java code that implements the integration, including connecting to the external help desk system and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.

Continue with the remaining settings:

  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Maximum number of devices to send to the external system.
  10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organizations in the external system.
  11. For ConnectWise, it is possible to define a Content Mapping:
    1. Enter Column Mapping:
      1. To add a new mapping, click the + button.
      2. Choose a FortiSIEM CMDB attribute as the Source Column.
      3. Enter the external (ConnectWise) attribute as the Destination Column.
      4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in the Data Mapping definitions.
      5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping:
      1. Choose the (Destination) Column Name.
      2. Enter From as the value in FortiSIEM.
      3. Enter To as the value in ConnectWise.
  12. For Groups, click Edit if you want the policy to only apply to a specific group of CMDB devices.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Click Save.

Updating external CMDB automatically after FortiSIEM discovery

  1. Create an integration policy.
  2. Make sure Run after Discovery is checked.
  3. Click Save.

Updating external CMDB automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time)

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Select a specific integration policy and click Run.

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

Setting Schedules for Receiving Information from External Systems

You can set schedules for when your inbound external integration policies will run and update your incidents or CMDB.

Prerequisites

You should already have created an inbound policy for importing a device from an external system or an inbound policy for receiving Incidents.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule.
  4. Click +.
  5. Select the notification policy you want to create a schedule for, and use the arrow buttons to add it to the Selected list.
  6. Set the parameters for one-time, Hourly, Daily, Weekly, or Monthly scheduled updates.
  7. Click OK.

Using the AccelOps API to Integrate with External Systems

Exporting Events to External Systems via Kafka

This section describes procedures for exporting FortiSIEM events to an external system via the Kafka message bus.

Prerequisites

Make sure you have set up a Kafka Cloud with a specific Topic for FortiSIEM events.

Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.

Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver that can store them in an Elasticsearch database. Supported Kafka version: 0.8
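The Logstash receiver mentioned in the prerequisites, written out as an added example (this pipeline is not part of the FortiSIEM documentation or of any Fortinet project). It assumes placeholder broker hosts, a topic named fortisiem-events, an Elasticsearch endpoint, and that FortiSIEM publishes each event as one text message; all of those are assumptions, not values taken from the page:

```conf
# Added example: a minimal Logstash pipeline acting as the Kafka receiver the
# prerequisites describe. Broker hosts, topic name, index name, certificate
# paths and credentials below are placeholders, not FortiSIEM values.
input {
  kafka {
    # Same brokers that the FortiSIEM export policy is configured to send to.
    bootstrap_servers => "kafka-broker-1:9092,kafka-broker-2:9092"
    # The topic reserved for FortiSIEM events (placeholder name).
    topics            => ["fortisiem-events"]
    group_id          => "fortisiem-logstash"
    # Read from the beginning of the topic on first start so nothing is skipped.
    auto_offset_reset => "earliest"
    # Assumption: FortiSIEM publishes each event as one plain-text message,
    # so the raw event lands in the "message" field for later parsing.
    codec             => plain
    # Encrypt the broker connection; the truststore path is a placeholder and
    # the password is read from the Logstash keystore rather than this file.
    security_protocol       => "SSL"
    ssl_truststore_location => "/etc/logstash/kafka-truststore.jks"
    ssl_truststore_password => "${KAFKA_TRUSTSTORE_PASSWORD}"
  }
}

filter {
  # Tag the feed so FortiSIEM events can be told apart from other sources
  # that may share this pipeline or the same index.
  mutate {
    add_field => { "event_source" => "fortisiem" }
  }
}

output {
  elasticsearch {
    hosts    => ["https://elasticsearch:9200"]
    # Daily indices keep retention and deletion simple.
    index    => "fortisiem-events-%{+YYYY.MM.dd}"
    # Credentials come from the Logstash keystore, not from this file.
    user     => "${ES_USER}"
    password => "${ES_PASSWORD}"
    ssl      => true
    cacert   => "/etc/logstash/es-ca.pem"
  }
}
```

The input block uses the option names of the current Logstash kafka input plugin (bootstrap_servers, topics), which targets newer brokers; the plugin generation that spoke to Kafka 0.8, the version this page lists as supported, instead took a ZooKeeper connection string (zk_connect) and a single topic_id, so check the plugin version installed against the broker version before reusing this block as-is. Whatever the version, keep the keystore references rather than inline passwords, and confirm the receiver writes to the index before enabling the FortiSIEM policy, so events are not published to a topic nobody consumes.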

Procedure

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
