FortiSIEM Incident Notification

Incident Notification

AccelOps can send notifications via email/SMS, HTTPS, SNMP traps, and over the AccelOps API. These topics describe the formats for these notification types, and how to use the notification API.

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API Using the Notification API

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API

This topic describes the formats for the various types of notifications that AccelOps can send by email/SMS, HTTPS, SNMP trap, or through the API>.

Email/SMS Notification

Subject Line Format

Body Format

SMS Format

SNMP Trap Notification

MIB File

HTTP(S) Notification

XML Schema

XML File Format

Email/SMS Notification

Email is the most common form of incident notification. For integration purposes, an incident email subject and body can be parsed and specific actions can be taken if necessary.

These screenshots shows three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed

New Update Clear

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body Format

Section Field Description
Generic
Incident Id Unique ID of the incident in AccelOps. An incident can be searched in AccelOps by this ID.
Time Time when this incident occurred
Severity Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH
Incident Count How many times this incident has occurred. For NEW incidents, the count is 1.
Rule Rule Name Name of the rule, repeated in the subject line
Rule

Description

Incident Target Where the incident occurred, or the target of an IPS alert
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Source For security-related incidents, where the incident originated
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Details Rule-specific details that caused the incident to trigger
Affected Business

Services  (optional

)

Identity and

Location

Xontains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by AccelOps and shown in the Identity and Location tab. Host name

User

Domain

Nearest switch name/port or VPN gateway or Wireless Controller

First and last seen times for this IP address to identity/location binding

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.