FortiSIEM Incident Notification

SMS Format

SMS notification is a shortened version of the email notification.

SNMP Trap Notification

MIB File

AccelOps can send out SNMP traps on incidents. Load the attached MIB file into your SNMP trap receiver (network management system) so that it can decode the traps AccelOps sends.

HTTP(S) Notification

XML Schema

The AccelOps AONotification.xsd file defines the XML schema for incident notifications.

XML File Format

Sample Incident XML file pushed out via HTTP(S)

Field descriptions for the incident XML, by section:

Generic
  incidentId     Unique ID of the incident in AccelOps. An incident can be searched in AccelOps by this ID.
  ruleId         Unique ID of the rule in AccelOps.
  vendor         AccelOps
  severity       Incident severity: HIGH | MEDIUM | LOW
  organization   The name of the organization for which this incident occurred.
  status         New, Update or Clear
  repeatCount    How many times this incident has occurred.
  name           Name of the rule that triggered the incident.
  description    Description of the rule, including the conditions under which the rule is written to trigger.
  displayTime    Time when this incident occurred.

incidentTarget   Where the incident occurred, or the target of an IPS alert. It consists of attribute, name and value pairs.
  attribute      Parsed event attribute ID. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
  name           Display name of the attribute.
  value          The attribute's value.

incidentSource   For security-related incidents, where the incident originated. Same attribute, name and value pairs as incidentTarget.
  attribute      Parsed event attribute ID. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
  name           Display name of the attribute.
  value          The attribute's value.

incidentDetails  Rule-specific details that caused the incident to trigger, shown as attribute, name and value pairs.
  attribute      Parsed event attribute ID. Common examples of attributes are srcIpAddr, destIpAddr, hostIpAddr, etc.
  name           Display name of the attribute.
  value          The attribute's value.

affectedBizSrvc  A comma-separated list of business service names.

deviceDetails    Additional information for IP addresses in the incident source or target. This section is present only if AccelOps has discovered such information and shows it in the Identity and Location tab.
  ipAddr, hostName, vendor, model, version
  users          Logged-on users for this IP address, obtained from Active Directory:
    userName     Active Directory login name
    fullName     Full name of this user, from Active Directory or defined manually
    email        Email address of the user, from Active Directory or defined manually
    jobTitle     Job title of the user, from Active Directory or defined manually
    First and last seen times for this IP address to user binding
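The receiving side of the HTTP(S) notification, as an added example that is not part of the AccelOps documentation or product: a Python parser that validates an incident payload against the field table above and returns a normalized record, the kind of thing a ticketing or SOAR integration would run on each pushed incident. The element names follow the table; the nesting (one <entry> per attribute/name/value triple, one <device>/<user> per item under deviceDetails), the entry element name itself and the sample payload are constructed assumptions, since the page's sample XML and AONotification.xsd did not survive extraction. Check them against the real schema before relying on this.

```python
"""Parse and validate an AccelOps/FortiSIEM HTTP(S) incident notification."""
import xml.etree.ElementTree as ET

SEVERITIES = {"HIGH", "MEDIUM", "LOW"}
STATUSES = {"New", "Update", "Clear"}

# Constructed sample payload (not from AccelOps). Field names follow the page's
# table; the nesting (<entry> triples, <device>/<user> items) is an assumption.
SAMPLE_INCIDENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<incident>
  <incidentId>10422</incidentId><ruleId>5001</ruleId><vendor>AccelOps</vendor>
  <severity>HIGH</severity><organization>Super</organization><status>New</status>
  <repeatCount>3</repeatCount><name>Repeated logon failures</name>
  <description>Triggers on repeated logon failures by one user.</description>
  <displayTime>2016-03-01 14:05:12</displayTime>
  <incidentTarget><entry>
    <attribute>destIpAddr</attribute><name>Destination IP</name><value>10.1.1.5</value>
  </entry></incidentTarget>
  <incidentSource><entry>
    <attribute>srcIpAddr</attribute><name>Source IP</name><value>192.0.2.77</value>
  </entry></incidentSource>
  <incidentDetails>
    <entry><attribute>user</attribute><name>User</name><value>jdoe</value></entry>
    <entry><attribute>count</attribute><name>Count</name><value>25</value></entry>
  </incidentDetails>
  <affectedBizSrvc>Email,VPN</affectedBizSrvc>
  <deviceDetails><device>
    <ipAddr>10.1.1.5</ipAddr><hostName>mail01</hostName>
    <vendor>Microsoft</vendor><model>Windows Server</model><version>2012 R2</version>
    <users><user>
      <userName>jdoe</userName><fullName>Jane Doe</fullName>
      <email>jdoe@example.com</email><jobTitle>Analyst</jobTitle>
      <firstSeen>2016-03-01 08:00:00</firstSeen><lastSeen>2016-03-01 14:05:00</lastSeen>
    </user></users>
  </device></deviceDetails>
</incident>
"""


class InvalidNotification(ValueError):
    """Payload is malformed or fails field validation."""


def _children_as_dict(node):
    """Map each direct child's tag to its stripped text."""
    return {child.tag: (child.text or "").strip() for child in node}


def _entries(root, section):
    """attribute/name/value triples under incidentTarget, incidentSource or incidentDetails."""
    parent = root.find(section)
    return [] if parent is None else [_children_as_dict(e) for e in parent.findall("entry")]


def parse_incident(payload: bytes) -> dict:
    """Validate one notification body and return a normalized record."""
    # The endpoint receives untrusted network input, so refuse DTDs before
    # parsing: a crude but effective guard against entity-expansion and
    # external-entity payloads (use defusedxml where it is available).
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        raise InvalidNotification("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise InvalidNotification(f"malformed XML: {exc}") from exc
    if root.tag != "incident":
        raise InvalidNotification(f"unexpected root element <{root.tag}>")

    def text(tag):  # required, non-empty field
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise InvalidNotification(f"missing required field <{tag}>")
        return node.text.strip()

    severity, status = text("severity"), text("status")
    if severity not in SEVERITIES:
        raise InvalidNotification(f"unknown severity {severity!r}")
    if status not in STATUSES:
        raise InvalidNotification(f"unknown status {status!r}")
    try:
        repeat_count = int(text("repeatCount"))
    except ValueError as exc:
        raise InvalidNotification("repeatCount is not an integer") from exc

    # deviceDetails is optional: present only when AccelOps discovered the host.
    devices = []
    for dev in root.iterfind("deviceDetails/device"):
        dev_rec = {c.tag: (c.text or "").strip() for c in dev if c.tag != "users"}
        dev_rec["users"] = [_children_as_dict(u) for u in dev.iterfind("users/user")]
        devices.append(dev_rec)

    record = {tag: text(tag) for tag in ("incidentId", "ruleId", "vendor", "name", "displayTime")}
    record.update(
        severity=severity, status=status, repeatCount=repeat_count,
        organization=root.findtext("organization", "").strip(),
        description=root.findtext("description", "").strip(),
        affectedBizSrvc=[s.strip() for s in root.findtext("affectedBizSrvc", "").split(",") if s.strip()],
        deviceDetails=devices,
    )
    for section in ("incidentTarget", "incidentSource", "incidentDetails"):
        record[section] = _entries(root, section)
    return record
```

Two points a practitioner will care about when wiring this in: the same incidentId arrives more than once as its status moves through New, Update and Clear, so a downstream ticket should be keyed on incidentId rather than created per message; and any field outside the documented value sets (an unknown severity or status) is rejected rather than passed through, so a schema change on the AccelOps side shows up as a parse error instead of silently misrouted alerts.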

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).