FortiSIEM Incident XML File Format

Incident XML File Format

This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.

Example Incident XML File

XML Tag and Attribute Definitions

Example Incident XML File

<?xml version=”1.0″ encoding=”UTF-8″ ?> <incident incidentId=”5672″ ruleType=”PH_RULE_AUTO_SRVC_DOWN” severity=”10″ repeatCount=”1″ organization=”Super” status=”Cleared”>   <name>Auto Service Stopped</name>   <description>Detects that an automatically running service stopped.

Currently this works for windows servers and is detected via

WMI.</description>

<displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>

<incidentSource>

</incidentSource>

<incidentTarget>

<entry attribute=”hostIpAddr” name=”Host IP”>172.16.10.15</entry>

<entry attribute=”hostName” name=”Host Name”>QA-V-WIN03-ADS</entry>

</incidentTarget>

<incidentDetails>

<entry attribute=”serviceName” name=”OS Service

Name”>Spooler</entry>

<entry attribute=”servicePath” name=”OS Service

Path”>C:\WINDOWS\system32\spoolsv.exe</entry>

</incidentDetails>

<affectedBizSrvc>Auth Service</affectedBizSrvc>

<identityLocation>

</identityLocation>  <rawEvents>

[SrvcDown]

[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]= phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=1 72.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoo lsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=  </rawEvents>

</incident>

XML Tag and Attribute Definitions

XML Tag Attributes Description
<incident>
incidentID Unique id of the incident in AccelOps. You can search for the incident by using this ID.

 

ruleType Unique id of the rule in AccelOps
severity The severity of the incident, HIGH MEDIUM LOW
repeatCount How many times this incident has occurred
organization In multi-tenant deployments, the organization affected by the incident
status The status of the incident
<name> The name of the rule that triggered the incident
<description> The description of the rule that triggered the incident
<displayTime> The time when the incident occurred
<incidentSource> The source of the incident. It includes the event attributes associated with the source presented as name:value pairs. Common attributes for source and target tributes here are  srcIpAddr, de stIpAddr, hostIpAddr.
<incidentTarget> Where the incident occurred, or the target of an IPS alert. It includes the event attributes associated with the target presented as name:value pairs. Common attributes for source and target tributes here are  srcIpAddr, destIpAddr, hostIpAddr.
<incidentDetails> The event attributes associated with the rule definition that triggered the incident
<affectedBizSrvc> Any business services impacted by the event
<identityLocation> Information associated with the Identity and Location Report
<rawevents> The contents of the raw event log for the incident.

 

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Incident XML File Format

  1. Henrik

    HI there,

    I’m trying to integrate FortiSIEM with ServiceNow and I’m looking for a way to get the IncidenId value into ServiceNow form.

    I tried to edit the .xsl file called “ServiceNow-Incident-Insert.xsl” with:

    hoping to get the IncidentId into the correlation_id column in ServiceNow, but nothing gets written into ServiceNow form field. The incidenId is written into the work notes, but not into the form…

    Using the ServiceNow plugin, Do you know IF it is possible to edit the xsl file or if that’s just an example on what the .jar-file is building up in FortiSIEM?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.