FortiSIEM Using the Notification API

Using the Notification API

Applies To

General API Parameters

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

XML Schema

Sample Code

Sample XML Input File

Querying Incidents for the Last 2 Hours

Sample Python Script

Applies To

Enterprise and multitenant deployments.

General API Parameters

Methodology: REST API based. Make an HTTP(S) request with an input XML; an output XML is returned. Since the number of returned results can be large, the requester first gets the total number of results and then fetches the results one chunk at a time.

Request API Parameters

Input URL: https:///phoenix/rest/query/eventQuery

Input parameters: XML file containing the query parameters

Input credentials:

Enterprise deployments: username and password of any AccelOps account.

Multitenant deployments: username and password of the Super account to get incidents for all organizations. If incidents for a specific organization are needed, an organization-specific account and the organization name are required.

Output: queryId, or an error code if there is a problem handling the query or the query format.

Polling API Parameters

The request polls until the server completes the query.

Input URL: https:///phoenix/rest/query/progress/

Output: progress (pct)

Keep polling the server until progress reaches 100, at which point the server has completed the query. The server may need to aggregate the results or insert meta-information before it can send them.

Results API Parameters

Input URL: https:///phoenix/rest/query/events///

Output: totalCount (first call) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. Keep querying the server with the same URL, increasing begin and end each time, until totalCount is reached.

Sample XML Output

 Incidents Report Output

XML Schema

The AccelOps AONotification.xsd file shows the XML schema for incident notifications.

Sample Code

Sample XML Input File

Sample Python Script

<script name>.py Script Usage

Sample query:

python GetIncidentsByOrg.py 172.16.20.210 "super/admin" "admin*1" SoftwareAB

The Super user must be stated explicitly in organization/user format, for example "super/admin" rather than just "admin".
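The sample script itself is not reproduced on this page, so the following is an added example (not the guide's GetIncidentsByOrg.py) that implements the three-step flow described above: submit the XML query, poll progress until it reaches 100, then page through results until totalCount is reached. It assumes HTTP Basic authentication, a numeric queryId in the response body, a bare percentage from the progress endpoint and a totalCount attribute on the result root; the query XML body is passed through as an opaque string because its schema is not shown on this page.

```python
import base64
import time
import urllib.request
import xml.etree.ElementTree as ET

def basic_auth_header(user, password):
    # Assumption: HTTP Basic auth; "org/user" is passed unchanged for multitenant Super access.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def urllib_transport(method, url, headers, body=None):
    # Default live transport. A fake with the same signature can be injected to run offline.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def fetch_incidents(host, user, password, query_xml, transport=urllib_transport,
                    chunk=1000, poll_interval=1.0, max_polls=600, record_tag="event"):
    """Submit the query, poll until complete, then page results; returns record elements."""
    base = f"https://{host}/phoenix/rest/query"
    hdrs = basic_auth_header(user, password)
    # Step 1: POST the query XML; the response body is the queryId or an error code.
    query_id = transport("POST", f"{base}/eventQuery",
                         {**hdrs, "Content-Type": "text/xml"}, query_xml.encode()).strip()
    if not query_id.isdigit():  # assumption: a non-numeric body means the query was rejected
        raise RuntimeError(f"query rejected: {query_id}")
    # Step 2: keep polling until progress reaches 100; give up after max_polls attempts.
    for _ in range(max_polls):
        pct = transport("GET", f"{base}/progress/{query_id}", hdrs).strip()
        if float(pct) >= 100:  # assumption: the progress endpoint returns a bare percentage
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"query {query_id} still running after {max_polls} polls")
    # Step 3: fetch [begin, end) chunks, advancing begin and end until totalCount is reached.
    records, begin, total = [], 0, None
    while total is None or begin < total:
        end = begin + chunk
        root = ET.fromstring(transport("GET", f"{base}/events/{query_id}/{begin}/{end}", hdrs))
        if total is None:
            total = int(root.get("totalCount", "0"))  # assumption: attribute on the root element
        records.extend(root.iter(record_tag))
        begin = end
    return records
```

Call it as fetch_incidents("172.16.20.210", "super/admin", "admin*1", open("query.xml").read()) to mirror the sample query above; the returned elements carry the incident attributes from the result XML.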

External Help desk / CMDB Integration

Currently AccelOps has built-in support for ServiceNow and ConnectWise for CMDB and two-way incident integration. Other systems can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI. The document is available on the AccelOps support portal under the AccelOps ServiceAPI section.

External Threat Intelligence Integration

New external threat intelligence websites can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI. The document is available on the AccelOps support portal under the AccelOps ServiceAPI section.

License Registration

Worker registration

Collector registration

AccelOps License registration

Worker registration

Methodology: run this command from the Super to add or delete a Worker.

Usage: the command is located at /opt/phoenix/deployment/jumpbox. Run the commands from Super.

Add a Worker to Super: phProvisionWorker --add <user> <password> <super> <worker>

Remove a Worker from Super: phProvisionWorker --delete <user> <password> <super> <worker>

Input parameters:

user: username of an admin account that can log on to the GUI
password: password of that admin account
super: Supervisor IP address or FQDN
worker: Worker IP address or FQDN

Output: none
Collector registration

Methodology: run this command to add or delete a Collector.

Add a Collector to Super (run this command from the Collector):

Usage: /opt/phoenix/bin/phProvisionCollector --add <user> <password> <super> <organization> <collector>

Remove a Collector from Super (run this command from Super):

Usage: /opt/phoenix/bin/phProvisionCollector --delete <user> <password> <super> <organization> <collector>

Input parameters:

user: username of an admin account that can log on to the GUI
password: password of that admin account
super: Supervisor IP address or FQDN
organization: organization name (SP), or Super (Enterprise)
collector: Collector IP address or FQDN

Output: none
Sample interaction:

[root@Super171]# cd /opt/phoenix/deployment/jumpbox

[root@Super171]# phProvisionCollector --delete admin admin*1 10.10.110.171 test-org 10.10.110.172

Continue the provision process…

Deleting Collector: 10.10.110.172 from Super: 10.10.110.171 with Organization: test-org

Sucessfully done.

AccelOps License registration

Methodology: download the license from AccelOps.

Usage: run this command from Super as root.

Usage: /pbin/phdownloadlicense <user> <password> <ao-license-server>

Input parameters:

user: username for obtaining the license
password: password for obtaining the license
ao-license-server: AccelOps license server host name

Output: none

Sample interaction:

[root@sp161 pbin]# phdownloadlicense rstest rstest va-reg.accelops.net

Retrieving Information …

New license file has been retrieved. You may use phinstalllicense to install the new license.

Methodology: install the downloaded license as root.

Usage: run this command from Super as root.

Usage: /pbin/phinstalllicense

Input parameters: none

Output: none

Sample interaction:

[root@sp161 pbin]# phinstalllicense

The process of installing a license will disrupt AccelOps services. Do you want to start the installation at this time ?

[yes/no] : yes

Installing license …

Number of Licensed VA(s) = 10

Number of Running Worker(s) = 0

Exiting from worker provision …

[root@sp161 pbin]# phLicenseTool --verify

license matched

[root@sp161 pbin]# phLicenseTool --show

Report License: workers=9; citems=5000; eps=10000;storage=10737418240000; starttime=1399878000; endtime=1447398000; mode=1; rsOrg=111; rsExp=1432796400; SP=1; organizationNum=10; country=; customerId=1086; customerName=rstest; collectors=5; devicesupport=1; basicAgents=1; advancedAgents=1; profile=0

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on "FortiSIEM Using the Notification API"

  1. Ryan

    I stumbled onto your site and thought I'd post a reply (even though I usually don't post things on forums). Thanks for setting this up and spending your time to educate others. I have a new FortiSIEM environment and completed the 3 day FortiSIEM training (if you want to call it that). Any help, tips, videos etc on how to tame this SIEM beast would be helpful.
