Working with Cases

FortiSIEM allows you to create and assign cases for IT infrastructure tasks, and to create tickets. You can see all tickets that have been created under the CASES tab and use the filter controls to view tickets by assignee, organization, priority, and other attributes.

You can also configure FortiSIEM and Remedy system so that Remedy will take tickets created by incident notification actions.

Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications

Before configuring Remedy to accept tickets, make sure you have configured the Remedy Notifications under ADMIN > General Settings > Analytics > Remedy Notification in FortiSIEM.

  1. In Remedy, create a new form, FortiSIEM_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
  2. When you have defined the fields in the form, right-click on the field and select the Data Type that corresponds to the incident attribute.
  3. After setting the form field data type, click in the form field again to set the Label for the field.
  4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
  5. For Base Form, enter FortiSIEM_Incident_Interface.
  6. Click the WSDL tab.
  7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/FortiSIEM_Incident_Interface.
  8. Click the Permissions tab and select Public.
  9. Click Save.

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7 above, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.

Incident Attributes for Defining Remedy Forms

Incident Attribute          Data type                 Description
biz_service                 text                      Name of the business services affected by this incident
cleared_events              text                      Events which cleared the incident
cleared_reason              text                      Reason for clearing the incident, if it was cleared
cleared_time                bigint                    Time at which the incident was cleared
cleared_user                character varying(255)    User who cleared the incident
comments                    text                      Comments
cust_org_id                 bigint                    Organization id to which the incident belongs
first_seen_time             bigint                    Time when the incident occurred for the first time
last_seen_time              bigint                    Time when the incident occurred for the last time
incident_count              integer                   Number of times the incident triggered between the first and last seen times
incident_detail             text                      Incident detail attributes that are not included in incident_src and incident_target
incident_et                 text                      Incident event type
incident_id                 bigint                    Incident id
incident_src                text                      Incident source
incident_status             integer                   Incident status
incident_target             text                      Incident target
notif_recipients            text                      Incident notification recipients
notification_action_status  text                      Incident notification status
orig_device_ip              text                      Originating/reporting device IP
ph_incident_category        character varying(255)    FortiSIEM defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id                     bigint                    Rule id
severity                    integer                   Incident severity, 0 (lowest) - 10 (highest)
severity_cat                character varying(255)    LOW (0-4), MEDIUM (5-8), HIGH (9-10)
ticket_id                   character varying(2048)   Id of the ticket created in FortiSIEM
ticket_status               integer                   Status of the ticket created in FortiSIEM
ticket_user                 character varying(1024)   Name of the user to which the ticket is assigned in FortiSIEM
view_status                 integer                   View status
view_users                  text                      View users
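As an added example (not part of the FortiSIEM or Remedy documentation), the following Python checker validates an incident record against the field types in the table above before it is handed to the Remedy web service, catching values that would be truncated by a character varying length, integers outside the form field's range, a severity_cat that does not match the severity band, and fields the FortiSIEM_Incident_Interface form does not define. The field groupings are transcribed from the table; the function names are this example's own.

```python
# Field types transcribed from the attribute table above (this helper is constructed, not product code).
TEXT = {"biz_service", "cleared_events", "cleared_reason", "comments",
        "incident_detail", "incident_et", "incident_src", "incident_target",
        "notif_recipients", "notification_action_status", "orig_device_ip",
        "view_users"}
BIGINT = {"cleared_time", "cust_org_id", "first_seen_time", "last_seen_time",
          "incident_id", "rule_id"}
INTEGER = {"incident_count", "incident_status", "severity", "ticket_status",
           "view_status"}
VARCHAR = {"cleared_user": 255, "ph_incident_category": 255,
           "severity_cat": 255, "ticket_id": 2048, "ticket_user": 1024}
INT_RANGE = {"integer": (-2**31, 2**31 - 1), "bigint": (-2**63, 2**63 - 1)}
CATEGORIES = {"Network", "Application", "Server", "Storage", "Environmental",
              "Virtualization", "Internal", "Other"}

def severity_category(severity):
    """Map a 0-10 severity to the severity_cat band from the table."""
    if 0 <= severity <= 4:
        return "LOW"
    if 5 <= severity <= 8:
        return "MEDIUM"
    if 9 <= severity <= 10:
        return "HIGH"
    raise ValueError("severity must be between 0 and 10")

def validate_incident(record):
    """Return the list of problems found; an empty list means the record fits the form."""
    problems = []
    for name, value in record.items():
        if name in TEXT or name in VARCHAR:
            if not isinstance(value, str):
                problems.append(f"{name}: expected a string")
            elif name in VARCHAR and len(value) > VARCHAR[name]:
                problems.append(f"{name}: longer than {VARCHAR[name]} characters")
        elif name in BIGINT or name in INTEGER:
            lo, hi = INT_RANGE["bigint" if name in BIGINT else "integer"]
            if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
                problems.append(f"{name}: out of range for the form field")
        else:
            problems.append(f"{name}: not a field of FortiSIEM_Incident_Interface")
    sev = record.get("severity")
    if isinstance(sev, int) and 0 <= sev <= 10:
        if record.get("severity_cat") != severity_category(sev):
            problems.append("severity_cat: does not match severity band")
    elif "severity" in record:
        problems.append("severity: must be 0 (lowest) to 10 (highest)")
    cat = record.get("ph_incident_category")
    if cat is not None and cat not in CATEGORIES:
        problems.append("ph_incident_category: not a FortiSIEM defined category")
    return problems
```

Run it over each record before submission; any non-empty result means Remedy would either reject the record or silently truncate a field.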

The following topics provide instructions for ticket-related operations: