Working with Cases
FortiSIEM lets you create and assign cases for IT infrastructure tasks and create tickets. All tickets that have been created are listed under the CASES tab, where filter controls let you view tickets by assignee, organization, priority, and other attributes.
You can also configure FortiSIEM and the Remedy system so that Remedy accepts tickets created by incident notification actions.
Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications
Before configuring Remedy to accept tickets, make sure you have configured the Remedy Notifications under ADMIN > General Settings > Analytics > Remedy Notification in FortiSIEM.
1. In Remedy, create a new form, FortiSIEM_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
2. When you have defined the fields in the form, right-click each field and select the Data Type that corresponds to the incident attribute.
3. After setting the form field data type, click in the form field again to set the Label for the field.
4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
5. For Base Form, enter FortiSIEM_Incident_Interface.
6. Click the WSDL tab.
7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/FortiSIEM_Incident_Interface
8. Click the Permissions tab and select Public.
9. Click Save.
You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7 above, substituting the Remedy server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful. If you get a login prompt or an error page instead, re-check the form name and the Permissions setting from step 8.
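A scripted version of that browser check, added here as an example and not part of the FortiSIEM or Remedy documentation. It builds the WSDL Handler URL from step 7, fetches it, confirms the response is a WSDL document rather than a login or error page, and reports which of the incident attributes from the table below the form does not declare. The embedded sample WSDL is constructed for the example (it deliberately omits two fields); the host and form names are the placeholders from the procedure, and the field comparison assumes Remedy exposes each form field as an xsd:element named after the field.

```python
"""Verify that a Remedy mid-tier serves the FortiSIEM_Incident_Interface WSDL
and that the form carries every incident attribute FortiSIEM will send.
Added example; not FortiSIEM or Remedy code."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Incident attributes from the table in this topic; each must exist as a form field.
EXPECTED_FIELDS = [
    "biz_service", "cleared_events", "cleared_reason", "cleared_time", "cleared_user",
    "comments", "cust_org_id", "first_seen_time", "last_seen_time", "incident_count",
    "incident_detail", "incident_et", "incident_id", "incident_src", "incident_status",
    "incident_target", "notif_recipients", "notification_action_status", "orig_device_ip",
    "ph_incident_category", "rule_id", "severity", "severity_cat", "ticket_id",
    "ticket_status", "ticket_user", "view_status", "view_users",
]

XSD_NS = "{http://www.w3.org/2001/XMLSchema}"


def wsdl_url(midtier_server, servername="localhost", form="FortiSIEM_Incident_Interface"):
    """The WSDL Handler URL from step 7, with the placeholders filled in."""
    return f"http://{midtier_server}/arsys/WSDL/public/{servername}/{form}"


def fetch(url, timeout=10):
    """Plain HTTP GET; a Public web service is served without credentials."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def looks_like_wsdl(data):
    """True only if the body parses as XML and its root is a WSDL <definitions>.
    A mid-tier login page or error page is HTML (or not well-formed), so this is False."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag.rsplit("}", 1)[-1] == "definitions"


def declared_elements(data):
    """Names of every xsd:element in the WSDL's <types> schema.
    Assumption: Remedy exposes each form field as an element named after the field."""
    root = ET.fromstring(data)
    return {el.get("name") for el in root.iter(XSD_NS + "element") if el.get("name")}


def missing_fields(data, expected=EXPECTED_FIELDS):
    """Expected attributes that the form does not declare, in table order."""
    present = declared_elements(data)
    return [name for name in expected if name not in present]


def check(data):
    """Return (ok, message) for one WSDL response body."""
    if not looks_like_wsdl(data):
        return False, "response is not a WSDL document (login page, error, or wrong URL?)"
    gaps = missing_fields(data)
    if gaps:
        return False, "form is missing fields: " + ", ".join(gaps)
    return True, "WSDL served and all %d incident attributes present" % len(EXPECTED_FIELDS)


# Constructed sample WSDL (not captured from a real mid-tier). The form is missing
# cleared_user and view_users, which is the kind of gap this check should catch.
SAMPLE_WSDL = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"'
    b' xmlns:xsd="http://www.w3.org/2001/XMLSchema"'
    b' targetNamespace="urn:FortiSIEM_Incident_Interface">\n'
    b'  <types>\n'
    b'    <xsd:schema targetNamespace="urn:FortiSIEM_Incident_Interface">\n'
    + b"".join(b'      <xsd:element name="%s" type="xsd:string"/>\n' % f.encode()
               for f in EXPECTED_FIELDS if f not in ("cleared_user", "view_users"))
    + b'    </xsd:schema>\n  </types>\n</definitions>\n'
)


if __name__ == "__main__":
    # Usage: python check_remedy_wsdl.py <midtier_server> [<servername>]
    # With no arguments it runs offline against the constructed sample.
    if len(sys.argv) < 2:
        body = SAMPLE_WSDL
    else:
        body = fetch(wsdl_url(sys.argv[1], *sys.argv[2:3]))
    ok, msg = check(body)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it with the mid-tier address after the Remedy steps are complete; a non-zero exit means either the WSDL is not being served (wrong form name, or the web service is not Public) or the form was created without some attribute from the table, which would make FortiSIEM's notification fail for that field. Because step 8 makes the web service Public, the same URL is readable by anyone who can reach the mid-tier, so the script sends no credentials.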
Incident Attributes for Defining Remedy Forms
Incident Attribute | Data type | Description |
---|---|---|
biz_service | text | Name of the business services affected by this incident |
cleared_events | text | Events which cleared the incident |
cleared_reason | text | Reason for clearing the incident if it was cleared |
cleared_time | bigint | Time at which the incident was cleared |
cleared_user | character varying(255) | User who cleared the incident |
comments | text | Comments |
cust_org_id | bigint | Organization id to which the incident belongs |
first_seen_time | bigint | Time when the incident occurred for the first time |
last_seen_time | bigint | Time when the incident occurred for the last time |
incident_count | integer | Number of times the incident triggered between the first and last seen times |
incident_detail | text | Incident Detail attributes that are not included in incident_src and incident_target |
incident_et | text | Incident Event type |
incident_id | bigint | Incident Id |
incident_src | text | Incident Source |
incident_status | integer | Incident Status |
incident_target | text | Incident Target |
notif_recipients | text | Incident Notification recipients |
notification_action_status | text | Incident Notification Status |
orig_device_ip | text | Originating/Reporting device IP |
ph_incident_category | character varying(255) | FortiSIEM defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other |
rule_id | bigint | Rule id |
severity | integer | Incident Severity 0 (lowest) - 10 (highest) |
severity_cat | character varying(255) | LOW (0-4), MEDIUM (5-8), HIGH (9-10) |
ticket_id | character varying(2048) | Id of the ticket created in FortiSIEM |
ticket_status | integer | Status of ticket created in FortiSIEM |
ticket_user | character varying(1024) | Name of the user to which the ticket is assigned to in FortiSIEM |
view_status | integer | View status |
view_users | text | View users |
The following topics provide instructions for ticket-related operations: