External System Integration Settings

This tab allows you to integrate devices and incidents with external CMDB and help desk/workflow systems. You can also write your own plug-ins to support other systems.

This section provides the procedures to configure External Systems Integration.

Proxy Settings

If you want the communication between the FortiSIEM Supervisor and the external system to go through a proxy, complete the following steps:

  1. Login to Supervisor as admin.
  2. Go to the glassfish configuration directory: /opt/glassfish/domains/domain1/config.
  3. Add proxy server information to the domain.xml file:

    <jvm-options>-Dhttp.proxyHost=172.30.57.100</jvm-options>

    <jvm-options>-Dhttp.proxyPort=3128</jvm-options>

    <jvm-options>-Dhttp.proxyUser=foo</jvm-options>

    <jvm-options>-Dhttp.proxyPassword=password</jvm-options>

  4. Restart glassfish.
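A read-only check for the proxy block added in step 3, given here as an added example (not Fortinet code): it parses domain.xml, checks that the proxy options are consistent, and flags a file mode that lets group or other users read the plain-text proxy password. The sample XML is constructed and cut down, and the function names are assumptions of this example.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down domain.xml holding the four options from step 3.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config"><java-config>
    <jvm-options>-Dhttp.proxyHost=172.30.57.100</jvm-options>
    <jvm-options>-Dhttp.proxyPort=3128</jvm-options>
    <jvm-options>-Dhttp.proxyUser=foo</jvm-options>
    <jvm-options>-Dhttp.proxyPassword=password</jvm-options>
  </java-config></config></configs>
</domain>"""

PREFIX = "-Dhttp."


def proxy_options(xml_text):
    """Collect -Dhttp.proxy* settings from every <jvm-options> element."""
    found = {}
    for el in ET.fromstring(xml_text).iter("jvm-options"):
        text = (el.text or "").strip()
        if text.startswith(PREFIX + "proxy") and "=" in text:
            key, value = text[len(PREFIX):].split("=", 1)
            found[key] = value
    return found


def audit(xml_text, file_mode):
    """Return a list of findings for the proxy block and the file's mode bits."""
    opts = proxy_options(xml_text)
    findings = []
    if opts and "proxyHost" not in opts:
        findings.append("proxy options present without proxyHost")
    port = opts.get("proxyPort")
    if port is not None and not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append("proxyPort is not a valid TCP port: %r" % port)
    if ("proxyUser" in opts) != ("proxyPassword" in opts):
        findings.append("proxyUser and proxyPassword are not set as a pair")
    # The password sits in the file as plain text, so anyone who can read
    # the file can read the proxy credential.
    if "proxyPassword" in opts and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("proxy password readable by group/other (mode %o)"
                        % stat.S_IMODE(file_mode))
    return findings


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), audit(SAMPLE_DOMAIN_XML, mode) or "ok")
```

To check a live Supervisor, pass the contents of /opt/glassfish/domains/domain1/config/domain.xml and the `st_mode` returned by `os.stat()` for that file.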

Setting up External System Integration

FortiSIEM integration creates a two-way linkage between FortiSIEM and external ticketing/workflow systems like ServiceNow, ConnectWise and Salesforce. The integration can be for Incidents and CMDB.

This involves two steps:

  1. Create an integration.
  2. Attach the integration to an Incident Notification Policy or run the integration on a schedule.

Four types of integrations are supported:

  • Incident Outbound Integration: This creates a ticket in an external ticketing system from FortiSIEM incidents.
  • Incident Inbound Integration: This updates FortiSIEM incident ticket state from external system ticket states. Specifically, when a ticket is closed in the external ticketing system, the incident is cleared in FortiSIEM and the ticket status is marked closed to synchronize with the external ticketing system.
  • CMDB Outbound Integration: This populates an external CMDB from FortiSIEM CMDB.
  • CMDB Inbound Integration: This populates FortiSIEM CMDB from an external CMDB.

FortiSIEM provides a Java-based API that can be used to integrate with ticketing systems. Out-of-the-box integration is available for ServiceNow, ConnectWise, Salesforce, RiskIQ, VirusTotal, and Jira. Integration with other systems can be built using the API. Contact Fortinet support for assistance.

See the following sections to set up External Systems Integration:

Configuring external helpdesk systems for FortiSIEM integration

This section specifies how to configure the out of the box external ticketing systems for FortiSIEM integration.

Configuring ServiceNow

  1. Login to ServiceNow.
  2. For Service Provider Configurations, create Companies by creating Company Name.

Configuring ConnectWise

  1. Login to ConnectWise MANAGE.
  2. Go to Setup Tables > Integrator Login List.
  3. Create a new Integrator Login for FortiSIEM:
    1. Enter Username.
    2. Enter Password.
    3. Set Access Level to Records created by integrator.
    4. Enable Service Ticket API for Incident Integration.
    5. Enable Configure API for CMDB Integration.
  4. For Service Provider Configurations, create Companies by creating:
    1. Company Name
    2. Company ID

Configuring Salesforce for FortiSIEM Integration

  1. Login to Salesforce.
  2. Create a custom domain.
  3. For Service Provider Configurations, create Service App > Accounts.
    FortiSIEM will use the Account Name.

Incident Outbound Integration

This creates a ticket in an external ticketing system when an incident triggers in FortiSIEM. Built-in integrations are available for ServiceNow, ConnectWise and Salesforce.

The steps are:

  1. Create an Incident Outbound integration.
  2. Link the integration to one or more Incident Notification Policies.
  3. When an incident triggers, the notification policy will be invoked and a ticket will be created in the external system.

Create an Incident Outbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.

    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example if you had 2 ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems).
    1. For ServiceNow, select the login URL.
    2. For ConnectWise, select the login URL.
    3. For Salesforce:
      1. Login to Salesforce.
      2. Go to Setup > Settings.
      3. Use the Custom URL under My Domain; typically it is xyz.my.salesforce.com
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
    1. For ServiceNow, select the login credentials.
    2. For ConnectWise, select the credentials created in Step 3.
    3. For Salesforce, select the login credentials.
  9. For Incidents Comments Template, specify the formatting of the incident fields.
  10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
    1. For ServiceNow, select the Company names as in Step 2.
    2. For ConnectWise, select the Company name in Step 4.
    3. For Salesforce:
      1. Go to Service App > Accounts.
      2. Use Account Name.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. Click Save.

Link the integration to one or more Incident Notification Policies

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Incidents > Incident Notification Policy.
  3. Create a new policy or edit an existing policy.
  4. Select Actions > Invoke an Integration Policy and choose a specific integration.
  5. Click Save.

Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for ServiceNow, ConnectWise and Salesforce.

The steps are:

  1. Create an Incident Inbound integration.
  2. Create a schedule for automatically running the Incident Inbound integration.
  3. This will update the FortiSIEM incident state and clear the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.

    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example if you had 2 ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems).
    1. For ServiceNow, select the login URL.
    2. For ConnectWise, select the login URL.
    3. For Salesforce:
      1. Login to Salesforce.
      2. Go to Setup > Settings.
      3. Use the custom URL under My Domain – typically it is xyz.my.salesforce.com
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
    1. For ServiceNow, select the login credentials.
    2. For ConnectWise, select the credentials created in Step 3.
    3. For Salesforce, select the login credentials.
  9. For Time Window, select the number of hours for which incident states will be synched. For example, if the time window is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
  10. Click Save.

Step 2: Create an Incident Inbound integration schedule

This will update the following FortiSIEM incident fields when the ticket state is updated in the external ticketing system:

  • External Ticket State
  • Ticket State
  • External Cleared Time
  • External Resolve Time

Follow these steps:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policy.
    2. Select a schedule.

CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built-in integrations are available for ServiceNow, ConnectWise and Salesforce.

Step 1: Create a CMDB Outbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.

    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example if you had 2 ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems).
    1. For ServiceNow, select the login URL.
    2. For ConnectWise, select the login URL.
    3. For Salesforce:
      1. Login to Salesforce.
      2. Go to Setup > Settings.
      3. Use the Custom URL under My Domain; typically it is xyz.my.salesforce.com
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
    1. For ServiceNow, select the login credentials.
    2. For ConnectWise, select the credentials created in Step 3.
    3. For Salesforce, select the login credentials.
  9. Enter the Maximum number of devices to send to the external system.
  10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
    1. For ServiceNow, select the Company names as in Step 2.
    2. For ConnectWise, select the Company name in Step 4.
    3. For Salesforce:
      1. Go to Service App > Accounts.
      2. Use Account Name.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
  13. For ConnectWise, it is possible to define a Content Mapping.
    1. Enter Column Mapping values:
      1. To add a new mapping, click on the + button.
      2. Choose FortiSIEM CMDB attribute as the Source Column.
      3. Enter external (ConnectWise) attribute as the Destination Column.
      4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in Data Mapping definitions.
      5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping values:
      1. Choose the (Destination) Column Name.
      2. Enter From as the value in FortiSIEM.
      3. Enter To as the value in ConnectWise.
  14. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  15. Click Save.

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

  1. Create an integration policy.
  2. Make sure Run after Discovery is checked.
  3. Click Save.

Updating external CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Select a specific integration policy and click Run.

CMDB Inbound Integration

CMDB Inbound Integration populates FortiSIEM CMDB from an external CMDB.

Step 1: Create a CMDB Inbound integration

You need to have created a CSV file for mapping the contents of the external database to a location on your FortiSIEM Supervisor, which will be periodically updated based on the schedule you set.

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Inbound.
  6. Select the Vendor of the external system you want to connect to.
  7. Enter the File Path to the CSV file. 
  8. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.

    For example, if the source CSV has a column IP, and you want to map that to the column Device IP in the CMDB, you would enter IP for Source Column, and select Device IP for Destination Column.
    1. Enter Source CSV column Name for Source Column.
    2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist.
      1. Enter a name for the Destination Column of the property in the CMDB.
      2. Select a Property type.
      3. Enter the Display Name for the property.
      4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
    3. If the property exists in the CMDB, select FortiSIEM CMDB attribute for Destination Column.
    4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
    5. Click OK.
  9. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.

    For example, if you wanted to change all instances of California in the entries for the State attribute in the external system to CA in the destination CMDB, you would select the State attribute, enter California for From and CA for To.
  10. Click OK.
  11. Click Save.

Step 2: Create a CMDB Inbound integration schedule

Updating FortiSIEM CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating FortiSIEM CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > General Settings > Integration.
  3. Select a specific integration policy and click Run.

Modifying an External System Integration

Follow the procedure below to modify an External System Integration.

  1. Go to ADMIN > General Settings > Integration tab.
  2. Use the below options to modify an External System Integration setting.

    Settings    Guidelines
    Edit        To edit an External System Integration setting.
    Delete      To delete an External System Integration setting.
  3. Click Save.