Ingesting JSON Formatted Events Received via HTTP(S) POST

FortiSIEM can receive, parse, and store JSON formatted events received via HTTP(S) POST. Follow these steps to implement this.

  1. Configure the FortiSIEM node with the HTTPS credential used to receive the HTTP(S) POST events.
    1. Identify the FortiSIEM node that will receive the events. Most likely, this will be the Collector.
    2. SSH to the Collector and create the credential with: htpasswd -b /etc/httpd/accounts/passwds <user> <password>
  2. Modify the built-in JSON parser to parse the event attributes and set the Event Type.
    1. Log in to the Supervisor.
    2. Go to ADMIN > Device Support > Parsers.
    3. Clone PHCustomJSONParser.xml and change the clone so that the additional event attributes are parsed.
    4. Validate, Test, and Save the parser.
    5. Click Apply All to deploy the parser changes.
  3. Make sure the events are pushed to the FortiSIEM node, using the credential from Step 1, via this REST API:

    https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>

    where FSMNodeName is the resolvable host name or FQDN of the node from Step 1. The query parameters Reporting Vendor (vendor), Reporting Model (model), Reporting IP (reptIp), and Reporting Device (reptName, set to the reporting host name) are needed to create the CMDB entry for the device and to populate its events.

  4. Query the events by the Reporting Device name or IP used in Step 3 and the Event Type set by the parser cloned in sub-step 3 of Step 2.
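The following client is an added example of Step 3, not FortiSIEM code and not part of the original page: it builds the /rawupload URL, attaches the HTTP basic credential created with htpasswd in Step 1, and POSTs one JSON event. The host name, user name, password, vendor and model strings, and the event attributes are constructed placeholders; the only values taken from the page are the /rawupload path and the four query parameter names. The query values are percent-encoded so a vendor or model name containing a space or an ampersand cannot corrupt the query string, and TLS certificate verification is kept on (pass a PEM bundle when the Collector uses a private CA).

```python
"""Added example (not FortiSIEM's own code): POST a JSON event to the
/rawupload endpoint with the HTTP basic credential created by htpasswd.
Host name, credential, vendor/model and event content are constructed."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

RAWUPLOAD_PATH = "/rawupload"  # endpoint path from the procedure above


def build_rawupload_url(node, vendor, model, rept_ip, rept_name):
    """Build https://<node>/rawupload?vendor=..&model=..&reptIp=..&reptName=..
    urlencode percent-encodes each value, so spaces or '&' in a vendor or
    model name cannot break the query or spill into another parameter."""
    query = urllib.parse.urlencode(
        {"vendor": vendor, "model": model, "reptIp": rept_ip, "reptName": rept_name}
    )
    return f"https://{node}{RAWUPLOAD_PATH}?{query}"


def basic_auth_header(user, password):
    """Authorization header value for the htpasswd account on the Collector."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(node, user, password, vendor, model, rept_ip, rept_name, event):
    """Return a ready-to-send urllib Request carrying one JSON event.
    `event` is a dict; json.dumps guarantees the body is well-formed JSON,
    which is what the cloned PHCustomJSONParser expects to receive."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return urllib.request.Request(
        build_rawupload_url(node, vendor, model, rept_ip, rept_name),
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(user, password),
            "Content-Type": "application/json",
        },
    )


def send(req, ca_file=None):
    """Deliver the request over TLS and return the HTTP status code.
    ca_file is an optional PEM bundle for a private CA; verification stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample event; the attribute names are illustrative and are
    # not a FortiSIEM schema. Map them in the cloned parser from Step 2.
    sample_event = {"eventType": "App-Login-Success", "user": "alice", "srcIp": "10.0.0.5"}
    req = build_request(
        "collector.example.net",  # placeholder for <FSMNodeName>
        "fsmpost", "REPLACE-ME",  # placeholder htpasswd user and password
        "Example Vendor", "Example App", "10.0.0.5", "app-host-01",
        sample_event,
    )
    print(req.full_url)
    print(req.get_header("Authorization"))
    # send(req) would deliver the event; it is left out so the script runs offline.
```

Run it once with send(req) enabled against the Collector and then confirm the event appears in Analytics under the Reporting Device from Step 3; if the POST returns an authentication failure, the account name or password does not match the entry written to /etc/httpd/accounts/passwds in Step 1.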