System Integration Settings

This tab allows you to integrate devices and incidents with external CMDB and helpdesk/workflow systems. You can also write your own plugins to support other systems.

This section provides the procedures to configure External Systems Integration.

Proxy Settings

If you want the communication between the FortiSIEM Supervisor and the external system to go through a proxy, complete the following steps:

  1. Login to Supervisor as admin.
  2. Go to the glassfish configuration directory: /opt/glassfish/domains/domain1/config.
  3. Add proxy server information to the domain.xml file:

    <jvm-options>-Dhttp.proxyHost=172.30.57.100</jvm-options>
    <jvm-options>-Dhttp.proxyPort=3128</jvm-options>
    <jvm-options>-Dhttp.proxyUser=foo</jvm-options>
    <jvm-options>-Dhttp.proxyPassword=password</jvm-options>

  4. Restart glassfish.
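As an added check that is not part of the FortiSIEM documentation, the following Python helper writes the four proxy jvm-options from step 3 into a GlassFish domain.xml exactly once (re-running it replaces rather than duplicates them) and reads them back so the result can be verified before the restart in step 4. The embedded domain.xml is a constructed minimal sample; on a real Supervisor the input would be the file from step 2, /opt/glassfish/domains/domain1/config/domain.xml.

```python
"""Set and verify the http.proxy* jvm-options in a GlassFish domain.xml.

Constructed helper, not part of FortiSIEM. The sample XML below is a minimal
stand-in for /opt/glassfish/domains/domain1/config/domain.xml and contains
only the elements this helper touches.
"""
import xml.etree.ElementTree as ET

# Constructed sample with the same nesting as GlassFish's domain.xml.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <java-config classpath-suffix="">
        <jvm-options>-Xmx2048m</jvm-options>
        <jvm-options>-Dfile.encoding=UTF-8</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""

# The four options the procedure adds. The proxy password ends up in clear
# text in domain.xml, so the file's permissions are part of the setup.
PROXY_KEYS = ("http.proxyHost", "http.proxyPort",
              "http.proxyUser", "http.proxyPassword")


def _java_config(root, config_name):
    """Locate <java-config> under the named <config>; raise if it is missing."""
    jc = root.find(f"./configs/config[@name='{config_name}']/java-config")
    if jc is None:
        raise ValueError(f"no java-config element for config {config_name!r}")
    return jc


def _system_property(option_text):
    """Split '-Dkey=value' into (key, value); return None for other options."""
    text = (option_text or "").strip()
    if not text.startswith("-D") or "=" not in text:
        return None
    key, value = text[2:].split("=", 1)
    return key, value


def read_proxy_options(xml_text, config_name="server-config"):
    """Return {key: value} for every http.proxy* jvm-option currently present."""
    jc = _java_config(ET.fromstring(xml_text), config_name)
    found = {}
    for opt in jc.findall("jvm-options"):
        prop = _system_property(opt.text)
        if prop and prop[0] in PROXY_KEYS:
            found[prop[0]] = prop[1]
    return found


def ensure_proxy_options(xml_text, host, port, user=None, password=None,
                         config_name="server-config"):
    """Return domain.xml text with the proxy jvm-options set exactly once.

    Existing http.proxy* entries are removed before the new ones are written,
    so calling this twice never duplicates options. host and port are checked
    first so a typo cannot leave GlassFish pointing at an unusable proxy.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"proxy port out of range: {port}")
    if not host or any(ch.isspace() for ch in host):
        raise ValueError(f"invalid proxy host: {host!r}")

    root = ET.fromstring(xml_text)
    jc = _java_config(root, config_name)
    for opt in list(jc.findall("jvm-options")):
        prop = _system_property(opt.text)
        if prop and prop[0] in PROXY_KEYS:
            jc.remove(opt)

    wanted = {"http.proxyHost": host, "http.proxyPort": str(port)}
    if user is not None:
        wanted["http.proxyUser"] = user
    if password is not None:
        wanted["http.proxyPassword"] = password
    for key, value in wanted.items():
        el = ET.SubElement(jc, "jvm-options")
        el.text = f"-D{key}={value}"
        el.tail = "\n        "
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample using the page's values.
    updated = ensure_proxy_options(SAMPLE_DOMAIN_XML, "172.30.57.100", 3128,
                                   "foo", "password")
    print(read_proxy_options(updated))
```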

Setting Up External System Integration

FortiSIEM integration creates a two-way linkage between FortiSIEM and external ticketing/workflow systems such as ServiceNow, ConnectWise and Salesforce. The integration can cover Incidents and CMDB.

This involves two steps:

  1. Create an integration.
  2. Attach the integration to an Incident Notification Policy or run the integration on a schedule.

Four types of integrations are supported:

  • Incident Outbound Integration: This creates a ticket in an external ticketing system from FortiSIEM incidents.
  • Incident Inbound Integration: This updates FortiSIEM incident ticket state from external system ticket states. Specifically, when a ticket is closed in the external ticketing system, the incident is cleared in FortiSIEM and the ticket status is marked closed to synchronize with the external ticketing system.
  • CMDB Outbound Integration: This populates an external CMDB from FortiSIEM CMDB.
  • CMDB Inbound Integration: This populates FortiSIEM CMDB from an external CMDB.

FortiSIEM provides a Java-based API that can be used to integrate with ticketing systems. Out of the box integration is available for ServiceNow, ConnectWise, Salesforce, RiskIQ, VirusTotal, and Jira. Integration with other systems can be built using the API. Contact Fortinet support for assistance.

See the following sections to set up External Systems Integration:

ConnectWise Integration

Adding a Client ID for ConnectWise Integration

ConnectWise has recently changed their policy and requires that vendors create a client ID in order to integrate with FortiSIEM. Due to this change and restriction from ConnectWise, Fortinet has published a public client ID in order to allow clients to integrate with ConnectWise. This Client ID is 1a7ed749-47a1-4d3e-94b0-696288a1140f.

Note: A ConnectWise working account is required before integration can occur.

To add this client ID for ConnectWise, take the following steps:

  1. Go to ADMIN > Settings > General > External Integration.
  2. Click New to create a new Integration Policy or select an existing Integration Policy and click Edit.
  3. From the Vendor drop-down list, select ConnectWise.
  4. In the Client ID field, paste the following Client ID:

    1a7ed749-47a1-4d3e-94b0-696288a1140f

  5. Make any necessary configuration changes.
  6. Click Save.

Configuring ConnectWise for FortiSIEM Integration

  1. Log in to ConnectWise MANAGE.
  2. Go to Setup Tables > Integrator Login List.
  3. Create a new Integrator Login for FortiSIEM:
    1. Enter Username.
    2. Enter Password.
    3. Set Access Level to Records created by integrator.
    4. Enable Service Ticket API for Incident Integration.
    5. Enable Configure API for CMDB Integration.
  4. For Service Provider Configurations, create Companies by creating:
    1. Company Name
    2. Company ID

ConnectWise Incident Outbound Integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ConnectWise installations, each would have different Instance names.
    2. Choose whether the Plugin Type is SOAP or REST.
    3. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For ConnectWise, enter the login URL.
  8. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key and the Private Key in addition to the User Name, Password, and Client ID.
  9. For Incidents Comments Template, specify the formatting of the incident fields.
  10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ConnectWise, enter the Company names in Configuring ConnectWise for FortiSIEM Integration, Step 4.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. Enter the Max Incidents to be recorded.
  13. Click Save.

Next, link the integration to one or more incident notification policies.

ConnectWise Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for ConnectWise.

The steps are:

  1. Create an Incident Inbound integration.
  2. Create a schedule for automatically running the Incident Inbound integration.

The integration then updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ConnectWise installations, each would have different Instance names.
    2. Choose whether the Plugin Type is SOAP or REST.
    3. A default Plugin Name is populated. This is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems). For ConnectWise, enter the login URL.
  8. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key and the Private Key in addition to the User Name, Password, and Client ID.
  9. For Time Window, select the number of hours for which incident states will be synched. For example, if Time Window is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
  10. Click Save.

Step 2: Create an Incident Inbound integration schedule

This will update the following FortiSIEM incident fields when the ticket state is updated in the external ticketing system:

  • External Ticket State
  • Ticket State
  • External Cleared Time
  • External Resolve Time

Follow these steps:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policy.
    2. Select a schedule.

ConnectWise CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built-in integrations are available for ServiceNow, ConnectWise and Salesforce.

Step 1: Create a CMDB Outbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ConnectWise installations, each would have different Instance names.
    2. Choose whether the Plugin Type is SOAP or REST.
    3. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For ConnectWise, enter the login URL.
  8. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key and the Private Key in addition to the User Name, Password, and Client ID.
  9. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ConnectWise, select the Company name in Configuring ConnectWise for FortiSIEM Integration, Step 4.
  10. For Run For, choose the organizations for whom tickets will be created.
  11. For ConnectWise, it is possible to define a Content Mapping.
    1. Enter Column Mapping values:
      1. To add a new mapping, click the + button.
      2. Choose FortiSIEM CMDB attribute as the Source Column.
      3. Enter external (ConnectWise) attribute as the Destination Column.
      4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in Data Mapping definitions.
      5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping values:
      1. Choose the (Destination) Column Name.
      2. Enter From as the value in FortiSIEM.
      3. Enter To as the value in ConnectWise.
  12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Enter the Max Devices: the number of devices to send to the external system.
  15. Click Save.

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

  1. Create an integration policy.
  2. Make sure Run after Discovery is checked.
  3. Click Save.

Updating external CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Select a specific integration policy and click Run.

ServiceNow Integration

Configuring ServiceNow for FortiSIEM Integration

  1. Log in to ServiceNow.
  2. For Service Provider Configurations, create Companies by creating Company Name.

ServiceNow Incident Outbound Integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ServiceNow installations, each would have different Instance names.
    2. Select whether Plugin Type is Ticket or Event Management.
    3. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For ServiceNow, enter the login URL.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For ServiceNow, enter the login credentials.
  9. If your Plugin Type is Ticket, specify the formatting of the incident fields in the Incidents Comments Template. If your Plugin Type is Event Management, specify the mapping of attributes to resources in the Attribute Mapping table.
  10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ServiceNow, enter the Company names as in Configuring ServiceNow for FortiSIEM Integration, Step 2.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. Enter the maximum number of incidents you want to record in Max Incidents.
  13. Click Save.

Next, link the integration to one or more incident notification policies.

ServiceNow Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for ServiceNow.

The steps are:

  1. Create an Incident Inbound integration.
  2. Create a schedule for automatically running the Incident Inbound integration.

The integration then updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated. This is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems). For ServiceNow, enter the login URL.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For ServiceNow, enter the login credentials.
  9. In Attribute Mapping, specify the mapping of attributes to resources.
  10. For Time Window, select the number of hours for which incident states will be synched. For example, if Time Window is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
  11. Click Save.

Step 2: Create an Incident Inbound integration schedule

This will update the following FortiSIEM incident fields when the ticket state is updated in the external ticketing system:

  • External Ticket State
  • Ticket State
  • External Cleared Time
  • External Resolve Time

Follow these steps:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policy.
    2. Select a schedule.

ServiceNow CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built-in integrations are available for ServiceNow.

Step 1: Create a CMDB Outbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For ServiceNow, enter the login URL.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For ServiceNow, enter the login credentials.
  9. In Attribute Mapping, specify the mapping of attributes to resources.
  10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ServiceNow, select the Company names as in Configuring ServiceNow for FortiSIEM Integration, Step 2.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Enter the Maximum number of devices to send to the external system.
  15. Click Save.

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

  1. Create an integration policy.
  2. Make sure Run after Discovery is checked.
  3. Click Save.

Updating external CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Select a specific integration policy and click Run.

Salesforce Integration

Configuring Salesforce for FortiSIEM Integration

  1. Log in to Salesforce.
  2. Create a custom domain.
  3. For Service Provider Configurations, create Service App > Accounts.
    FortiSIEM will use the Account Name.

Salesforce Incident Outbound Integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two Salesforce installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For Salesforce:
    1. Log in to Salesforce.
    2. Go to Setup > Settings.
    3. Use the Custom URL under My Domain; typically it is xyz.my.salesforce.com.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For Salesforce, enter the login credentials.
  9. For Security Token, enter the security token from Salesforce. If you do not have your security token information, you can get this by taking the following steps:
    1. Log in to Salesforce.
    2. At <your name>, click the drop-down list and navigate to Setup > Personal Setup > My Personal Information.
    3. Click Reset My Security Token to get Salesforce to email your security token.
  10. For Incidents Comments Template, specify the formatting of the incident fields.
  11. For Organization Mapping, click the Edit icon to take you to the Integration Policy > Org Mapping window. Here, you can create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For Salesforce, to get your account name, take the following steps in Salesforce:
    1. Go to Service App > Accounts.
    2. Use Account Name.
    3. In FortiSIEM, at the Integration Policy > Org Mapping window, enter the Account Name in the Default field.
      Note: You can choose to provide an organization name from FortiSIEM in the Default field.
  12. For Run For, choose the organizations for whom tickets will be created.
  13. In the Max Incidents field, enter the maximum number of incidents you want recorded.
  14. Click Save.
  15. Click Run to confirm the integration. If you receive an error containing "...unable to find valid certification path to requested target", you need to upload a certificate to FortiSIEM.

Next, link the integration to one or more incident notification policies.

Salesforce Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for Salesforce.

The steps are:

  1. Create an Incident Inbound integration.
  2. Create a schedule for automatically running the Incident Inbound integration.

The integration then updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two Salesforce installations, each would have different Instance names.
    2. A default Plugin Name is populated. This is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce. For other vendors, you must create your own plugin and enter the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For Salesforce:
    1. Log in to Salesforce.
    2. Go to Setup > Settings.
    3. Use the custom URL under My Domain; typically it is xyz.my.salesforce.com.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For Salesforce, enter the login credentials.
  9. For Time Window, select the number of hours for which incident states will be synched. For example, if Time Window is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
  10. Click Save.

Step 2: Create an Incident Inbound integration schedule

This will update the following FortiSIEM incident fields when the ticket state is updated in the external ticketing system:

  • External Ticket State
  • Ticket State
  • External Cleared Time
  • External Resolve Time

Follow these steps:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policy.
    2. Select a schedule.

Salesforce CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built-in integrations are available for Salesforce.

Step 1: Create a CMDB Outbound integration

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
    When you select the Vendor:
    1. An Instance is created - this is the unique name for this policy. For example, if you had two Salesforce installations, each would have different Instance names.
    2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system. For Salesforce:
    1. Log in to Salesforce.
    2. Go to Setup > Settings.
    3. Use the Custom URL under My Domain, typically it is xyz.my.salesforce.com.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For Salesforce, enter the login credentials.
  9. Enter the Maximum number of devices to send to the external system.
  10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For Salesforce:
    1. Go to Service App > Accounts.
    2. Use Account Name.
  11. For Run For, choose the organizations for whom tickets will be created.
  12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Click Save.

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

  1. Create an integration policy.
  2. Make sure Run after Discovery is checked.
  3. Click Save.

Updating external CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Select a specific integration policy and click Run.

RiskIQ Integration

Configuring RiskIQ for FortiSIEM Integration

Register at the RiskIQ website to obtain a user name, password, and the API keys. For more information, see https://api.riskiq.net/api/concepts.html.

RiskIQ Incident Outbound Integration

To create an outbound integration, follow these steps:

  1. Go to Admin > Settings > General > External Integration.
  2. Click New to create a new integration or Edit to modify an existing integration.
  3. In the Integration Policy dialog box, provide the following values:
    • Type: select Incident.
    • Direction: select Outbound.
    • Vendor: select RiskIQ.
    • Instance: enter an instance name or accept the default.
    • Plugin Name: is pre-populated with the name of the integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
    • Username and Password: enter your RiskIQ user name and the API key as the password.
  4. Enter an optional Description of the integration.
  5. Click the edit icon next to Attribute Mapping.
    1. In the Incident Comments Template dialog box, select content from the Insert Content drop-down list.
    2. Click Save when you are finished.
  6. Click the edit icon next to the Organization Mapping to map attributes to resources.
  7. Click the edit icon next to the Run for.
    1. In the Run for dialog box, select the organizations for which the integrations will be run.
    2. Click Save when you are finished.
  8. Enter the maximum number of incidents you want recorded in the Max Incidents field.
  9. Click Save.

VirusTotal Integration

Configuring VirusTotal for FortiSIEM Integration

Register at the VirusTotal website to obtain a user name, password, and the API key. For more information, see https://developers.virustotal.com/reference?gclid=Cj0KCQjw4-XlBRDuARIsAK96p3AvLlJSGdBtBWpE1Tm0_KJkWci7U0aAxBVcoOgoZKfd3qjDMG2jJ9IaArVuEALw_wcB#getting-started.

VirusTotal Incident Outbound Integration

To create an outbound integration, follow these steps:

  1. Go to Admin > Settings > General > External Integration.
  2. Click New to create a new integration or Edit to modify an existing integration.
  3. In the Integration Policy dialog box, provide the following values:
    • Type: select Incident.
    • Direction: select Outbound.
    • Vendor: select VirusTotal.
    • Instance: enter an instance name or accept the default.
    • Plugin Name: is pre-populated with the name of the integration class: com.accelops.service.integration.impl.VirusTotalIntegrationServiceImpl.
    • Password: enter your API key in the password field.
  4. Enter an optional Description of the integration.
  5. Click the edit icon next to the Incident Comments template.
    1. In the Incident Comments Template dialog box, select content from the Insert Content drop-down list.
    2. Click Save when you are finished.
  6. Click the edit icon next to the Organization Mapping.
    1. In the Org Mapping dialog box, click beneath External Company ID to enter the ID of the company you want to map to organizations.
    2. Click Save when you are finished.
  7. Click the edit icon next to the Run for.
    1. In the Run for dialog box, select the organizations for which the integrations will be run.
    2. Click Save when you are finished.
  8. Enter the maximum number of incidents you want recorded in the Max Incidents field.
  9. Click Save.

Jira Integration

Configuring Jira for FortiSIEM Integration

Before configuring Jira, you must log in to your Jira account and create an API Key. Follow these steps:

  1. Log in to your Jira account.
  2. Create an API Key.
  3. Use the GUI user name and API Key in FortiSIEM.

Jira Incident Outbound Integration

Jira outbound integration allows a user to map FortiSIEM fields to Jira ticket fields and to create incidents in Jira. When the integration runs, FortiSIEM looks for incidents that match the mappings and creates a ticket in the Jira system.

To create an outbound integration, follow these steps:

Step 1: Provide Configuration Information

  1. Go to Admin > Settings > General > External Integration.
  2. Click New to create a new integration or Edit to modify an existing integration.
  3. In the Integration Policy dialog box, provide the following values:
    • Type: select Incident.
    • Direction: select Outbound.
    • Vendor: select Jira.
    • Instance: enter an instance name or accept the default.
    • Plugin Name: is pre-populated with the name of the Jira integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
    • Host/URL: enter the URL of the Jira provider, for example, https://<customer>.atlassian.net.
    • Username and Password: enter your Jira user name and password.

Step 2: Specify the FortiSIEM to Jira Field Mapping

  1. Click the edit icon next to Field Mapping.
  2. In the Field Mapping dialog box, provide the following values:
    • Project: enter a name for the project.
    • Issue Type: select Event.
    • Summary: pre-populated with the Incident Rule Name ($ruleName).
    • Description: click the edit icon to build the expression for the Jira issue description. The drop-down list contains the FortiSIEM fields that can be mapped.
    • Priority: pre-populated with the Incident Severity Category ($incident_severityCat).
  3. Create mappings between Jira fields and FortiSIEM fields by clicking New.

    Select Jira fields from the upper drop-down list and match them with corresponding FortiSIEM fields in the lower drop-down list.

  4. Click Save when you are finished mapping fields. The mappings are reflected in the table in the Field Mapping dialog box.
  5. Click Save to dismiss the Mapping Fields dialog box.

Step 3: Run the Jira Integration

Select the Jira instance and click Run. FortiSIEM looks for incidents that match the mappings and creates a ticket in the Jira system.

Jira Incident Inbound Integration

Jira inbound integration allows a user to close a ticket in FortiSIEM if the ticket is closed in Jira.

To create an inbound integration, follow these steps:

Step 1: Provide Configuration Information

  1. Go to Admin > Settings > General > External Integration.
  2. Click New to create a new integration or Edit to modify an existing integration.
  3. In the Integration Policy dialog box, provide the following values:
    • Type: select Incident.
    • Direction: select Inbound.
    • Vendor: select Jira.
    • Instance: enter an instance name or accept the default.
    • Plugin Name: is pre-populated with the name of the Jira integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
    • Host/URL: enter the URL of the Jira provider, for example, https://<customer>.atlassian.net.
    • Username and Password: enter your Jira user name and password.
    • Description: enter an optional description of the integration.
    • Time Window: enter the number of hours for which incident states will be synced. For example, if Time Window is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synced.

Step 2: Specify the FortiSIEM to Jira Field Mapping

  1. Click the edit icon next to Field Mapping.
  2. In the Field Mapping dialog box, provide the following values:
    • Project: enter a name for the project.
    • Issue Type: select Event.
    • Summary: pre-populated with the Incident Rule Name ($ruleName).
    • Description: click the edit icon to build the expression for the Jira issue description. The drop-down list contains the FortiSIEM fields that can be mapped.
    • Priority: pre-populated with the Incident Severity Category ($incident_severityCat).
  3. Create mappings between Jira fields and FortiSIEM fields by clicking New.

    Select Jira fields from the upper drop-down list and match them with corresponding FortiSIEM fields in the lower drop-down list.

  4. Click Save when you are finished mapping fields. The mappings are reflected in the table in the Field Mapping dialog box.
  5. Click Save to dismiss the Mapping Fields dialog box.

Step 3: Run the Jira Integration

Select the Jira instance and click Run. FortiSIEM looks for incidents which are closed in the Jira system and closes them if they also appear in FortiSIEM.
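The inbound rule above (only incidents inside the Time Window are considered, and an incident is closed only when its Jira ticket is closed) as an added illustration, not FortiSIEM's or Atlassian's code. The incident records, the Jira statuses and the choice of "Done"/"Closed" as the closed states are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed FortiSIEM incidents as an inbound poll might see them: incident id,
# first-seen time, and the Jira issue key an outbound run created (None if no ticket).
INCIDENTS = [
    {"id": 1001, "firstSeen": "2024-05-01T08:00:00Z", "ticket": "SEC-1", "status": "Active"},
    {"id": 1002, "firstSeen": "2024-05-01T09:30:00Z", "ticket": "SEC-2", "status": "Active"},
    {"id": 1003, "firstSeen": "2024-04-20T12:00:00Z", "ticket": "SEC-3", "status": "Active"},
    {"id": 1004, "firstSeen": "2024-05-01T10:00:00Z", "ticket": None, "status": "Active"},
    {"id": 1005, "firstSeen": "2024-05-01T07:00:00Z", "ticket": "SEC-5", "status": "Cleared"},
]
# Constructed Jira statuses keyed by issue key (assumption: "Done" and "Closed" mean closed).
JIRA_STATUS = {"SEC-1": "Done", "SEC-2": "In Progress", "SEC-3": "Done", "SEC-5": "Closed"}
CLOSED_STATUSES = {"Done", "Closed"}


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def incidents_to_clear(incidents, jira_status, time_window_hours, now):
    """Return the ids of active incidents inside the time window whose Jira ticket is closed.

    Mirrors the inbound rule: only incidents from the last `time_window_hours` are
    considered, an incident without a ticket is left alone, and an incident that is
    already cleared is not touched again.
    """
    cutoff = now - timedelta(hours=time_window_hours)
    to_clear = []
    for inc in incidents:
        if inc["status"] != "Active" or inc["ticket"] is None:
            continue
        if parse_utc(inc["firstSeen"]) < cutoff:
            continue  # outside the sync window; FortiSIEM state stays as-is
        if jira_status.get(inc["ticket"]) in CLOSED_STATUSES:
            to_clear.append(inc["id"])
    return to_clear


if __name__ == "__main__":
    now = parse_utc("2024-05-01T12:00:00Z")
    print(incidents_to_clear(INCIDENTS, JIRA_STATUS, 10, now))  # [1001]
```

Incident 1003 is closed in Jira but falls outside the 10-hour window, so it stays open in FortiSIEM until a run with a wider Time Window picks it up.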

Link the Integration to One or More Incident Notification Policies (for Incident Outbound)

  1. Complete the incident outbound integration steps for your system.
  2. Go to ADMIN > Settings > General > Notification Policy.
  3. Click New to create a new policy or Edit to edit an existing policy.
  4. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
  5. Choose a specific integration from the drop-down list.
  6. Click Save.

CMDB Inbound Integration

CMDB Inbound Integration populates FortiSIEM CMDB from an external CMDB.

Step 1: Create a CMDB Inbound integration

You must create a CSV file for mapping the contents of the external database to a location on your FortiSIEM Supervisor, which will be periodically updated based on the schedule you set.

  1. Log into your Supervisor node with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click New.
  4. For Type, select Device.
  5. For Direction, select Inbound.
  6. Enter the File Path to the CSV file.
  7. For Content Mapping, click the edit icon.
    1. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.
      1. Enter the Source CSV column name for Source Column.
      2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist.
        1. Enter a name for the Destination Column of the property from the drop-down list.
        2. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
      3. If the property exists in the CMDB, select the FortiSIEM CMDB attribute for Destination Column.
      4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
      5. Click OK.
    2. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.
      For example, if you wanted to change all instances of California in the entries for the State attribute in the external system to CA in the destination CMDB, you would select the State attribute, enter California for From, and CA for To.
  8. In Attribute Mapping, map attributes to resources.
  9. Click OK.
  10. Click Save.

Step 2: Create a CMDB Inbound integration schedule

Updating FortiSIEM CMDB on a schedule:

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating FortiSIEM CMDB on-demand (one-time):

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to ADMIN > Settings > General > External Integration.
  3. Select a specific integration policy and click Run.
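The Column Mapping and Data Mapping rules from Step 1 (Source Column to Destination Column, Create Property if it Does not Exist, Overwrite Existing Value, and From/To value rewrites such as California to CA), worked through on a constructed CSV. This is an added example of the mapping semantics, not FortiSIEM's importer; the CSV, the CMDB snapshot and the attribute names are assumptions.

```python
import csv
import io

# Constructed export from an external CMDB (not from the page); the file that the
# integration's File Path would point at.
SAMPLE_CSV = """Hostname,IP,Location,Owner,Rack
web01,10.0.0.10,California,alice,R12
db01,10.0.0.20,Texas,bob,R07
"""

# Constructed snapshot of what the FortiSIEM CMDB already holds, keyed by device name.
EXISTING_CMDB = {"web01": {"name": "web01", "accessIp": "10.0.0.10", "state": "California"}}
# Attributes the CMDB already defines; anything else needs "Create Property if it Does not Exist".
KNOWN_ATTRIBUTES = {"name", "accessIp", "state"}

# Column Mapping rows: Source Column -> Destination Column plus the two check boxes.
COLUMN_MAPPING = [
    {"source": "Hostname", "dest": "name",     "create": False, "overwrite": True},
    {"source": "IP",       "dest": "accessIp", "create": False, "overwrite": False},
    {"source": "Location", "dest": "state",    "create": False, "overwrite": True},
    {"source": "Owner",    "dest": "owner",    "create": True,  "overwrite": True},
    {"source": "Rack",     "dest": "rackId",   "create": False, "overwrite": True},
]
# Data Mapping rows: (attribute, From) -> To, e.g. California -> CA.
DATA_MAPPING = {("state", "California"): "CA", ("state", "Texas"): "TX"}


def import_csv(csv_text, cmdb, known_attrs, column_mapping, data_mapping, key="Hostname"):
    """Apply the mappings row by row. Returns (updated CMDB copy, list of (device, attr) skipped)."""
    cmdb = {name: dict(attrs) for name, attrs in cmdb.items()}  # leave the caller's data untouched
    known = set(known_attrs)
    skipped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = cmdb.setdefault(row[key], {})
        for m in column_mapping:
            dest = m["dest"]
            if dest not in known:
                if not m["create"]:
                    skipped.append((row[key], dest))  # unknown attribute and creation not allowed
                    continue
                known.add(dest)  # property created once, reused for later rows
            if dest in device and not m["overwrite"]:
                skipped.append((row[key], dest))  # value present, Overwrite Existing Value unchecked
                continue
            raw = row[m["source"]]
            device[dest] = data_mapping.get((dest, raw), raw)  # Data Mapping rewrites matching values
    return cmdb, skipped
```

Running it shows web01's state rewritten to CA while its existing accessIp is kept, owner created on first use, and rackId skipped on every row because creation was not allowed.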

FortiGuard IOC Integration

Configuring FortiGuard for FortiSIEM Integration

No additional license is required to use the FortiGuard feature. Follow the steps in FortiGuard Incident Outbound Integration and Adding Incident Notification Settings to configure this feature.

FortiGuard Incident Outbound Integration

To create an outbound integration, follow these steps:

  1. Go to ADMIN > Settings > General > External Integration.
  2. Click New to create a new integration or Edit to modify an existing integration.
  3. In the Integration Policy dialog box, provide the following values:
    • Type: select Incident.
    • Direction: select Outbound.
    • Vendor: select FortiGuard IOC Lookup.
    • Instance: enter an instance name or accept the default.
    • Plugin Name: is pre-populated with the name of the integration class: com.accelops.service.integration.impl.FortiGuardIOCIntegrationServiceImpl.
  4. Enter an optional Description of the integration.
  5. In the Max Incidents field, enter the maximum number of incidents you want recorded.
  6. Click Save.

Modifying an External System Integration

Complete these steps to modify an External System Integration.

  1. Use the below options to modify an External System Integration setting.

    Settings   Guidelines
    Edit       To edit an External System Integration setting.
    Delete     To delete an External System Integration setting.
  2. Click Save.