Configuring External Integrations

This section describes how to configure FortiSIEM to integrate with external CMDB and ticket management systems and threat entity reputation systems. Currently out-of-the-box supported external systems include ticket management systems such as ServiceNow, Connectwise, Salesforce and Jira, and reputation systems, such as VirusTotal, RiskIQ and FortiGuard IOC lookup.

• Configuring Ticketing System Integrations

• Configuring Reputation System Integrations

• Configuring Communication through Proxies

• Modifying an External System Integration

Configuring Ticketing System Integrations

FortiSIEM integration helps to create a two-way linkage between external ticketing/work flow systems like ServiceNow, ConnectWise and Salesforce. The integration can be for Incidents and CMDB.

This involves two steps.

1. Create an integration.
2. Attach the integration to an Incident Notification Policy or run the integration on a schedule.

Four types of integrations are supported:

• Incident Outbound Integration: This integration creates a ticket in an external ticketing system from FortiSIEM incidents. When an incident triggers in FortiSIEM, a ticket is opened in the external ticketing system. Currently, this out-of-the-box integration is supported for ServiceNow, ConnectWise, Salesforce and Jira.
• Incident Inbound Integration: This integration updates FortiSIEM incident ticket state from external system ticket states. Specifically, when a ticket is closed in the external ticketing system, the incident is cleared in FortiSIEM and the ticket status is marked closed to synchronize with the external ticketing system. Currently, this out-of-the-box integration is supported for ServiceNow, ConnectWise, Salesforce and Jira.
• CMDB Outbound Integration: This integration populates an external CMDB from FortiSIEM CMDB. When a device is added or updated in FortiSIEM CMDB, a device can be created in the external ticketing system. Currently, this out-of-the-box integration is supported for ServiceNow, ConnectWise and Salesforce.
• CMDB Inbound Integration: This integration populates FortiSIEM CMDB from an external CMDB. It works for any external CMDB.

Integration with other systems can be built using the API.

• ServiceNow Integration
• Jira Integration
• ConnectWise Integration
• Salesforce Integration
• CMDB Inbound Integration

ServiceNow Integration

• ServiceNow SOAP Based Integration
• ServiceNow Security Operations (SecOps) Integration

ServiceNow SOAP Based Integration

• Configuring ServiceNow for FortiSIEM Integration

• FortiSIEM Incident Schema

• Incident Outbound Integration (Default)

• Incident Inbound Integration (Default)

• Incident Outbound Integration (Custom)

• Incident Inbound Integration (Custom)

• CMDB Outbound Integration (Default)

• Example Custom Integration

Configuring ServiceNow for FortiSIEM Integration

1. Log in to ServiceNow.
2. For Service Provider Configurations, create Companies by creating Company Name.

3. For the integrations to work, FortiSIEM needs to modify certain ServiceNow database tables.

   • If you are using default integration, make sure that the FortiSIEM user account has the permissions specified, see Required Permissions for ServiceNow SOAP Integration.

   • if you are using custom integration, then sure that the FortiSIEM user account has the read/write permissions on the specific ServicNow tables and columns.

FortiSIEM Incident Schema

The following FortiSIEM Incident fields are available for integration.

FortiSIEM Incident Field	Type	Description	Required for Custom Integration
Incident ID	64bit Integer	Incident Id in FortiSIEM database.	Optional for outbound
Incident Title	String	Incident Title is a formatted string to capture Incident details and actors .	Optional for outbound
Rule Name	String	The name of the rule that triggered the Incident.	Optional for outbound
Rule Description	String	The description of the rule that triggered the Incident.	Optional for outbound
First Seen Time	64bit Integer	The first time an incident triggered in FortiSIEM. Format: Unix epoch timestamp (number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970)	Optional for outbound
Last Seen Time	64bit Integer	The last time an incident triggered in FortiSIEM. Format: Unix epoch timestamp (number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970)	Optional for outbound
Incident Severity	32bit integer – values 1-10	Severity of the Incident. Severities are increasing meaning 1 is lowest and 10 is highest.	Optional for outbound
Incident Severity Category	String – takes 3 values: LOW, MEDIUM, HIGH	Incident severity categorized into 3 levels: LOW, MEDIUM, HIGH	Optional for outbound
Incident Source	String	Incident source attributes in comma separated attribute:Value format. Following attributes are included: srcIpAddr	Optional for outbound
Incident Target	String	Incident destination in comma separated attribute:Value format. Following attributes are included: destIpAddr, destName, hostIpAddr, hostname, user, targetUser	Optional for outbound
Incident Detail	String	Incident details in comma separated attribute:Value format. All attributes not included in Incident Source and Incident target are included in this attribute.	Optional for outbound
Triggering Attributes	String	List of attributes present in the incident.	Optional for outbound
Incident Count	32bit integer	Number of times the incident triggered.	Optional for outbound
Host Name	String	Host Name in incident. This is also present in Incident Target.	Optional for outbound
Incident Comment	String	Comments added by user or by a notification script.	Optional for outbound
Status	32bit integer	Incident Status: 0 means Active, 1 means System Cleared, 2 means User Cleared.	Optional for outbound
Incident Resolution	String	Four values: Open, InProgress, TruePostive and FalsePositive	Optional for outbound
Rule Remediation Note	String		Optional for outbound
External Ticket Id	String	ServiceNow Ticket Id	Required for both Inbound and Outbound
External Ticket State	String	ServiceNow Ticket State	Required for Inbound and must have a value mapping for “Closed”
External User	String	User who closed the Ticket in ServiceNow.	Optional for outbound
External Cleared Time	String	Time at which Incident cleared in ServiceNow.	Required for Inbound

There are two main requirements for a successful custom integration.

1. Outbound and Inbound – must have a mapping for External Ticket Id.

2. Inbound - External Ticket State must have value “Closed”.

3. Inbound - must have a mapping for External Cleared Time.

Incident Outbound Integration (Default)

In this integration, you can create tickets in ServiceNow when an Incident triggers in FortiSIEM. In the Default integration, FortiSIEM Incidents are written to the ServiceNow incident table. FortiSIEM incident attributes are mapped to ServiceNow incident table columns as follows.

FortiSIEM Incident Attribute	ServiceNow Incident Table Column
Incident Status	work_notes
Incident Name	short_description
Incident Comments (generated string containing few Incident attributes – see Step 1.4.k.)	comments
Organization Name	company
Incident Severity	impact
Incident Severity	urgency

Step 1: Create an Integration

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click New.

4. From the Integration Policy window, take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Outbound.

   3. From the Vendor drop-down list, select ServiceNow. When you select a vendor, an instance is created, with a unique name for the policy. For example, if you had two ServiceNow installations, each would have different instance names.

   4. For Plugin Type, select Ticket.

   5. For Plugin Name, a default Plugin Name is populated. Leave it as is. This is the Java code that implements the integration, including connecting to the external help desk systems and synching the CMDB elements.

   6. In the Host/URL field, enter the login URL, for example, https://vendor123.service-now.com.

   7. In the User Name field, enter the ServiceNow username login credential.

   8. In the Password field, enter the ServiceNow password login credential.

   9. Leave the ServiceNow Table Name attribute alone.

   10. In the Description field, enter a description as to what the integration does. This is for display purposes only.

   11. For Incident Comment, you can keep the default format shown in Step 1.k.i, or create your own, shown in Step 1.k.ii.

       1. Default format : [FortiSIEM]Incident Id:<val>;First seen time:<val>;Target IP:<val>;Incident Details:<val>;Mitre TechniqueId:<val>;Mitre Tactics:<val>; Description:<Rule Name>

       2. To create your own, click the Edit icon, and form a string by combining your own text and incident attributes by choosing from the Insert Content drop-down list. When done, click Save.

   12. For Organization Mapping, click the Edit icon to create mappings between the Organizations in your FortiSIEM deployment and Company names in ServiceNow (created in Configuring ServiceNow for FortiSIEM Integration, Step 2).

   13. For Run For, click the Edit icon, and choose the organizations for whom tickets will be created.

   14. In the Max Incidents field, enter the maximum number of incidents you want to record.

   15. Click Save.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

Incident Inbound Integration (Default)

Using this integration, a FortiSIEM Incident can be programmatically cleared when a user closes the corresponding ticket in ServiceNow. In the default integration, the following fields from ServiceNow incident table are mapped to FortiSIEM incident fields.

ServiceNow Incident Table Column	FortiSIEM Incident Field
incident_state	Incident Status
Closed_code	Incident Resolution
Closed_by	External User
number	External Ticket Id
incident_state	External Ticket Status

Step 1: Create an Incident Inbound Integration

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click New.

4. From the Integration Policy window, take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Inbound.

   3. From the Vendor drop-down list, select ServiceNow. When you select a vendor, an instance is created, with a unique name for the policy. For example, if you had two ServiceNow installations, each would have different instance names.

   4. For Plugin Type, select Ticket.

   5. For Plugin Name, a default Plugin Name is populated. Leave it as is. This is the Java code that implements the integration, including connecting to the external help desk systems and synching the CMDB elements.

   6. In the Host/URL field, enter the login URL, for example, https://vendor123.service-now.com.

   7. In the User Name field, enter the ServiceNow username login credential.

   8. In the Password field, enter the ServiceNow password login credential.

   9. Leave the ServiceNow Table Name attribute alone.

   10. In the Description field, enter a description as to what the integration does. This is for display purposes only.

   11. For Content Mapping, do not make any edits. Keep the system defined one.

   12. In the Time Window field, enter/select the number of hours for which incident states will be synched from ServiceNow. For example, if time window is set to 10 hours, then the states of incidents that occurred in the last 10 hours will be synched.

   13. When done, click Save.

 

Step 2: Create an Incident Inbound Integration Schedule

This determines the schedule on which the inbound integration policy defined in Step 1: Create an Incident Inbound Integration will be run.

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click Schedule.

4. Click + to open the Integration Policy Schedules window.

   1. From the Integration Policy column, select your integration policy and move it to the Selected column.

   2. Under Time Range, configure your schedule by taking the following steps.

      1. In the Start Time field, enter the start time of your schedule.

      2. From the Local/UTC Timeand Region drop-down lists, configure the start time of the schedule.

   3. Under Recurrence Pattern, configure the frequency.

      1. Select Once, Minutely, Hourly, Daily, Weekly, or Monthly for the schedule's recurrence pattern. Depending on what is selected, configure the related date/time schedule attributes.

      2. In the Start From field, enter the date which the schedule starts.

   4. When done, click Save.

Incident Outbound Integration (Custom)

In this integration, you can create tickets in ServiceNow when an Incident triggers in FortiSIEM. You can choose your own ServiceNow table to map FortiSIEM Incidents to. Take the following steps to create a custom outbound integration.

Step 1: Create an Integration

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click New.

4. From the Integration Policy window, take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Outbound.

   3. From the Vendor drop-down list, select ServiceNow. When you select a vendor, an instance is created, with a unique name for the policy. For example, if you had two ServiceNow installations, each would have different instance names.

   4. For Plugin Type, select Ticket.

   5. For Plugin Name, a default Plugin Name is populated. Leave it as is. This is the Java code that implements the integration, including connecting to the external help desk systems and synching the CMDB elements. For other vendors, you must create your own plugin and enter the plugin name here.

   6. In the Host/URL field, enter the login URL, for example, https://vendor123.service-now.com.

   7. In the User Name field, enter the ServiceNow username login credential.

   8. In the Password field, enter the ServiceNow password login credential.

   9. In the ServiceNow Table Name field, enter the custom ServiceNow table

   10. In the Description field, enter a description as to what the integration does. This is for display purposes only.

   11. For Incident Comment, you can keep the default format shown in Step 1.k.i, or create your own, shown in Step 1.k.ii.

       1. Default format : [FortiSIEM]Incident Id:<val>;First seen time:<val>;Target IP:<val>;Incident Details:<val>;Mitre TechniqueId:<val>;Mitre Tactics:<val>; Description:<Rule Name>

       2. To create your own, click the Edit icon, and form a string by combining your own text and incident attributes by choosing from the Insert Content drop-down list. When done, click Save.

   12. For Organization Mapping, click the Edit icon to create mappings between the Organizations in your FortiSIEM deployment and Company names in ServiceNow (created in Configuring ServiceNow for FortiSIEM Integration, Step 2).

   13. For Run For, click the Edit icon, and choose the organizations for whom tickets will be created.

   14. For Content Mapping, click the Edit icon to define mappings between FortiSIEM Incident fields and ServiceNow custom table columns.

       1. Select the Field Mappings dialog box and click +.
          
          

          Note: To delete a Field Mapping, select the entry and click -. To edit a Field Mapping, click the Edit icon.
          
          

       2. From the FortiSIEM Incident Field drop-down list, select a FortiSIEM Incident field.

       3. From the ServiceNow Field drop-down list, select a mapped ServiceNow field. Note that the menu is populated from the table in step 4.i.

       4. Select the Value Mappings dialog box and click + to enter Value Mappings if you want the values for a specific field to be transformed. A standard example is Severity, where FortiSIEM Incident Severity 1-> 4 may be mapped to Low, 5-8 as Medium and 9-10 as High.

       5. From Field, select the ServiceNow Field whose values need to be transformed.

       6. In the From field, select the value that FortiSIEM generates.

       7. In the To field, select the value that you want ServiceNow to store.

       8. When done, click Save.

   15. In the Max Incidents field, enter the maximum number of incidents you want to record.

   16. Click Save.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Note: In the default Outbound integration, Incident updates are recorded in the comments field. However, in the custom integration, Incident updates are not reflected in ServiceNow.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

Incident Inbound Integration (Custom)

In this integration, you can clear tickets in FortiSIEM when a user closes the corresponding ServiceNow ticket. You can choose your own ServiceNow table to update the following FortiSIEM Incident fields:

• External Ticket Id

• Incident Status

• Incident Resolution

• External User

• External Ticket State

Step 1: Create an Incident Inbound Integration

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click New.

4. From the Integration Policy window, take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Inbound.

   3. From the Vendor drop-down list, select ServiceNow. When you select a vendor, an instance is created, with a unique name for the policy. For example, if you had two ServiceNow installations, each would have different instance names.

   4. For Plugin Type, select Ticket.

   5. For Plugin Name, a default Plugin Name is populated. Leave it as is. This is the Java code that implements the integration, including connecting to the external help desk systems and synching the CMDB elements.

   6. In the Host/URL field, enter the login URL, for example, https://vendor123.service-now.com.

   7. In the User Name field, enter the ServiceNow username login credential.

   8. In the Password field, enter the ServiceNow password login credential.

   9. For the ServiceNow Table Name, choose your custom ServiceNow table.

   10. In the Description field, enter a description as to what the integration does. This is for display purposes only.

   11. For Content Mapping, click the Edit icon to define mappings between FortiSIEM Incident fields and ServiceNow custom table columns.

       1. Select the Field Mappings dialog box and click +.
          
          

          Note: To delete a Field Mapping, select the entry and click -. To edit a Field Mapping, click the Edit icon.
          
          

       2. From the FortiSIEM Incident Field drop-down list, select a FortiSIEM Incident field.

       3. From the ServiceNow Field drop-down list, select a mapped ServiceNow field. Note that the menu is populated from the table in step 4.i.

       4. Select the Value Mappings dialog box and click + to enter Value Mappings if you want the values for a specific field to be transformed. For the Incident Inbound Integration to function, we need a mapping to the “Closed” value of FortiSIEM Incident Status field. This allows FortiSIEM to close an Incident.
          

       5. From Field, select the ServiceNow Field whose values need to be transformed.

       6. In the From field, select the value that FortiSIEM generates.

       7. In the To field, select the value that you want ServiceNow to store.

       8. When done, click Save.

   12. In the Time Window field, enter/select the number of hours for which incident states will be synched from ServiceNow. For example, if time window is set to 10 hours, then the states of incidents that occurred in the last 10 hours will be synched.

   13. When done, click Save.

    

   Step 2: Create an Incident Inbound Integration Schedule

   This determines the schedule on which the inbound integration policy defined in Step 1: Create an Incident Inbound Integration will be run.

   1. Log into your Supervisor node with administrator credentials.

   2. Navigate to ADMIN > Settings > General > External Integration.

   3. Click Schedule.

   4. Click + to open the Integration Policy Schedules window.

      1. From the Integration Policy column, select your integration policy and move it to the Selected column.

      2. Under Time Range, configure your schedule by taking the following steps.

         1. In the Start Time field, enter the start time of your schedule.

         2. From the Local/UTC Timeand Region drop-down lists, configure the start time of the schedule.

      3. Under Recurrence Pattern, configure the frequency.

         1. Select Once, Minutely, Hourly, Daily, Weekly, or Monthly for the schedule's recurrence pattern. Depending on what is selected, configure the related date/time schedule attributes.

         2. In the Start From field, enter the date which the schedule starts.

      4. When done, click Save.

CMDB Outbound Integration (Default)

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built in integrations are available for ServiceNow.

Step 1: Create a CMDB Outbound integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration. 
3. Click New.
4. For Type, select Device. 
5. For Direction, select Outbound. 
6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.
   
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had 2 ServiceNow installations, each would have different Instance names.
   2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow. For other vendors, you have to create your own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For ServiceNow, select the login URL
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For ServiceNow, select the login credentials.
9. In Attribute Mapping, specify the mapping of attributes to resources.
10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ServiceNow, select the Company names as in Configuring ServiceNow for FortiSIEM Integration, Step 2.
11. For Run For, choose the organizations for whom tickets will be created.
12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
14. Enter the Maximum number of devices to send to the external system.
15. Click Save.

 

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

1. Create an integration policy.
2. Make sure Run after Discovery is checked.
3. Click Save.

Updating external CMDB on a schedule:

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.

1. Select the integration policies.
2. Select a schedule.

Updating external CMDB on-demand (one-time):

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Select a specific integration policy and click Run.

Example Custom Integration

This section provides a sample integration.

There are a few main requirements for a successful custom integration

1. Outbound and Inbound – must have a mapping for External Ticket Id

2. Inbound - External Ticket State must have value “Closed”

3. Inbound - must have a mapping for External Cleared Time

Follow these steps:

Step 1. From ServiceNow, take the following steps to create a ServiceNow Table.

1. Login to ServiceNow.

2. From the left pane, navigate to System Definitions > Tables.

   
   

3. Next to the heading Tables, click New to create a table.

   1. In the Label field, enter a label. Here, we can use "fsm demo". The Name field will be automatically populated. Keep this name recorded, as it will be needed later.
      

      

   2. Under Controls, check the Auto-number checkbox. This is required to map the External Ticket Id.
      

      
      

   3. Under Application Access, check the following checkboxes.

      • Can read

      • Can create

      • Can update

      • Can delete
        

        

   4. Click Submit.
      

      A ServiceNow table has now been created.

4. Next to the heading Table Columns, click New to create a table column.

   1. Create your column/mappings and ensure that Type is set correctly (See FortiSIEM Incident Schema for the correct Types). For this example, we use the following:
      

      Type: String

      Column label: ticketnumber
      

      Note: For External Ticket ID

      Max length: 256

   2. Type: String

      Column label: externalcleartime

      Note: For External Cleared Time

      Max length: 256

   3. Type: String

   4. Column label: incident_status

      Note: For Ticket Status

   5. Max length: 256

   6. Configure any additional mappings necessary for your ServiceNow table.
      

      To create a drop-down list, navigate to Choice List Specification, and from the Choice drop-down list, make a selection. To configure what will appear in your drop-down list, click the Advanced view link, and under Choices, click New to add items to appear in your drop-down list.
      

5. When done, click Submit.
   

 

Step 2. From FortiSIEM, take the following steps to create Incident Outbound Integration Policy.

1. Login to FortiSIEM.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click New to create an Integration Policy, and take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Outbound.

   3. From the Vendor drop-down list, select ServiceNow.

   4. In the Host/URL field, enter the ServiceNow URL being used.

   5. In the User Name field, enter the ServiceNow username credential.

   6. In the Password and Confirm Password field, enter the password associated with the ServiceNow User Name account.

   7. In the ServiceNow Table Name field, enter the name of the ServiceNow table that was set up during the ServiceNow table creation.

   8. In the Content Mapping row, click the Edit icon.

   9. In the Integration Policy > Incident Outbound Content Mapping window, take the following steps.

      1. From the FortiSIEM Incident Field drop-down list, select External Ticket Id.

      2. From the ServiceNow Field drop-down list, select the "ticketnumber" mapping.

      3. From the FortiSIEM Incident Field drop-down list, select External Ticket State.

      4. From the ServiceNow Field drop-down list, select the "externalcleartime" mapping.
         

         A more complicated custom mapping is provided in the following screenshot.
         

         
         

      5. Click Save.

   10. Click Save.
       

       Your Outbound Integration Policy has been created.
       

 

Step 3. From FortiSIEM, take the following steps to create Incident Inbound Integration Policy.

1. Click New to create an Integration Policy, and take the following steps.

   1. From the Type drop-down list, select Incident.

   2. From the Direction drop-down list, select Inbound.

   3. From the Vendor drop-down list, select ServiceNow.

   4. In the Host/URL field, enter the ServiceNow URL being used.

   5. In the User Name field, enter the ServiceNow username credential.

   6. In the Password and Confirm Password field, enter the password associated with the ServiceNow User Name account.

   7. In the ServiceNow Table Name field, enter the name of the ServiceNow table that was set up during the ServiceNow table creation.

   8. In the Content Mapping row, click the Edit icon.

   9. In the Integration Policy > Incident Outbound Content Mapping window, take the following steps.

      1. From the FortiSIEM Incident Field drop-down list, select from External Cleared Time, External Ticket Id, External Ticket State, External User, or Incident Resolution.
         

         Note: External Ticket ID and External Ticket State are required.
         

      2. From the ServiceNow Field drop-down list, select the corresponding column.

      3. Click Save.

      4. Repeat i.-iii. for any additional mappings. Proceed to v. when done with incident mapping.

      5. In Value Mapping, click + .

      6. In the Field drop-down list, select the ServiceNow "external ticket state".

      7. In the From field, enter "Closed".

         The value mapping should appear similar to the following example: u_incident_status: Closed => closed
         

         

      8. Click Save.
         

   10. Click Save.
       

       Your Inbound Integration Policy has been created. Now, if you close an incident/ticket in ServiceNow, and run the inbound integration in FortiSIEM, the incident/ticket will also be closed.
       

 

Step 4. Run Outbound Integration

1. Confirm you are on the External Integration page. (ADMIN > Settings > General > External Integration)

2. Select the Outbound Integration you created.

3. Click Run.
   

   Note: The maximum number of incidents can be configured by changing the value of the Max Incidents field in your Outbound Integration Notification policy .
   

   

4. Click Yes to confirm.

Step 5. Run Inbound Integration

1. Confirm you are on the External Integration page. (ADMIN > Settings > General > External Integration)

2. Select the Inbound Integration you created.

3. Click Run.

   Note: You can verify the closing of an incident/ticket by checking the External Ticket State column.
   

Jira Integration

• Configuring Jira for FortiSIEM Integration
• Jira Incident Outbound Integration
• Jira Incident Inbound Integration

Configuring Jira for FortiSIEM Integration

Before configuring Jira, you must log in to your Jira account and create an API Key. Follow these steps.

1. Log in to your Jira account.
2. Create an API Key.
3. Use the GUI user name and API Key in FortiSIEM.

Jira Incident Outbound Integration

Jira outbound integration allows a user to map FortiSIEM fields to Jira ticket fields and to create incidents in Jira. When the integration runs, FortiSIEM looks for incidents that match the mappings and creates a ticket in the Jira system.

To create an outbound integration, follow these steps.

Step 1: Create an Integration

1. Go to Admin > Settings > General > External Integration.
2. Click New to create a new integration or Edit to modify an existing integration.
3. In the Integration Policy dialog box, provide the following values:
   • Type: select Incident.
   • Direction: select Outbound.
   • Vendor: select Jira.
   • Instance: enter an instance name or accept the default.
   • Plugin Name: is pre-populated with the name of the Jira integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
   • Host/URL, enter the URL of the Jira provider, for example, https://<customer>.atlassian.net.
   • Username and Password, enter your Jira user name and password.
4. Click the edit icon next to Field Mapping.
5. In the Field Mapping dialog box, provide the following values:
   • Project: enter a name for the project
   • Issue Type: select Event.
   • The Summary: field is pre-populated with the Incident Rule Name ($ruleName).
   • For Description: click the edit icon to build the expression for the Jira issue description. The drop-down list contains FortiSIEM fields that can be mapped to.
   • The Priority: field is pre-populated with Incident Severity Category ($incident_severityCat).
6. Create mappings between Jira fields and FortiSIEM fields by clicking New.
   Select Jira fields from the upper drop-down list and match them with corresponding FortiSIEM fields in the lower drop-down list.
7. Click Save when you are finished mapping fileds. The mappings are reflected in the table in the Field Mapping dialog box.
   Note: Click Cancel to dismiss the Mapping Fields dialog box.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

Jira Incident Inbound Integration

Jira inbound integration allows a user to close a ticket in FortiSIEM if the ticket is closed in Jira.

To create an inbound integration, follow these steps.

Step 1: Create an Integration

1. Go to Admin > Settings > General > External Integration.
2. Click New to create a new integration or Edit to modify an existing integration.
3. In the Integration Policy dialog box, provide the following values:
   • Type: select Incident.
   • Direction: select Inbound.
   • Vendor: select Jira.
   • Instance: enter an instance name or accept the default.
   • Plugin Name: is pre-populated with the name of the Jira integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
   • Host/URL, enter the URL of the Jira provider, for example, https://<customer>.atlassian.net.
   • Username and Password, enter your Jira user name and password.
   • Description: enter an optional description of the integration.
   • Time Window: enter the number of hours for which incident states will be synched. For example, if time windows is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
4. Click the edit icon next to Field Mapping.
5. In the Field Mapping dialog box, provide the following values:
   • Project: enter a name for the project.
   • Issue Type: select Event.
   • The Summary: field is pre-populated with the Incident Rule Name ($ruleName).
   • For Description: click the edit icon to build the expression for the Jira issue description. The drop-down list contains FortiSIEM fields that can be mapped to.
   • The Priority: field is pre-populated with Incident Severity Category ($incident_severityCat).
6. Create mappings between Jira fields and FortiSIEM fields by clicking New.

   Select Jira fields from the upper drop-down list and match them with corresponding FortiSIEM fields in the lower drop-down list.

7. Click Save when you are finished mapping fileds. The mappings are reflected in the table in the Field Mapping dialog box.
   Note: Click Cancel to dismiss the Mapping Fields dialog box.

 

Step 2: Create an Incident Inbound Integration Schedule

This determines the schedule on which the inbound integration policy defined in Step 1: Create an Incident Inbound Integration will be run.

1. Log into your Supervisor node with administrator credentials.

2. Navigate to ADMIN > Settings > General > External Integration.

3. Click Schedule.

4. Click + to open the Integration Policy Schedules window.

   1. From the Integration Policy column, select your integration policy and move it to the Selected column.

   2. Under Time Range, configure your schedule by taking the following steps.

      1. In the Start Time field, enter the start time of your schedule.

      2. From the Local/UTC Timeand Region drop-down lists, configure the start time of the schedule.

   3. Under Recurrence Pattern, configure the frequency.

      1. Select Once, Minutely, Hourly, Daily, Weekly, or Monthly for the schedule's recurrence pattern. Depending on what is selected, configure the related date/time schedule attributes.

      2. In the Start From field, enter the date which the schedule starts.

   4. When done, click Save.

ConnectWise Integration

• Adding a Client ID for ConnectWise Integration
• Configuring ConnectWise for FortiSIEM Integration
• ConnectWise Incident Outbound Integration
• ConnectWise Incident Inbound Integration
• ConnectWise CMDB Outbound Integration

Adding a Client ID for ConnectWise Integration

ConnectWise has recently changed their policy and requires that vendors create a client ID in order to integrate with FortiSIEM. Due to this change and restriction from ConnectWise, Fortinet has published a public client ID in order to allow clients to integrate with ConnectWise. This Client ID is 1a7ed749-47a1-4d3e-94b0-696288a1140f.

Note: A ConnectWise working account is required before integration can occur.

To add this client ID for ConnectWise, take the following steps.

1. Go to ADMIN > Settings >General > External Integration.
2. Click New to create a new Integration Policy or select an existing Integration Policy and click Edit.
3. From the Vendor drop-down list, select ConnectWise.
4. In the Client ID field, paste the following Client ID:
   1a7ed749-47a1-4d3e-94b0-696288a1140f
   
5. Make any necessary configuration changes.
6. Click Save.

Configuring ConnectWise for FortiSIEM Integration

1. Log in to ConnectWise MANAGE.
2. Go to Setup Tables > Integrator Login List.
3. Create a new Integrator Login for FortiSIEM:
   1. Enter Username.
   2. Enter Password.
   3. Set Access Level to Records created by integrator.
   4. Enable Service Ticket API for Incident Integration.
   5. Enable Configure API for CMDB Integration.
4. For Service Provider Configurations, create Companies by creating:
   1. Company Name
   2. Company ID
      

ConnectWise Incident Outbound Integration

Step 1: Create an Integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General  > External Integration. 
3. Click New.
4. For Type, select Incident. 
5. For Direction, select Outbound. 
6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had two ConnectWise installations, each would have different Instance names.
   2. Choose whether the Plugin Type is SOAP or REST.
      Note: The SOAP method is deprecated, so you should select REST.
      
   3. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you must create your own plugin and enter the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For ConnectWise, enter the login URL of the ConnectWise instance. Make sure to include the https:// prefix.
   Example: https://my.login.test
8. For Company, enter the company name that you use when logging in to ConnectWise Manage. Do not use the company name from within ConnectWise.
   
9. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key and the Private Key and Client ID.
   Note: The Client ID is 1a7ed749-47a1-4d3e-94b0-696288a1140f. See Adding a Client ID for ConnectWise Integration for more information.
   To get your Public Key and Private Key from ConnectWise, login and take the following steps.
   1. In the upper right part of the window, click your account name to open a drop-down list, and select My Account.
   2. Click the API Keys tab, and create your private and public keys, keeping a record of what they are so you can enter them in the FortiSIEM configuration in the Private Key and Public Key fields.
      
10. For Incidents Comments Template, specify the formatting using the incident fields.
11. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. In ConnectWise, locate and use the Company ID field under Company Details in ConnectWise for the FortiSIEM Organization Mapping, NOT the company name.
    
    
12. For Run For, choose the organizations for whom tickets will be created.
13. Enter the Max Incidents to be recorded.
    Note: The default number for Max Incidents is 50. When running this the first time with the default number, you may encounter a 502 proxy error due to the initial volume of incidents being requested. In this situation, you can change the Max Incidents value to 5 or 10 initially, then change it after running the ConnectWise integration once.
    
14. Click Save.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

ConnectWise Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for ConnectWise.

The steps are:

1. Create an Incident Inbound integration schedule.
2. Create a schedule for automatically running the Incident Inbound integration.
   
   

This will update the FortiSIEM incident inbound integration schedule and clears the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration. 
3. Click New.
4. For Type, select Incident. 
5. For Direction, select Inbound. 
6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had two ConnectWise installations, each would have different Instance names.
   2. Choose whether the Plugin Type is SOAP or REST.
   3. A default Plugin Name is populated. This is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you must create your own plugin and enter the plugin name here.
7. For Host/URL, enter the host name or URL of the external system (see section Configuring external helpdesk systems). For ConnectWise, select the login URL.
8. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key, the Private Key, and Client ID.
9. For Time Window, select the number of hours for which incident states will be synched. For example, if time windows is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
10. Click Save.

 

Step 2: Create an Incident Inbound integration schedule

This will update FortiSIEM following incident fields when ticket state is updated in the external ticketing system.

• External Ticket State
• Ticket State
• External Cleared Time
• External Resolve Time

Note: FortiSIEM does not support custom mapping, only "new" and "closed", and the incident resolution is not updated.

Follow these steps.

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.
   1. Select the integration policy.
   2. Select a schedule.

ConnectWise CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built in integrations are available for ServiceNow, ConnectWise and Salesforce.

Step 1: Create a CMDB Outbound integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration. 
3. Click New.
4. For Type, select Device. 
5. For Direction, select Outbound. 
6. For Vendor, select the vendor of the system you want to connect to. ConnectWise is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had two ConnectWise installations, each would have different Instance names.
   2. Choose whether the Plugin Type is SOAP or REST.
   3. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For ConnectWise, select the login URL.
8. If you chose SOAP as Plugin Type, enter a User Name, Password, and Client ID that the system can use to authenticate with the external system. For ConnectWise, select the credentials created in Configuring ConnectWise for FortiSIEM Integration, Step 3. If you chose REST, enter the Public Key and the Private Key in addition to the User Name, Password, and Client ID.
9. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For ConnectWise, select the Company name in Configuring ConnectWise for FortiSIEM Integration, Step 4.
10. For Run For, choose the organizations for whom tickets will be created.
11. For ConnectWise, it is possible to define a Content Mapping.
    1. Enter Column Mapping values:
       1. To add a new mapping, click the + button.
       2. Choose FortiSIEM CMDB attribute as the Source Column.
       3. Enter external (ConnectWise) attribute as the Destination Column.
       4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in Data Mapping definitions.
       5. Select Put to a Question is the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping values:
       1. Choose the (Destination) Column Name.
       2. Enter From as the value in FortiSIEM.
       3. Enter To as the value in ConnectWise.
12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
14. Enter the Max Devices: the number of devices to send to the external system.
15. Click Save.

 

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

1. Create an integration policy.
2. Make sure Run after Discovery is checked.
3. Click Save.

Updating external CMDB on a schedule:

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.

1. Select the integration policies.
2. Select a schedule.

Updating external CMDB on-demand (one-time):

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Select a specific integration policy and click Run.

Salesforce Integration

• Configuring Salesforce for FortiSIEM Integration
• Salesforce Incident Outbound Integration
• Salesforce Incident Inbound Integration
• Salesforce CMDB Outbound Integration

Configuring Salesforce for FortiSIEM Integration

1. Log in to Salesforce.
2. Create a custom domain.
3. For Service Provider Configurations, create Service App > Accounts.
   FortiSIEM will use the Account Name.

Salesforce Incident Outbound Integration

Step 1: Create an Integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General  > External Integration. 
3. Click New.
4. For Type, select Incident. 
5. For Direction, select Outbound. 
6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had two Salesforce installations, each would have different Instance names.
   2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce. For other vendors, you must create your own plugin and enter the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For Salesforce:
   1.  Log in to Salesforce.
   2. Go to Setup > Settings.
   3. Use the Custom URL under My Domain, typically it is xyz.my.salesforce.com  
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. 
   1. For Salesforce, enter the login credentials.
9. For Security Token, enter the security token from Salesforce. If you do not have your security token information, you can get this by taking the following steps.
   1. Log in to Salesforce.
   2. At <your name>, click the drop-down list and navigate to Setup > Personal Setup > My Personal Information.
   3. Click Reset My Security Token to get Salesforce to email your security token.
10. For Incidents Comments Template, specify the formatting of the incident fields.
11. For Organization Mapping, click the Edit icon to take you to the Integration Policy > Org Mapping window. Here, you can create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For Salesforce, to get your account name, take the following steps in Salesforce:

    1. Go to Service App > Accounts.

    2. Use Account Name.
    3. In FortiSIEM, at the Integration Policy > Org Mapping window, enter the Account Name in the Default field.
       Note: You can choose to provide an organization name from FortiSIEM in the Default field.
12. For Run For, choose the organizations for whom tickets will be created.
13. In the Max Incidents field, enter the maximum number of incidents you want recorded.
14. Click Save.
    
15. Click Run to confirm the integration. If you receive an "...unable to find valid certification path to requested target", you need to upload a certificate to FortiSIEM.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

Salesforce Incident Inbound Integration

This updates the FortiSIEM incident state and clears the incident when the incident is cleared in the external help desk system. Built-in integrations are available for Salesforce.

The steps are:

1. Create an Incident Inbound integration schedule.
2. Create a schedule for automatically running the Incident Inbound integration.
   
   

This will update the FortiSIEM incident inbound integration schedule and clears the incident when the incident is cleared in the external help desk system.

Step 1: Create an Incident Inbound integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration. 
3. Click New.
4. For Type, select Incident. 
5. For Direction, select Inbound. 
6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had two Salesforce installations, each would have different Instance names.
   2. A default Plugin Name is populated. This is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce. For other vendors, you must create your own plugin and enter the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For Salesforce:

   1. Log in to Salesforce.

   2. Go to Setup > Settings.
   3. Use the custom URL under My Domain – typically it is xyz.my.salesforce.com.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For Salesforce, select the login credentials.
9. For Time Window, select the number of hours for which incident states will be synched. For example, if time windows is set to 10 hours, the states of incidents that occurred in the last 10 hours will be synched.
10. Click Save.

 

Step 2: Create an Incident Inbound integration schedule

This will update FortiSIEM following incident fields when ticket state is updated in the external ticketing system.

• External Ticket State
• Ticket State
• External Cleared Time
• External Resolve Time

Follow these steps.

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.
   1. Select the integration policy.
   2. Select a schedule.

Salesforce CMDB Outbound Integration

CMDB Outbound Integration populates an external CMDB from FortiSIEM’s own CMDB. Built in integrations are available for Salesforce.

Step 1: Create a CMDB Outbound integration

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration. 
3. Click New.
4. For Type, select Device. 
5. For Direction, select Outbound. 
6. For Vendor, select the vendor of the system you want to connect to. Salesforce is supported out of the box.
   When you select the Vendor:
   1. An Instance is created - this is the unique name for this policy. For example if you had 2 Salesforce installations, each would have different Instance names.
   2. A default Plugin Name is populated - this is the Java code that implements the integration including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for Salesforce . For other vendors, you have to create your own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system. For Salesforce:
   1.  Log in to Salesforce.
   2. Go to Setup > Settings.
   3. Use the Custom URL under My Domain, typically it is xyz.my.salesforce.com.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system. For Salesforce, select the login credentials.
9. Enter the Maximum number of devices to send to the external system.
10. For Organization Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system. For Salesforce:

    1. Go to Service App > Accounts.

    2. Use Account Name.
11. For Run For, choose the organizations for whom tickets will be created.
12. For Groups, select the FortiSIEM CMDB Groups whose member devices would be synched to external CMDB.
13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
14. Click Save.

 

Step 2: Create a CMDB Outbound integration schedule

Updating external CMDB automatically after FortiSIEM discovery:

1. Create an integration policy.
2. Make sure Run after Discovery is checked.
3. Click Save.

Updating external CMDB on a schedule:

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.

1. Select the integration policies.
2. Select a schedule.

Updating external CMDB on-demand (one-time):

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Select a specific integration policy and click Run.

CMDB Inbound Integration

CMDB Inbound Integration populates FortiSIEM CMDB from an external CMDB.

Step 1: Create a CMDB Inbound integration

You must create a CSV file for mapping the contents of the external database to a location on your FortiSIEM Supervisor, which will be periodically updated based on the schedule you set.

1. Log into your Supervisor node with administrator credentials. 
2. Go to ADMIN > Settings > General > External Integration.
3. Click New.
4. For Type, select Device. 
5. For Direction, select Inbound. 
6. Enter the File Path to the CSV file. 
7. For Content Mapping, click the edit icon.
   1. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.
      1. Enter Source CSV column Name for Source Column
      2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist
         1. Enter a name for the Destination Column of the property from the drop-down list.
         2. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite it's current value.
      3. If the property exists in the CMDB, select FortiSIEM CMDB attribute for Destination Column.
      4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
      5. Click OK.
   2. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.
      For example, if you wanted to change all instances of California in the entries for the State attribute in the external system to CA in the destination CMDB, you would select the State attribute, enter California for From. and CA for To. 
8. In Attribute Mapping, map attributes to resources.
9. Click OK.
10. Click Save.

 

Step 2: Create a CMDB Inbound integration schedule

Updating FortiSIEM CMDB on a schedule:

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Click Schedule and then click +.

1. Select the integration policies.
2. Select a schedule.

Updating FortiSIEM CMDB on-demand (one-time):

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to ADMIN > Settings > General > External Integration.
3. Select a specific integration policy and click Run.

Configuring Reputation System Integrations

• VirusTotal Integration

• FortiGuard IOC Lookup Integration

• RiskIQ Integration

VirusTotal Integration

• Configuring VirusTotal for FortiSIEM Integration
• VirusTotal Incident Outbound Integration

Configuring VirusTotal for FortiSIEM Integration

Register at the VirusTotal website to obtain a user name, password, and the API key. For more information, see https://developers.virustotal.com/reference/overview#getting-started.

VirusTotal Incident Outbound Integration

Step 1: Create an Integration

To create an outbound integration, follow these steps.

1. Go to Admin > Settings > General > External Integration.
2. Click New to create a new integration or Edit to modify an existing integration.
3. In the Integration Policy dialog box, provide the following values:
   • Type: select Incident.
   • Direction: select Outbound.
   • Vendor: select VirusTotal.
   • Instance: enter an instance name or accept the default.
   • Plugin Name: is pre-populated with the name of the integration class: com.accelops.service.integration.impl.VirusTotalIntegrationServiceImpl.
   • Password: enter your API key in the password field.
4. Enter an optional Description of the integration.
5. Click the edit icon next to the Incident Comments template.
   1. In the Incident Comments Template dialog box, select content from the Insert Content drop-down list.
   2. Click Save when you are finished.
6. Click the edit icon next to the Organization Mapping.
   1. In the Org Mapping dialog box, click beneath External Company ID to enter the ID of the company you want to map to organizations.
   2. Click Save when you are finished.

7. Click the edit icon next to the Run for.

   1. In the Run for dialog box, select the organizations for which the integrations will be run.
   2. Click Save when you are finished.

8. Enter the maximum number of incidents you want recorded in the Max Incidents field.
9. Click Save.

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

FortiGuard IOC Lookup Integration

• Configuring FortiGuard for FortiSIEM Integration

• FortiGuard Incident Outbound Integration

Configuring FortiGuard for FortiSIEM Integration

No additional license is required to use the FortiGuard feature. Follow the steps in FortiGuard Incident Outbound Integration and Adding Incident Notification Settings to configure this feature.

FortiGuard Incident Outbound Integration

To create an outbound integration, follow these steps.

Step 1: Create an Integration

1. Go to ADMIN > Settings > General > External Integration.
2. Click New to create a new integration or Edit to modify an existing integration.
3. In the Integration Policy dialog box, provide the following values:
   • Type: select Incident.
   • Direction: select Outbound.
   • Vendor: select FortiGuard IOC Lookup.
   • Instance: enter an instance name or accept the default.
   • Plugin Name: is pre-populated with the name of the integration class: com.accelops.service.integration.impl.FortiGuardIOCIntegrationServiceImpl.
4. Enter an optional Description of the integration.
5. In the Max Incidents field, enter the maximum number of incidents you want recorded.
6. Click Save.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

RiskIQ Integration

• Configuring RiskIQ for FortiSIEM Integration
• RiskIQ Incident Outbound Integration

Configuring RiskIQ for FortiSIEM Integration

Register at the RiskIQ website to obtain a user name, password, and the API keys. For more information, see https://api.riskiq.net/api/concepts.html.

RiskIQ Incident Outbound Integration

Step 1: Create an Integration

To create an outbound integration, follow these steps.

1. Go to Admin > Settings > General > External Integration.
2. Click New to create a new integration or Edit to modify an existing integration.
3. In the Integration Policy dialog box, provide the following values:
   • Type: select Incident.
   • Direction: select Outbound.
   • Vendor: select RiskIQ.
   • Instance: enter an instance name or accept the default.
   • Plugin Name: is pre-populated with the name of the integration class: com.accelops.phoenix.jira.JiraTicketIntegration.
   • Username and Password, enter your RiskIQ user name and the API key as the password.
4. Enter an optional Description of the integration.
5. Click the edit icon next to Attribute Mapping.
   1. In the Incident Comments Template dialog box, select content from the Insert Content drop-down list.
   2. Click Save when you are finished.
6. Click the edit icon next to the Organization Mapping to map attributes to resources.

7. Click the edit icon next to the Run for.

   1. In the Run for dialog box, select the organizations for which the integrations will be run.
   2. Click Save when you are finished.

8. Enter the maximum number of incidents you want recorded in the Max Incidents field.
9. Click Save.

 

Step 2: Link Integration to a Notification Policy

You need to link the integration to a notification policy, so that the integration runs when the notification policy triggers.

Take the following steps.

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New to create a new policy or Edit to edit an existing policy.
3. In the Notification Settings dialog box, select Action > Invoke an Integration Policy, then select the edit icon.
4. Choose a specific integration from the drop-down list.
5. Click Save.

Configuring Communication through Proxies

If you want the communication between the FortiSIEM Supervisor and the external system to go through a proxy, then complete the following steps

1. Login to Supervisor as admin.
2. Go to the glassfish configuration directory: /opt/glassfish/domains/domain1/config.
3. Add proxy server information to the domain.xml file:

   <jvm-options>-Dhttp.proxyHost=172.30.57.100</jvm-options>

   <jvm-options>-Dhttp.proxyPort=3128</jvm-options>

   <jvm-options>-Dhttp.proxyUser=foo</jvm-options>

   <jvm-options>-Dhttp.proxyPassword=password</jvm-options>

4. Restart glassfish.

Modifying an External System Integration

Complete these steps to modify an External System Integration.

1. Use the below options to modify an External System Integration setting.
   
   

   Settings	Guidelines
   Edit	To edit an External System Integration setting.
   Delete	To delete an External System Integration setting.

2. Click Save.