CMDB Lookup Function

Details of the following CMDB lookup function are available.

DeviceToCMDBAttr Function

DeviceToCMDBAttr(<deviceId>,<cmdbAttribute>) returns the value of <cmdbAttribute> for the device specified by <deviceId>. The device must be present in CMDB (the PostgreSQL database).

Syntax

For simple CMDB Attributes that are attached to a device, the syntax is:

DeviceToCMDBAttr(<deviceId>,<cmdbAttr>)

  • deviceId can be any event attribute that FortiSIEM can use to look up the device in CMDB. Common examples are device name and IP fields, e.g. hostName, hostIpAddr, srcName, srcIpAddr, destName, destIpAddr, etc.
  • cmdbAttr is a custom property defined in Admin > Device Support > Custom Properties.

Some CMDB Attributes are attached to an interface or a disk of a device rather than to the device itself. In this case the syntax is:

DeviceToCMDBAttr(<deviceId>,<deviceAttr>,<cmdbAttr>)

  • deviceId can be any event attribute that FortiSIEM can use to look up the device in CMDB. Common examples are device name and IP fields, e.g. hostName, hostIpAddr, srcName, srcIpAddr, destName, destIpAddr, etc.
  • deviceAttr is the device attribute that identifies the interface or disk: intfName or diskName.
  • cmdbAttr is a custom property defined in Admin > Device Support > Custom Properties.

As an example:

DeviceToCMDBAttr(hostIpAddr,intfName,IntfErrPctThreshCrit)

DeviceToCMDBAttr(hostIpAddr,diskName,DiskSpaceUtilThreshCrit)

Scope

Available for rules and EventDB, ClickHouse and Elasticsearch queries.

Example

CMDB:

Device Name | country | intfName | NetIntfUtilThreshCrit
Host1       | U.S.A   | Intf1    | 75
Host2       | France  | Intf1    | 90
Host2       | France  | Intf2    | 75

Event Matching:

phRecvTime | eventType  | hostName | intfName | intfUtil | DeviceToCMDBAttr(hostName,country) | DeviceToCMDBAttr(hostName,intfName,NetIntfUtilThreshCrit)
T1         | Intf_Usage | Host1    | Intf1    | 40       | U.S.A                              | 75
T2         | Intf_Usage | Host2    | Intf1    | 80       | France                             | 90
T2         | Intf_Usage | Host2    | Intf2    | 60       | France                             | 75
T3         | Intf_Usage | Host3    | Intf1    |          | <No match>                         | <No match>

Host3 is not present in CMDB, so both lookups for the T3 event return <No match>.
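As an added illustration, not FortiSIEM code, the following Python models the lookup semantics of the two-argument and three-argument forms described above and reproduces the Event Matching table, including the <No match> result for a device absent from CMDB. The CMDB rows, the events, and the rule-style comparison of intfUtil against the per-interface NetIntfUtilThreshCrit are constructed here for the example.

```python
NO_MATCH = "<No match>"

# Constructed CMDB rows mirroring the page's example table:
# (Device Name, country, intfName, NetIntfUtilThreshCrit)
CMDB_ROWS = [
    ("Host1", "U.S.A", "Intf1", 75),
    ("Host2", "France", "Intf1", 90),
    ("Host2", "France", "Intf2", 75),
]

# Constructed Intf_Usage events from the Event Matching table; Host3 is absent from CMDB.
EVENTS = [
    {"phRecvTime": "T1", "hostName": "Host1", "intfName": "Intf1", "intfUtil": 40},
    {"phRecvTime": "T2", "hostName": "Host2", "intfName": "Intf1", "intfUtil": 80},
    {"phRecvTime": "T2", "hostName": "Host2", "intfName": "Intf2", "intfUtil": 60},
    {"phRecvTime": "T3", "hostName": "Host3", "intfName": "Intf1", "intfUtil": None},
]

def build_cmdb(rows):
    """Index device-level and interface-level custom properties."""
    devices, interfaces = {}, {}
    for name, country, intf, thresh in rows:
        devices.setdefault(name, {})["country"] = country
        interfaces[(name, intf)] = {"NetIntfUtilThreshCrit": thresh}
    return devices, interfaces

def device_to_cmdb_attr(cmdb, event, device_id, *args):
    """Model of DeviceToCMDBAttr: 2 args look up a device property, 3 args
    look up a property attached to an interface or disk. An unknown device
    or attribute yields '<No match>', as in the page's table."""
    devices, interfaces = cmdb
    device = event.get(device_id)
    if len(args) == 1:
        return devices.get(device, {}).get(args[0], NO_MATCH)
    device_attr, cmdb_attr = args
    return interfaces.get((device, event.get(device_attr)), {}).get(cmdb_attr, NO_MATCH)

def evaluate(cmdb, events):
    """Resolve both lookups per event and test intfUtil >= NetIntfUtilThreshCrit."""
    rows = []
    for ev in events:
        country = device_to_cmdb_attr(cmdb, ev, "hostName", "country")
        thresh = device_to_cmdb_attr(cmdb, ev, "hostName", "intfName", "NetIntfUtilThreshCrit")
        util = ev["intfUtil"]
        # Host2/Intf1 at 80 stays below its own 90 threshold, so it does not
        # fire; a blank utilisation or a <No match> threshold never fires.
        crit = util is not None and thresh != NO_MATCH and util >= thresh
        rows.append((ev["hostName"], ev["intfName"], country, thresh, crit))
    return rows
```

Because the threshold comes from the interface's own CMDB property, the same 80% utilisation that would exceed a single global 75% setting does not fire for Host2/Intf1.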