Setting up the FortiAnalyzer Integration App

6.2.3

ServiceNow requirements

  • A ServiceNow subscription.
  • FortiAnalyzer 6.0.2 or higher.
  • ServiceNow SecOps Incident Response App.

For information on ServiceNow licenses, contact ServiceNow.

For information on ServiceNow user roles and permissions, see ServiceNow roles.

Download the FortiAnalyzer Integration App

To download the app, go to the ServiceNow store and search for FortiAnalyzer Integration App V2. Click Get, then follow the on-screen instructions to download the app.

After downloading the app, add it to the Favorites menu for easy access.

Create a ServiceNow API account

  1. In ServiceNow, create an account for API communication with FortiAnalyzer.

    For more information, see the ServiceNow documentation.

  2. Assign these roles to this account:

    Role: import_transformer
    Description: This is a system role to manage import set transform maps and run transforms.

    Role: x_forti_fazintgv2.snAPI
    Description: This role is required to access ServiceNow API so FortiAnalyzer can send incident notifications to the FortiAnalyzer Integration App.

    Role: sn_si.basic
    Description: This role comes with ServiceNow SecOps Incident Response App to view and create security incidents.

    Refer to ServiceNow documents for more information.
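
The API account should hold the three roles above and nothing broader. The following check is an added example, not part of the Fortinet or ServiceNow documentation: it audits an account's role assignments for missing roles, extra directly assigned roles, and high-privilege roles. The record shape (a "role" name and an "inherited" flag), the sample records, the contained-role name, and the choice of admin and security_admin as high-privilege roles are assumptions made for illustration.

```python
"""Audit a ServiceNow API account against the roles this guide assigns."""

# Roles listed in step 2 of "Create a ServiceNow API account".
REQUIRED_ROLES = frozenset({
    "import_transformer",
    "x_forti_fazintgv2.snAPI",
    "sn_si.basic",
})

# Assumption: roles that should never sit on an integration account.
HIGH_PRIVILEGE_ROLES = frozenset({"admin", "security_admin"})


def audit_roles(role_records):
    """Return findings for one account.

    role_records: iterable of dicts with "role" (name) and "inherited" (bool),
    a simplified, hypothetical export of the account's role assignments.
    """
    direct = {r["role"] for r in role_records if not r.get("inherited", False)}
    inherited = {r["role"] for r in role_records if r.get("inherited", False)}
    held = direct | inherited

    findings = {
        "missing": sorted(REQUIRED_ROLES - held),          # integration will fail
        "extra_direct": sorted(direct - REQUIRED_ROLES),   # privilege drift
        "high_privilege": sorted(held & HIGH_PRIVILEGE_ROLES),
    }
    # Inherited roles are tolerated unless they are high-privilege.
    findings["compliant"] = not any(findings.values())
    return findings


# Constructed sample: the three roles plus one role inherited from them.
SAMPLE_OK = [
    {"role": "import_transformer", "inherited": False},
    {"role": "x_forti_fazintgv2.snAPI", "inherited": False},
    {"role": "sn_si.basic", "inherited": False},
    {"role": "example_contained_role", "inherited": True},  # hypothetical name
]

# Constructed sample: one required role missing, two roles added by hand.
SAMPLE_DRIFT = [
    {"role": "import_transformer", "inherited": False},
    {"role": "sn_si.basic", "inherited": False},
    {"role": "admin", "inherited": False},
    {"role": "itil", "inherited": False},
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(name, audit_roles(sample))
```
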

Set up the system properties

  1. Open the FortiAnalyzer Integration App and go to FortiAnalyzer System Properties.
  2. Configure Connection to FortiAnalyzer API:

    Property: Domain
    Description: Enter the FortiAnalyzer domain name without the protocol, for example, fortianalyzer.myorganization.com

    Property: Port number
    Description: If you change the port number, you must also change it in FortiAnalyzer.

    Property: Username, Password
    Description: Enter the username and password of the FortiAnalyzer account to use with the FortiAnalyzer Integration App. This account must have JSON-RPC read-write permission in FortiAnalyzer.
  3. Configure Connection to ServiceNow API.

    Enter the Username and Password for the ServiceNow API account you created in the previous section.

  4. Configure App Settings:

    Property: Create a security incident in Security Incident Response App, upon receiving new incident notifications from FortiAnalyzer
    Description: Automatically creates an incident in the FortiAnalyzer Integration App from an imported FortiAnalyzer incident.
    Tooltip: You can create a business rule to further customize incidents after creation in ServiceNow. See Automation with business rules.

    Property: Keep updating FortiAnalyzer incidents, upon receiving update notifications from FortiAnalyzer
    Description: Updates FortiAnalyzer incidents after the initial import. This setting is enabled by default.

    Property: Fetch events from FortiAnalyzer ADOMs automatically
    Description:
      1. From the FortiAnalyzer ADOMs list, select the ADOMs you want to import events from.
      2. Use the Start Date filter to select the date to start importing events.
      3. (Optional) Select Keep updating FortiAnalyzer events to automatically update FortiAnalyzer events after the initial import.
  5. Click Save.
