Connectors
Connectors displays the automated actions that can be performed in playbooks using configured FortiSoC connectors.
Local (FortiAnalyzer), FortiOS, FortiMail, FortiGuard, and FortiClient EMS connectors are supported. To view FortiSoC connectors, go to FortiSoC > Automation > Connectors.
FortiOS devices are organized as standalone devices, Cooperative Security Fabric (CSF) groups, and high availability (HA) clusters. Clicking a CSF or HA grouping expands the list to display all FortiGate members.
The status of each FortiSoC connector is indicated with a colored icon:
- Green: The API connection is successful.
- Black: The API connection status is unknown.
- Red: The API connection is down.
You can see when the status was last updated by hovering your mouse over the status icon. Click the refresh icon to get an updated status.
The following information is displayed for configured connectors:
| Connector type | Field | Description |
|---|---|---|
| Local, FortiMail, FortiGuard and EMS connectors | Name | The name of the action. |
| | Description | A description of the action. |
| | Parameter | The parameters that can be specified when configuring the action. Required parameters are marked with an asterisk (*). |
| | Output | The output available with the action. Not applicable to FortiGuard connectors. |
| FortiOS connectors | Automation Rule | The name of the automation rule created on FortiOS. |
| | Automation Action | The action(s) that occur when the task is triggered. |
| | Parameter | The parameters that can be specified when configuring the action. Required parameters are marked with an asterisk (*). |
Configuring FortiSoC connectors
Local Connector
The local connector is the default connector for FortiAnalyzer and is available automatically. The local connector displays a set of predefined FortiAnalyzer actions to be used within playbooks.
Local connectors include the following actions:
| Name | Description | Output |
|---|---|---|
| Update Asset and Identity | Update FortiAnalyzer's Asset and Identity. | N/A |
| Get Events | Get events. | events |
| Get Endpoint Vulnerabilities | Get endpoint vulnerabilities. | vulnerabilities |
| Create Incident | Create a new incident. | incident_id |
| Update Incident | Update an existing incident. | N/A |
| Attach Data to Incident | Attach the specified data to an existing incident. | attach_ids |
| Run Report | Run the specified FortiAnalyzer report. | report_uuid |
| Get EPEU from incidents | Get the EPEU from an incident. | epeu |
EMS Connector
FortiClient EMS connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors. Individual FortiClient EMS connector actions can be toggled on and off while editing the connector in Fabric View.
FortiClient EMS connectors include the following actions:
| Name | Description | Output |
|---|---|---|
| Get Endpoints | Retrieve the list of endpoints and all related information to enrich FortiAnalyzer asset and identity views. | ems_endpoints |
| Quarantine | Quarantine an endpoint. | N/A |
| Unquarantine | Release an endpoint from quarantine. | N/A |
| Vulnerability Scan | Run a vulnerability scan on endpoints. | N/A |
| AV Quick Scan | Run a quick antivirus scan on endpoints. | N/A |
| AV Full Scan | Run a full antivirus scan on endpoints. | N/A |
| Get Software Inventory | Retrieve the list of software and apps installed on an endpoint to enrich the FortiAnalyzer asset view. | softwares |
| Get Process List | Retrieve the list of processes running on the endpoint OS. | processes |
| Get Vulnerabilities | Retrieve the list of vulnerabilities detected on the endpoint OS. | vulnerabilities |
FortiMail Connector
FortiMail connectors are configured as Security Fabric connectors in Fabric View > Fabric Connectors. See Creating or editing Security Fabric connectors.
Individual FortiMail connector actions can be toggled on and off while editing the connector in Fabric View.
FortiMail connectors include the following actions:
| Name | Description | Output |
|---|---|---|
| Get Email Statistics | Query statistics for a given email address. | statistics |
| Get Sender Reputation | Query a given sender's reputation information. | reputation |
| Add Sender to Blocklist | Update the system-level and domain-level blocklist. | N/A |
FortiGuard Connector
The FortiGuard connector is automatically configured in FortiSoC when a valid license has been applied to FortiAnalyzer.
FortiGuard connectors include the following actions:
| Name | Description |
|---|---|
| Lookup Indicator | Look up indicators in FortiGuard to get threat intelligence. |
FortiOS Connector
The FortiOS connector is added after the first FortiGate has been authorized on an ADOM. Additional devices authorized to the ADOM are displayed as separate entries within the same connector. FortiOS connectors are available in FortiGate and Fabric ADOMs.
Enabling FortiOS actions
The actions available with FortiOS connectors are determined by the automation rules configured on each FortiGate. Only automation rules that use the Incoming Webhook trigger are shown as actions in FortiSoC, so they must be created in FortiOS first. Automation rules are configured in the FortiOS GUI under Security Fabric > Automation. For information on creating FortiOS automation rules, see the FortiOS administration guide.
Rules for FortiOS actions:
- Automation rules must use the Incoming Webhook trigger.
- Automation rules are configured on FortiGate devices individually.
- When multiple FortiOS connectors are configured, FortiAnalyzer decides which device to call based on the devid (serial number) identified in the task. FortiGate serial numbers can be manually entered or supplied by a preceding task.
- Automation rules must have unique names to be displayed in the task's Action dropdown menu. Rules sharing the same name will appear only once, as they are considered to be the same automation rule configured on multiple FortiGate devices.
- FortiOS automation rules are only displayed in FortiSoC when they are enabled in FortiOS.
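The rules above together decide which rule names a playbook task can offer and which FortiGate is called for a given task. The following is an added example, not FortiAnalyzer or FortiOS code, that models that selection logic over a constructed inventory of three FortiGates: it keeps only enabled rules with an incoming-webhook trigger, collapses rules that share a name into one dropdown entry, and resolves a task's devid (serial number) to a single device before building the webhook request. The inventory, host names and serials are constructed sample data, and the webhook URL path is an assumption about the FortiOS incoming-webhook endpoint; check it against the FortiOS administration guide for your version before relying on it.

```python
"""Added example (not FortiAnalyzer/FortiOS code): how the "Rules for FortiOS
actions" shape the Action dropdown and the device that receives the webhook.

Assumptions (also marked in comments below):
- INVENTORY is constructed sample data, not pulled from real FortiGates.
- The path /api/v2/monitor/system/automation-stitch/webhook/<name> is an
  assumption about the FortiOS incoming-webhook endpoint.
"""
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class AutomationRule:
    name: str
    trigger: str      # e.g. "incoming-webhook", "ioc", "event-log"
    enabled: bool
    actions: tuple    # action names, shown as "Automation Action" in FortiSoC


@dataclass(frozen=True)
class FortiGate:
    devid: str        # serial number used by FortiAnalyzer to pick the device
    host: str
    rules: tuple


# Constructed sample inventory: overlapping rule names, one wrong trigger,
# one disabled rule, so every rule in the list above is exercised.
INVENTORY = (
    FortiGate("FGT-SN-AAA", "fgt-a.example.net", (
        AutomationRule("quarantine-host", "incoming-webhook", True, ("quarantine",)),
        AutomationRule("block-ip", "incoming-webhook", True, ("ip-ban",)),
        AutomationRule("ioc-alert", "ioc", True, ("email",)),  # not a webhook rule
    )),
    FortiGate("FGT-SN-BBB", "fgt-b.example.net", (
        AutomationRule("quarantine-host", "incoming-webhook", True, ("quarantine",)),
        AutomationRule("block-ip", "incoming-webhook", False, ("ip-ban",)),  # disabled
    )),
    FortiGate("FGT-SN-CCC", "fgt-c.example.net", (
        AutomationRule("reboot", "incoming-webhook", True, ("cli-script",)),
    )),
)


def callable_rules(device):
    """Rules FortiSoC would list for one device: webhook-triggered and enabled."""
    return [r for r in device.rules if r.trigger == "incoming-webhook" and r.enabled]


def action_dropdown(inventory):
    """Names offered in the task's Action dropdown across all FortiOS connectors.

    A name appears once even when several FortiGates carry it, because FortiSoC
    treats same-named rules as one rule configured on multiple devices.
    Returns {rule name: sorted devids that have it enabled}.
    """
    menu = {}
    for dev in inventory:
        for rule in callable_rules(dev):
            menu.setdefault(rule.name, []).append(dev.devid)
    return {name: sorted(devs) for name, devs in sorted(menu.items())}


def resolve_task(inventory, action, devid):
    """Pick the FortiGate whose serial matches the task's devid and build the
    webhook request. Raises LookupError when no connector has that serial or
    the device lacks an enabled incoming-webhook rule with that name, which is
    the failure a playbook hits when a preceding task supplies the wrong devid.
    """
    dev = next((d for d in inventory if d.devid == devid), None)
    if dev is None:
        raise LookupError(f"no FortiOS connector for devid {devid!r}")
    rule = next((r for r in callable_rules(dev) if r.name == action), None)
    if rule is None:
        raise LookupError(f"{action!r} is not an enabled incoming-webhook rule on {devid}")
    # Endpoint path is an assumption (see module docstring). The rule name is
    # URL-encoded because FortiOS rule names may contain spaces.
    url = (f"https://{dev.host}/api/v2/monitor/system/automation-stitch/webhook/"
           f"{quote(rule.name, safe='')}")
    return {"method": "POST", "url": url, "devid": devid, "actions": list(rule.actions)}


if __name__ == "__main__":
    for name, devs in action_dropdown(INVENTORY).items():
        print(f"{name:16s} -> {', '.join(devs)}")
    print(resolve_task(INVENTORY, "block-ip", "FGT-SN-AAA")["url"])
```

Running the block shows "quarantine-host" listed once for two devices, "block-ip" only for FGT-SN-AAA (it is disabled on FGT-SN-BBB), and "ioc-alert" absent because its trigger is not Incoming Webhook. Calling `resolve_task` with "block-ip" and "FGT-SN-BBB" raises, which is the case to watch for when a preceding task supplies the serial number.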