Get Finding List

Description

Get all the findings of a specific resource in a custom date range.

URL

/api/v2/finding/list

Request Method: Post

Request Headers

Key Value Type Description
companyId <12345> Integer Company ID in FortiCNP; can be obtained through Get Resource Map
roleId <12345> Long Login user identity; can be obtained through Get Resource Map
Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCNP
Content-Type application/json String

Request Body Parameters

Name Required Type Description
startTime Required Long Starting time of the filtered open alerts as a Unix Epoch timestamp. The timestamp needs to be in milliseconds. To convert a date and time to a Unix Epoch timestamp, refer to https://www.epochconverter.com/.
endTime Required Long Ending time of the filtered open alerts as a Unix Epoch timestamp. The timestamp needs to be in milliseconds. To convert a date and time to a Unix Epoch timestamp, refer to https://www.epochconverter.com/.
skip Required Integer Index into the result set, used to exclude the first N items of a resource collection from the response.
limit Required Integer Maximum number of returned items.
objectId Required Integer The resource ID of the resource. The resource ID can be obtained through the FortiCNP INSIGHTS > Risk > Resource Detail page.

Resource ID

Look for a resource that has at least 1 finding in the Resource Detail page. Use its Resource ID as the objectId parameter in the request body.

Sample Request

Use the resource ID as the objectId parameter and convert the start time and end time of the requested resource into Epoch timestamps in milliseconds for startTime and endTime parameters.

Request URL

POST https://www.forticnp.com/api/v2/finding/list

Request Header

Authorization: Bearer <Authorization_Token>

roleId: 89145

companyId: 89146

Content-Type: application/json

Request Body

{
  "skip": 0,
  "limit": 20,
  "endTime": 1656201875000,
  "startTime": 1655597075000,
  "objectId": 8368758
}

Response Variables

Name Required / Optional Type Description
buId Required integer Business ID; one service ID per buId
companyId Required String Company ID
id Required String Alert identity
object Optional String Name of the object that triggered the alert
objectType Required String Object type of the alert
objectId (File ID) Required String Object ID, i.e. the resource ID of the resource in FortiCNP
user Optional String User information
userName Optional String User name
severity Required String Severity of the finding
serviceId Required String ID that distinguishes between different accounts of the same cloud service in FortiCNP
violationActivity Required String Violating activity that triggered the alert
displayOperation Required String Operation that triggered the alert
createTime Required long Timestamp of when the alert was created
updateTime Required long Timestamp of when the alert was last updated
policyName Required String Name of the policy that triggered the alert
policyId Required String ID of the policy that triggered the alert
policyCode Required String Policy code of the policy violation in the alert
contextName Required String Context name of the violated policy
userId Required String ID of the user who triggered the alert
eventId Required String Event ID
eventIdList Required Array List of the event IDs
service Required Application Cloud service (e.g. AWS, Google Cloud, etc.)
resultDesc Required String Description of the violation context (a JSON document encoded as a string)
geoLocationList Required Array Place where the activity occurred
alertType Required String Classification of the alert
alertSubType Required String Sub-classification of the alert
defineType Required String Type of policy: predefined or customized
state Required String Alert state
resourceId Required String The resource ID of the resource as provided by the cloud vendor (AWS, Azure, etc.)
totalPage Required integer Total number of pages of matching alerts
limit Required integer Maximum number of alerts returned in one page
skip Required integer Index into the result set, used to exclude the first N items of a resource collection from the response
totalCount Required integer Total number of matching alerts

Sample Response

{
  "data": [
    {
      "buId": 8364327,
      "companyId": "895146",
      "timestampUUID": "8364327-AWS-1117262733534276-arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
      "id": "8364327-AWS-1117262733534276-arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
      "object": "ProxyVM",
      "objectType": "RESOURCE",
      "objectId": "8368758",
      "user": "",
      "userName": "",
      "severity": "High",
      "applicationId": "677383417454",
      "violationActivity": "NONE",
      "displayOperation": "NONE",
      "createTime": 1655756680980,
      "updateTime": 1656092259000,
      "policyName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
      "policyId": "1117262733534276",
      "policyCode": "1117262733534276",
      "contextName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
      "eventIdList": [
        null
      ],
      "service": "AWS",
      "description": "EC2 instance i-07d63da1e57a53ed0 is querying a domain name that is associated with Bitcoin-related activity.",
      "resultDesc": "{\"awsAccountId\":\"677383417454\",\"companyName\":\"Amazon\",\"createdAt\":\"2022-06-20T20:24:40.980Z\",\"description\":\"EC2 instance i-07d63da1e57a53ed0 is querying a domain name that is associated with Bitcoin-related activity.\",\"findingProviderFields\":{\"severity\":{\"label\":\"HIGH\"},\"types\":[\"TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS\",\"Effects/Resource Consumption/CryptoCurrency:EC2-BitcoinTool.B!DNS\"]},\"firstObservedAt\":\"2022-06-20T19:46:03.000Z\",\"generatorId\":\"arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114\",\"id\":\"arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58\",\"lastObservedAt\":\"2022-06-24T16:50:49.000Z\",\"productArn\":\"arn:aws:securityhub:us-east-1::product/aws/guardduty\",\"productFields\":{\"aws/guardduty/service/action/dnsRequestAction/blocked\":\"false\",\"aws/guardduty/service/additionalInfo/threatListName\":\"ProofPoint\",\"aws/guardduty/service/archived\":\"false\",\"aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatNames\":\"[]\",\"aws/guardduty/service/additionalInfo/value\":\"{\\\"threatListName\\\":\\\"ProofPoint\\\"}\",\"aws/guardduty/service/resourceRole\":\"TARGET\",\"aws/securityhub/ProductName\":\"GuardDuty\",\"aws/guardduty/service/count\":\"11\",\"aws/guardduty/service/action/dnsRequestAction/domain\":\"pool.minergate.com\",\"aws/guardduty/service/additionalInfo/type\":\"default\",\"aws/guardduty/service/serviceName\":\"guardduty\",\"aws/guardduty/service/action/dnsRequestAction/protocol\":\"UDP\",\"aws/guardduty/service/detectorId\":\"aabe29283493fbad8bb9b851b28c9114\",\"aws/securityhub/CompanyName\":\"Amazon\",\"aws/guardduty/service/eventFirstSeen\":\"2022-06-20T19:46:03.000Z\",\"aws/guardduty/service/eventLastSeen\":\"2022-06-24T16:50:49.000Z\",\"aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatListName\":\"ProofPoint\",\"aws/guardduty/service/action/actionType\":\"DNS_REQUEST\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58\"},\"productName\":\"GuardDuty\",\"recordState\":\"ACTIVE\",\"region\":\"us-east-1\",\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::677383417454:instance-profile/ssm_role\",\"imageId\":\"ami-013f17f36f8b1fefb\",\"ipV4Addresses\":[\"3.238.202.145\",\"172.31.59.59\"],\"launchedAt\":\"2021-03-31T18:44:00.000Z\",\"subnetId\":\"subnet-0eccfc01\",\"type\":\"r5.large\",\"vpcId\":\"vpc-d64dc7ac\"}},\"id\":\"arn:aws:ec2:us-east-1:677383417454:instance/i-07d63da1e57a53ed0\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"tags\":{\"Name\":\"ProxyVM\"},\"type\":\"AwsEc2Instance\"}],\"sample\":false,\"schemaVersion\":\"2018-10-08\",\"severity\":{\"label\":\"HIGH\",\"normalized\":50,\"product\":8.0},\"sourceUrl\":\"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=30c0c164f78a232c69b2a75f341e8e58\",\"title\":\"Bitcoin-related domain name queried by EC2 instance i-07d63da1e57a53ed0.\",\"types\":[\"TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS\",\"Effects/Resource Consumption/CryptoCurrency:EC2-BitcoinTool.B!DNS\"],\"updatedAt\":\"2022-06-24T17:37:39.672Z\",\"workflow\":{\"status\":\"NEW\"},\"workflowState\":\"NEW\"}",
      "matches": 0,
      "region": "us-east-1",
      "alertType": "Amazon GuardDuty",
      "defineType": "Predefined",
      "title": "Bitcoin-related domain name queried by EC2 instance i-07d63da1e57a53ed0.",
      "nodeType": "EC2 Instance",
      "port": "0",
      "state": "Open",
      "resourceId": "i-07d63da1e57a53ed0"
    }
  ],
  "totalPage": 6,
  "limit": 1,
  "skip": 0,
  "totalCount": 6
}
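The sample request and sample response above are tied together in the following client sketch. It is an added example, not FortiCNP's own code or SDK: it builds the documented headers and body, walks the result set with skip/limit until totalCount is reached, and decodes each finding's resultDesc, which arrives as a JSON document inside a JSON string, to pull out the fields an analyst triages first (the cloud provider's finding ID and, for this GuardDuty case, the queried DNS domain). The endpoint URL, header names, body parameters and response fields come from this page; the pagination rule (advance skip by the number of items returned), the urllib transport, the injectable post function and the abbreviated sample response are assumptions made for the example. The bearer token is read from an environment variable rather than written into source.

```python
"""Added example (not FortiCNP's code): call Get Finding List, paginate, and
extract triage fields. Endpoint/field names are from the documentation; the
transport injection, pagination rule and sample data are assumptions."""
import json
import os
import urllib.request
from datetime import datetime, timezone

FINDING_LIST_URL = "https://www.forticnp.com/api/v2/finding/list"
# The documented sample window: 2022-06-19T00:04:35Z to 2022-06-26T00:04:35Z.
DEFAULT_START = datetime(2022, 6, 19, 0, 4, 35, tzinfo=timezone.utc)
DEFAULT_END = datetime(2022, 6, 26, 0, 4, 35, tzinfo=timezone.utc)


def to_epoch_ms(dt: datetime) -> int:
    """startTime/endTime must be Unix epoch milliseconds; insist on tz-aware input."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid off-by-hours bugs")
    return int(dt.timestamp() * 1000)


def build_headers(token: str, company_id: int, role_id: int) -> dict:
    """The four documented request headers; the token comes from the caller."""
    return {"Authorization": f"Bearer {token}", "companyId": str(company_id),
            "roleId": str(role_id), "Content-Type": "application/json"}


def build_body(object_id: int, start: datetime, end: datetime, skip: int, limit: int) -> dict:
    """The documented request body; reject an empty or inverted window early."""
    if end <= start:
        raise ValueError("endTime must be after startTime")
    return {"skip": skip, "limit": limit, "startTime": to_epoch_ms(start),
            "endTime": to_epoch_ms(end), "objectId": object_id}


def urllib_post(url: str, headers: dict, body: dict) -> dict:
    """Real transport (assumed: JSON in, JSON out over HTTPS). Not used by demo()."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_findings(post, headers: dict, object_id: int, start: datetime, end: datetime, limit: int = 20):
    """Yield every finding in the window. Assumption: skip advances by the number
    of items returned and the walk stops once skip reaches totalCount."""
    skip = 0
    while True:
        page = post(FINDING_LIST_URL, headers, build_body(object_id, start, end, skip, limit))
        data = page.get("data", [])
        if not data:  # defensive stop: never loop on an empty page
            return
        yield from data
        skip += len(data)
        if skip >= page.get("totalCount", 0):
            return


def parse_finding(raw: dict) -> dict:
    """Decode resultDesc (JSON-as-string) a second time and keep the triage fields."""
    detail = json.loads(raw.get("resultDesc") or "{}")
    product = detail.get("productFields", {})
    return {"id": raw["id"], "severity": raw.get("severity"), "state": raw.get("state"),
            "policyName": raw.get("policyName"), "resourceId": raw.get("resourceId"),
            "provider_finding_id": detail.get("id"),
            "first_observed": detail.get("firstObservedAt"),
            "dns_domain": product.get("aws/guardduty/service/action/dnsRequestAction/domain")}


# Constructed sample finding, abbreviated from the documented sample response.
SAMPLE_FINDING = {
    "id": "8364327-AWS-1117262733534276-arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
    "severity": "High", "state": "Open", "resourceId": "i-07d63da1e57a53ed0",
    "policyName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
    "resultDesc": json.dumps({
        "id": "arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
        "firstObservedAt": "2022-06-20T19:46:03.000Z",
        "productFields": {"aws/guardduty/service/action/dnsRequestAction/domain": "pool.minergate.com"},
    }),
}


def fake_post_factory(total_count: int):
    """Constructed offline transport: one finding per page, records requested skips."""
    seen_skips = []

    def fake_post(url, headers, body):
        seen_skips.append(body["skip"])
        return {"data": [SAMPLE_FINDING], "totalPage": total_count, "limit": body["limit"],
                "skip": body["skip"], "totalCount": total_count}
    return fake_post, seen_skips


def demo(total_count: int = 3):
    """Run the full flow against the fake transport; returns (findings, skips)."""
    token = os.environ.get("FORTICNP_TOKEN", "<Authorization_Token>")  # never hard-code it
    headers = build_headers(token, 89146, 89145)  # companyId / roleId from the sample
    post, skips = fake_post_factory(total_count)
    findings = [parse_finding(f) for f in
                iter_findings(post, headers, 8368758, DEFAULT_START, DEFAULT_END, limit=1)]
    return findings, skips


if __name__ == "__main__":
    for f in demo()[0]:
        print(f["severity"], f["resourceId"], f["dns_domain"], f["provider_finding_id"])
```

To run it against the live service, pass urllib_post instead of the fake transport and set FORTICNP_TOKEN in the environment; with limit=1 and the documented totalCount of 6, the walk would issue six requests with skip 0 through 5. The two-stage JSON decode matters for detection pipelines: the provider-specific context (GuardDuty's productFields, the EC2 instance details, the queried domain) is only reachable after parsing resultDesc, so a SIEM mapping that stops at the top-level fields loses exactly the evidence an analyst needs.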
