FortiSIEM Discussions
harshjoshi
New Contributor II

Want a workflow for implementation

Hey there,

 

I have a use case to be implemented in FortiSIEM. The flow is that I want to filter the events and, based on the filtered events, I want IOCs from them; I want to enrich each IOC using an API call and store the API response. Using that stored API response I want to create dashboards. So, the questions are as mentioned below:

 

  1. How to filter the events?
  2. Once the events are filtered, how to extract the IOC from that event, and where to store it to make the API call?
  3. How to make an API call to an external lookup tool for those filtered events or IOCs? Do we have to create an integration?
  4. How and where to store the API response data so that it can be used to create a dashboard?
  5. How to create custom dashboards?

 

Please guide me through the entire flow of how to implement this, i.e. what the ideal flow of this whole procedure should be.

Secusaurus
Contributor II

Hi @harshjoshi,

 

These are a lot of steps, adding a lot of complexity and probably raising a lot of questions while trying to answer that.

I suppose you will get better answers when asking about specific tasks.

 

For a start, I would recommend going through the (free!) Fortinet trainings "FCP" and "FCSS" for FortiSIEM at https://training.fortinet.com

That might answer a lot of questions. Especially your question about filtering feels like you might want to look at the basic principles of FSM as well.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
harshjoshi

Basically, I want to enrich log data (e.g. IP addresses, URLs, file hashes etc., basically IOCs) using an external lookup tool like VirusTotal or Malwarebytes, which can provide me detailed information about a particular IOC via an API call, and after enrichment I want to create a dashboard using that data. So the logs and the data used to enrich will be from the platform itself, after the data is filtered. I want clarity on the flow of how enrichment can happen using the data present.

FSM_FTNT

You can do this with FortiGuard and VirusTotal for incidents, but not on events as they are received.

You need to configure it as per https://help.fortinet.com/fsiem/7-3-0/Online-Help/HTML5_Help/Integration-settings.htm?Highlight=viru... and then, when looking at an Incident (from v7.2 onwards) in the slide-in on the right, any indicators extracted can be reviewed by clicking the icon of a man.

It isn't practical to do real-time lookups and enrichment of events to external services when they are received; if you can imagine thousands of logs being received, an API lookup in real time wouldn't keep up.

An alternative would be to enrich the events using lookup tables that are populated on a schedule at query time.
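The scheduled lookup-table approach described above, as an added illustration that is not part of this thread or of FortiSIEM itself: IOCs are extracted from a batch of filtered events, deduplicated, and only the ones missing from (or expired in) a local cache are sent to the external reputation service, so a batch of thousands of events costs a handful of API calls instead of one per event. The sample events and the `fake_reputation_lookup` stub are constructed; swap the stub for a real client (e.g. a VirusTotal call) and load the CSV output into a FortiSIEM lookup table on your schedule.

```python
import csv, io, re, time

# Constructed sample events (not real FortiSIEM output); note the repeated source IP.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z fw01 deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=445",
    "2024-05-01T10:00:02Z av01 quarantine file=invoice.exe sha256=" + "a" * 64,
    "2024-05-01T10:00:03Z fw01 allow src=203.0.113.7 dst=10.0.0.9 proto=tcp dport=443",
    "2024-05-01T10:00:05Z proxy01 block url=http://example.invalid/dl.php client=10.0.0.5",
]

IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"']+"),
}
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")

def extract_iocs(events):
    """Return sorted, deduplicated (type, value) pairs; internal/loopback IPs are skipped."""
    found = set()
    for line in events:
        for kind, pattern in IOC_PATTERNS.items():
            for value in pattern.findall(line):
                if kind == "ip" and PRIVATE_IP.match(value):
                    continue
                found.add((kind, value.lower() if kind == "sha256" else value))
    return sorted(found)

def fake_reputation_lookup(kind, value):
    """Stand-in for an external reputation API (hypothetical stub, not a real client)."""
    bad = kind == "sha256" or value.startswith("203.0.113.")
    return {"verdict": "malicious" if bad else "unknown", "source": "stub"}

def refresh_lookup_table(events, cache, lookup=fake_reputation_lookup, ttl=86400, now=None):
    """Scheduled job: query the external service only for unknown or expired IOCs.
    Returns the number of API calls made; cache is updated in place."""
    now = time.time() if now is None else now
    calls = 0
    for key in extract_iocs(events):
        entry = cache.get(key)
        if entry is None or now - entry["fetched"] > ttl:
            cache[key] = {"fetched": now, **lookup(*key)}
            calls += 1
    return calls

def to_csv(cache):
    """Serialise the cache as a CSV suitable for import as a lookup table."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ioc_type", "ioc_value", "verdict", "source", "fetched_epoch"])
    for (kind, value), e in sorted(cache.items()):
        writer.writerow([kind, value, e["verdict"], e["source"], int(e["fetched"])])
    return buf.getvalue()
```

Enrichment then happens at query time by joining the event's IP/hash/URL attribute against the imported table, so the dashboard reads cached verdicts rather than triggering lookups.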

FSM_FTNT
Staff

Hi @harshjoshi, some of these questions can be addressed with this: https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/412973/gener...

Use it to monitor an API endpoint, get the results back as an event, and then parse it and create rules or dashboards on the event.