FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 315395
Description

The FortiSIEM remediation script for FortiMail provides a remediation action on an incident. This article describes the required configuration on FortiMail and in FortiSIEM.

Scope

FortiMail, FortiSIEM, Remediation.
Solution

In FortiSIEM, declare the Access Method for FortiMail with the following settings:

  • Device Type: Fortinet FortiMail.
  • Access Protocol: HTTPS.
  • Port: 443.
  • URI: <leave empty>.
  • Username and Password.

Note:

Leave the URI empty. In the Device credential association, create the association using the FQDN of the FortiMail unit, so that the SSL certificate can be verified.

The connectivity test should then succeed.

Remediation scripts:

The FortiMail remediation script is located under /opt/phoenix/data-definition/remediations. The script makes two API calls when triggered:


The session_profile variable in the script must be modified to match the FortiMail configuration. In FortiMail, enable the REST API in the web-service settings:

  • Connect to a console in FortiMail.
  • Enable the REST API:

config system web-service
    set rest-api-status enable
end

The administrator account used to connect must have REST API access:

  • Connect to FortiMail GUI.
  • Enable the Advanced View.

[Image: advanced_view.png]

  • In System/Administrator, edit the user and verify that REST API access is enabled:

[Image: edit_administrator.png]

  • In Profile/Session, edit the session profile referenced by the session_profile variable in the script:

[Image: profile_session.png]

  • Expand the list at the bottom and enable 'Enable sender blocklist checking':

[Image: session_profile_enable.png]
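As an added preflight check, not part of this article or of the FortiSIEM remediation script, the Python below validates the Access Method settings listed above (device type, HTTPS on 443, empty URI, FQDN rather than IP for certificate verification) and confirms that the session_profile value declared in the script matches the FortiMail session profile. The script fragment, the profile name Inbound_Session and the host names are constructed, and the script is assumed to declare the variable with Python assignment syntax; the FortiMail REST API itself is not called.

```python
import ipaddress
import re
import socket
import ssl

# Constructed fragment standing in for the part of the FortiMail remediation
# script that declares the session profile (placeholder, not the real script).
SAMPLE_SCRIPT = '''
session_profile = "Inbound_Session"
'''

SESSION_PROFILE_RE = re.compile(r'^\s*session_profile\s*=\s*["\']([^"\']+)["\']', re.M)

def session_profile_from_script(text):
    """Return the session_profile value declared in the script, or None."""
    match = SESSION_PROFILE_RE.search(text)
    return match.group(1) if match else None

def is_fqdn(host):
    """True for a multi-label DNS name; an IP literal or bare hostname cannot match the certificate subject."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return re.fullmatch(r'(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+', host.lower()) is not None

def check_access_method(device_type, protocol, port, uri, host, script_text, fortimail_profile):
    """Return the settings that diverge from the access method described in this article."""
    problems = []
    if device_type != "Fortinet FortiMail":
        problems.append("device type must be 'Fortinet FortiMail'")
    if protocol != "HTTPS" or port != 443:
        problems.append("access protocol must be HTTPS on port 443")
    if uri:
        problems.append("URI must be left empty")
    if not is_fqdn(host):
        problems.append("associate the credential with the FortiMail FQDN so the SSL certificate verifies")
    declared = session_profile_from_script(script_text)
    if declared != fortimail_profile:
        problems.append(f"script session_profile {declared!r} does not match FortiMail profile {fortimail_profile!r}")
    return problems

def fortimail_cert_subject(host, port=443, timeout=5):
    """Live check (needs network): TLS session verifying the FortiMail certificate
    against the FQDN, the same verification the connectivity test relies on."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")
```

Run check_access_method against the values entered in FortiSIEM before using Test Connectivity; an empty list means the settings match this article.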