FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 244054

This article describes how to easily make a query via the API for an Organization in FortiSIEM. Instead of creating the query XML file manually, it is possible to create it automatically.

Scope: API.

1) Connect to the Supervisor CLI as the root user and run:

cd /opt/phoenix/cache/query/completed


Take note of the most recent directory.


2) Go to the Analytics tab and run the query that is to be executed later via the API.


3) Back on the Supervisor CLI, in the same directory as before, notice that one new directory has been created.

Inside that latest directory is the query.xml file, containing the XML of the query that was just run from the Analytics tab:



4) Once query.xml is obtained, copy it and keep it for the next step. Also download the zip with the API examples from the official documentation:

API examples Documentation


The script in the 'events' directory can then be used with query.xml as its input:

Usage: appServer user password inputXML.

Example: python super/admin adm1n query.xml.
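As an added example that is not part of this article or of Fortinet's API example scripts, the following Python client follows the same usage (appServer user password inputXML): it parses query.xml locally, submits it over HTTPS, polls the query progress and fetches the result rows. The REST paths, the organization/username form of the user (e.g. super/admin) and the "-" password prompt are assumptions, not taken from the article.

```python
import base64
import getpass
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

# Assumed REST paths (taken from the FortiSIEM REST API reference, not from this article).
QUERY_PATH = "/phoenix/rest/query/eventQuery"
PROGRESS_PATH = "/phoenix/rest/query/progress/{qid}"
RESULTS_PATH = "/phoenix/rest/query/events/{qid}/{first}/{last}"

def parse_args(argv):
    """Same usage as the article's script: appServer user password inputXML."""
    if len(argv) != 5:
        raise SystemExit("Usage: %s appServer user password inputXML" % argv[0])
    app_server, user, password, input_xml = argv[1:]
    if password == "-":  # "-" prompts instead of leaving the secret in shell history / ps output
        password = getpass.getpass("Password for %s: " % user)
    return app_server, user, password, input_xml

def basic_auth_header(user, password):
    """HTTP Basic header; the user is written as organization/username, e.g. super/admin."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token, "Content-Type": "text/xml"}

def query_root_tag(xml_text):
    """Parse query.xml before sending it so a malformed file fails locally; returns the root tag."""
    return ET.fromstring(xml_text).tag

def api_call(app_server, path, headers, body=None):
    """One HTTPS request to the Supervisor; urlopen verifies the TLS certificate by default."""
    req = urllib.request.Request("https://%s%s" % (app_server, path), data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()

def run_query(app_server, user, password, xml_text, first=0, last=1000):
    """Submit the query, poll its progress until it reports 100, then fetch rows first..last."""
    headers = basic_auth_header(user, password)
    query_root_tag(xml_text)  # fail fast on a broken query.xml
    qid = api_call(app_server, QUERY_PATH, headers, xml_text.encode()).strip()
    while api_call(app_server, PROGRESS_PATH.format(qid=qid), headers).strip() != "100":
        time.sleep(2)
    return api_call(app_server, RESULTS_PATH.format(qid=qid, first=first, last=last), headers)

if __name__ == "__main__":
    srv, usr, pwd, path = parse_args(sys.argv)
    with open(path) as fh:
        print(run_query(srv, usr, pwd, fh.read()))
```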