FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
tskandamis
Staff
Article Id 244054
Description

This article describes how to easily build a query for an Organization via the FortiSIEM API. Instead of writing the query XML file by hand, it can be generated automatically from a query run in the GUI.

Scope

API.
Solution

1) Connect to the Supervisor CLI as the root user and run:


cd /opt/phoenix/cache/query/completed


Take note of the latest directory.


2) Go to the Analytics tab and run the query that is to be executed via the API.


3) Back on the Supervisor CLI, in the same directory as before, note that one new directory has been created.

Inside that latest directory is the query.xml file, containing the XML of the query that was just run in the Analytics tab:


/opt/phoenix/cache/query/completed/<LatestDirectory>/query.xml


4) Once query.xml has been obtained, copy it and keep it for the next step. Also download the zip with the API examples from the official documentation:


API examples Documentation


The getQueryResultByOrg.py script in the 'events' directory can then be used, with query.xml as its input:


Usage: getQueryResultByOrg.py appServer user password inputXML


Example: python getQueryResultByOrg.py 192.168.20.116 super/admin adm1n query.xml
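The steps above, automated as an added example (not code from the Fortinet article or its API example scripts): snapshot the completed-query directory, pick out the directory the Analytics query created, and keep a copy of its query.xml only if it is well-formed. It assumes nothing beyond the article's path layout and the script's usage line; the sample directory tree and its XML body are constructed placeholders for offline runs.

```python
"""Locate and keep the query.xml FortiSIEM wrote for the query just run in
Analytics. Added example, not code from the Fortinet article or its API example
scripts; assumes only the layout the article gives: <completed>/<dir>/query.xml."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

COMPLETED = "/opt/phoenix/cache/query/completed"  # path from the article


def snapshot(base=COMPLETED):
    """Step 1: record which directories exist before the query is run."""
    return {d for d in os.listdir(base) if os.path.isdir(os.path.join(base, d))}


def find_new_query_xml(before, base=COMPLETED):
    """Step 3: query.xml of the newest directory created since `before`.
    Chosen by mtime, so it still works if several queries completed meanwhile."""
    found = [os.path.join(base, d, "query.xml") for d in snapshot(base) - before]
    found = [p for p in found if os.path.isfile(p)]
    if not found:
        raise FileNotFoundError("no new completed query under %s" % base)
    return max(found, key=os.path.getmtime)


def save_query(src, dest):
    """Step 4: copy query.xml, refusing a file that is not well-formed XML
    (a query still being written would otherwise be handed to the API)."""
    ET.parse(src)  # raises ET.ParseError on a truncated or partial file
    shutil.copyfile(src, dest)
    return dest


def api_command(app_server, user, password, input_xml):
    """Argument list for the article's script, in its usage-line order. Note that
    credentials on a command line show up in process listings and shell history."""
    return ["python", "getQueryResultByOrg.py", app_server, user, password, input_xml]


def add_sample_dirs(entries, base=None):
    """Constructed stand-in for the completed-query tree, for offline runs.
    `entries` is [(dirname, mtime)]; the XML body is a placeholder, not a real query."""
    base = base or tempfile.mkdtemp()
    for name, mtime in entries:
        os.makedirs(os.path.join(base, name))
        path = os.path.join(base, name, "query.xml")
        with open(path, "w") as fh:
            fh.write("<query/>")
        os.utime(path, (mtime, mtime))
    return base
```

On a Supervisor, call snapshot() before running the Analytics query and find_new_query_xml(before) afterwards; the returned path is the file to pass as inputXML.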