This article describes how to easily make a query via the API for an Organization in FortiSIEM. Instead of creating the query XML file manually, it is possible to create it automatically.

1) Connect on Supervisor CLI as root user and type:

cd /opt/phoenix/cache/query/completed

Take a note of the latest directory.

2) Go to the Analytics tab and do the necessary query to do via the API.

3) On Supervisor CLI, in the same previous directory: notice that one new directory has been created.

Inside the latest directory, there is the query.xml file with the xml code of the query that was just done at the Analytics tab:

/opt/phoenix/cache/query/completed/<LatestDirectory>/query.xml

4) Once query.xml is obtained, it is possible to copy it and keep it for the next step. Also, download the zip with the API examples from the official documentation:

API examples Documentation

It is possible to use getQueryResultsByOrg.py script in the 'events' directory, with the query.xml as an input:

Usage: getQueryResultByOrg.py appServer user password inputXML.

Example: python getQueryResultByOrg.py 192.168.20.116 super/admin adm1n query.xml.