FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 329737
Description

This article describes how to query the FortiSIEM API from the command line using curl or wget. A simple query is run against the FortiSIEM CMDB to retrieve the monitored devices as an XML payload.

The FortiSIEM API uses the HTTP basic authentication method; if no valid credentials are provided, an HTTP/1.1 401 Not Authorized status is returned.

Scope
FortiSIEM, API, CMDB.
Solution

Basic authentication takes a base64-encoded string in the Authorization header.

To generate this base64-encoded string from the organization, username and password, encode the following:

<ORG>/<username>:<password>

For example, when interacting with the admin account of the super organization, whose password is mysecretpassword, the string to encode is:

super/admin:mysecretpassword

To encode the string, use one of the following:

  • The [convert] class from PowerShell under Windows:

C:\> powershell "[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(\"super/admin:mysecretpassword\"))"

c3VwZXIvYWRtaW46bXlzZWNyZXRwYXNzd29yZA==

  • The base64 tool under Linux:

# echo -n 'super/admin:mysecretpassword' | base64

c3VwZXIvYWRtaW46bXlzZWNyZXRwYXNzd29yZA==

Note:

The generated string is only encoded, not encrypted: anyone who obtains the base64 string can decode it and recover the credentials, so treat it, and any script or shell history that contains it, with the same care as the password itself.

With this encoded string, it is possible to use wget or curl to query the FortiSIEM API endpoint deviceInfo/monitoredDevices:

curl -k -H "Authorization: Basic c3VwZXIvYWRtaW46bXlzZWNyZXRwYXNzd29yZA==" https://192.88.99.2/phoenix/rest/deviceInfo/monitoredDevices

The -k option disables server certificate validation for the HTTPS connection; it is needed here because the example in this article queries the IP 192.88.99.2, which does not have a valid certificate. Without that validation curl cannot confirm which server receives the credentials, so drop -k (or point curl at the issuing CA with --cacert) as soon as the FortiSIEM node has a trusted certificate.

curl has a built-in base64 encoder, so the manual encoding step can be skipped by passing the credentials with -u and asking for Basic authentication:

curl -k -u super/admin:mysecretpassword --basic https://192.88.99.2/phoenix/rest/deviceInfo/monitoredDevices

If the query succeeds, an XML payload is returned:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<monitoredDevices>
<perfMonDevices>
<device>
<accessIp>192.88.99.122</accessIp>
<deviceName>fortios-kb-article</deviceName>
<deviceType>Fortinet FortiOS</deviceType>
<monitors>
<monitor>
<category>App</category>
<method>FortiAP Metric (FORTIOS_REST_API)</method>
</monitor>
<monitor>
<category>System</category>
<method>Ping Stat (PING)</method>
</monitor>
<monitor>
<category>App</category>
<method>FortiGate Metric (FORTIOS_REST_API)</method>
</monitor>
<monitor>
<category>App</category>
<method>FortiSwitch Metric (FORTIOS_REST_API)</method>
</monitor>
</monitors>
<organization>Super</organization>
</device>
</perfMonDevices>
<eventPullingDevices>
<device>
<accessIp>192.88.99.13</accessIp>
<deviceName>podman-server</deviceName>
<deviceType>Generic Linux</deviceType>
<monitors>
<monitor>
<method>phoenix_agent_accelops_audit (JDBC)</method>
</monitor>
</monitors>
<organization>Super</organization>
</device>
</eventPullingDevices>
</monitoredDevices>
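The three steps above (encode the credentials, send the request with the Authorization header, read the monitoredDevices XML) combined in one script, as an added Python example that is not part of the article or of any Fortinet tooling; the host argument, the verify_tls switch (the equivalent of curl -k) and the embedded sample payload are assumptions constructed for the example.

```python
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the payload shown in the article (two monitors dropped).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<monitoredDevices><perfMonDevices><device><accessIp>192.88.99.122</accessIp>
<deviceName>fortios-kb-article</deviceName><deviceType>Fortinet FortiOS</deviceType>
<monitors><monitor><category>App</category><method>FortiGate Metric (FORTIOS_REST_API)</method></monitor>
<monitor><category>System</category><method>Ping Stat (PING)</method></monitor></monitors>
<organization>Super</organization></device></perfMonDevices>
<eventPullingDevices><device><accessIp>192.88.99.13</accessIp><deviceName>podman-server</deviceName>
<deviceType>Generic Linux</deviceType><monitors><monitor><method>phoenix_agent_accelops_audit (JDBC)</method>
</monitor></monitors><organization>Super</organization></device></eventPullingDevices></monitoredDevices>"""

def basic_auth_header(org, username, password):
    """Return the Authorization value for <ORG>/<username>:<password> (base64, not encryption)."""
    token = base64.b64encode(f"{org}/{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_monitored_devices(xml_text):
    """Flatten monitoredDevices into one dict per device; category is None when absent."""
    devices = []
    for group in ET.fromstring(xml_text):  # perfMonDevices / eventPullingDevices
        for dev in group.findall("device"):
            devices.append({
                "group": group.tag,
                **{k: dev.findtext(k) for k in ("accessIp", "deviceName", "deviceType", "organization")},
                "monitors": [(m.findtext("category"), m.findtext("method"))
                             for m in dev.iterfind("monitors/monitor")],
            })
    return devices

def fetch_monitored_devices(host, org, username, password, verify_tls=True):
    """GET deviceInfo/monitoredDevices; verify_tls=False mirrors curl -k and should stay the exception."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/phoenix/rest/deviceInfo/monitoredDevices"
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(org, username, password)})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return parse_monitored_devices(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 401:  # bad or missing credentials, as described in the article
            raise PermissionError("FortiSIEM rejected the credentials (HTTP 401)") from err
        raise
```

Running fetch_monitored_devices("192.88.99.2", "super", "admin", "mysecretpassword", verify_tls=False) reproduces the curl call from the article; parse_monitored_devices(SAMPLE_XML) exercises the parser offline.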


Note:

The API documentation is available on the Fortinet Developer Network (FNDN) website: https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/