Quantcast
Channel: Fortinet GURU
Viewing all articles
Browse latest Browse all 2380

FortiSIEM Incident XML File Format

$
0
0

Incident XML File Format

This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.

Example Incident XML File

XML Tag and Attribute Definitions

Example Incident XML File

<?xml version=”1.0″ encoding=”UTF-8″ ?> <incident incidentId=”5672″ ruleType=”PH_RULE_AUTO_SRVC_DOWN” severity=”10″ repeatCount=”1″ organization=”Super” status=”Cleared”>   <name>Auto Service Stopped</name>   <description>Detects that an automatically running service stopped.

Currently this works for windows servers and is detected via

WMI.</description>

<displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>

<incidentSource>

</incidentSource>

<incidentTarget>

<entry attribute=”hostIpAddr” name=”Host IP”>172.16.10.15</entry>

<entry attribute=”hostName” name=”Host Name”>QA-V-WIN03-ADS</entry>

</incidentTarget>

<incidentDetails>

<entry attribute=”serviceName” name=”OS Service

Name”>Spooler</entry>

<entry attribute=”servicePath” name=”OS Service

Path”>C:\WINDOWS\system32\spoolsv.exe</entry>

</incidentDetails>

<affectedBizSrvc>Auth Service</affectedBizSrvc>

<identityLocation>

</identityLocation>  <rawEvents>

[SrvcDown]

[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]= phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=1 72.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoo lsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=  </rawEvents>

</incident>

XML Tag and Attribute Definitions

XML Tag Attributes Description
<incident>
incidentID Unique id of the incident in AccelOps. You can search for the incident by using this ID.

 

ruleType Unique id of the rule in AccelOps
severity The severity of the incident, HIGH MEDIUM LOW
repeatCount How many times this incident has occurred
organization In multi-tenant deployments, the organization affected by the incident
status The status of the incident
<name> The name of the rule that triggered the incident
<description> The description of the rule that triggered the incident
<displayTime> The time when the incident occurred
<incidentSource> The source of the incident. It includes the event attributes associated with the source presented as name:value pairs. Common attributes for source and target tributes here are  srcIpAddr, de stIpAddr, hostIpAddr.
<incidentTarget> Where the incident occurred, or the target of an IPS alert. It includes the event attributes associated with the target presented as name:value pairs. Common attributes for source and target tributes here are  srcIpAddr, destIpAddr, hostIpAddr.
<incidentDetails> The event attributes associated with the rule definition that triggered the incident
<affectedBizSrvc> Any business services impacted by the event
<identityLocation> Information associated with the Identity and Location Report
<rawevents> The contents of the raw event log for the incident.

 

 


Viewing all articles
Browse latest Browse all 2380

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>