
Configuring Alert Ingestion Process

Alert Ingestion is a process that periodically pulls actionable data from sources such as a SIEM, an EDR, or even an email inbox. For example, to respond to use cases involving suspicious emails, you would configure ingestion of emails from an email provider such as Exchange or Gmail.

The Data Ingestion page displays all the connectors that are installed and can be configured for alert ingestion using the Data Ingestion Wizard.

To view the Data Ingestion page, log on to FortiSOAR. On the left navigation pane, click Automation > Data Ingestion. This page displays connectors that are enabled for data ingestion, along with the count of configurations available for that connector.

  1. To configure a connector for data ingestion, refer to the document Configuring a connector in FortiSOAR. The following connectors are installed by default with the SOAR Framework Solution Pack:

  2. The Data Ingestion Wizard maps the incoming data (from the source) to target fields in the Alert Schema. During the mapping process, you might find that you need to add fields that are not present in the schema. To add new fields, refer to Extending Default Alert Schema.

    IMPORTANT: This is a key step. Only data that is mapped into the alert schema is available to the indicator extraction process that runs afterwards, so an unmapped source field never becomes an indicator.

  3. Use the Scheduling screen, in the Data Ingestion Wizard, to configure schedule-based ingestion.

    NOTE: Some connectors, such as the Exchange connector, support the Email Notification Service. This service sets up a listener that notifies FortiSOAR as soon as a new email arrives in the mailbox, instead of waiting for the next scheduled poll.

After the configuration is complete, the system is ready to ingest data and as per the defined mapping, create alerts in FortiSOAR.
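The following is an added illustration of what the wizard's mapping step does, written in Python; it is not FortiSOAR code and the alert field names (`senderEmail`, `sourceIp`, `attachmentHash`, and so on), the mapping table and the sample email record are all assumptions constructed for the example. It maps a source record onto a target schema, refuses a mapping whose target field does not exist in the schema (the case where Extending Default Alert Schema is needed), and then runs a simple indicator extraction over the mapped alert to show why an unmapped field never yields an indicator.

```python
import re
from typing import Any

# Assumed target alert schema (a constructed subset, not FortiSOAR's real field list).
ALERT_SCHEMA = {
    "name", "description", "severity", "source", "sourceId", "senderEmail", "sourceIp",
}

# Assumed mapping chosen in the wizard: source record key -> alert schema field.
EMAIL_MAPPING = {
    "subject": "name",
    "body": "description",
    "from": "senderEmail",
    "message_id": "sourceId",
    "x_originating_ip": "sourceIp",
    "priority": "severity",
}

# Source priority values normalised to the alert severity picklist (assumed values).
SEVERITY_MAP = {"high": "High", "normal": "Medium", "low": "Low"}

# Constructed sample record, as an email connector might hand it to the wizard.
SAMPLE_EMAIL = {
    "subject": "Invoice overdue",
    "body": "Please open http://bad.example.test/invoice.php to view the invoice. "
            "Attachment hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "from": "billing@bad.example.test",
    "message_id": "<20240101.1234@bad.example.test>",
    "x_originating_ip": "203.0.113.45",
    "priority": "high",
    # Present in the source but NOT in the mapping: it will not reach the alert.
    "attachment_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def unmapped_targets(mapping: dict[str, str], schema: set[str]) -> list[str]:
    """Return mapping targets that do not exist in the schema (schema must be extended)."""
    return sorted({t for t in mapping.values() if t not in schema})


def map_to_alert(record: dict[str, Any], mapping: dict[str, str],
                 schema: set[str], source_name: str) -> dict[str, Any]:
    """Build an alert dict from a source record using the wizard-style field mapping."""
    missing = unmapped_targets(mapping, schema)
    if missing:
        raise ValueError(f"mapping targets fields absent from the alert schema: {missing}")
    alert: dict[str, Any] = {"source": source_name}
    for src_key, target in mapping.items():
        if src_key not in record:
            continue  # optional source field; leave the alert field unset
        value = record[src_key]
        if target == "severity":
            value = SEVERITY_MAP.get(str(value).lower(), "Medium")
        alert[target] = value
    return alert


# Indicator patterns for the extraction step (deliberately simple).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[a-fA-F0-9]{64}\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(alert: dict[str, Any]) -> list[tuple[str, str]]:
    """Extract (type, value) indicators from the mapped alert fields only."""
    text = " ".join(str(v) for v in alert.values())
    found: set[tuple[str, str]] = set()
    for kind, pattern in (("ip", IPV4), ("sha256", SHA256), ("url", URL)):
        for match in pattern.findall(text):
            found.add((kind, match))
    return sorted(found)


if __name__ == "__main__":
    alert = map_to_alert(SAMPLE_EMAIL, EMAIL_MAPPING, ALERT_SCHEMA, "Exchange")
    print(alert)
    print(extract_indicators(alert))
    # Mapping a field the schema lacks is rejected until the schema is extended.
    hash_mapping = {**EMAIL_MAPPING, "attachment_hash": "attachmentHash"}
    print(unmapped_targets(hash_mapping, ALERT_SCHEMA))            # ['attachmentHash']
    print(unmapped_targets(hash_mapping, ALERT_SCHEMA | {"attachmentHash"}))  # []
```

In this sample the attachment hash still surfaces as an indicator only because it also appears in the mapped `description`; a source field that is neither mapped nor quoted in a mapped field is invisible to extraction, which is the point of the IMPORTANT note above. The usual fix is exactly the one the documentation describes: extend the alert schema with the field, then add it to the mapping.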
