FortiSIEM MCP Server

An MCP server implementation for interacting with FortiSIEM. This server provides tools for querying incidents and for retrieving incident details and related events.

Prerequisites

A FortiSIEM instance.

Usage with Claude Desktop

Add this config to your claude_desktop_config.json:

{
  "mcpServers": {
    "fortisiem-mcp-stdio": {
      "command": "/root/.local/bin/poetry",
      "args": [
        "--directory",
        "/app/fortisiem_mcp/",
        "run",
        "python",
        "fortisiem_mcp.py",
        "stdio"
      ],
      "env": {
        "FORTISIEM_HOST": "<your_FortiSIEM_instance_ip>",
        "FORTISIEM_PORT": "443",
        "FORTISIEM_USER": "<FortiSIEM_user>",
        "FORTISIEM_PASSWORD": "<FortiSIEM_password>",
        "FORTISIEM_SCHEMA": "https",
        "FORTISIEM_SSL_VERIFY": false,
        "FORTISIEM_ORGANIZATION": "<FortiSIEM_organization>"
      }
    }
  }
}

Usage with Arcanna Assistant/Agentic Workflows

Add this config to your MCP Config in Assistant/Agentic Workflows -> Tools:

{
  "fortisiem-mcp": {
    "command": "/root/.local/bin/poetry",
    "args": [
      "--directory",
      "/app/fortisiem_mcp/",
      "run",
      "python",
      "fortisiem_mcp.py",
      "stdio"
    ],
    "env": {
      "FORTISIEM_HOST": "<your_FortiSIEM_instance_ip>",
      "FORTISIEM_PORT": "443",
      "FORTISIEM_USER": "<FortiSIEM_user>",
      "FORTISIEM_PASSWORD": "<FortiSIEM_password>",
      "FORTISIEM_SCHEMA": "https",
      "FORTISIEM_SSL_VERIFY": false,
      "FORTISIEM_ORGANIZATION": "<FortiSIEM_organization>"
    }
  }
}
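
A preflight check for the env block used in both the Claude Desktop and the Arcanna config above, as an added example that is not part of the FortiSIEM MCP server project. The function names and finding messages are hypothetical, and it assumes a false-like FORTISIEM_SSL_VERIFY value turns off TLS certificate verification.

```python
import json

# Keys from the env block of the two configs above.
REQUIRED = ("FORTISIEM_HOST", "FORTISIEM_PORT", "FORTISIEM_USER",
            "FORTISIEM_PASSWORD", "FORTISIEM_SCHEMA",
            "FORTISIEM_SSL_VERIFY", "FORTISIEM_ORGANIZATION")

def iter_env_blocks(config):
    """Yield (server_name, env) for both layouts: Claude Desktop nests the
    servers under "mcpServers", the Arcanna config lists them at top level."""
    for name, entry in config.get("mcpServers", config).items():
        if isinstance(entry, dict) and isinstance(entry.get("env"), dict):
            yield name, entry["env"]

def check_env(env):
    """Return a list of findings for one env block (empty list = clean)."""
    findings = [f"{key}: missing" for key in REQUIRED if key not in env]
    for key, value in env.items():
        if not isinstance(value, str):
            # Process environment values are strings; quote the value in JSON.
            findings.append(f"{key}: not a JSON string ({value!r})")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{key}: placeholder not replaced")
    # Assumption: a false-like value disables TLS certificate verification.
    if str(env.get("FORTISIEM_SSL_VERIFY", "")).lower() in ("false", "0", "no"):
        findings.append("FORTISIEM_SSL_VERIFY: certificate verification disabled")
    if env.get("FORTISIEM_SCHEMA", "https") != "https":
        findings.append("FORTISIEM_SCHEMA: not https")
    return findings

def check_config(text):
    """Parse a config file's text and map each server name to its findings."""
    return {name: check_env(env) for name, env in iter_env_blocks(json.loads(text))}

# Constructed sample (host, password and organization are made-up values).
SAMPLE = """{"mcpServers": {"fortisiem-mcp-stdio": {"env": {
  "FORTISIEM_HOST": "siem.example.internal", "FORTISIEM_PORT": "443",
  "FORTISIEM_USER": "<FortiSIEM_user>", "FORTISIEM_PASSWORD": "constructed-pw",
  "FORTISIEM_SCHEMA": "https", "FORTISIEM_SSL_VERIFY": false,
  "FORTISIEM_ORGANIZATION": "constructed-org"}}}}"""

if __name__ == "__main__":
    for server, findings in check_config(SAMPLE).items():
        for finding in findings or ["no findings"]:
            print(f"{server}: {finding}")
```

Run it against the config file before pointing an MCP client at a production FortiSIEM instance; an empty findings list means every key is present, quoted, filled in, and using verified HTTPS.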

Features

  • FortiSIEM System Healthcheck: Check if the FortiSIEM instance is reachable and healthy.
  • FortiSIEM Incidents Search: Query for incidents in FortiSIEM. The query accepts filters.
  • FortiSIEM Incident Details: Get more details about a certain incident from FortiSIEM.
  • FortiSIEM Incident Related Events: Fetch the events related to a certain incident.

Tools

FortiSIEM Healthcheck

  • fortisiem_health_check
    • Returns true if the FortiSIEM instance is healthy, false otherwise.
  • fortisiem_get_incidents
    • Search for incidents using filters (check the payload in the FortiSIEM docs, page 32, to see which filters are available).
  • fortisiem_get_incident_by_id
    • Get more information about a certain incident.
  • fortisiem_get_triggering_events_for_incident
    • Retrieves the triggering events associated with an incident.

Usage example