Skip to main content

FortiSIEM MCP Server

An MCP server implementation for interacting with FortiSIEM. This server provides tools for querying for incidents, getting incident details and related events.

Prerequisites

A FortiSIEM instance.

Usage with Claude Desktop

Add this config to your claude_desktop_config.json:

{
  "mcpServers": {
    "fortisiem-mcp-stdio": {
      "command": "/root/.local/bin/poetry",
      "args": [
        "--directory",
        "/app/fortisiem_mcp/",
        "run",
        "python",
        "fortisiem_mcp.py",
        "stdio"
      ],
      "env": {
        "FORTISIEM_HOST": "<your_FortiSIEM_instance_ip>",
        "FORTISIEM_PORT": "443",
        "FORTISIEM_USER": "<FortiSIEM_user>",
        "FORTISIEM_PASSWORD": "<FortiSIEM_password>",
        "FORTISIEM_SCHEMA": "https",
        "FORTISIEM_SSL_VERIFY": false,
        "FORTISIEM_ORGANIZATION": "<FortiSIEM_organization>"
      }
    }
  }
}

Usage with Arcanna Assistant/Agentic Workflows

Add this config to your MCP Config in Assistant/Agentic Workflows -> Tools:

{
  "fortisiem-mcp": {
    "command": "/root/.local/bin/poetry",
    "args": [
      "--directory",
      "/app/fortisiem_mcp/",
      "run",
      "python",
      "fortisiem_mcp.py",
      "stdio"
    ],
    "env": {
      "FORTISIEM_HOST": "<your_FortiSIEM_instance_ip>",
      "FORTISIEM_PORT": "443",
      "FORTISIEM_USER": "<FortiSIEM_user>",
      "FORTISIEM_PASSWORD": "<FortiSIEM_password>",
      "FORTISIEM_SCHEMA": "https",
      "FORTISIEM_SSL_VERIFY": false,
      "FORTISIEM_ORGANIZATION": "<FortiSIEM_organization>"
    }
  }
}

Features

  • FortiSIEM System Healthcheck: Check if the FortiSIEM instance is reachable and healthy.
  • FortiSIEM Incidents Search: Query for incidents in FortiSIEM. The query accepts filters.
  • FortiSIEM Incident Details: Get more details about a certain incident from FortiSIEM.
  • FortiSIEM Incident Related Events: Fetch the events related to a certain incident.

Tools

FortiSIEM Healthcheck

  • fortisiem_health_check
    • Returns true if the FortiSIEM instance is healthy, false otherwise.

  • fortisiem_get_incidents

    • Search for incidents using filters. (Check the payload in FortiSIEM docs page 32 to see what filters are available)

  • fortisiem_get_incident_by_id

    • Get more information about a certain incident.
  • fortisiem_get_triggering_events_for_incident
    • Retrieves the triggering events associated with an incident.

Usage example