
Administration Guide

Triggers and tasks

Triggers

Triggers determine when a playbook is to be executed. Triggers are always the first step in a playbook, and each playbook can only include one trigger. Once a playbook has been triggered, it flows through the remaining tasks as defined by the routes in the playbook using the trigger as a starting point.

The following playbook triggers are available:

| Trigger | Description |
| --- | --- |
| EVENT_TRIGGER | The playbook is run when an event is created that matches the configured filters. When no filters are set, all events will trigger the playbook. |
| INCIDENT_TRIGGER | The playbook is run when an incident is created that matches the configured filters. When no filters are set, all incidents will trigger the playbook. |
| ON_SCHEDULE | The playbook is run during the configured schedule. You can define the start time, end time, interval type, and interval frequency for the schedule. |
| ON_DEMAND | The playbook is run when manually started by an administrator. You can run playbooks configured with the ON_DEMAND trigger from FortiSoC > Automation > Playbook or within an incident's Analysis page. |

Tasks

Tasks include automated actions that take place on FortiAnalyzer or devices with configured FortiSoC connectors. See Connectors.

Tasks can be linked together in sequences. A task's automated action will only begin once the playbook is triggered and all preceding connected tasks are complete.

Tasks can be configured with default input values or take inputs from the trigger or preceding tasks. For more information about linking and configuring tasks in a playbook, see Playbooks.
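
The following Python sketch models the semantics described above: a trigger with no filters matches every record, and a task starts only after all of its preceding connected tasks are complete. It is an example added here, not FortiAnalyzer code or its playbook format; the dictionary layout, field names, task names, and function names are all assumptions.

```python
# Hypothetical model of the trigger and task semantics described above.
# Not FortiAnalyzer code: the dict layout and all names are assumptions.

def trigger_matches(filters, record):
    """True when the record satisfies every filter; no filters matches all."""
    return all(record.get(field) == value for field, value in filters.items())

def run_order(routes):
    """Order tasks so each starts only after all of its preceding connected
    steps are complete. `routes` maps a task to the steps that feed into it.
    A task with no route back to the trigger never runs."""
    done, order = {"trigger"}, []
    progressed = True
    while progressed:
        progressed = False
        for task, preceding in routes.items():
            if task not in done and preceding and preceding <= done:
                done.add(task)
                order.append(task)
                progressed = True
    return order

def execute(playbook, record):
    """Return the tasks run for one event or incident, in execution order."""
    if not trigger_matches(playbook["trigger"]["filters"], record):
        return []
    return run_order(playbook["routes"])

# Constructed sample playbook: two tasks follow the trigger, a third task
# waits for both, and "orphan" is not connected to anything.
PLAYBOOK = {
    "trigger": {"type": "EVENT_TRIGGER", "filters": {"severity": "high"}},
    "routes": {
        "attach_report": {"enrich", "get_events"},
        "enrich": {"trigger"},
        "get_events": {"trigger"},
        "orphan": set(),
    },
}
# Same playbook with the filters removed: it now fires on every event.
UNFILTERED = dict(PLAYBOOK, trigger={"type": "EVENT_TRIGGER", "filters": {}})

if __name__ == "__main__":
    for event in ({"severity": "high"}, {"severity": "low"}):  # constructed events
        print(event, execute(PLAYBOOK, event), execute(UNFILTERED, event))
```

In this model the unfiltered playbook runs its full task chain for the low-severity event as well, which is the behavior to keep in mind when a playbook's tasks act on devices through connectors.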

Note

FortiOS actions are configured using automation rules created on FortiGate. For more information on enabling FortiOS actions in tasks, see Connectors.
