Automation Playbooks

A sequence of one or more actions offered by SOC connectors can be defined in playbooks and executed manually or automatically.

Playbooks consist of a trigger and multiple actions from configured connectors.

  • Playbook triggers include:
    • Incident
    • Event
    • On Schedule
    • On Demand
  • Playbook actions:
    • An action is the automated step taken by the playbook at a given point.
    • Actions can be configured with default input values or take inputs from the trigger or preceding actions.
    • Actions can be selected from the local FortiAnalyzer or a configured connector's list of actions.

Connectors

To view FortiSoC connectors:
  1. View the connector list from FortiSoC > Automation > Connectors.
  2. Click on a connector to view its details.
    The actions available with each connector are displayed, including each action's name and the parameters it uses in the playbook.
    • EMS connectors:
    • FOS connectors:
    • Local connectors:

Playbooks

To create a playbook:
  1. Click Create New from the Playbook list, and select a template.
    You can also select New Playbook created from scratch to start with a blank playbook.
  2. Provide a name and description for the playbook, and set it to Enabled if you want to use it immediately after saving the playbook.
  3. If a predefined template is selected, check each trigger and task configuration, and update them as needed by clicking the edit icon.
  4. If a playbook is created from scratch, select a trigger and its filter conditions.
  5. Add a task by clicking the connector point of a parent task or trigger and dragging and dropping a new task onto the playbook.
    1. Select the Connector type.
    2. Enter a name, description, and the ID for the task.
    3. Select a connector and action, and enter the action's required parameters. The parameter may come from any parent task/trigger output or be a fixed value.
    4. Click OK to save your changes.
  6. Save the playbook when finished. The playbook then appears in the playbook list.

To run an on-demand playbook:
  1. Go to FortiSoC > Automation > Playbooks.
  2. Select a playbook configured with an On_Demand trigger.
  3. Click Run in the toolbar or through the context menu of the selected playbook.
  4. Input the desired parameters if prompted.

Playbooks with an Incident, Event, or On_Schedule trigger run automatically once the trigger's filter is matched.
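
The data-flow rule described above (a task parameter is either a fixed value or an output of the trigger or a parent task) can be checked mechanically before a playbook is enabled. The following is an added example, not FortiAnalyzer code or its playbook format: the dict layout, the `from`/`field` reference convention, the task IDs and the field names are assumptions for illustration, and "parent" is read as any task upstream on the path to the trigger.

```python
# Hypothetical in-memory model of a playbook; not FortiAnalyzer's storage or export format.
TRIGGER_TYPES = {"INCIDENT", "EVENT", "ON_SCHEDULE", "ON_DEMAND"}  # the four trigger kinds on the page

def ancestors(tasks, task_id):
    """Return the step IDs upstream of task_id, ending at the trigger (None if the chain is broken)."""
    chain, seen, parent = [], {task_id}, tasks[task_id]["parent"]
    while parent != "trigger":
        if parent not in tasks or parent in seen:  # dangling parent or cycle
            return None
        chain.append(parent)
        seen.add(parent)
        parent = tasks[parent]["parent"]
    return chain + ["trigger"]

def validate(playbook):
    """List design problems: bad trigger type, broken parent links, inputs not taken from an upstream step."""
    problems = []
    if playbook["trigger"]["type"] not in TRIGGER_TYPES:
        problems.append(f"unknown trigger type {playbook['trigger']['type']!r}")
    tasks = playbook["tasks"]
    for tid, task in tasks.items():
        up = ancestors(tasks, tid)
        if up is None:
            problems.append(f"{tid}: parent chain does not reach the trigger")
            continue
        for name, value in task["params"].items():
            # Assumed convention: a dict {"from": step, "field": output} is a dynamic input; anything else is fixed.
            if isinstance(value, dict) and value["from"] not in up:
                problems.append(f"{tid}.{name}: source {value['from']!r} is not a parent task or the trigger")
    return problems

def resolve(task, outputs):
    """Build the concrete action input from fixed values and recorded upstream outputs."""
    return {n: outputs[v["from"]][v["field"]] if isinstance(v, dict) else v
            for n, v in task["params"].items()}

# Constructed sample: an event-triggered playbook; t3 wrongly reads from its sibling t1.
PLAYBOOK = {
    "trigger": {"type": "EVENT"},
    "tasks": {
        "t1": {"parent": "trigger", "params": {"ip": {"from": "trigger", "field": "srcip"}}},
        "t2": {"parent": "t1", "params": {"host": {"from": "t1", "field": "hostname"}, "note": "auto"}},
        "t3": {"parent": "trigger", "params": {"host": {"from": "t1", "field": "hostname"}}},
    },
}
```

Running `validate(PLAYBOOK)` flags only `t3`, whose input comes from a task that is not on its own path back to the trigger, so that value may not exist when `t3` runs.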

Playbook Monitor

To view the Playbook Monitor:
  1. Go to FortiSoC > Automation > Playbook Monitor.
    All playbook jobs that are running or have been run are displayed.
  2. Double-click a job or click the details icon in the status column to view the playbook status details.
