Administration Guide

Using the Automation Stitch for event handlers

All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high-severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through (AntiVirus). This predefined event handler, Default-Botnet-Communication-Detection, has Automation Stitch enabled in FortiAnalyzer.

Automation Stitch can also be enabled for any custom event handler. See Creating a custom event handler and Creating a custom correlation handler.

To determine if an event handler has automation stitch enabled, review the Automation Stitch column in FortiSoC/Incidents & Events > Handlers > Event Handler List and FortiSoC/Incidents & Events > Handlers > Correlation Handler List.

When an event is generated by a handler with Automation Stitch enabled, FortiAnalyzer sends a notification to the FortiGate automation framework. If a matching automation stitch is configured on the FortiGate, the notification fires the stitch's trigger and the stitch runs its configured actions in response. For example, the FortiGate could send a custom email notification, execute a CLI script, and/or perform a system action in response to the trigger. For more information about automation stitches, including their triggers and actions, see the FortiGate/FortiOS Administration Guide.

The events generated by handlers with the automation stitch enabled can also be viewed in the FortiAnalyzer GUI through FortiSoC/Incidents & Events > Event Monitor.

Note

To receive the notifications from FortiAnalyzer on the FortiGate device, you must configure FortiAnalyzer logging on the FortiGate device.

To use the notifications as part of an automation stitch, you must configure a trigger on the FortiGate device for each event handler that has automation stitch enabled. This includes the predefined event handlers with automation stitch enabled, such as Default-Botnet-Communication-Detection.

For more information about configuring FortiAnalyzer logging and automation stitch triggers, see the FortiGate/FortiOS Administration Guide.
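The following FortiOS CLI fragment is an added example of the FortiGate side of this setup; it is not part of the FortiAnalyzer guide. It covers both prerequisites from the note above: FortiAnalyzer logging, and one automation trigger per FortiAnalyzer event handler that has Automation Stitch enabled, wired to a stitch with an email action and a CLI script action. The option names (event-type faz-event, faz-event-name, faz-event-severity, the config actions sub-table) are assumed from the FortiOS 7.x CLI and should be checked against the FortiOS Administration Guide for the release in use; the server address and mailbox are constructed placeholders.

```fortios
# Added example, not from the FortiAnalyzer guide. FortiOS 7.x CLI syntax is assumed;
# verify option names against the FortiOS Administration Guide for your release.

# 1. FortiAnalyzer logging. Without this the FortiGate never registers with the
#    FortiAnalyzer and never receives event-handler notifications.
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"        # constructed FortiAnalyzer address
    set upload-option realtime
end

# 2. One trigger per FortiAnalyzer handler with Automation Stitch enabled.
#    faz-event-name must match the handler name shown in
#    FortiSoC/Incidents & Events > Handlers > Event Handler List exactly.
config system automation-trigger
    edit "faz-botnet-trigger"
        set event-type faz-event
        set faz-event-name "Default-Botnet-Communication-Detection"
        set faz-event-severity "high"
    next
end

# 3. Actions to run when the trigger fires: notify the SOC and capture
#    the current session table for the investigation.
config system automation-action
    edit "notify-soc"
        set action-type email
        set email-to "soc@example.com"          # constructed mailbox
        set email-subject "FortiAnalyzer botnet event received"
    next
    edit "dump-sessions"
        set action-type cli-script
        set script "diagnose sys session list"
        set accprofile "super_admin"
    next
end

# 4. The stitch that binds the trigger to the actions. Each additional
#    FortiAnalyzer handler with Automation Stitch enabled needs its own
#    trigger (step 2) and, usually, its own stitch.
config system automation-stitch
    edit "faz-botnet-stitch"
        set trigger "faz-botnet-trigger"
        config actions
            edit 1
                set action "notify-soc"
            next
            edit 2
                set action "dump-sessions"
            next
        end
    next
end
```

After committing this, generate a matching event on the FortiAnalyzer side and confirm it appears in FortiSoC/Incidents & Events > Event Monitor; if the stitch does not fire, the first things to check are that the FortiGate shows as registered on the FortiAnalyzer and that the trigger's faz-event-name is a character-for-character match for the handler name.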
