Playbook templates
When a playbook template is selected, the playbook designer is automatically populated with a trigger and one or more tasks. You can configure, add, or remove tasks to customize the playbook.
When creating a new playbook, the following predefined templates are available:
| Connector | Name | Description |
|---|---|---|
| FAZ Localhost | Compromised Host Incident | Playbook to create an incident on FortiAnalyzer for compromised hosts detected by the IoC feature. |
| FAZ Localhost | Critical Intrusion Incident | Playbook to create an incident on FortiAnalyzer for critical intrusions detected by IPS. |
| FAZ Localhost | Attach Endpoint Vulnerability List to Incident | Playbook to collect the list of endpoint vulnerabilities from logs and attach it to an incident. |
| FortiOS | Quarantine Endpoint by FortiOS | Playbook to quarantine an endpoint by the FOS connector, providing the MAC address or FortiClient UID. |
| FortiClient EMS | Update Asset and Identity Database | Playbook to automatically update the FortiAnalyzer Asset and Identity database with endpoint and user information from EMS. |
| FortiClient EMS | Run AV Scan on Endpoint | Playbook to run an AV scan on an endpoint by the EMS connector. |
| FortiClient EMS | Run Vulnerability Scan on Endpoint | Playbook to run a vulnerability scan on an endpoint. |
| FortiClient EMS | Quarantine Endpoint by EMS | Playbook to quarantine an endpoint by the EMS connector. |
| FortiClient EMS | Unquarantine Endpoint by EMS | Playbook to unquarantine an endpoint by the EMS connector. |
| FortiClient EMS | Enrich Incident with Process List | Playbook to get the running processes on an endpoint by the EMS connector and attach them to an incident. |
| FortiClient EMS | Enrich Incident with Vulnerability List | Playbook to collect the list of endpoint vulnerabilities from logs and attach it to an incident. |
| FortiClient EMS | Enrich Incident with Software Inventory | Playbook to get the software inventory from an endpoint by the EMS connector and attach it to an incident. |