Using the Automation Stitch for event handlers
All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through AntiVirus. This basic event handler, Default-Botnet-Communication-Detection, has automation stitch enabled in FortiAnalyzer.
Automation Stitch can also be enabled for any custom event handler. See Creating a custom event handler and Creating a custom correlation handler.
To determine if an event handler has automation stitch enabled, review the Automation Stitch column in Incidents & Events > Event Handlers > Basic Handlers and Incidents & Events > Event Handlers > Correlation Handlers.
When an event is generated by a handler with automation stitch enabled, FortiAnalyzer sends a notification to the FortiGate automation framework. If an automation stitch is configured on the FortiGate, the notification will trigger the related automation stitch and activate an action in response. For example, the FortiGate could send a custom email notification, execute a CLI script, and/or perform a system action in response to the trigger. For more information about automation stitches, including their triggers and actions, see the FortiGate/FortiOS Administration Guide.
The events generated by handlers with the automation stitch enabled can also be viewed in the FortiAnalyzer GUI through Incidents & Events > Event Monitor.
To receive the notifications from FortiAnalyzer on the FortiGate device, you must configure FortiAnalyzer logging on the FortiGate device. To use the notifications as part of an automation stitch, you must configure a trigger on the FortiGate device for each event handler that has automation stitch enabled. This includes the predefined event handlers with automation stitch enabled, such as Default-Botnet-Communication-Detection. For more information about configuring FortiAnalyzer logging and automation stitch triggers, see the FortiGate/FortiOS Administration Guide.
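The following FortiOS CLI configuration is an added example of the two steps described above, not a configuration taken from this guide or from Fortinet: it enables FortiAnalyzer logging on the FortiGate, then defines an automation trigger bound to the predefined Default-Botnet-Communication-Detection handler and a stitch that emails the SOC and runs a harmless CLI script when that event arrives. The FortiAnalyzer address 192.0.2.10, the mailbox soc@example.com and the object names are constructed placeholders, and the command syntax assumes a FortiOS 7.x release (the `config actions` sub-table of the stitch differs on older builds); check each keyword against the CLI reference for the firmware in use.

```fortios
# Step 1 (assumption: FortiOS 7.x syntax): send logs to FortiAnalyzer so the
# FortiGate has a session over which event notifications can be received.
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"        # constructed placeholder FortiAnalyzer IP
    set upload-option realtime
end

# Step 2a: one trigger per FortiAnalyzer event handler that has
# Automation Stitch enabled. The handler name must match the
# FortiAnalyzer side exactly; this one is the predefined handler
# named on the page.
config system automation-trigger
    edit "faz-botnet-detected"
        set event-type faz-event
        set faz-event-name "Default-Botnet-Communication-Detection"
    next
end

# Step 2b: actions to run. An email to the SOC mailbox and a CLI
# script that only captures system state (no configuration change).
config system automation-action
    edit "notify-soc"
        set action-type email
        set email-to "soc@example.com"     # constructed placeholder
        set email-subject "FortiAnalyzer: botnet communication event"
    next
    edit "capture-status"
        set action-type cli-script
        set script "get system status"
    next
end

# Step 2c: the stitch that joins the trigger to the actions.
config system automation-stitch
    edit "faz-botnet-response"
        set status enable
        set trigger "faz-botnet-detected"
        config actions
            edit 1
                set action "notify-soc"
            next
            edit 2
                set action "capture-status"
            next
        end
    next
end
```

After applying the configuration, confirm the stitch fires by generating the corresponding event on FortiAnalyzer and checking that the email arrives and that the event appears under Incidents & Events > Event Monitor; a custom handler needs its own trigger entry with `faz-event-name` set to that handler's name.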