Administration Guide

Automated Incident Response - Playbooks Page

The AUTOMATED INCIDENT RESPONSE – PLAYBOOKS page displays a row for each Playbook policy. To access this page, click the down arrow next to SECURITY SETTINGS and then select Playbooks.

Each Playbook policy row can be expanded to show the actions that it contains, as shown below:

You can drill down in a Playbook policy row to view the actions for that policy by clicking the icon.

Note: There are more options and actions than those shown above that can be added to a Playbook policy, such as the blocking of a malicious IP address. You may consult Fortinet Support about how to add them.

Note: Automated Incident Response Playbook features can also be triggered by extended detection events when follow-up actions are configured for the Collector Group of the device on which the event triggered. This enables the system to follow up on the detection of such an event by executing a sequence of actions, such as blocking an address on a firewall or isolating the device on which part of the event occurred.