Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.2.a
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate Cloud 26.2.a Administration Guide
    26.2.a
    26.2.a
    26.2.0
    26.1.a
    26.1.0

    Event Handler

    Event Handler

    Go to Analytics > Incidents & Events > Event Handler, to view event handlers and create notification profiles for events.

    This topic contains the following information:

    To view event handlers:

    1. Go to Analytics > Incidents & Events > Event Handler. The list of event handlers is displayed.

    2. Hover the mouse over each event handler to display a tooltip of information.

    Creating Event Handlers

    To create an Event Handler:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. In the Event Handler tab, click Create.
    3. Configure the Event Handler details:

      Field

      Description

      NameEnter the event handler name.
      Event TypeSelect and event type from the dropdown.
      Description(Optional) Enter a description of the event handler.
    4. Configure the event Rules.
      1. Click Create.
      2. (Optional) Toggle Status to enable/disable the event handler.
      3. Select the event Severity from the dropdown.

      4. Choose Your Logs: Select the Log Type and Log Subtype that you want to monitor for events. Select the Log Field to categorize logs into smaller groups based on the chosen log fields.

      5. Refine Your Logs: Once logs are grouped, you can refine the data within each group by applying filters with other log fields. Logs that match the filters will be retained within each group.

      6. Define Event Conditions: Once you have organized and filtered the logs, set up criteria that enables the system to automatically initiate events when log records reoccur within each group.

    5. Click OK.
    To clone an Event Handler:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. Select a handler from the list and click Clone.
    3. Edit the Event Handler Details and Rules and click OK.
    Some event handlers cannot be cloned, including OFTP, the Tunnel Down event handler, IoC events, and Sandbox events.

    Creating Notification Profiles

    To create a notification profile:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. On the Notification Profile tab, click Create New.
    3. Enter a name for the profile.
    4. If desired, enable Email.
      1. Configure the desired email addresses to send the notification to.
      2. Configure the Subject field as desired, then click OK.
    5. If desired, enable Webhook.
      1. Configure the webhook options as follows:

        Field

        Description

        Type

        Select Generic or MS Teams.

        Port

        Available if you selected Generic. Enter the port number that FortiGate Cloud uses to communicate with the platform.

        Method

        Select POST or PUT for the REST API call method.

        Title

        Enter the title for the message.

        URL

        Enter the webhook URL from the desired platform.

        HTTP body

        Available if you selected Generic. Enter the message body text.

        HTTP authentication

        Available if you selected Generic.

        Select Basic or OAuth2 to configure and allow HTTP authentication between FortiGate Cloud and the platform.

        Username

        Available if you selected Basic for HTTP authentication. Enter the username to use for HTTP authentication between FortiGate Cloud and the platform.

        Password

        Available if you selected Basic for HTTP authentication. Enter the password to use for HTTP authentication between FortiGate Cloud and the platform.

        Authorization server

        Available if you selected OAuth2 for HTTP authentication. Enter the IP address of the authorization server to use for HTTP authentication between FortiGate Cloud and the platform.

        Auth client ID

        Available if you selected OAuth2 for HTTP authentication. Enter the client ID to use for HTTP authentication between FortiGate Cloud and the platform.

        Auth client secret

        Available if you selected OAuth2 for HTTP authentication. Enter the client secret to use for HTTP authentication between FortiGate Cloud and the platform.

      2. Click OK.

    Creating Incidents

    When an automation stitch is triggered, a new event is created in the Event Monitor. You can use this event to create or update an incident, allowing repeated triggers to be tracked against the same incident.

    To create an incident:
    1. Go to Incidents & Events > Event Monitor.
    2. Select an event and click Actions > Create New Incident. The Create New Incident pane opens.
      Alternatively, you can select Add to Existing Incident and select an incident from the list.
    3. Configure the incident and click OK. The incident is added to the Incidents page.
      FieldDescription
      NameEnter a descriptive name for the incident to identify the issue.
      Incident CategorySelect the incident category from the dropdown.
      SeveritySelect the severity level of the incident.
      StatusSelec the current state of the incident.
      DescriptionProvides additional details about the incident. Enter relevant context or observations to support investigation.
      Assign ToAssign a user to manage the incident.
    Previous
    Next

    Event Handler

    Event Handler

    Go to Analytics > Incidents & Events > Event Handler, to view event handlers and create notification profiles for events.

    This topic contains the following information:

    To view event handlers:

    1. Go to Analytics > Incidents & Events > Event Handler. The list of event handlers is displayed.

    2. Hover the mouse over each event handler to display a tooltip of information.

    Creating Event Handlers

    To create an Event Handler:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. In the Event Handler tab, click Create.
    3. Configure the Event Handler details:

      Field

      Description

      NameEnter the event handler name.
      Event TypeSelect and event type from the dropdown.
      Description(Optional) Enter a description of the event handler.
    4. Configure the event Rules.
      1. Click Create.
      2. (Optional) Toggle Status to enable/disable the event handler.
      3. Select the event Severity from the dropdown.

      4. Choose Your Logs: Select the Log Type and Log Subtype that you want to monitor for events. Select the Log Field to categorize logs into smaller groups based on the chosen log fields.

      5. Refine Your Logs: Once logs are grouped, you can refine the data within each group by applying filters with other log fields. Logs that match the filters will be retained within each group.

      6. Define Event Conditions: Once you have organized and filtered the logs, set up criteria that enables the system to automatically initiate events when log records reoccur within each group.

    5. Click OK.
    To clone an Event Handler:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. Select a handler from the list and click Clone.
    3. Edit the Event Handler Details and Rules and click OK.
    Some event handlers cannot be cloned, including OFTP, the Tunnel Down event handler, IoC events, and Sandbox events.

    Creating Notification Profiles

    To create a notification profile:
    1. Go to Analytics > Incidents & Events > Event Handler.
    2. On the Notification Profile tab, click Create New.
    3. Enter a name for the profile.
    4. If desired, enable Email.
      1. Configure the desired email addresses to send the notification to.
      2. Configure the Subject field as desired, then click OK.
    5. If desired, enable Webhook.
      1. Configure the webhook options as follows:

        Field

        Description

        Type

        Select Generic or MS Teams.

        Port

        Available if you selected Generic. Enter the port number that FortiGate Cloud uses to communicate with the platform.

        Method

        Select POST or PUT for the REST API call method.

        Title

        Enter the title for the message.

        URL

        Enter the webhook URL from the desired platform.

        HTTP body

        Available if you selected Generic. Enter the message body text.

        HTTP authentication

        Available if you selected Generic.

        Select Basic or OAuth2 to configure and allow HTTP authentication between FortiGate Cloud and the platform.

        Username

        Available if you selected Basic for HTTP authentication. Enter the username to use for HTTP authentication between FortiGate Cloud and the platform.

        Password

        Available if you selected Basic for HTTP authentication. Enter the password to use for HTTP authentication between FortiGate Cloud and the platform.

        Authorization server

        Available if you selected OAuth2 for HTTP authentication. Enter the IP address of the authorization server to use for HTTP authentication between FortiGate Cloud and the platform.

        Auth client ID

        Available if you selected OAuth2 for HTTP authentication. Enter the client ID to use for HTTP authentication between FortiGate Cloud and the platform.

        Auth client secret

        Available if you selected OAuth2 for HTTP authentication. Enter the client secret to use for HTTP authentication between FortiGate Cloud and the platform.

      2. Click OK.

    Creating Incidents

    When an automation stitch is triggered, a new event is created in the Event Monitor. You can use this event to create or update an incident, allowing repeated triggers to be tracked against the same incident.

    To create an incident:
    1. Go to Incidents & Events > Event Monitor.
    2. Select an event and click Actions > Create New Incident. The Create New Incident pane opens.
      Alternatively, you can select Add to Existing Incident and select an incident from the list.
    3. Configure the incident and click OK. The incident is added to the Incidents page.
      FieldDescription
      NameEnter a descriptive name for the incident to identify the issue.
      Incident CategorySelect the incident category from the dropdown.
      SeveritySelect the severity level of the incident.
      StatusSelec the current state of the incident.
      DescriptionProvides additional details about the incident. Enter relevant context or observations to support investigation.
      Assign ToAssign a user to manage the incident.
    Previous
    Next