Fortinet black logo

Cookbook

Triggers

Triggers

The following table outlines the available automation stitch triggers:

Trigger

Description

Compromised Host

An Indicator of Compromise (IOC) is detected on a host endpoint.

The threat level must be selected and can be Medium or High. If Medium is selected, both medium and high level threats are included.

Note: Additional actions are available only for Compromised Host triggers:

  • Access Layer Quarantine
  • Quarantine FortiClient via EMS
  • Assign VMware NSX Security Tag
  • IP Ban

Security Rating Summary

A summary is available for a recently run Security Rating.

Configuration Change

A FortiGate configuration change has occurred.

Reboot

A FortiGate is rebooting.

Low memory

This option is only available in the CLI.

Conserve mode due to low memory. See Execute a CLI script based on CPU and memory thresholds for an example.

High CPU

This option is only available in the CLI.

High CPU usage. See Execute a CLI script based on CPU and memory thresholds for an example.

License Expiry

A FortiGuard license is expiring.

The license type must be selected. Options include:

  • FortiCare Support
  • FortiGuard Web Filter
  • FortiGuard AntiSpam
  • FortiGuard AntiVirus
  • FortiGuard IPS
  • FortiGuard Management Service
  • FortiGate Cloud

HA Failover

An HA failover is occurring.

AV & IPS DB Update

The antivirus and IPS database is updating.

FortiOS Event Log

The specified FortiOS log has occurred.

The event must be selected from the event list.

FortiAnalyzer Event Handler

The specified FortiAnalyzer event handler has occurred. See FortiAnalyzer event handler trigger for details.

Schedule

A scheduled monthly, weekly, daily, or hourly trigger. Set to occur on a specific minute of an specific hour on a specific day.

FortiGate Cloud-Based IOC

IOC detection from the FortiGate Cloud IOC service.

This option requires an IOC license, a web filter license, and FortiCloud logging must be enabled. See FortiGate Cloud-based IOC for details.

Triggers

Triggers

The following table outlines the available automation stitch triggers:

Trigger

Description

Compromised Host

An Indicator of Compromise (IOC) is detected on a host endpoint.

The threat level must be selected and can be Medium or High. If Medium is selected, both medium and high level threats are included.

Note: Additional actions are available only for Compromised Host triggers:

  • Access Layer Quarantine
  • Quarantine FortiClient via EMS
  • Assign VMware NSX Security Tag
  • IP Ban

Security Rating Summary

A summary is available for a recently run Security Rating.

Configuration Change

A FortiGate configuration change has occurred.

Reboot

A FortiGate is rebooting.

Low memory

This option is only available in the CLI.

Conserve mode due to low memory. See Execute a CLI script based on CPU and memory thresholds for an example.

High CPU

This option is only available in the CLI.

High CPU usage. See Execute a CLI script based on CPU and memory thresholds for an example.

License Expiry

A FortiGuard license is expiring.

The license type must be selected. Options include:

  • FortiCare Support
  • FortiGuard Web Filter
  • FortiGuard AntiSpam
  • FortiGuard AntiVirus
  • FortiGuard IPS
  • FortiGuard Management Service
  • FortiGate Cloud

HA Failover

An HA failover is occurring.

AV & IPS DB Update

The antivirus and IPS database is updating.

FortiOS Event Log

The specified FortiOS log has occurred.

The event must be selected from the event list.

FortiAnalyzer Event Handler

The specified FortiAnalyzer event handler has occurred. See FortiAnalyzer event handler trigger for details.

Schedule

A scheduled monthly, weekly, daily, or hourly trigger. Set to occur on a specific minute of an specific hour on a specific day.

FortiGate Cloud-Based IOC

IOC detection from the FortiGate Cloud IOC service.

This option requires an IOC license, a web filter license, and FortiCloud logging must be enabled. See FortiGate Cloud-based IOC for details.