Administration Guide

Actions

The following table outlines the available automation stitch actions. Multiple actions can be added and reorganized as needed by dragging and dropping.

| Action | Description |
| --- | --- |
| Alert | Generate a FortiOS dashboard alert. This option is only available in the CLI. |
| CLI Script | Run one or more CLI scripts. See CLI script action for details. See Execute a CLI script based on CPU and memory thresholds for an example. |
| Disable SSID | Disable the SSID interface. This option is only available in the CLI. |
| Email | Send a custom email message to the selected recipients. At least one recipient and an email subject must be specified. The email body can use parameters from logs or previous action results. Wrapping the parameter with %% will replace the expression with the JSON value for the parameter, for example: %%results.source%% is the source property from the previous action. |
| FortiExplorer Notification | Send push notifications to FortiExplorer. The FortiGate must be registered to FortiCare on the iOS App that will receive the notification. |
| Access Layer Quarantine | This option is only available for Compromised Host triggers. Impose a dynamic quarantine on multiple endpoints based on the access layer. |
| Quarantine FortiClient via EMS | This option is only available for Compromised Host triggers. Use FortiClient EMS to block all traffic from the source addresses that are flagged as compromised hosts. Quarantined devices are flagged on the Security Fabric topology views. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses. |
| Assign VMware NSX Security Tag | This option is only available for Compromised Host triggers. If an endpoint instance in a VMware NSX environment is compromised, the configured security tag is assigned to the compromised endpoint. See Assign VMware NSX security tag action and Assign VMware NSX-T security tag action for details. |
| IP Ban | This option is only available for Compromised Host triggers. Block all traffic from the source addresses flagged by the IoC. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses. |
| AWS Lambda | Send log data to an integrated AWS service. See AWS Lambda action for details. |
| Azure Function | Send log data to an Azure function. See Azure Function action for details. |
| Google Cloud Function | Send log data to a Google Cloud function. See Google Cloud Function action for details. |
| AliCloud Function | Send log data to an AliCloud function. See AliCloud Function action for details. |
| Slack Notification | Send a notification to a Slack channel. See Slack notification action for details. |
| Webhook | Send an HTTP request using a REST callback. See Webhook action for details, and Slack integration webhook and Microsoft Teams integration webhook for examples. |
