Fabric connector event trigger

With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.

In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.

This example assumes the Security Fabric is already configured. Refer to Configuring the root FortiGate and downstream FortiGates and FortiDeceptor for detailed configuration steps. On the root FortiGate, the Allow downstream device REST API access option must be enabled (set downstream-access enable). The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

Three stitches are configured, one for each FortiDeceptor trigger type:

Stitch name             Fabric connector event trigger    Actions
fortideceptor_threat    Insider threat                    Email and IP ban
fortideceptor_ban       Notify ban                        Email and IP ban
fortideceptor_unban     Notify unban                      Email and CLI script

To configure stitches with the Fabric connector event trigger in the GUI:
  1. Configure the triggers:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Security Fabric section, click Fabric Connector Event and enter the following:

      Name: fdc_Insider_Threat
      Description: Insider_Threat
      Connector: Select the FortiDeceptor connector
      Event Name: Insider Threat

    3. Click OK.

    4. Repeat these steps to create two more triggers with the following settings:

      Second trigger:
      Name: fdc_Notify_Ban
      Description: Notify_Ban
      Connector: Select the FortiDeceptor connector
      Event Name: Notify Ban

      Third trigger:
      Name: fdc_Notify_Unban
      Description: Notify_Unban
      Connector: Select the FortiDeceptor connector
      Event Name: Notify Unban

  2. Configure the actions:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Security Response section, click IP Ban and enter the name, fdc_ban-ip.

    3. Click OK.

    4. Repeat these steps to create an Email (in the Notifications section) and a CLI Script (in the General section) action with the following settings:

      Email action:
      Name: email_log
      To: Enter an email address
      Subject: CSF stitch alert

      CLI Script action:
      Name: fdc_unban
      Script: diagnose user quarantine delete src4 %%log.srcip%%
      Administrator profile: super_admin

  3. Configure the fortideceptor_threat stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_threat.

    3. Click Add Trigger. Select fdc_Insider_Threat and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_ban-ip and click Apply.

    6. Click Add delay (located between the two actions), enter 5, and click OK.

    7. Click OK.

  4. Configure the fortideceptor_ban stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_ban.

    3. Click Add Trigger. Select fdc_Notify_Ban and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_ban-ip and click Apply.

    6. Click Add delay (located between the two actions), enter 5, and click OK.

    7. Click OK.

  5. Configure the fortideceptor_unban stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, fortideceptor_unban.

    3. Click Add Trigger. Select fdc_Notify_Unban and click Apply.

    4. Click Add Action. Select email_log and click Apply.

    5. Click Add Action. Select fdc_unban and click Apply.

    6. Click Add delay (located between the two actions), enter 5, and click OK.

    7. Click OK.

To configure stitches with the Fabric connector event trigger in the CLI:
  1. Configure the triggers:
    config system automation-trigger
        edit "fdc_Insider_Threat"
            set description "Insider_Threat"
            set event-type fabric-event
            set serial "FDC-VMTM210000**"
            set fabric-event-name "insider_threat"
        next
        edit "fdc_Notify_Ban"
            set description "Notify_Ban"
            set
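The following is an added example, not Fortinet code: a small parser for the FortiOS "config / edit / set / next / end" layout shown above, used to cross-check that every automation stitch points at a trigger and actions that are actually defined (a dangling reference means the stitch never fires or its ban never runs). The trigger entry mirrors this page; the action and stitch tables, including the "config actions" sub-table syntax, are assumed rather than taken from the page.

```python
import shlex
# Constructed sample: trigger from the page; action/stitch tables and "config actions" syntax assumed.
SAMPLE = """config system automation-trigger
    edit "fdc_Insider_Threat"
        set event-type fabric-event
        set fabric-event-name "insider_threat"
    next
end
config system automation-action
    edit "fdc_ban-ip"
    next
end
config system automation-stitch
    edit "fortideceptor_threat"
        set trigger "fdc_Insider_Threat"
        config actions
            edit 1
                set action "fdc_ban-ip"
                set delay 5
            next
        end
    next
end
"""

def parse(text):
    """Nested dicts: table -> entry -> key -> value list (or a sub-table)."""
    root, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":           # open a table or a sub-table
            stack.append((stack[-1] if stack else root).setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":           # open an entry inside the current table
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":            # attribute with one or more values
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close the entry / the table
            stack.pop()
    return root

def dangling_refs(cfg):  # stitch references to triggers or actions that do not exist
    first = lambda d, k: d.get(k, [""])[0]
    bad = []
    for name, st in cfg.get("system automation-stitch", {}).items():
        if first(st, "trigger") not in cfg.get("system automation-trigger", {}):
            bad.append((name, "trigger", first(st, "trigger")))
        for entry in st.get("actions", {}).values():
            if first(entry, "action") not in cfg.get("system automation-action", {}):
                bad.append((name, "action", first(entry, "action")))
    return bad
```

Feed it the output of `show system automation-trigger`, `show system automation-action` and `show system automation-stitch` concatenated to audit a live unit the same way.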