The following table outlines the available triggers.




Security Fabric


Compromised Host

An indicator of compromise (IoC) is detected on a host endpoint.

The threat level must be selected and can be Medium or High. If Medium is selected, both medium and high level threats are included.

Additional actions are available only for Compromised Host triggers:

  • Access Layer Quarantine
  • FortiClient Quarantine
  • VMware NSX Security Tag
  • IP Ban


Security Rating Summary

A summary is available for a recently run Security Rating report. Options include:

  • Security Posture
  • Fabric Coverage
  • Optimization
  • Any


FortiAnalyzer Event Handler

The specified FortiAnalyzer event handler has occurred. See FortiAnalyzer event handler trigger for details.


FortiGate Cloud Event Handler

The specified FortiGate Cloud event handler has occurred.

This option requires a FortiGate Cloud log retention license.


Fabric Connector Event

An event has occurred on a specific Fabric connector. See Fabric connector event trigger for details.


FortiGate Cloud-Based IOC

IOC detection from the FortiGate Cloud IOC service.

This option requires an IOC license, a web filter license, and FortiCloud logging must be enabled.




A FortiGate is rebooting.


HA Failover

An HA failover is occurring.


Conserve Mode

A FortiGate entered conserve mode due to low memory. See Execute a CLI script based on CPU and memory thresholds for an example.


Configuration Change

A FortiGate configuration change has occurred.


License Expiry

A FortiGuard license is expiring.

The license type must be selected. Options include:

  • FortiCare Support
  • FortiGuard Web Filter
  • FortiGuard AntiSpam
  • FortiGuard AntiVirus
  • FortiGuard IPS
  • FortiGuard Management Service
  • FortiGate Cloud
  • Any


AV & IPS DB Update

The antivirus and IPS database is updating.


High CPU

A FortiGate has high CPU usage. See Execute a CLI script based on CPU and memory thresholds for an example.



FortiOS Event Log

The specified FortiOS log has occurred.

Multiple event log IDs can be selected, and log field filters can be applied. See FortiOS event log trigger for an example.


Incoming Webhook

An incoming webhook is triggered.