Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.4.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.4.0 User Guide
    7.4.0
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    Evaluate Steps

    Evaluate Steps

    Evaluate steps represent steps that facilitate decision making by allowing users to assess scenarios and provide inputs based on specific conditions.

    Decision step

    The Decision step allows conditional validation within the playbook. You can specify "if this, then that" criteria to direct the flow of the playbook based on the results of a condition. Many organizational processes differ depending on particular criteria, and to accomplish this; you can use the Decision step.

    Use the Decision step to enable the playbook to execute a particular path based on defined conditions; "If criteria = x, then do this next step." You can configure the Decision step with a variety of operators (equals, does not equal, <, >, etc.) and chain logical conditions with AND/OR logic to create granular decision-making criteria.

    To add a Decision step:

    1. In the Playbook Designer, from the Select Step pane, choose Decision.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. To define a decision step click Add Condition or Add Default Condition, and then specify the conditions for the decision:

      • Add the Step Name and save the step. Then at a later time, add the conditions and corresponding execution steps.

        OR

      • Define entire step setting, or workflow, for the decision step, even if the corresponding execution steps are unavailable. This allows you to write the complete logic of the decision and plug in the execution steps later.

        The decision step functions in such a way that it evaluates multiple (alternative) conditions until any of them is fulfilled. This means that when the Decision step finds one condition that is fulfilled, then it skips the other conditions.

        Note: The Decision step evaluates conditions sequentially and executes the first condition that is true, skipping the others.

      • Add Default Condition: Define default condition or route when no other condition is met. You must select the default step to execute.

    5. Click Save to save the Decision step.

    Wait

    The Wait step allows you to define a specific delay before the playbook resumes executing its remaining steps. This is useful for time-based escalations, such as missed SLAs.

    To add a Wait step:

    1. In the Playbook Designer, from the Select Step pane, choose Wait.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. In the Playbook will resume after section, specify the time the playbook waits before executing the remaining steps.

      Enter values in the Weeks, Days, Hours, Minutes, and Seconds fields based on your requirements.

      To insert dynamic values, type $ and choose from the list of suggested variables, Input/Output parameters or Functions.

    5. Click Save to save the Wait step.

    User Input

    The User Input step displays a custom form to users, allowing them to provide data or provide contextual confirmation to the playbook.

    To add a User Input step:

    1. In the Playbook Designer, from the Select Step pane, choose User Input.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. In the User Input Design section, click Edit to design the form:

      1. In the Title field, enter the title for the user prompt.

        To insert dynamic values, type $ and choose from the list of suggested variables, Input/Output parameters or Functions.

      2. (Optional) In the Description field, enter additional information to guide users in providing inputs.

      3. Select form fields to include in the input form. Drag and drop them into the Drop Buttons Here area, which displays the properties that are used to configure the form field.

      4. In the Properties pane for each form field, enter the field label. Optionally, you can set the default value for the field, and provide more information about the field in the Tooltip field. To mark this field as mandatory in the user prompt, select the Mark this field as required checkbox.

        After designing the input form, click Save.

    5. In the User Input Design section, click Medium to choose the medium for delivering the user input prompt.

      • Select the Collect input from Internal users option if you want the user input to be accessible to only FortiSIEM users, where they contextually provide inputs based on record information. Then, choose one of the following options to determine who is responsible for responding to the input prompt:

        • Specific Users: The user input is visible and actionable by users other than the user who is assigned to the record. When selecting this option, Select multi-select list appears allowing you to choose users responsible for making decisions. You can also add custom expressions in this field.

          You can also select the Customize email template checkbox to create a custom email body using a rich text field, instead of using the default template. This allows you to provide context for the input prompt and personalize notifications for each record. You can also include playbook variables using custom Jinja input in the email body.

          Additionally, in the Attachment IRI List field, enter an array or a comma-separated list of record IRIs (file IRI or attachment IRI) for attachments you want included in the email.

        • No specific assignee: The input prompt is visible and actionable by all users in the FortiSIEM system.

      • Select the Collect input from external users option, if you want to non-FortiSIEM users to provide decisions or inputs. In this case, an email with a link to a page containing the input form will be sent to external users. Clicking the link opens the form in a new page, where users can submit their responses.

        In the Provide Email Address (es) field, add email addresses as a JSON list or comma-separated values list, of non-FortiSIEM users, who should provide responses. You can also add custom expressions in this field. You can also select the Customize email template checkbox to define a custom email body using a rich text field, instead of sending the default template. This allows you to provide context for the input prompt.

        Once you have specified the users who need to provide inputs, click Save.

    6. Expand the Escalation section to define actions for cases where input is not provided within the specified time frame. From the Do you wish to configure e-based escalation? section, choose No or Yes.

      If you choose No, then there is no time-based escalation.

      If you choose Yes, then:

      • In the If the decision is not provided within field, specify the time window within which the input must be provided must be specified. You can specify the time in Days, Hours, or Minutes.

      • From the The following step will be executed field, select the escalation step if the time frame is exceeded.

        For example, if you want to send an email notification to the managers, then you can define that step as Escalation Email and connect it to the User Input step and select this option in The following step will be executed field.

        Once you have defined the escalation steps, click Save.

    7. (Optional) Add playbook actions, such as Variables, Loops, etc., to this step by clicking Variables in the playbook step footer. For more information on playbook actions that extend playbook steps, see Playbook Steps.

    8. Click Save to save the User Input step.

    Previous
    Next

    Evaluate Steps

    Evaluate Steps

    Evaluate steps represent steps that facilitate decision making by allowing users to assess scenarios and provide inputs based on specific conditions.

    Decision step

    The Decision step allows conditional validation within the playbook. You can specify "if this, then that" criteria to direct the flow of the playbook based on the results of a condition. Many organizational processes differ depending on particular criteria, and to accomplish this; you can use the Decision step.

    Use the Decision step to enable the playbook to execute a particular path based on defined conditions; "If criteria = x, then do this next step." You can configure the Decision step with a variety of operators (equals, does not equal, <, >, etc.) and chain logical conditions with AND/OR logic to create granular decision-making criteria.

    To add a Decision step:

    1. In the Playbook Designer, from the Select Step pane, choose Decision.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. To define a decision step click Add Condition or Add Default Condition, and then specify the conditions for the decision:

      • Add the Step Name and save the step. Then at a later time, add the conditions and corresponding execution steps.

        OR

      • Define entire step setting, or workflow, for the decision step, even if the corresponding execution steps are unavailable. This allows you to write the complete logic of the decision and plug in the execution steps later.

        The decision step functions in such a way that it evaluates multiple (alternative) conditions until any of them is fulfilled. This means that when the Decision step finds one condition that is fulfilled, then it skips the other conditions.

        Note: The Decision step evaluates conditions sequentially and executes the first condition that is true, skipping the others.

      • Add Default Condition: Define default condition or route when no other condition is met. You must select the default step to execute.

    5. Click Save to save the Decision step.

    Wait

    The Wait step allows you to define a specific delay before the playbook resumes executing its remaining steps. This is useful for time-based escalations, such as missed SLAs.

    To add a Wait step:

    1. In the Playbook Designer, from the Select Step pane, choose Wait.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. In the Playbook will resume after section, specify the time the playbook waits before executing the remaining steps.

      Enter values in the Weeks, Days, Hours, Minutes, and Seconds fields based on your requirements.

      To insert dynamic values, type $ and choose from the list of suggested variables, Input/Output parameters or Functions.

    5. Click Save to save the Wait step.

    User Input

    The User Input step displays a custom form to users, allowing them to provide data or provide contextual confirmation to the playbook.

    To add a User Input step:

    1. In the Playbook Designer, from the Select Step pane, choose User Input.

    2. In the Step Name field, type the name of the step.

    3. (Optional) Click Add Description to add a description for the step.

    4. In the User Input Design section, click Edit to design the form:

      1. In the Title field, enter the title for the user prompt.

        To insert dynamic values, type $ and choose from the list of suggested variables, Input/Output parameters or Functions.

      2. (Optional) In the Description field, enter additional information to guide users in providing inputs.

      3. Select form fields to include in the input form. Drag and drop them into the Drop Buttons Here area, which displays the properties that are used to configure the form field.

      4. In the Properties pane for each form field, enter the field label. Optionally, you can set the default value for the field, and provide more information about the field in the Tooltip field. To mark this field as mandatory in the user prompt, select the Mark this field as required checkbox.

        After designing the input form, click Save.

    5. In the User Input Design section, click Medium to choose the medium for delivering the user input prompt.

      • Select the Collect input from Internal users option if you want the user input to be accessible to only FortiSIEM users, where they contextually provide inputs based on record information. Then, choose one of the following options to determine who is responsible for responding to the input prompt:

        • Specific Users: The user input is visible and actionable by users other than the user who is assigned to the record. When selecting this option, Select multi-select list appears allowing you to choose users responsible for making decisions. You can also add custom expressions in this field.

          You can also select the Customize email template checkbox to create a custom email body using a rich text field, instead of using the default template. This allows you to provide context for the input prompt and personalize notifications for each record. You can also include playbook variables using custom Jinja input in the email body.

          Additionally, in the Attachment IRI List field, enter an array or a comma-separated list of record IRIs (file IRI or attachment IRI) for attachments you want included in the email.

        • No specific assignee: The input prompt is visible and actionable by all users in the FortiSIEM system.

      • Select the Collect input from external users option, if you want to non-FortiSIEM users to provide decisions or inputs. In this case, an email with a link to a page containing the input form will be sent to external users. Clicking the link opens the form in a new page, where users can submit their responses.

        In the Provide Email Address (es) field, add email addresses as a JSON list or comma-separated values list, of non-FortiSIEM users, who should provide responses. You can also add custom expressions in this field. You can also select the Customize email template checkbox to define a custom email body using a rich text field, instead of sending the default template. This allows you to provide context for the input prompt.

        Once you have specified the users who need to provide inputs, click Save.

    6. Expand the Escalation section to define actions for cases where input is not provided within the specified time frame. From the Do you wish to configure e-based escalation? section, choose No or Yes.

      If you choose No, then there is no time-based escalation.

      If you choose Yes, then:

      • In the If the decision is not provided within field, specify the time window within which the input must be provided must be specified. You can specify the time in Days, Hours, or Minutes.

      • From the The following step will be executed field, select the escalation step if the time frame is exceeded.

        For example, if you want to send an email notification to the managers, then you can define that step as Escalation Email and connect it to the User Input step and select this option in The following step will be executed field.

        Once you have defined the escalation steps, click Save.

    7. (Optional) Add playbook actions, such as Variables, Loops, etc., to this step by clicking Variables in the playbook step footer. For more information on playbook actions that extend playbook steps, see Playbook Steps.

    8. Click Save to save the User Input step.

    Previous
    Next