Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.5.0 User Guide
    7.5.0
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    Trigger Steps

    Trigger Steps

    A Trigger step defines the starting point of a playbook's execution and is always the first step in a playbook. After the playbook is triggered, it follows the defined steps based on the routes set on the canvas, using the trigger as the starting point.

    When you create a playbook, it is initially generated with a placeholder Trigger step. Depending on your requirements, you can choose between two trigger methods: Application Event or Referenced .

    Application Event

    The Application Event trigger starts a playbook from either an application event or a scheduled event. Playbooks are triggered when an event, to which they are subscribed, is received. For details on events, see Playbook Assets.

    To add a playbook with an Application Event trigger:

    1. In the Playbook Designer, click Application Event.

    2. In the Application Event pane, select the event trigger you want to use to initiate the playbook.

      Application events are grouped by connector (integration) names. Expand the relevant integration and select the desired application event.

    3. In the selected application event pane, provide the following details:

      1. The Step Name field contains the name of the application event. You can optionally click Add Description to add a description for the step.

      2. (Optional) To add additional filter criteria to trigger the playbook, such as triggering the playbook only when the event is of a specific type, define the filter conditions in the Configure Filter Criteria section.

      3. Toggle the Enable to configure periodic event polling option to configure periodic event polling, which pulls content from the third-party integration into FortiSIEM at defined intervals:

        1. From the Target field, select whether you want to run the action on the Self Agent node that is configured by default on FortiSIEM or another configured custom agent.

        2. From the Configuration field, select the configuration name to be used for running the action.

          You can add multiple configurations while configuring the connector.

      4. Click the Edit icon in the Configure Connector Action: <Name of the action> section to view the action parameters used to pull content from the third-party integration. Update the values of parameters as per your requirements.

      5. Use the Schedule section to adjust the frequency of pulling content from the third-party integration. By default, events are configured with a periodic pull of 5 minutes.

      6. Use the Batch Processing (Looping) section to select your playbook execution preferences. You can choose between:

        • Single Execution for Entire Dataset: Choose this option to run the playbook once for the entire dataset.

        • Execute in Batches: For large datasets, this option is recommended for better performance. If selected, then you must specify the batch Size for processing.

    4. Click Save to save the trigger.

    Referenced

    The Referenced trigger is used for playbooks triggered from another playbook using the Reference a Playbook step or from a specific schedule. Keep in mind that any dynamic data required for a child playbook during execution must be provided by the parent(s) playbooks.

    To add a playbook with a Referenced trigger:

    1. In the Playbook Designer, click Referenced.

    2. In the Referenced pane, enter the following details:

      1. In the Step Name field, type the name of the step.

      2. (Optional) Click Add Description to add a description for the step.

      3. (Optional) Add playbook actions, such as Variables, Loops, etc., to this step by clicking Variables in the playbook step footer. For more information on playbook actions that extend playbook steps, see Playbook Steps.

      4. Click Save to save the trigger.

    Previous
    Next

    Trigger Steps

    Trigger Steps

    A Trigger step defines the starting point of a playbook's execution and is always the first step in a playbook. After the playbook is triggered, it follows the defined steps based on the routes set on the canvas, using the trigger as the starting point.

    When you create a playbook, it is initially generated with a placeholder Trigger step. Depending on your requirements, you can choose between two trigger methods: Application Event or Referenced .

    Application Event

    The Application Event trigger starts a playbook from either an application event or a scheduled event. Playbooks are triggered when an event, to which they are subscribed, is received. For details on events, see Playbook Assets.

    To add a playbook with an Application Event trigger:

    1. In the Playbook Designer, click Application Event.

    2. In the Application Event pane, select the event trigger you want to use to initiate the playbook.

      Application events are grouped by connector (integration) names. Expand the relevant integration and select the desired application event.

    3. In the selected application event pane, provide the following details:

      1. The Step Name field contains the name of the application event. You can optionally click Add Description to add a description for the step.

      2. (Optional) To add additional filter criteria to trigger the playbook, such as triggering the playbook only when the event is of a specific type, define the filter conditions in the Configure Filter Criteria section.

      3. Toggle the Enable to configure periodic event polling option to configure periodic event polling, which pulls content from the third-party integration into FortiSIEM at defined intervals:

        1. From the Target field, select whether you want to run the action on the Self Agent node that is configured by default on FortiSIEM or another configured custom agent.

        2. From the Configuration field, select the configuration name to be used for running the action.

          You can add multiple configurations while configuring the connector.

      4. Click the Edit icon in the Configure Connector Action: <Name of the action> section to view the action parameters used to pull content from the third-party integration. Update the values of parameters as per your requirements.

      5. Use the Schedule section to adjust the frequency of pulling content from the third-party integration. By default, events are configured with a periodic pull of 5 minutes.

      6. Use the Batch Processing (Looping) section to select your playbook execution preferences. You can choose between:

        • Single Execution for Entire Dataset: Choose this option to run the playbook once for the entire dataset.

        • Execute in Batches: For large datasets, this option is recommended for better performance. If selected, then you must specify the batch Size for processing.

    4. Click Save to save the trigger.

    Referenced

    The Referenced trigger is used for playbooks triggered from another playbook using the Reference a Playbook step or from a specific schedule. Keep in mind that any dynamic data required for a child playbook during execution must be provided by the parent(s) playbooks.

    To add a playbook with a Referenced trigger:

    1. In the Playbook Designer, click Referenced.

    2. In the Referenced pane, enter the following details:

      1. In the Step Name field, type the name of the step.

      2. (Optional) Click Add Description to add a description for the step.

      3. (Optional) Add playbook actions, such as Variables, Loops, etc., to this step by clicking Variables in the playbook step footer. For more information on playbook actions that extend playbook steps, see Playbook Steps.

      4. Click Save to save the trigger.

    Previous
    Next