Settings
You can define rules that automatically create a Jira or ServiceNow ticket, or send an email, when certain incidents occur. This helps SOC analysts assign an incident to someone else in the organization.
To send an email or create a Jira or ServiceNow ticket when certain incidents occur:
- Go to Threat Analytics > Threat Analytics.
- Select the Settings tab.
- Click Create Notification Template.
- Enter a name for the template.
- For Applications/Devices, select one of:
  - All Applications and Devices: Notifications are sent when an incident occurs on any application or device.
  - Customized: Notifications are sent only when an incident occurs on the selected applications or devices. Select the applications or devices you want to monitor, then move them to the Selected list. Note that the list only contains applications for which you have either read-write or read-only permission.
- Turn on Status if you want this notification template to take effect.
- Click Next.
- Select Notify me when incident with certain risk level occurs. Multiple attack events with common characteristics may be aggregated into one incident; an incident with a higher risk level contains more attack logs.
- Select whether to send the notification through email, Jira, or ServiceNow.
  - Email
    - Configure the Recipient, Subject, and Template. Separate multiple email addresses with ",". You can add macros as needed: type "%%" and the available macros pop up.
  - Jira
    - Enter the Jira URL, then the Account and Token that FortiWeb Cloud uses to connect to Jira.
    - Click Next. FortiWeb Cloud verifies the account and token and does not proceed to the next page if verification fails.
    - FortiWeb Cloud pulls the project names, issue types, and reporters from Jira and populates the drop-down lists with them. Select from the lists. The Jira incident to be created is tagged with the selected project name, issue type, and reporter.
    - Edit the Summary and Description. You can add macros as needed: type "%%" and the available macros pop up.
    - Click Save.
  - ServiceNow
    - Enter the ServiceNow URL, then the Client ID and Client Secret that FortiWeb Cloud uses to connect to ServiceNow.
    - Click Next. FortiWeb Cloud verifies the credentials and does not proceed to the next page if verification fails.
    - FortiWeb Cloud pulls the Caller and Assignment Group from ServiceNow and populates the drop-down lists with them. Select from the lists. The ServiceNow incident to be created is tagged with the selected Caller and Assignment Group.
    - Edit the Summary and Description. You can add macros as needed: type "%%" and the available macros pop up.
    - Click Save.
Notification Settings are applied globally: a Notification Template created or edited in your account also applies to other accounts under the same root account. In some cases application names are shown as unknown; these are applications for which you do not have Read-Only or Read-Write permission.