Nur
Staff
November 18, 2025

Technical Tip: FortiAnalyzer auto create default handler incident when button 'Automatically Create Incident' is disabled

Description

This article describes an issue in which FortiAnalyzer has a custom event handler with 'Automatically Create Incident' enabled, and a default handler with 'Automatically Create Incident' disabled still auto-creates an incident in the incident section.

Scope

FortiAnalyzer v7.6.
Solution

By default, incidents can be generated automatically by event handlers, even if no specific incidents have been manually enabled. This is due to the 'Automatically Create Incident' option being enabled by default for certain event handlers, such as those related to Outbreak Alerts. If an event handler triggers an alert, an incident is created automatically.

 

To prevent FortiAnalyzer from auto-creating the incident in the incident section, configure the behavior under the alert setting:

config system log alert

get
    set max-alert-count : 10000  <-- Display the number of alerts for the handlers at the incident event.
    set min-severity-to-raise-incident-by-grouping: none  <-- FortiAnalyzer will auto-generate the incident.

end

 

Related article:

Technical Tip: How to trigger automation stitch on FortiGate using FortiAnalyzer Event Handler