HernandezA
Staff
January 28, 2026

Technical Tip: Incidents created automatically by FortiAnalyzer even though the 'Automatically Create Incident' option is disabled in v7.6.x releases

Description
This article describes how to resolve the automatic creation of incidents even though the 'Automatically Create Incident' option is disabled in v7.6.x releases.
Scope
FortiAnalyzer.
Solution

Context:

Normally, when configuring an event handler in FortiAnalyzer (Incident & Events -> Event handlers -> Event handler name -> Edit), there is an option to enable or disable automatic incident creation when that event is raised. In v7.6.x releases, however, disabling that option does not in every situation guarantee that no incident will be raised.

 

In the following example, an event handler is configured with the 'Automatically Create Incident' option disabled, but the log related to the event has level 'Critical', which causes the default configuration of the 'Alert grouping' feature to still generate incidents.

 

event handler settings.jpg

 

Incident_list.jpg


 

The reason: versions 7.6.x enabled a new feature called 'Alert grouping', which groups alerts with severity greater than or equal to high/critical into a single incident when they share the same target. That option is enabled by default for 'Critical' events, which can lead to this confusing situation.

 

To stop the incident creation, apply the following configuration and set the grouping severity to none to disable the 'Alert grouping' feature:

 

config system log alert
    set max-alert-count <integer>
    set min-severity-to-raise-incident-by-grouping {critical | high | none}
end

 

Note: this configuration is global and affects all ADOMs. After setting the value to none, the incidents stopped being created.
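As an added illustration (not Fortinet's code and not part of the original article), the following Python script parses the 'config system log alert' block as it appears in a saved CLI dump and reports whether the grouping setting still lets critical/high alerts raise incidents on their own. The two sample dumps, the max-alert-count value of 10, and the assumption that a plain 'show' omits settings left at their default (so a missing grouping line means the v7.6.x default of 'critical') are constructed for this example.

```python
import re

# Constructed sample of `show system log alert` output on a v7.6.x unit that
# still has the default grouping behaviour (max-alert-count value is made up).
SAMPLE_DEFAULT = """\
config system log alert
    set max-alert-count 10
end
"""

# Constructed sample after applying the fix described in the article.
SAMPLE_FIXED = """\
config system log alert
    set max-alert-count 10
    set min-severity-to-raise-incident-by-grouping none
end
"""

BLOCK_RE = re.compile(
    r"config system log alert\s*\n(?P<body>.*?)^\s*end\s*$",
    re.DOTALL | re.MULTILINE,
)
SET_RE = re.compile(r"^\s*set\s+(?P<key>\S+)\s+(?P<value>.+?)\s*$", re.MULTILINE)

GROUPING_KEY = "min-severity-to-raise-incident-by-grouping"
# Assumption: a plain `show` omits settings at their default, and the article
# states the v7.6.x default groups 'Critical' events into incidents.
DEFAULT_GROUPING_SEVERITY = "critical"


def parse_log_alert(cli_text):
    """Return {setting: value} for the 'config system log alert' block."""
    match = BLOCK_RE.search(cli_text)
    if match is None:
        raise ValueError("no 'config system log alert' block found")
    return {m.group("key"): m.group("value") for m in SET_RE.finditer(match.group("body"))}


def audit_alert_grouping(cli_text):
    """Report whether alert grouping can still raise incidents by itself."""
    settings = parse_log_alert(cli_text)
    severity = settings.get(GROUPING_KEY, DEFAULT_GROUPING_SEVERITY)
    still_groups = severity in ("critical", "high")
    remediation = None
    if still_groups:
        # Same CLI change the article prescribes, rendered for the operator.
        remediation = f"config system log alert\n    set {GROUPING_KEY} none\nend"
    return {
        "severity": severity,
        "explicitly_set": GROUPING_KEY in settings,
        "grouping_creates_incidents": still_groups,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        result = audit_alert_grouping(text)
        print(f"{name}: severity={result['severity']} "
              f"grouping_creates_incidents={result['grouping_creates_incidents']}")
        if result["remediation"]:
            print(result["remediation"])
```

Feeding the script a dump from each unit before and after the change confirms that the grouping line is now present and set to none, which is the only state in which an event handler's 'Automatically Create Incident' setting alone decides whether an incident is opened.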

 

Related documents:
XDR dashboard
log