Quint021
Staff
January 30, 2025

Technical Tip: Custom Automation Trigger for admin user creation

Description

This article describes how to create an Automation Trigger from the Security Fabric or Log to detect when a FortiGate Admin User has been created.

Scope

FortiGate v7.0, v7.2, v7.4, v7.6.

Solution

The Automation Trigger is based on log ID 44547 - LOGID_EVENT_CONFIG_OBJATTR, also known as 'Object Attribute Configured'. There are two methods available for creating the trigger:


Option 1: Navigate to Log & Report -> System Events and check for the presence of logs with the message 'Add system.admin'. If an Admin User was created recently, right-click the matching log and select the option 'Create Automation Trigger'.


trigger creation 1.PNG

Option 2: From the GUI, navigate to Security Fabric -> Automation -> Trigger and select Create New. The Trigger will utilize the wildcard log filter as described in the following screenshot:


edit.PNG

 

The same process can be followed to create an Automation Trigger for when SSO administrator accounts are created, though the field filter is slightly different (field 'msg' with value 'Add system.sso-admin *'):

 

automation trigger.png

 

Once the Automation Triggers are created, they can be utilized in automation stitches to send email notifications. For more information on creating the email Automation Action, refer to the following KB article: Technical Tip: Use FortiGate automation stitches for alert emails.

 

Example automation stitch:


stit.PNG

 

Note that separate automation stitches must be created: one using the automation trigger for local administrator accounts and another using the automation trigger for SSO administrator accounts.

 

automation stitch.png

 

To create an automation trigger for edits made under System -> Administrator, the following field filters can be used:

 

edit-administrator.JPG

 

Starting in v7.6.3, 44560 - LOGID_EVENT_CONFIG_ACCPROFILE_SUPER_ADMIN 'Configure admin accprofile as super_admin' can be used as an Automation Trigger. This event log is triggered whenever a super_admin profile is applied to an existing or newly created administrator account.

 

Starting in v7.6.3, a default automation stitch 'Super Admin Creation Notification' is available on FortiGate and is triggered whenever an admin with a super_admin profile is created.
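
The same match conditions can also be checked off-box when FortiGate event logs are forwarded to a syslog collector. The following Python example is an added illustration, not part of the original article or Fortinet's code. The local-administrator wildcard 'Add system.admin *', the zero-padded logid format, and the sample log lines are assumptions constructed for this example.

```python
import re
from fnmatch import fnmatchcase

# key=value or key="quoted value" pairs, as in FortiGate syslog output
_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

# (label, message ID, wildcard on the msg field or None for "any")
RULES = [
    ("local-admin-created", "44547", "Add system.admin *"),      # pattern assumed
    ("sso-admin-created", "44547", "Add system.sso-admin *"),    # from the article
    ("super-admin-profile", "44560", None),                      # v7.6.3 and later
]

def parse(line):
    """Split one log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def classify(line):
    """Return the label of every rule the log line satisfies."""
    fields = parse(line)
    # Assumption: logid is zero-padded with type/subtype digits in front,
    # so only the last five digits are compared with the message ID.
    msg_id = fields.get("logid", "")[-5:]
    msg = fields.get("msg", "")
    return [label for label, wanted_id, pattern in RULES
            if msg_id == wanted_id
            and (pattern is None or fnmatchcase(msg, pattern))]

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    'date=2025-01-30 time=09:14:02 logid="0100044547" type="event" '
    'user="admin" ui="GUI(192.0.2.10)" action="Add" cfgpath="system.admin" '
    'cfgobj="helpdesk2" msg="Add system.admin helpdesk2"',
    'date=2025-01-30 time=09:15:40 logid="0100044547" type="event" '
    'user="admin" action="Edit" msg="Edit system.admin helpdesk2"',
    'date=2025-01-30 time=09:20:11 logid="0100044547" type="event" '
    'user="admin" action="Add" msg="Add system.sso-admin jdoe@example.com"',
    'date=2025-01-30 time=09:21:05 logid="0100044547" type="event" '
    'user="admin" action="Add" msg="Add firewall.address lab-net"',
    'date=2025-01-30 time=09:30:00 logid="0100044560" type="event" '
    'user="admin" msg="constructed placeholder text"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "-", "|", parse(line).get("msg"))
```

Log ID 44547 is raised for every configured object, so the msg wildcard is what keeps edits to existing administrators and unrelated objects from matching.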

 

Related document:

Automation stitches