vraev
Staff
Article Id 253090
Description

 

This article describes the way to create a custom playbook that is triggered by the event handler, create an incident, and attach a report to it.

 

Scope

 

FortiAnalyzer 6.4.0 or above.

 

Solution

 

A Playbook is a sequence of one or more actions (offered by SOC connectors) that can be defined and executed manually or automatically.

Playbooks consist of a trigger and action(s) from configured connectors.

 

Playbook = Connector + Trigger + Action(s).

 

Note:

The playbook should be set to 'Enabled' from the top right corner button to be in a working state. After it is saved, any update to the playbook takes five minutes to take effect. The FortiOS connector is added after the first FortiGate has been authorized on an ADOM, and it takes about 10 minutes for the connector to show as Up (green).


A few articles describing the event handler:

Technical Tip: Configure Event Handler for specific Source IP and Interface-status change  

Technical Tip: How to create Event Handler for FortiAnalyzer Local Events  

Event handler example scenarios 

Docs: FortiAnalyzer event handler trigger

 

  1. Set up the event handler:

Go to FortiSoC -> Handlers -> Event Handler List.

Search for threat. Choose the 'Default-Risky-Destination-Detection-By-Threat' and use the Clone button. A new window will be opened.

The name in this case will be Test_threat.

In this case the default 'Default-Risky-Destination-Detection-By-Threat' handler is the one that is cloned.


Go to FortiSoC -> Handlers -> Event Handler List -> More -> Show Predefined (untick) and then only the custom-created event handlers will be shown.


  2. Use the predefined report.

    The important part is to select 'Enable Auto-Cache' so that the report is offered as an option under the Playbook menu.

    Go to Report -> Settings -> Enable Auto-cache.
    And Report -> Settings -> Extended Log Filtering.


  3. Create the Playbook.

    Go to FortiSoC -> Automation -> Playbooks -> New Playbook created from scratch.

    The next step is to choose the event handler as the trigger.


    EVENT_TRIGGER

    The playbook is run when an event is created that matches the configured filters.

    When no filters are set, all events will trigger the playbook.

    INCIDENT_TRIGGER

    The playbook is run when an incident is created that matches the configured filters.

    When no filters are set, all incidents will trigger the playbook.

    ON_SCHEDULE

    The playbook is run during the configured schedule.

    It is possible to define the start time, end time, interval type, and interval frequency for the schedule.

    ON_DEMAND

    The playbook is run manually and started by an administrator.

    It is possible to run playbooks configured with the ON_DEMAND trigger from FortiSoC -> Automation -> Playbook or within an incident's Analysis page.

     

    Related document:

    Triggers and tasks
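    As an added illustration (not code from this article or from FortiAnalyzer itself), the following Python models the four trigger types described above, including the rule that a trigger with no filters fires on every event or incident and the 'Enabled' toggle from the note earlier. The Playbook fields, the event field names and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

EVENT_TRIGGER, INCIDENT_TRIGGER = "EVENT_TRIGGER", "INCIDENT_TRIGGER"
ON_SCHEDULE, ON_DEMAND = "ON_SCHEDULE", "ON_DEMAND"

@dataclass
class Playbook:
    name: str
    trigger: str
    enabled: bool = True                              # the 'Enabled' toggle
    filters: dict = field(default_factory=dict)       # field -> required value (assumed shape)
    start: Optional[datetime] = None                  # ON_SCHEDULE only
    end: Optional[datetime] = None
    interval: Optional[timedelta] = None

def matches_filters(filters: dict, record: dict) -> bool:
    """An empty filter set matches every record; otherwise every field must match."""
    return all(record.get(k) == v for k, v in filters.items())

def should_run(pb: Playbook, event=None, incident=None, now=None, manual=False) -> bool:
    """Decide whether a playbook fires for one stimulus: event, incident, clock tick or manual run."""
    if not pb.enabled:                                # a disabled playbook never fires
        return False
    if pb.trigger == EVENT_TRIGGER:
        return event is not None and matches_filters(pb.filters, event)
    if pb.trigger == INCIDENT_TRIGGER:
        return incident is not None and matches_filters(pb.filters, incident)
    if pb.trigger == ON_SCHEDULE:
        if now is None or pb.start is None or pb.interval is None:
            return False
        if now < pb.start or (pb.end is not None and now > pb.end):
            return False                              # outside the start/end window
        return (now - pb.start) % pb.interval == timedelta(0)
    if pb.trigger == ON_DEMAND:
        return manual                                 # only an administrator starts it
    return False

# Constructed sample events (hypothetical field names, not real FortiAnalyzer records).
SAMPLE_EVENTS = [
    {"handler": "Test_threat", "severity": "high"},
    {"handler": "Default-Risky-Destination-Detection-By-Threat", "severity": "medium"},
]

def fired_by(pb: Playbook, events: list) -> list:
    """Names of the handlers whose events would start this playbook."""
    return [e["handler"] for e in events if should_run(pb, event=e)]
```

    Comparing a playbook filtered on the Test_threat handler with one that has no filters shows why an unfiltered EVENT_TRIGGER playbook that runs a report can quickly produce far more jobs than intended.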

    After the Event trigger is chosen, the next step is to create the Incident.

    All the options under this menu should be present, with the default settings chosen.
    The Category, Severity, and Status are based on the user's choice.


  4. Create the Report.

    The report is created at the same time as the Incident. Under Connectors, pick FortiAnalyzer.


  • The name is set to Run_Report.
  • The connector is a Local Connector.
  • The action is Run Report.
  • The report is the one that was created previously.
  • The time period is Yesterday.
  • OK.
  • Save Playbook.


The new task is connected to the two previous tasks.


The status of playbook jobs is under FortiSoC -> Automation -> Playbook Monitor.


Go to FortiSOC -> Automation -> Playbook Monitor -> Details -> View Raw Log -> for more details regarding the playbook.

 

Then go to FortiSoC -> Incidents.


The Incident is successfully created and updated with the PDF file.

 

Troubleshooting:

If the trigger is not 'On Demand', try to re-create the playbook with the 'On Demand' option and test whether the playbook can run at all (if all necessary logs and data are obtained, and if all variables are set correctly).

 

If there are multiple actions in the playbook and the report is not being generated, try to remove actions to simplify the playbook and re-test.

Start simple and add more tasks/actions to see where the playbook stops running as expected.

Go to FortiSOC -> Automation -> Playbook Monitor -> Details -> View Raw Log -> for more details regarding the playbook.

The raw log can provide useful information on why the playbook failed to run or to generate the report.


The following debugs can provide related data while a playbook is running:

diagnose debug reset
diagnose debug application fazsvcd 8
diagnose debug application gui 8
diagnose debug enable

Once the output has been collected, turn debugging off again:

diagnose debug disable
diagnose debug reset


Related documents:

Technical Tip: How to determine the failed status from FortiSoC Playbook monitor

Technical Tip: How to run a FortiClient Endpoint Antivirus scanning using FortiSoC Playbook

 

Docs: Automation Playbooks

Docs: Viewing FortiSoC dashboards

Docs: Playbook Connectors

Docs: Playbooks

Docs: Playbook Monitor