Description
This article describes the way to create a custom playbook that is triggered by the event handler, create an incident, and attach a report to it.
Scope
FortiAnalyzer 6.4.0 or above.
Solution
A Playbook is a sequence of one or more actions (offered by SOC connectors) that can be defined and executed manually or automatically.
Playbooks consist of a trigger and action(s) from configured connectors.
Playbook = Connector + Trigger + Action(s).
Note:
The playbook should be 'Enabled' from the top right corner button to be in a working state. After it is saved, any update regarding the playbook takes five minutes to be updated. FortiOS connector is added after the first FortiGate has been authorized on an ADOM. It takes about 10 minutes for the connector to show as Up (green).
A few articles describing the event handler:
Technical Tip: Configure Event Handler for specific Source IP and Interface-status change
Technical Tip: How to create Event Handler for FortiAnalyzer Local Events
Event handler example scenarios
Docs: FortiAnalyzer event handler trigger
- Setup the event handler:
Go to FortiSoC -> Handlers -> Event Handler List.
Search for threat. Choose the 'Default-Risky-Destination-Detection-By-Threat' and use the Clone button. A new window will be opened.
The name in this case will be Test_threat.
In this case will be the default one 'Default-Risky-Destination-Detection-By-Threat' that is cloned.
Go to FortiSoC -> Handlers -> Event Handler List -> More -> Show Predefined (untick) and then only the custom-created even handlers will be shown.
-
The predefined report will be used.
The important part is to select 'Enable Auto-Cache' to have it as an option under the Playbook menu.
Go to Report -> Settings -> Enable Auto-cache.
And Report -> Settings -> Extended Log Filtering. -
Creating the Playbook.
Go to FortiSoC -> Automation -> Playbooks -> New Playbook created from scratch.Choosing the event handler is the next step.
EVENT_TRIGGER
The playbook is run when an event is created that matches the configured filters.
When no filters are set, all events will trigger the playbook.
INCIDENT_TRIGGER
The playbook is run when an incident is created that matches the configured filters.
When no filters are set, all incidents will trigger the playbook.
ON_SCHEDULE
The playbook is run during the configured schedule.
It is possible to define the start time, end time, interval type, and interval frequency for the schedule.
ON_DEMAND
The playbook is run manually and started by an administrator.
It is possible to run playbooks configured with the ON_DEMAND trigger from FortiSoC -> Automation > Playbook or within an incident's Analysis page.
Related document:
After the Event trigger is chosen the next step is to create the Incident.
All the options under this menu should be present. Default settings should be chosen.
The Category, Severity, and status are based on the user's choice. -
Creating the Report.
Will be created at the same time as the Incident. Under connectors is picked the FortiAnalyzer.
- The name is set to Run_Report.
- The connector is a Local Connector.
- The action is Run Report.
- The report is the one that was created previously.
- The time Period is Yesterday.
- OK.
- Save Playbook.
The new task is connected to the two previous tasks.
The status of playbook jobs is under FortiSoC -> Automation -> Playbook Monitor.
Go to FortiSOC -> Automation -> Playbook Monitor -> Details -> View Raw Log -> for more details regarding the playbook.
And FortiSoC -> Incidents.
The Incident is successfully created and updated with the PDF file.
Troubleshooting:
If the trigger is not 'On Demand', try to re-create the playbook with the 'On Demand' option and test whether the playbook can run at all (if all necessary logs and data are obtained, and if all variables are set correctly).
If there are multiple actions in the playbook and it is not generating, try to remove actions to simplify the playbook and re-test.
Start simple and add more tasks/actions to see where the playbook stops running as expected.
Go to FortiSOC -> Automation -> Playbook Monitor -> Details -> View Raw Log -> for more details regarding the playbook.
The raw log can provide useful information on why the playbook failed to be generated.
The following debugs can provide related data when generating a playbook:
diagnose debug reset
diagnose debug application fazsvcd 8
diagnose debug application gui 8
diagnose debug enable
diagnose debug disable
diagnose debug reset
Related documents:
Technical Tip: How to determine the failed status from FortiSoC Playbook monitor
Technical Tip: How to run a FortiClient Endpoint Antivirus scanning using FortiSoC Playbook
