Description
Automation stitches decrease response times to security events by automating the activities between different device components in the Security Fabric.
It is possible to monitor events from any source in the Security Fabric and set up action responses to any destination.
This article describes this feature.
Solution
Creating automation stitches.
To create an automation stitch, a trigger event and a response action or actions are selected.
Automation stitches can also be tested after they are created.
To create an automation stitch from the GUI:
Go to Security Fabric -> Automation.
Enter the following information:
Name: Enter a name for the automation stitch.
Status: Enable/disable the stitch.
FortiGate: Select the FortiGate to apply the automation stitch to, or select All FortiGates to apply it to all of them.
Trigger: Select a trigger.
Action: Select and configure one or more actions.
Minimum interval (seconds): Enter a minimum time interval during which notifications for the same trigger event will not be sent.
After the time interval elapses, an alert is sent that includes the last event since the time interval elapsed.
Select 'OK'.
To create an automation stitch from the CLI:
Create an automation trigger.
# config system automation-trigger
    edit <automation-trigger-name>
        set trigger-type {event-based | scheduled}
        set event-type <option>
        set license-type <option>
        set ioc-level {medium | high}
        set logid <integer>
        set trigger-frequency {hourly | daily | weekly | monthly}
        set trigger-weekday <option>
        set trigger-day <integer>
        set trigger-hour <integer>
        set trigger-minute <integer>
        set faz-event-severity <string>
        set faz-event-tags <string>
    next
end
The available options will vary depending on the selected event type.
Create an automation action.
# config system automation-action
    edit <name>
        set action-type <option>
        set email-to <names>
        set email-from <string>
        set email-subject <string>
        set email-body <string>
        set minimum-interval <integer>
        set delay <integer>
        set required {enable | disable}
        set aws-api-id <string>
        set aws-region <string>
        set aws-domain <string>
        set aws-api-stage <string>
        set aws-api-path <string>
        set aws-api-key <string>
        set azure-app <string>
        set azure-function <string>
        set azure-domain <string>
        set azure-function-authorization {anonymous | function | admin}
        set azure-api-key <string>
        set gcp-function-region <string>
        set gcp-project <string>
        set gcp-function-domain <string>
        set gcp-function <string>
        set alicloud-account-id <string>
        set alicloud-region <string>
        set alicloud-function-domain <string>
        set alicloud-version <string>
        set alicloud-service <string>
        set alicloud-function <string>
        set alicloud-function-authorization {anonymous | function}
        set alicloud-access-key-id <string>
        set alicloud-access-key-secret <string>
        set protocol {http | https}
        set method {post | put | get | patch | delete}
        set uri <string>
        set http-body <string>
        set port <integer>
        set headers <header>
        set script <string>
        set security-tag <string>
        set sdn-connector <connector_name>
    next
end
Create an automation destination.
# config system automation-destination
    edit <name>
        set type {fortigate | ha-cluster}
        set destination <serial numbers>
        set ha-group-id <integer>
    next
end
Create the automation stitch.
# config system automation-stitch
    edit <automation-stitch-name>
        set status {enable | disable}
        set trigger <trigger-name>
        set action <action-name>
        set destination <serial-number>
    next
end
To test an automation stitch:
From the GUI, go to Security Fabric -> Automation, select the automation stitch and select 'Test Automation Stitch'.
From the CLI, enter the following command:
# diagnose automation test <stitch-name> <log>
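As an added example (not Fortinet's code), the Python script below audits a pasted configuration in the CLI syntax shown above: it reports webhook actions that explicitly set protocol http, and stitches that reference a trigger or action that is not defined. The sample configuration and its object names are constructed, and the input is assumed to be pasted without the leading '#' prompt.

```python
import re

# Constructed sample in the CLI syntax shown in this article (not a real device config).
SAMPLE = '''
config system automation-trigger
    edit "ioc-high"
        set event-type ioc
    next
end
config system automation-action
    edit "post-hook"
        set action-type webhook
        set protocol http
    next
end
config system automation-stitch
    edit "ioc-stitch"
        set trigger "ioc-high"
        set action "post-hook" "ban-host"
    next
end
'''

def parse(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if len(words) >= 2 and words[0] == "config":
            table = tables.setdefault(words[-1], {})
        elif len(words) >= 2 and words[0] == "edit" and table is not None:
            entry = table.setdefault(words[1], {})
        elif len(words) >= 2 and words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words and words[0] in ("next", "end"):
            entry = None
    return tables

def audit(text):
    """List webhook actions on cleartext http and stitch references to undefined objects."""
    cfg, findings = parse(text), []
    for name, a in cfg.get("automation-action", {}).items():
        if a.get("action-type") == ["webhook"] and a.get("protocol") == ["http"]:
            findings.append(f"action {name}: webhook uses cleartext http")
    for name, s in cfg.get("automation-stitch", {}).items():
        for kind in ("trigger", "action"):
            defined = cfg.get(f"automation-{kind}", {})
            findings += [f"stitch {name}: undefined {kind} {ref}"
                         for ref in s.get(kind, []) if ref not in defined]
    return findings
```

Calling audit(SAMPLE) returns one finding for the http webhook and one for the undefined "ban-host" action; a configuration with neither problem returns an empty list.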
Copyright 2024 Fortinet, Inc. All Rights Reserved.