Description
This article describes how Automation stitches allow for decreasing response times to security events by automating the activities between different device components in the Security Fabric.
Monitor events from any source in the security fabric and set up action responses to any destination is possible
Scope
FortiGate.
Solution
Creating automation stitches.
To create an automation stitch, a trigger event and a response action or actions are selected.
Automation stitches can also be tested after they are created.
To create an automation stitch from the GUI:
Go to Security Fabric -> Automation and select 'Create New'. The New Automation Stitch page opens.
Enter the following information:
- Name: Enter a name for the automation stitch.
- Status: Enable/disable the stitch.
- FortiGate: Select the FortiGate to apply the automation stitch to, or select All FortiGates to apply it to all of them.
- Trigger: Select a trigger.
- Action: Select and configure one or more actions.
- Minimum interval (seconds): Enter a minimum time interval during which notifications for the same trigger event will not be sent.
After the time interval elapses, an alert is sent that includes the last event since the time interval elapsed.
Select 'OK'.
To create an automation stitch from the CLI.
Create an automation trigger:
config system automation-trigger
edit <automation-trigger-name>
set trigger-type {event-based | scheduled}
set event-type <option>
set license-type <option>
set ioc-level {medium | high}
set logid <integer>
set trigger-frequency {hourly | daily | weekly | monthly}
set trigger-weekday <option>
set trigger-day <integer>
set trigger-hour <integer>
set trigger-minute <integer>
set faz-event-severity <string>
set faz-event-tags <string>
next
end
The available options will vary depending on the selected event type.
Create an automation action:
config system automation-action
edit <name>
set action-type <option>
set email-to <names>
set email-from <string>
set email-subject <string>
set email-body <string>
set minimum-interval <integer>
set delay <integer>
set required {enable | disable}
set aws-api-id <string>
set aws-region <string>
set aws-domain <string>
set aws-api-stage <string>
set aws-api-path <string>
set aws-api-key <string>
set azure-app <string>
set azure-function <string>
set azure-domain <string>
set azure-function-authorization {anonymous | function | admin}
set azure-api-key <string>
set gcp-function-region <string>
set gcp-project <string>
set gcp-function-domain <string>
set gcp-function <string>
set alicloud-account-id <string>
set alicloud-region <string>
set alicloud-function-domain <string>
set alicloud-version <string>
set alicloud-service <string>
set alicloud-function <string>
set alicloud-function-authorization {anonymous | function}
set alicloud-access-key-id <string>
set alicloud-access-key-secret <string>
set protocol {http | https}
set method {post | put | get | patch | delete}
set uri <string>
set http-body <string>
set port <integer>
set headers <header>
set script <string>
set security-tag <string>
set sdn-connector <connector_name>
next
end
Create the automation destination:
config system automation-destination
edit <name>
set type {fortigate | ha-cluster}
set destination <serial number>
set ha-group-id <integer>
next
end
Create the automation stitch:
config system automation-stitch
edit <automation-stitch-name>
set status {enable | disable}
set trigger <trigger-name>
set action <action-name>
set destination <serial-number>
next
end
To test an automation stitch.
From the GUI, go to Security Fabric -> Automation, select the automation stitch, and select 'Test Automation Stitch'.
From CLI, enter the following command:
diagnose automation test <stitch-name> <log>
From v7.0 and v7.2, Automation stitches, actions, and triggers now have separate dialog tabs and are no longer part of the main automation stitch. This is to simplify the workflow for managing multiple chained actions.
Related article:
Technical Tip: Creating automation stitches in FortiOS 7.0 and 7.2
