Which executed playbook's template should I use in FortiAnalyzer (FAZ)?
I'd like to set up an executed playbook within an unhandled (not mitigated by FGT) incident.
Its job is to send the malicious event back to FortiGate (FGT) and have it mitigated automatically.
Which playbook template fits this need, and which associated "Action"?
It's about malware that hasn't been blocked by FGT and shows "passthrough" in FAZ.
Labels: FortiAnalyzer
I believe you need to create a new Playbook with trigger "INCIDENT_TRIGGER", connector "FortiOS", and the actions depend on the automation rules configured on each FortiGate.
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/51460/actions
https://docs.fortinet.com/document/fortianalyzer/7.4.1/administration-guide/28682/playbooks
If you have found a solution, please like and accept it to make it easily accessible for others.
Thanks for the quick and helpful response.
I thought there might be a template for it, but I've understood I should create one from scratch.
The trigger and the connector are clear to me.
Yet I have to dive into the Actions, because I want the FortiGate to mitigate it or put it in quarantine automatically, not just send a notification.
Thanks again.
Please review the following articles:
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-run-a-FortiClient-Endpoint-Anti...
https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/28682/playbooks
https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/691884/configuring-playb...
https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/813113/analyzing-an-inci...
https://docs.fortinet.com/document/fortianalyzer/6.4.0/new-features/447371/default-playbook-template...
https://docs.fortinet.com/document/fortianalyzer/7.0.0/new-features/949810/importing-and-exporting-p...
https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/763118/configuring-tasks...
https://docs.fortinet.com/document/fortianalyzer/6.4.0/new-features/893685/automation-playbooks