Incident Notification Settings

Notification Policies handle the sending of notifications when an incident occurs. Instead of configuring notifications for each rule individually, you can create a policy and apply it to multiple rules.

The following sections describe how to add, modify, and enable Incident Notification settings:

Adding Incident Notification Settings

  1. Go to ADMIN > Settings > General > Notification Policy tab.
  2. Click New.
  3. Select the Severity.
  4. For Rules, click the drop-down and select, from the folders, the rule or rules that you want to trigger this notification.
  5. Set a Time Range during which this notification will be in effect.
    Notifications are sent only if an incident occurs within the time range you set here.
  6. For Affected Items, click the drop-down and select the devices or applications from the Select Devices drop-down list to which this policy should apply.
    Instead of individual devices or groups, you can apply the notification policy to an IP address or range by clicking Add IP/Range. You can also select a group and move it to the (NOT) Selections column to explicitly exclude that group of applications or devices from the notification policy.
  7. For Service Provider deployments, select the Affected Orgs to which the notification policy should apply.
    Notifications will be sent only if the triggering incidents affect the selected organization.
  8. Select the Action to take when the notification is triggered.
    • Send Email/SMS to the target users. See here.
    • Run Remediation/Script. See here.
    • Invoke Integration Policy. Click Run to change the policy; a drop-down list appears. Select the policies you want to invoke. For example, click FortiGUARD IOC Lookup to invoke that integration policy, if it is available in your FortiSIEM environment.
    • Send SNMP message to the destination set in ADMIN > Settings > Analytics > Incident Notification.
    • Send XML file over HTTP(S) to the destination set in ADMIN > Settings > Analytics > Incident Notification.
    • Open Remedy ticket using the configuration set in ADMIN > Settings > Analytics > Incident Notification.
  9. Under Settings, select the exceptions under which the notification should not be triggered:
    • Do not notify when an incident is cleared automatically.
    • Do not notify when an incident is cleared manually.
    • Do not notify when an incident is cleared by system.
  10. Enter any Comments about the policy.
  11. Click Save.
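As an added example that is not FortiSIEM's own code, the following Python models how a policy built in steps 3 through 9 could be matched against an incident, including the midnight-crossing time range, the (NOT) Selections exclusion, IP range scoping, Affected Orgs, and the step 9 exceptions. The Policy fields, incident keys and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    severity: str                                   # step 3
    rules: set                                      # step 4: rules that trigger it
    start: time                                     # step 5: window start
    end: time                                       # step 5: window end
    ip_ranges: list = field(default_factory=list)   # step 6: Add IP/Range
    not_groups: set = field(default_factory=set)    # step 6: (NOT) Selections
    orgs: set = field(default_factory=set)          # step 7: empty = any org
    skip_cleared: set = field(default_factory=set)  # step 9: auto/manual/system

def in_time_range(p: Policy, t: time) -> bool:
    if p.start <= p.end:
        return p.start <= t <= p.end
    return t >= p.start or t <= p.end               # window crosses midnight

def should_notify(p: Policy, inc: dict) -> bool:
    """Decide whether the incident should fire the policy's Action (step 8)."""
    if inc["severity"] != p.severity or inc["rule"] not in p.rules:
        return False
    if not in_time_range(p, inc["time"]):
        return False
    if p.orgs and inc["org"] not in p.orgs:         # Service Provider scoping
        return False
    if p.not_groups & inc["groups"]:                # explicit exclusion wins
        return False
    addr = ip_address(inc["device_ip"])
    if p.ip_ranges and not any(addr in ip_network(r) for r in p.ip_ranges):
        return False
    if inc.get("cleared") in p.skip_cleared:        # step 9 exceptions
        return False
    return True

# Constructed sample policy and incidents (assumed shapes, not real FortiSIEM data).
POLICY = Policy(severity="HIGH", rules={"Brute Force Login"}, start=time(18, 0),
                end=time(6, 0), ip_ranges=["10.0.0.0/24"], not_groups={"Lab"},
                orgs={"Acme"}, skip_cleared={"auto"})
BASE = {"severity": "HIGH", "rule": "Brute Force Login", "time": time(23, 30),
        "org": "Acme", "groups": {"Servers"}, "device_ip": "10.0.0.7"}
INCIDENTS = {
    "night_hit": BASE,                                        # notify
    "daytime": {**BASE, "time": time(12, 0)},                 # outside window
    "lab_host": {**BASE, "groups": {"Lab"}},                  # (NOT) Selection
    "auto_cleared": {**BASE, "cleared": "auto"},              # step 9 exception
}
```

Only the first sample incident produces a notification; the other three are suppressed by the time range, the (NOT) Selections exclusion, and the auto-cleared exception respectively.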

You can also create a duplicate notification policy by selecting an existing policy in the table and clicking Clone.

Remember to enable your notification policy after creating it. See Enabling Notification Policies.

Modifying Incident Notification Settings

Complete these steps to modify an Incident Notification setting.

  1. Go to ADMIN > Settings > General > Notification Policy tab.
  2. Use the following buttons to modify Incident Notification settings:
    • Edit - To edit an Incident Notification setting
    • Delete - To delete an Incident Notification setting
  3. Click Save.

Enabling Notification Policies

Complete these steps to enable or disable a notification policy.

  1. Go to ADMIN > Settings > General > Notification Policy tab.
  2. In the Enabled column, click a notification policy's checkbox to enable or disable it.