Automation Policy
Note: Automation Policy replaces Notification Policy.
Automation Policies handle the sending of notifications when an incident occurs. Instead of configuring notifications for each rule, you can create one policy and apply it to multiple rules.
The following section describes the procedures to create, modify, and enable Automation Policy settings:
- Adding Automation Policy Settings
- Modifying Automation Policy Settings
- Enabling Automation Policies
- Applying Case Creation to Automation Policy
Adding Automation Policy Settings
1. Go to ADMIN > Settings > General > Automation Policy tab.
2. Click New.
3. Select the Severity.
   Note: More than one severity can be selected.
4. For Rules, click the drop-down and select the rule or rules you want to trigger this notification from the folders.
5. Set a Time Range during which this notification will be in effect.
   Notifications will be sent only if an incident occurs during the time range you set here.
6. For Affected Items, click the drop-down and select the devices or applications from the Select Devices drop-down list for which this policy should apply.
   Instead of individual devices or groups, you can apply the automation policy to an IP address or range by clicking Add IP/Range. You can also select a group and move it to the (NOT) Selections column to explicitly exclude that group of applications or devices from the automation policy.
7. For Service Provider deployments, select the Affected Orgs to which the automation policy should apply.
   Notifications will be sent only if the triggering incidents affect the selected organization.
8. Select the Action to take when the notification is triggered:
   - Send Email/SMS to the target users. See here.
   - Run Remediation/Script. See here.
   - Invoke Integration Policy. Click Run to change the policy. A drop-down list appears; select the policies you wish to invoke. For example, click FortiGUARD IOC Lookup to invoke this integration policy, if it is available in your FortiSIEM environment.
   - Create Case when an incident is created. See here.
     Note: A group must be created under FortiSIEM Analysts before you can access this option. This option also requires a Case Management Policy (from ADMIN > Settings > General > Case Management).
   - Send SNMP message to the destination set in ADMIN > Settings > Analytics > Incident Notification.
   - Send XML file over HTTP(S) to the destination set in ADMIN > Settings > Analytics > Incident Notification.
   - Open Remedy ticket using the configuration set in ADMIN > Settings > Analytics > Incident Notification.
   - Invoke FortiAI and update Comments.
9. Select the Settings to enable exceptions for the notification trigger:
   - Do not notify when an incident is cleared automatically.
   - Do not notify when an incident is cleared manually.
   - Do not notify when an incident is cleared by system.
10. Enter any Comments about the policy.
11. Click Save.
You can also create a duplicate notification by selecting a notification from the table and clicking Clone.
Remember to enable your automation policy after creating it. See Enabling Automation Policies.
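The conditions above (Severity, Rules, Time Range, Affected Items with the (NOT) Selections column, Affected Orgs, and the cleared-incident exceptions) together decide whether a policy fires for a given incident. The following Python model is an added illustration of that decision logic and is not FortiSIEM code; the class names, field names, the "end before start means the window wraps past midnight" rule, and the sample policies and incidents are all assumptions constructed for the example. It goes slightly beyond the page in that it accepts a bare IP as well as a CIDR range in the Affected Items selection.

```python
"""Toy model of Automation Policy matching: which policies fire for an incident.

Assumed model, not FortiSIEM's implementation.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class AutomationPolicy:
    name: str
    severities: Set[str]                       # Severity; more than one allowed
    rules: Set[str]                            # rule names that trigger this policy
    time_range: Tuple[time, time]              # (start, end); end < start wraps past midnight (assumption)
    affected: Set[str] = field(default_factory=set)      # device names, IPs or CIDRs; empty = any
    not_affected: Set[str] = field(default_factory=set)  # the (NOT) Selections column
    affected_orgs: Optional[Set[str]] = None             # None = not a Service Provider restriction
    skip_cleared_auto: bool = False            # "Do not notify when ... cleared automatically"
    skip_cleared_manual: bool = False          # "Do not notify when ... cleared manually"
    skip_cleared_system: bool = False          # "Do not notify when ... cleared by system"


@dataclass
class Incident:
    severity: str
    rule: str
    at: time
    device: str
    device_ip: Optional[str]
    org: str
    cleared_by: Optional[str] = None           # None (still open), "auto", "manual" or "system"


def in_time_range(at: time, rng: Tuple[time, time]) -> bool:
    """True when the incident time falls inside the policy's Time Range."""
    start, end = rng
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end            # window wraps past midnight


def item_selected(selection: Set[str], inc: Incident) -> bool:
    """True when the incident's device matches a name, IP or IP range in the selection."""
    for sel in selection:
        if sel == inc.device:
            return True
        if inc.device_ip is None:
            continue
        try:
            net = ip_network(sel, strict=False)  # a bare IP parses as a /32
        except ValueError:
            continue                           # plain device/group name, already compared above
        if ip_address(inc.device_ip) in net:
            return True
    return False


def policy_fires(policy: AutomationPolicy, inc: Incident) -> bool:
    """Apply every condition of the policy to one incident; all must hold."""
    if inc.severity not in policy.severities or inc.rule not in policy.rules:
        return False
    if not in_time_range(inc.at, policy.time_range):
        return False
    if policy.affected and not item_selected(policy.affected, inc):
        return False
    if item_selected(policy.not_affected, inc):   # explicit (NOT) exclusion always wins
        return False
    if policy.affected_orgs is not None and inc.org not in policy.affected_orgs:
        return False
    skips = {"auto": policy.skip_cleared_auto,
             "manual": policy.skip_cleared_manual,
             "system": policy.skip_cleared_system}
    if inc.cleared_by is not None and skips.get(inc.cleared_by, False):
        return False
    return True


def matching_policies(policies: List[AutomationPolicy], inc: Incident) -> List[str]:
    """Names of the policies whose Action would run for this incident."""
    return [p.name for p in policies if policy_fires(p, inc)]


# Constructed sample policies and incidents (not from any real deployment).
POLICIES = [
    AutomationPolicy("night-brute-force", {"HIGH", "MEDIUM"}, {"Brute Force Login"},
                     (time(18, 0), time(6, 0)), affected={"10.0.0.0/24"},
                     not_affected={"10.0.0.250"}, skip_cleared_auto=True),
    AutomationPolicy("malware-acme", {"HIGH"}, {"Malware Found"},
                     (time(0, 0), time(23, 59)), affected_orgs={"acme"}),
]

if __name__ == "__main__":
    inc = Incident("HIGH", "Brute Force Login", time(2, 0), "db01", "10.0.0.10", "acme")
    print(matching_policies(POLICIES, inc))
```

The order of checks mirrors the order of the fields in the New dialog; the one deliberate design choice is that a hit in the (NOT) Selections column overrides any positive match, which is what "explicitly exclude" implies.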
Modifying Automation Policy Settings
Complete these steps to modify an Automation Policy setting.
1. Go to ADMIN > Settings > General > Automation Policy tab.
2. Use the following buttons to modify automation policy settings:
   - Edit - To edit an automation policy setting
   - Delete - To delete an automation policy setting
3. Click Save.
Enabling Automation Policies
Complete these steps to enable or disable an automation policy.
1. Go to ADMIN > Settings > General > Automation Policy tab.
2. In the Enabled column, click an automation policy's checkbox to enable or disable it.
Applying Case Creation to Automation Policy
To associate a Case Management Policy to an Automation Policy, take the following steps.
1. In the Case Management Policy drop-down list, select the Case Management Policy you wish to apply.
2. From the Teams: FIRST drop-down list, select the first team to be used in the case management policy.
3. Click the + icon to add another team to be attached to the case management policy.
   Note: You can click the - icon to remove an existing team drop-down list option, but there must be at least one team configured.
4. In the Teams: THEN drop-down list, select the next FortiSIEM Analysts team that should be applied in the Case Management Policy.
5. Repeat steps 3-4 until you have configured all the teams that you wish to be part of the case management policy, then click Save. You will then be taken back to the Automation Policy window, where you can continue to configure your automation policy.