Administration Guide

Playbook templates

When a playbook template is selected, the playbook designer is automatically populated with a trigger and one or more tasks. You can configure, add, or remove tasks to customize the playbook.

When creating a new playbook, the following predefined templates are available:

Connector / Name / Description

FAZ Localhost
    Compromised Host Incident: Playbook to create an incident on FortiAnalyzer for compromised hosts detected by the IoC feature.
    Critical Intrusion Incident: Playbook to create an incident on FortiAnalyzer for critical intrusions detected by IPS.
    Attach Endpoint Vulnerability List to Incident: Playbook to collect the list of endpoint vulnerabilities from logs and attach it to an incident.

FortiOS
    Quarantine Endpoint by FortiOS: Playbook to quarantine an endpoint through the FOS connector, given the endpoint's MAC address or FortiClient UID.

FortiClient EMS
    Update Asset and Identity Database: Playbook to automatically update the FortiAnalyzer Asset and Identity database with endpoint and user information from EMS.
    Run AV Scan on Endpoint: Playbook to run an AV scan on an endpoint through the EMS connector.
    Run Vulnerability Scan on Endpoint: Playbook to run a vulnerability scan on an endpoint.
    Quarantine Endpoint by EMS: Playbook to quarantine an endpoint through the EMS connector.
    Unquarantine Endpoint by EMS: Playbook to unquarantine an endpoint through the EMS connector.
    Enrich Incident with Process List: Playbook to get the running processes on an endpoint through the EMS connector and attach them to an incident.
    Enrich Incident with Vulnerability List: Playbook to collect the list of endpoint vulnerabilities from logs and attach it to an incident.
    Enrich Incident with Software Inventory: Playbook to get the software inventory from an endpoint through the EMS connector and attach it to an incident.