Playbooks
To manage playbooks, go to FortiSoC > Automation > Playbooks. The following options are available:
Create New | Create a new playbook. Playbooks can be created from scratch or by using playbook templates. |
Run | Run selected playbooks that are configured with the ON_DEMAND trigger. |
Edit | Edit the selected playbook. |
Delete | Delete the selected playbook. |
Column Settings | Choose which columns are displayed in the playbook table. |
Search |
Perform a text search for the playbook name, description, created time, and modified time. |
To manage playbooks, administrators must be assigned to an administrator profile with Read-Write permissions for Incidents & Events. See Administrator profiles. |
Creating a playbook
Playbooks include a starter event (trigger) and one or more tasks configured with automated actions.
A task is run as soon as the playbook is triggered and all connected tasks preceding it are complete.
To create a playbook:
- Go to FortiSoC > Automation > Playbooks, and click Create New.
Select a playbook template or choose New Playbook created from scratch.
The playbook editor opens.When a playbook template is selected, the playbook designer is automatically populated with a trigger and one or more tasks. You can configure trigger filter conditions and add or remove tasks to customize the playbook. See Playbook templates.
- Click within the playbook's title field to change its name and description.
- Select a playbook trigger from the Triggers menu and configure the trigger's filter conditions.
Once the trigger is created, it is displayed in the playbook editor with highlighted connector points.
For more information on the available playbook triggers, see Triggers and tasks.
- Add playbook tasks.
Drag-and-drop any connector point to add a new task. A new placeholder step is added to the playbook editor, and the Tasks window is displayed showing available FortiSoC connectors. See Connectors.
- Select a connector type and configure an automated action:
Name Enter a name for the task. Description Enter a description of the task. Connector Select a connector to use from the dropdown menu. See Connectors.
Action Select the automated action to be performed. Parameters
Configure the parameters for the selected action.
- Connect playbook tasks.
Additional connector points can be added to connect this task to other tasks in the playbook. A task automatically begins once all preceding tasks connected to it have been completed. A playbook ends when there are no additional tasks to run.
- (Optional) Manage your playbook by clicking on one of the options displayed when hovering your mouse over the trigger or task:
- Edit: Edit the trigger or task.
-
Delete: Delete the task.
- Click Save Playbook.
Enabling and disabling playbooks
Once created, playbooks can be enabled or disabled through the playbook editor. Enabled playbooks will run as soon as their trigger conditions are met. Playbooks configured with the On_Demand trigger start when manually initiated by the administrator in FortiSoC > Automation > Playbook Monitor or an Incident Analysis page.
To enable or disable a playbook:
- Go to FortiSoC > Automation > Playbooks.
- Edit a previously configured playbook.
- In the playbook designer, select the option to Enable or Disable the playbook located in the top-right corner.
- Click Save Playbook.