Creating FortiGate Response Action Rules

Role Availability Read-Only Investigator Analyst Manager

You can create orchestration rules in USM Anywhere that automatically trigger a FortiGate response action when events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall., alarms Alarms provide notification of an event or sequence of events that require attention or investigation., or vulnerabilities A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. match the criteria that you specify. For example, you might create a rule where USM Anywhere automatically creates a new FortiGate incident when malware is detected so that a member of your response team can manage and address the issue. FortiGate events are updated on an hourly basis.

After you create a rule, new events, alarms, or vulnerabilities that match the rule, conditions will trigger the FortiGate response action to create a new incident. The rule does not trigger for existing events, alarms, or vulnerabilities.

You can create a new rule as follows:

  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.

    Go to Settings > Rules and select Response Action Rules on the left navigation panel. Then click Create Response Action Rule to define the new rule.

To define a new FortiGate response action rule

  1. Enter a name for the rule.

  2. Select the App Action for the rule and specify the information for the FortiGate incident.

    The FortiGate parameters that you set will depend on the action that you select.

    • Create a New Incident from a Vulnerability Status Update

      This is the default action if you create the rule after applying a FortiGate response action to a vulnerability. Use this action to open a new incident when a status change occurs for a vulnerability that satisfies the matching criteria.

      Important: To match vulnerability status updates, your rule must include the following criteria: (packet_type == 'system_event' AND object_type == 'AssetVulnerabilityStatus').

      However, it is important to be aware that this will return all vulnerability status changes matching these rules. It is advisable to narrow the rule with further conditions. Additionally, you can create a similar alarm rule first to test the amount of responses it would generate when active before you use the rule with FortiGate..

      Rules for vulnerabilities tickets

    • Create a New Incident from an Alarm

      This is the default action if you create the rule after applying a FortiGate response action to an alarm. Use this action to open a new FortiGate incident for a new alarm that satisfies the matching criteria.

    • Create a New Issue from Event-Based Orchestration

      Use this action to open a new FortiGate incident for any event that satisfies the matching criteria.

  3. At the bottom of the dialog box, set the Rule Condition parameters to specify the criteria for a matching alarm or event to trigger the rule.

    Set the matching conditions for triggering the rule

    • If you create the rule from an applied action, this section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window length parameters.
  4. Click Save Rule.
  5. In the confirmation dialog box, click OK.