Disable Event Handler#
Disable an event handler to stop automated incident response actions.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview#
This endpoint disables event handlers, which is useful for:
Temporarily stopping automated incident response workflows
Maintenance and troubleshooting of event handling configurations
Testing environment changes without affecting production automation
Preventing event handler execution during system maintenance
Managing event handler lifecycle
Disabling an event handler stops all automated actions and event forwarding while preserving the configuration for future re-enablement.
Endpoint Details#
Method: POST
URL: /jsonrpc
API Path: /eventmgmt/adom/{adom}/conf-eventhandler/{handler_name}
ADOM Support: Yes
Requires Authentication: Yes
Minimum Version: 7.4.0
Request Example#
{
"method": "update",
"params": [{
"url": "/eventmgmt/adom/root/conf-eventhandler/Critical_IPS_Alert",
"data": {
"status": "disabled"
}
}],
"session": "{{session_id}}",
"id": 1
}
{
"result": [{
"data": {},
"status": {
"code": 0,
"message": "OK"
},
"url": "/eventmgmt/adom/root/conf-eventhandler/Critical_IPS_Alert"
}],
"session": "{{session_id}}",
"id": 1
}
Complete Python Example#
import requests
import urllib3
# Silences urllib3's InsecureRequestWarning for the whole process. That warning
# is the runtime signal that a request was sent without TLS certificate
# verification, so suppressing it hides every unverified call, not just this one.
# NOTE(review): only needed while requests are sent with verify=False; trusting
# the appliance's CA certificate removes the need for this line.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
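def _set_event_handler_status(session_id, adom, handler_name, status, *,
                              base_url, verify, timeout):
    """Send the JSON-RPC ``update`` that sets an event handler's status.

    Shared implementation behind disable_event_handler() and
    enable_event_handler(); the two differ only in the status value sent.

    Raises:
        ValueError: adom or handler_name is empty, not a string, or holds "/".
        requests.RequestException: transport, TLS or HTTP-status failure.
        RuntimeError: the API answered with a non-zero status code or a body
            that does not have the expected result/status structure.
    """
    # Both values are spliced into the API path. A "/" would make the request
    # address a different path than the caller intended, so refuse it here
    # instead of sending an update to the wrong object.
    for label, value in (("adom", adom), ("handler_name", handler_name)):
        if not isinstance(value, str) or not value or "/" in value:
            raise ValueError(f"{label} must be a non-empty string without '/'")

    payload = {
        "method": "update",
        "params": [{
            "url": f"/eventmgmt/adom/{adom}/conf-eventhandler/{handler_name}",
            "data": {
                "status": status
            }
        }],
        "session": session_id,
        "id": 1
    }

    # The session ID travels in the request body, so the TLS certificate is
    # verified by default; without verification anyone on the network path can
    # read the session ID or rewrite the request. A timeout keeps a stalled
    # appliance from hanging the caller indefinitely.
    response = requests.post(
        f"{base_url.rstrip('/')}/jsonrpc",
        json=payload,
        verify=verify,
        timeout=timeout,
    )
    response.raise_for_status()

    try:
        status_info = response.json()['result'][0]['status']
        code = status_info['code']
    except (KeyError, IndexError, TypeError, ValueError) as err:
        # Do not report success (or crash with a bare KeyError) when the body
        # is not the expected result/status structure.
        raise RuntimeError("API error: unexpected response format") from err

    if code != 0:
        raise RuntimeError(f"API error: {status_info.get('message')}")

    print(f"✓ Event handler '{handler_name}' {status}")
    return True


def disable_event_handler(session_id, adom, handler_name, *,
                          base_url="https://faz.example.com",
                          verify=True, timeout=30):
    """
    Disable event handler

    While disabled, the handler performs no automated actions, so callers
    should pair this with enable_event_handler() once the work is done.

    Args:
        session_id: Active session ID
        adom: ADOM name
        handler_name: Event handler name to disable
        base_url: Scheme and host of the FortiAnalyzer; "/jsonrpc" is appended
        verify: Passed to requests. True checks the server certificate against
            the default trust store; a path selects a CA bundle, which is the
            way to trust an appliance certificate issued by a private CA
        timeout: Seconds to wait for the appliance before giving up

    Returns:
        bool: True if successful

    Raises:
        ValueError: adom or handler_name is empty or contains "/"
        requests.RequestException: Connection, TLS or HTTP-status failure
        RuntimeError: The API reported an error or sent an unexpected body
    """
    return _set_event_handler_status(
        session_id, adom, handler_name, "disabled",
        base_url=base_url, verify=verify, timeout=timeout,
    )


def enable_event_handler(session_id, adom, handler_name, *,
                         base_url="https://faz.example.com",
                         verify=True, timeout=30):
    """
    Re-enable event handler

    Args:
        session_id: Active session ID
        adom: ADOM name
        handler_name: Event handler name to enable
        base_url: Scheme and host of the FortiAnalyzer; "/jsonrpc" is appended
        verify: Passed to requests. True checks the server certificate against
            the default trust store; a path selects a CA bundle, which is the
            way to trust an appliance certificate issued by a private CA
        timeout: Seconds to wait for the appliance before giving up

    Returns:
        bool: True if successful

    Raises:
        ValueError: adom or handler_name is empty or contains "/"
        requests.RequestException: Connection, TLS or HTTP-status failure
        RuntimeError: The API reported an error or sent an unexpected body
    """
    return _set_event_handler_status(
        session_id, adom, handler_name, "enabled",
        base_url=base_url, verify=verify, timeout=timeout,
    )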
# Example: switch one handler off ahead of a maintenance window.
# "your_session_id" is a placeholder for the ID of an active session.
maintenance_target = {
    "session_id": "your_session_id",
    "adom": "root",
    "handler_name": "Critical_IPS_Alert",
}
disable_event_handler(**maintenance_target)
Use Cases#
Maintenance Mode#
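# Disable event handler during system maintenance
disable_event_handler(
    session_id=session,
    adom="root",
    handler_name="Critical_IPS_Alert"
)
print("⚠️ Event handler disabled for maintenance window")
print(" Automated responses temporarily suspended")

try:
    # ... Perform maintenance ...
    pass
finally:
    # Re-enable after maintenance. Placed in `finally` so that an exception
    # during the maintenance steps cannot leave the handler switched off and
    # its automated responses silently suspended.
    enable_event_handler(
        session_id=session,
        adom="root",
        handler_name="Critical_IPS_Alert"
    )
    print("✓ Event handler re-enabled - automation resumed")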
Bulk Disable/Enable#
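# Disable multiple event handlers for system upgrade
from get_eventhandler import get_event_handlers

handlers = get_event_handlers(session_id=session, adom="root")

# Names this run actually switched off. Re-enable exactly these afterwards:
# handlers that were already disabled before the upgrade stay disabled, and
# none that were active beforehand are forgotten.
disabled_by_this_run = []

print("Disabling all event handlers for system upgrade...\n")
for handler in handlers:
    handler_name = handler.get('name')
    if not handler_name:
        # Without a name there is no API path to address; skip the entry.
        continue
    if handler.get('status') == 'enabled':
        disable_event_handler(
            session_id=session,
            adom="root",
            handler_name=handler_name
        )
        disabled_by_this_run.append(handler_name)

print("\n✓ All event handlers disabled")
print(" Perform system upgrade...")
print(" Re-enable handlers when complete")
print(f" Handlers to re-enable: {', '.join(disabled_by_this_run)}")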
Conditional Disable#
# Switch off every handler that is not on the critical list.
from get_eventhandler import get_event_handlers

handlers = get_event_handlers(session_id=session, adom="root")

# Matching is an exact string comparison: a critical handler whose name is
# misspelled here, or renamed on the appliance, is treated as non-critical
# and gets disabled.
critical_handlers = ["Critical_IPS_Alert", "Ransomware_Detection"]

for handler in handlers:
    handler_name = handler.get('name')
    if handler_name in critical_handlers:
        print(f"✓ Kept active: {handler_name} (critical)")
        continue
    disable_event_handler(
        session_id=session,
        adom="root",
        handler_name=handler_name
    )
    print(f"✗ Disabled: {handler_name}")
Safe Disable with Verification#
# Look the handler up first, then ask the operator before switching it off.
from get_eventhandler import get_event_handlers

handler_to_disable = "Test_Event_Handler"
handlers = get_event_handlers(session_id=session, adom="root")

# Index the returned handlers by name for a direct lookup.
handler_names = {entry['name']: entry for entry in handlers}

if handler_to_disable not in handler_names:
    print(f"✗ Event handler '{handler_to_disable}' not found")
elif handler_names[handler_to_disable].get('status') != 'enabled':
    # Any status other than 'enabled' is reported as already disabled.
    print(f"ℹ️ Event handler '{handler_to_disable}' is already disabled")
else:
    confirm = input(f"Disable event handler '{handler_to_disable}'? (yes/no): ")
    # Only the literal answer "yes" (any letter case) proceeds.
    if confirm.lower() == 'yes':
        disable_event_handler(
            session_id=session,
            adom="root",
            handler_name=handler_to_disable
        )
Best Practices#
⚠️ Warning: Disabling an event handler stops ALL automated responses and event forwarding. Ensure alternative alerting mechanisms are in place for critical events.
💡 Tip: Document the reason for disabling in the event handler description field, including expected re-enablement date.
💡 Tip: Use Update Event Handler Target Status to disable specific targets instead of the entire handler when possible.
💡 Tip: Verify event handler status after maintenance to ensure critical automation is resumed.
⚠️ Warning: Disabled event handlers do not process events. Security incidents may go undetected if critical handlers remain disabled.