Upload Event Handler Configuration#
Upload or import event handler configurations for bulk deployment and configuration management.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview#
This endpoint uploads event handler configurations, which is useful for:
Bulk deployment of event handlers across multiple ADOMs
Configuration backup and restore operations
Migrating event handler settings between systems
Implementing configuration as code workflows
Standardizing incident response automation across environments
Uploading event handler configurations enables consistent automated incident response deployment and simplified configuration management.
Endpoint Details#
Method: POST
URL: /jsonrpc
API Path: /eventmgmt/adom/{adom}/conf-eventhandler
ADOM Support: Yes
Requires Authentication: Yes
Minimum Version: 7.4.0
Request Example#
{
"method": "set",
"params": [{
"url": "/eventmgmt/adom/root/conf-eventhandler",
"data": [
{
"name": "Critical_IPS_Alert",
"description": "Critical IPS detections forwarded to Splunk and ServiceNow",
"status": "enabled",
"trigger": "ips-signature",
"action": "webhook",
"target": "Splunk_HEC"
},
{
"name": "Ransomware_Detection",
"description": "Ransomware indicators trigger immediate alerting",
"status": "enabled",
"trigger": "threat-signature",
"action": "webhook",
"target": "ServiceNow_Incidents"
}
]
}],
"session": "{{session_id}}",
"id": 1
}
{
"result": [{
"data": {},
"status": {
"code": 0,
"message": "OK"
},
"url": "/eventmgmt/adom/root/conf-eventhandler"
}],
"session": "{{session_id}}",
"id": 1
}
Complete Python Example#
import requests
import urllib3
import json
# Silences the InsecureRequestWarning that urllib3 emits for every request made
# with verify=False (the example below disables certificate checks). This hides
# the symptom only: the FortiAnalyzer certificate is still not validated, so the
# session ID travels over a connection whose peer has not been authenticated.
# Remove this line once the calls verify against the appliance's CA bundle.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
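def upload_event_handler_config(session_id, adom, handlers, *, host="faz.example.com", verify=True, timeout=30):
    """
    Upload event handler configurations to a FortiAnalyzer ADOM.

    Issues a JSON-RPC ``set`` against ``/eventmgmt/adom/{adom}/conf-eventhandler``.
    Positional arguments are unchanged from the original helper; the keyword-only
    arguments have defaults so existing call sites keep working.

    Args:
        session_id: Active session ID
        adom: ADOM name
        handlers: List of event handler configuration dictionaries
        host: FortiAnalyzer hostname or IP (defaults to the example host used
            throughout this page)
        verify: TLS verification passed through to ``requests`` -- ``True``
            (default) or the path to the CA bundle that issued the appliance
            certificate. ``False`` disables certificate checking and exposes the
            session ID to interception; use it only in an isolated lab.
        timeout: Seconds to wait for the connection and the response, so a
            stalled appliance does not hang the script indefinitely

    Returns:
        bool: True if the API reported status code 0

    Raises:
        requests.HTTPError: on a non-2xx HTTP response
        RuntimeError: when the API status code is non-zero, or the response body
            does not have the expected ``result[0].status`` shape
    """
    url = f"https://{host}/jsonrpc"
    payload = {
        "method": "set",
        "params": [{
            "url": f"/eventmgmt/adom/{adom}/conf-eventhandler",
            "data": handlers,
        }],
        "session": session_id,
        "id": 1,
    }
    response = requests.post(url, json=payload, verify=verify, timeout=timeout)
    # Surface transport-level failures before trying to interpret the body.
    response.raise_for_status()
    result = response.json()
    try:
        status = result["result"][0]["status"]
        code = status["code"]
    except (KeyError, IndexError, TypeError) as err:
        # A login page, proxy error or malformed reply should not produce a bare KeyError.
        raise RuntimeError(f"Unexpected API response: {result!r}") from err
    if code != 0:
        raise RuntimeError(f"API error: {status.get('message', code)}")
    print(f"✓ Uploaded {len(handlers)} event handler configurations")
    return True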
# Example: Upload multiple event handlers
def _webhook_handler(name, description, trigger, target):
    """Build one enabled, webhook-delivered event handler definition.

    Every handler in this example shares status "enabled" and action "webhook";
    only the name, description, trigger and connector (target) differ.
    """
    return {
        "name": name,
        "description": description,
        "status": "enabled",
        "trigger": trigger,
        "action": "webhook",
        "target": target,
    }


event_handlers = [
    _webhook_handler(
        "Critical_IPS_Alert",
        "Critical IPS detections forwarded to Splunk and ServiceNow",
        "ips-signature",
        "Splunk_HEC",
    ),
    _webhook_handler(
        "Ransomware_Detection",
        "Ransomware indicators trigger immediate alerting",
        "threat-signature",
        "ServiceNow_Incidents",
    ),
    _webhook_handler(
        "C2_Communication_Block",
        "Command and control traffic detection and blocking",
        "botnet-detection",
        "Slack_Security_Channel",
    ),
]
# Push the three handlers above into the root ADOM; "your_session_id" stands in
# for the session ID returned by the login call.
upload_event_handler_config("your_session_id", "root", event_handlers)
Use Cases#
Configuration Backup and Restore#
# Export existing event handlers
from get_eventhandler import get_event_handlers
import json
from datetime import datetime
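# Backup: Export current configuration
handlers = get_event_handlers(session_id=session, adom="root")
backup_filename = f"event_handlers_backup_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
# Explicit UTF-8 so the backup file reads back identically on any host, whatever its locale.
with open(backup_filename, 'w', encoding='utf-8') as f:
    json.dump(handlers, f, indent=2)
print(f"✓ Backed up {len(handlers)} event handlers to {backup_filename}")

# Restore: Upload saved configuration
with open(backup_filename, 'r', encoding='utf-8') as f:
    handlers_to_restore = json.load(f)
# "set" may overwrite the ADOM's existing handlers, so never push an empty list by accident.
if not handlers_to_restore:
    raise ValueError(f"{backup_filename} contains no event handlers; refusing to restore an empty set")
upload_event_handler_config(
    session_id=session,
    adom="root",
    handlers=handlers_to_restore,
)
print(f"✓ Restored {len(handlers_to_restore)} event handlers")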
Multi-ADOM Deployment#
# Deploy standard event handlers across multiple ADOMs
# Both baseline handlers are enabled webhook forwarders; they differ only in
# what triggers them and which connector receives the event.
standard_handlers = [
    dict(
        name="Critical_Security_Events",
        description="Critical security event forwarding",
        status="enabled",
        trigger="ips-signature",
        action="webhook",
        target="Splunk_HEC",
    ),
    dict(
        name="Compliance_Alerts",
        description="Compliance violation notifications",
        status="enabled",
        trigger="policy-violation",
        action="webhook",
        target="ServiceNow_Incidents",
    ),
]
adoms = ["root", "Production", "Development", "DMZ"]
handler_count = len(standard_handlers)
for target_adom in adoms:
    try:
        upload_event_handler_config(session, target_adom, standard_handlers)
        print(f"✓ {target_adom}: Deployed {handler_count} handlers")
    except Exception as err:  # one ADOM failing must not stop the remaining deployments
        print(f"✗ {target_adom}: Failed - {err}")
Configuration as Code#
# Load event handler definitions from YAML/JSON configuration file
import json
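# Load configuration template (a JSON document; the path is relative to the working directory)
with open('event_handlers_config.json', 'r', encoding='utf-8') as f:
    config = json.load(f)

# A missing or empty "event_handlers" list would otherwise deploy nothing while still printing success.
templates = config.get('event_handlers')
if not templates:
    raise ValueError("event_handlers_config.json defines no 'event_handlers'")

# Customize for environment
env = "production"


def _tag_for_environment(handler_template, env):
    """Return a copy of *handler_template* with the environment prefixed to its name and description.

    The template itself is left untouched so it can be reused for other environments.
    """
    handler = dict(handler_template)
    handler['name'] = f"{env}_{handler['name']}"
    handler['description'] = f"[{env.upper()}] {handler['description']}"
    return handler


handlers = [_tag_for_environment(handler_template, env) for handler_template in templates]

# Deploy to environment
upload_event_handler_config(
    session_id=session,
    adom="root",
    handlers=handlers,
)
print(f"✓ Deployed {len(handlers)} event handlers for {env} environment")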
Migrate Between FortiAnalyzer Systems#
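import os

# Credentials are read from the environment instead of being written into the
# script, so they do not end up in version control alongside the handler
# definitions. The variable names are chosen for this example; the same admin
# account is assumed on both systems.
faz_user = os.environ.get("FAZ_USERNAME", "admin")
faz_password = os.environ["FAZ_PASSWORD"]  # no fallback: fail fast rather than use a literal password

# Export from source FortiAnalyzer
source_session = login_to_faz("source-faz.example.com", faz_user, faz_password)
source_handlers = get_event_handlers(session_id=source_session, adom="root")
print(f"✓ Exported {len(source_handlers)} handlers from source system")

# Import to destination FortiAnalyzer
dest_session = login_to_faz("dest-faz.example.com", faz_user, faz_password)
upload_event_handler_config(
    session_id=dest_session,
    adom="root",
    handlers=source_handlers,
)
print(f"✓ Imported {len(source_handlers)} handlers to destination system")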
Template-Based Deployment#
# Create event handlers from templates with variable substitution
handler_templates = {
    "ips_alert": {
        "name": "{severity}_IPS_Alert",
        "description": "{severity} IPS detections - {destination}",
        "status": "enabled",
        "trigger": "ips-signature",
        "action": "webhook",
        "target": "{destination}",
    },
    "threat_detection": {
        "name": "{threat_type}_Detection",
        "description": "{threat_type} threat detection - {destination}",
        "status": "enabled",
        "trigger": "threat-signature",
        "action": "webhook",
        "target": "{destination}",
    },
}

# Generate handlers from templates
deployments = [
    {"template": "ips_alert", "severity": "Critical", "destination": "Splunk_HEC"},
    {"template": "ips_alert", "severity": "High", "destination": "ServiceNow_Incidents"},
    {"template": "threat_detection", "threat_type": "Ransomware", "destination": "Slack_Security_Channel"},
    {"template": "threat_detection", "threat_type": "Botnet", "destination": "Splunk_HEC"},
]


def _render(template, variables):
    """Substitute *variables* into every field of *template*.

    Fields without placeholders (status, trigger, action) pass through unchanged,
    and keys in *variables* that no field references -- such as "template" -- are
    ignored by str.format().
    """
    return {field: text.format(**variables) for field, text in template.items()}


handlers = [_render(handler_templates[spec["template"]], spec) for spec in deployments]
# Deploy the rendered handlers to the root ADOM in a single call.
upload_event_handler_config(session, "root", handlers)
print(f"✓ Deployed {len(handlers)} handlers from templates")
Best Practices#
💡 Tip: Always back up existing event handler configurations before uploading new ones. The `set` method may overwrite existing configurations.
💡 Tip: Validate event handler configurations in a test environment before deploying to production.
💡 Tip: Use version control (Git) for event handler configuration files to track changes and enable rollback.
⚠️ Warning: Ensure all referenced automation connectors (targets) exist in the destination ADOM before uploading event handlers.
💡 Tip: Include timestamps and environment identifiers in event handler descriptions for better tracking and auditing.