Created on 05-25-2022 09:48 AM Edited on 05-25-2022 10:14 AM By Anonymous
Description
This article describes how to configure a webhook automation stitch that posts a message into a chosen Discord channel when the stitch is triggered.
Scope
This guide is applicable to any FortiOS version that supports the webhook automation action (6.0+).
The FortiGate needs to be able to resolve and communicate with the discord.com server.
The user creating the webhook for the Discord channel must have access permissions to manage webhooks.
Solution
a) Select the gear icon next to the channel name to edit the channel, then go to Integrations and select Create Webhook.
b) Give the webhook an appropriate name, select the desired channel, and optionally upload an icon. (Fortinet icons are available for download here)
When the webhook is triggered by the FortiGate, the message will be displayed as a message by a Discord bot in the selected channel with the chosen name and icon.
Finally, select Copy Webhook URL, save the URL (it can be retrieved later from the same location), and select Save Changes.
c) (optional) Confirm that the webhook URL is valid.
In both cases below, replace the dummy URL with the real webhook URL.
Verification using cURL (the --json option requires curl 7.82 or later; older versions need -H "Content-Type: application/json" with -d instead):
curl https://discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx... --json '{"content": "curl test message"}'
Verification using PowerShell:
Invoke-RestMethod -Uri https://discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx... -Method Post -Body (@{"content"="powershell test message"} | ConvertTo-Json) -ContentType "application/json"
If the webhook URL is valid, the message(s) will show in the channel:
This example uses the failed admin login event as a trigger. For other options, refer to FortiOS Administration Guide -> Fortinet Security Fabric -> Automation Stitches.
The screenshots below were taken from FortiOS version 7.0.5. The visuals may be slightly different in other versions.
a) Create the automation trigger.
In Security Fabric -> Automation -> Trigger, select Create New and select the FortiOS Event Log type.
Give the trigger a descriptive name and select the Admin login failed event in the Event field. Select OK to save the change.
b) Create the automation action.
Switch to the Action tab, select Create New and select the Webhook action.
Give the action a descriptive name. Select HTTPS as the protocol, paste the webhook URL into the URL field without the http:// protocol prefix, and select the POST method. Add a Content-Type HTTP header with the value application/json. Insert the desired JSON code in the HTTP body field.
The minimal JSON body required by the Discord API to send a message consists of the 'content' key with a value containing the message to be displayed.
This example uses a payload that demonstrates how to send a multi-line message and how to utilize variables from the source log event. It will send two lines of text, followed by additional lines with variables containing the time, admin username, source IP, and failure reason.
{"content" : "Sample FortiGate webhook\nAdmin login failed!\ntime: %%log.time%%\nusername: %%log.user%%\nsource IP: %%log.srcip%%\nfailure reason: %%log.reason%%\n"}
Once done, select OK to save the automation action.
c) Create the automation stitch.
Switch to the Stitch tab, and select Create New. Give the stitch a descriptive name. Select Add Trigger, select the trigger from step a, and select Apply. Select Add Action, select the action created in step b and select Apply. Finally, select OK to save the new automation stitch.
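The following Python script is an added example, not code from the article or from Fortinet: it renders the article's http-body template with the %%log.*%% variables of a constructed "Admin login failed" event, checks that the result is a JSON payload Discord will accept, and can deliver it with the same method and header as the automation action. The JSON-escaping of variable values is this script's own safeguard; the article does not state whether the FortiGate escapes values itself.

```python
import json
import re
from urllib import request

# Constructed sample values for an "Admin login failed" event (logid 32002);
# field names follow the FortiOS log reference, the values are made up here.
SAMPLE_LOG = {"time": "09:48:12", "user": "admin",
              "srcip": "192.0.2.10", "reason": "passwd_invalid"}

# The http-body template from the article; \n is a JSON escape, not a newline.
TEMPLATE = ('{"content" : "Sample FortiGate webhook\\nAdmin login failed!\\n'
            'time: %%log.time%%\\nusername: %%log.user%%\\n'
            'source IP: %%log.srcip%%\\nfailure reason: %%log.reason%%\\n"}')

PLACEHOLDER = re.compile(r"%%log\.([A-Za-z0-9_]+)%%")
DISCORD_CONTENT_LIMIT = 2000  # Discord rejects a longer 'content' string


def render(template, log):
    """Replace each %%log.<field>%% with the log value, JSON-escaped so that a
    value containing quotes or backslashes cannot break the body (assumption:
    the article does not say whether the FortiGate escapes values itself)."""
    def sub(match):
        value = str(log.get(match.group(1), ""))
        return json.dumps(value)[1:-1]  # drop the surrounding quotes
    return PLACEHOLDER.sub(sub, template)


def validate(body):
    """Parse the rendered body and check it is a payload Discord will accept."""
    payload = json.loads(body)  # raises on invalid JSON
    content = payload.get("content")
    if not isinstance(content, str) or not content.strip():
        raise ValueError("Discord needs a non-empty 'content' string")
    if len(content) > DISCORD_CONTENT_LIMIT:
        raise ValueError(f"content exceeds Discord's {DISCORD_CONTENT_LIMIT}-character limit")
    if PLACEHOLDER.search(content):
        raise ValueError("unreplaced %%log.*%% variable in content")
    return payload


def post(webhook_url, body):
    """POST the body with the action's Content-Type header (network call)."""
    req = request.Request(webhook_url, data=body.encode("utf-8"), method="POST",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return resp.status  # Discord answers 204 No Content on success


if __name__ == "__main__":
    body = render(TEMPLATE, SAMPLE_LOG)
    print(validate(body)["content"])
```

To deliver the rendered body to a real channel, call post() with the webhook URL copied from Discord (for example post("https://discord.com/api/webhooks/<id>/<token>", body), with placeholders replaced).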
The completed automation stitch, trigger, and action are represented in the CLI as follows:
# config system automation-trigger
    edit "admin_login_failed"
        set event-type event-log
        set logid 32002
    next
end
# config system automation-action
    edit "discord_admin_login_fail"
        set action-type webhook
        set protocol https
        set uri "discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        set http-body "{\"content\" : \"Sample FortiGate webhook\\nAdmin login failed!\\ntime: %%log.time%%\\nusername: %%log.user%%\\nsource IP: %%log.srcip%%\\nfailure reason: %%log.reason%%\\n\"}"
        set port 443
        set headers "Content-Type:application/json"
    next
end
# config system automation-stitch
    edit "discord_sample_stitch"
        set trigger "admin_login_failed"
        config actions
            edit 1
                set action "discord_admin_login_fail"
                set required enable
            next
        end
    next
end
The configuration is now complete and the stitch can be tested by performing a failed admin login. The resulting message, based on the above automation action, should look as follows:
How to include a username or user-role @mention in the webhook message?
Mentioning a specific user or user-role in the webhook message requires a specific syntax:
username: <@user-id-here>
user-role: <@&role-id-here>
These IDs can be quickly discovered by manually sending a message with the user/user-role mentioned in the channel and prefixing the @-sign with a backslash '\'. The resulting message will show the exact sequence of characters to be used in the webhook action's JSON body.
Documentation
Discord webhook API reference - https://discord.com/developers/docs/resources/webhook
FortiOS Log Message Reference, which lists the log fields available as variables for each event log trigger - https://docs.fortinet.com/document/fortigate/7.0.5/fortios-log-message-reference
How to escape various characters in JSON strings - https://www.tutorialspoint.com/json_simple/json_simple_escape_characters.htm
Copyright 2024 Fortinet, Inc. All Rights Reserved.