Created on 02-20-2024 10:39 PM
Edited on 01-05-2026 01:58 AM
By Jean-Philippe_P
This article describes how to send an alert message to the Slack application from FortiAnalyzer.
FortiAnalyzer, Slack.
Slack:
FortiAnalyzer:
In v7.4.x, go to Fabric View -> Fabric Connectors -> Create New -> Slack Connector.
In v7.6.x, go to Incidents & Events -> Automation -> Active Connectors -> Create New -> Slack Connector.
Note:
Paste the webhook URL copied from Slack into the connector configuration.
Create a Notification Profile from FortiSoC -> Handlers -> Notification Profile List -> Create New.
Note:
Enable Send Alert through Fabric Connectors and select the Slack Connector created earlier.
Create an event handler with any rule that can trigger the alert under FortiSoC -> Handlers -> Event Handler List -> Create New.
Note:
In this documentation, the rules used to trigger the event are Level = "Critical" and Message = "Virtual cluster detected member join".
Trigger the event and check Event Monitor -> Correlated Logs. The time shown there will differ slightly from the time sent in the webhook alert.
To troubleshoot alert delivery, enable debugging with the following CLI commands:
diagnose debug application faznotify 8
diagnose debug timestamp enable
diagnose debug enable
Sample output:
2024-02-20 13:51:06 faznotify_handle_active_channel:138: [faznotify][DEBUG]worker[7998] start to handle chan[root:FAZ Slack]
2024-02-20 13:51:06 faznotify_conn_send_channel:963: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] act[send] obj:
{ "fortianalyzer_notification": { "type": "event alert", "adom": "root", "from": "FAZ-VM0000000000", "timestamp": 1708465865, "apiver": 1, "data": [ { "ackflag": "no", "alertid": "202402211000000011", "logcount": "1", "logtype": "event", "devtype": "FortiGate", "subtype": "ha", "alerttime": "1708465865", "firstlogtime": "1708465843", "lastlogtime": "1708465843", "devid": "FGVM010000000000", "devname": "Juara-kvm52", "eventtype": "ha", "groupby1": "Juara-kvm52", "groupby2": "", "groupby3": "", "indicator": "", "readflag": "no", "severity": "high", "subject": "", "tag": "", "triggername": "HA Event - Cluster member joined", "vdom": "root", "epid": "3", "euid": "3", "epip": "", "epname": "no enough info", "euname": "N\/A", "extrainfo": "{ }", "ephostname": "", "epmac": "", "eposname": "", "eposversion": "", "fctuid": "", "log-length": 376, "log-detail": "logver=0700140601 idseq=152431368901492737 itime=1708465843 devid=\"FGVM010000000000\" devname=\"Tiara-kvm37\" vd=\"root\" date=2024-02-21 time=05:50:42 eventtime=1708465843170822718 tz=\"+0800\" logid=\"0108037894\" type=\"event\" subtype=\"ha\" level=\"critical\" logdesc=\"Virtual cluster member joined\" msg=\"Virtual cluster detected member join\" vcluster=1 ha_group=0 sn=\"FGVM010000108292\"" } ] } }
2024-02-20 13:51:06 faznotify_conn_send_channel:972: [faznotify][DEBUG]wrapping message for SLACK type connector
2024-02-20 13:51:06 faznotify_conn_prepare_sender:783: [faznotify][INFO] connection stat normal
2024-02-20 13:51:07 faznotify_conn_send_channel:980: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] RESPONSE:
ok
2024-02-20 13:51:07 faznotify_conn_send_channel:959: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] no more message in channel
2024-02-20 13:51:07 faznotify_handle_active_channel:162: [faznotify][INFO] worker[7998] job done for [root:FAZ Slack] duration[1]seconds sent-count[0]
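An added example, not part of the original article and not Fortinet code: a Python parser for a saved capture of the debug output above that pairs each payload sent to a connector with the response logged for it and reports alerts that got no "ok". It assumes the line layout shown in the sample output and that a response body of ok means Slack accepted the message; the second connector name and alert ID in the sample are constructed.

```python
import json
import re
import shlex

# Constructed sample: shortened from the debug output above, plus one send with no response.
SAMPLE = r'''2024-02-20 13:51:06 faznotify_conn_send_channel:963: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] act[send] obj:
{ "fortianalyzer_notification": { "adom": "root", "data": [ { "alertid": "202402211000000011", "triggername": "HA Event - Cluster member joined", "log-detail": "devname=\"Tiara-kvm37\" level=\"critical\" msg=\"Virtual cluster detected member join\" vcluster=1" } ] } }
2024-02-20 13:51:06 faznotify_conn_send_channel:972: [faznotify][DEBUG]wrapping message for SLACK type connector
2024-02-20 13:51:07 faznotify_conn_send_channel:980: [faznotify][DEBUG]adom[root] webhook[FAZ Slack] RESPONSE:
ok
2024-02-20 13:52:10 faznotify_conn_send_channel:963: [faznotify][DEBUG]adom[root] webhook[Example Hook] act[send] obj:
{ "fortianalyzer_notification": { "adom": "root", "data": [ { "alertid": "000000000000000000", "triggername": "constructed", "log-detail": "" } ] } }
'''

# Matches the two line shapes seen in the sample output; group 3 is "act[send] obj" or "RESPONSE".
MARK = re.compile(r"adom\[([^\]]+)\] webhook\[([^\]]+)\] (act\[send\] obj|RESPONSE):\s*$")

def parse_log_detail(detail):
    """Split FortiGate key=value pairs; shlex keeps quoted values with spaces together."""
    return dict(tok.split("=", 1) for tok in shlex.split(detail) if "=" in tok)

def _rows(hook, note, response):
    return [{"connector": hook, "alertid": a["alertid"], "trigger": a["triggername"],
             "log": parse_log_detail(a.get("log-detail", "")),
             "response": response, "delivered": response == "ok"} for a in note["data"]]

def parse_deliveries(text):
    """Pair each sent payload with the response body logged for the same ADOM and connector."""
    lines, pending, results = text.splitlines(), {}, []
    for i, line in enumerate(lines):
        m = MARK.search(line)
        if not m:
            continue
        key, rest = (m[1], m[2]), "\n".join(lines[i + 1:]).lstrip()
        if m[3] != "RESPONSE":
            # raw_decode reads one JSON value and ignores what follows, so a payload
            # printed on one line or pretty-printed over several both parse.
            pending[key] = json.JSONDecoder().raw_decode(rest)[0]["fortianalyzer_notification"]
        elif key in pending:
            results += _rows(key[1], pending.pop(key), rest.split("\n", 1)[0].strip())
    # Payloads that never got a RESPONSE line are reported as undelivered.
    for key, note in pending.items():
        results += _rows(key[1], note, None)
    return results

if __name__ == "__main__":
    for d in parse_deliveries(SAMPLE):
        print(d["connector"], d["alertid"], "delivered" if d["delivered"] else f"NOT delivered ({d['response']})")
```

The debug payload carries the full log line in log-detail, so store saved captures with the same care as the logs themselves.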
Related articles:
Technical Tip: FortiGate Automation use Webhook send message to Slack