Created on 06-21-2022 11:59 AM Edited on 09-04-2024 10:03 PM By Anthony_E
Description
This article describes how to send real-time event notifications from FortiEDR using a Custom Connector and an Action Script.
Scope
FortiEDR.
Solution
FortiEDR Custom Integration Connector: Security Event Push Notification.
FortiEDR supports adding a Custom Connector whose actions are implemented by Python scripts. These scripts are called 'Action Scripts' and run on the customer's Jumpbox.
In this example, event data is sent to a Discord Webhook, which posts a real-time event notification into the Discord channel the webhook belongs to.
This article shows how to create the Custom Connector and an Action Script that uses Python's requests library to send out event data as soon as an event comes in.
Third-party systems can then take actions using the provided event data.
The Webhook link should be similar to this:
(the link ends in /api/webhooks/<number>/<unique string>, which is the path the Action Script rebuilds)
Take note of the number and the unique string.
The number is the webhook ID and the unique string is the webhook token; these will be the Username and Password used in the Custom Connector.
For this Webhook link it is:
Username: 98319xxxxxxxxxx
Password: 2rTPCXdxxxxxxxxx
The token is the only credential protecting the webhook: anyone who holds the full link can post arbitrary messages to the channel. Treat it as a secret, keep it out of logs, tickets and screenshots, and delete or recreate the webhook in Discord if it leaks.
The Action Script reads config.json (the PARAMS and TestMode values supplied by the connector), formats the event and posts it to the Discord webhook:

import json
import sys
import requests  # used for the HTTP/S POST to the webhook

with open('config.json') as json_file:
    conf = json.load(json_file)

PARAMS = conf.get('PARAMS', {})
TEST_MODE = conf.get('TestMode', False)

# The connector credentials are part of PARAMS; they must never be copied into the message body.
CONNECTOR_KEYS = ('ConnectorHost', 'ConnectorPort', 'ConnectorUsername', 'ConnectorPassword')

if __name__ == "__main__":
    # Build the webhook URL from host, port, username (webhook ID) and password (webhook token)
    # as entered on the Custom Connector configuration screen.
    mUrl = ('https://' + PARAMS['ConnectorHost'] + ':' + str(PARAMS['ConnectorPort'])
            + '/api/webhooks/' + PARAMS['ConnectorUsername'] + '/' + PARAMS['ConnectorPassword'])

    headers = {'Content-type': 'application/json'}
    eventdata = ''

    if TEST_MODE:
        # Testing from the Custom Connector configuration screen does not use a real event
        # (there is no entireEvent key), so the PARAMS contents are used as the event.
        EVENT = dict(PARAMS)
    else:
        # EVENT = json.loads(PARAMS.get('entireEvent', {}))
        EVENT = dict(PARAMS)
        # AutomationData is too long; keep only its comment, and do not fail if the key is absent.
        automation = EVENT.get('AutomationData')
        if isinstance(automation, dict):
            EVENT['AutomationData'] = automation.get('comment', '')

    # Convert the event keys to plain strings, truncating each value at 90 characters.
    for key, val in EVENT.items():
        if key in CONNECTOR_KEYS:
            continue
        eventdata = eventdata + '**' + key + '**: ' + str(val)[:90] + '\n'

    # Format the content for Discord. The description is truncated at 2047 characters
    # to stay within Discord's embed limit.
    webhookdata = {
        "content": None,
        "embeds": [
            {
                "title": "FortiEDR Notification",
                "description": eventdata.replace("u'", "'")[:2047],
                "color": 5814783
            }
        ]
    }

    # Send the webhook. Discord answers 204 No Content on success.
    try:
        response = requests.post(mUrl, headers=headers, json=webhookdata, timeout=10)
    except requests.RequestException as err:
        # Print only the exception type: requests error messages include the URL, hence the token.
        print('Failed sending webhook: ' + type(err).__name__)
        sys.exit(1)

    if response.status_code == 204:
        print('Successfully sent webhook.')
        sys.exit(0)
    else:
        print('Failed sending webhook.')
        print(response.content)
        sys.exit(1)

Two points to check before deploying this script. First, in both branches the event is the PARAMS dictionary, which also carries ConnectorUsername and ConnectorPassword; without the CONNECTOR_KEYS filter above, the webhook token itself would be posted into the channel for every member to read. Second, the fields that end up in the message (process names, command lines, file paths) are influenced by whatever triggered the event, so they should be treated as untrusted text rather than trusted output.
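As an added example (not the article's Action Script), the same logic split into functions that can be exercised without FortiEDR or network access. SAMPLE_EVENT is constructed; its Process and CommandLine keys are illustrative, the Connector* keys follow the script above, and the allowed_mentions field is Discord's own webhook option for suppressing pings. It shows two things the script above leaves out: redacting the webhook token before anything is printed, and preventing attacker-influenced event fields from mentioning @everyone.

```python
"""Added example, not the article's Action Script: the webhook logic as pure
functions that can be tested offline. SAMPLE_EVENT is constructed; its
Process/CommandLine keys are illustrative, the Connector* keys follow the
article's script."""
import json
import re
import urllib.error
import urllib.request

MAX_VALUE_LEN = 90            # per-field truncation used by the article's script
MAX_DESCRIPTION_LEN = 2047    # conservative cap for a Discord embed description
CONNECTOR_KEYS = ('ConnectorHost', 'ConnectorPort',
                  'ConnectorUsername', 'ConnectorPassword')

# Constructed sample: connector fields plus a few event fields. The command
# line is over-long and carries an @everyone mention to exercise the safeguards.
SAMPLE_EVENT = {
    'ConnectorHost': 'discord.com',
    'ConnectorPort': '443',
    'ConnectorUsername': '98319000000000000',   # placeholder webhook ID
    'ConnectorPassword': 'token-placeholder',    # placeholder webhook token
    'Process': 'powershell.exe',
    'CommandLine': '-enc ' + 'A' * 200 + ' @everyone',
    'AutomationData': {'comment': 'isolated by playbook', 'raw': 'x' * 500},
}


def build_webhook_url(params):
    """https://<host>:<port>/api/webhooks/<ID>/<token>, with the webhook ID in
    ConnectorUsername and the token in ConnectorPassword."""
    return 'https://{}:{}/api/webhooks/{}/{}'.format(
        params['ConnectorHost'], params['ConnectorPort'],
        params['ConnectorUsername'], params['ConnectorPassword'])


def redact_url(url):
    """Mask the token before the URL is printed or logged: whoever holds the
    full link can post to the channel."""
    return re.sub(r'(/api/webhooks/\d+/)[^/\s]+', r'\1<redacted>', url)


def summarize_event(event, max_value_len=MAX_VALUE_LEN):
    """Flatten the event into '**key**: value' lines, truncating each value.
    Connector credentials are skipped, AutomationData is reduced to its
    comment, and a missing AutomationData key does not raise."""
    event = dict(event)                        # do not mutate the caller's PARAMS
    automation = event.get('AutomationData')
    if isinstance(automation, dict):
        event['AutomationData'] = automation.get('comment', '')
    lines = []
    for key, val in event.items():
        if key in CONNECTOR_KEYS:
            continue
        lines.append('**{}**: {}\n'.format(key, str(val)[:max_value_len]))
    return ''.join(lines)


def build_discord_payload(description, title='FortiEDR Notification'):
    """Webhook body. allowed_mentions.parse=[] stops attacker-influenced
    fields (process names, command lines) that contain @everyone, @here or
    role mentions from pinging the channel."""
    return {
        'content': None,
        'embeds': [{
            'title': title,
            'description': description[:MAX_DESCRIPTION_LEN],
            'color': 5814783,
        }],
        'allowed_mentions': {'parse': []},
    }


def send_webhook(url, payload, opener=urllib.request.urlopen):
    """POST the payload and return (ok, http_status). Discord answers 204 on
    success. 'opener' is injectable so the function can be tested offline."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode('utf-8'),
        headers={'Content-Type': 'application/json'}, method='POST')
    try:
        with opener(req, timeout=10) as resp:
            return resp.status == 204, resp.status
    except urllib.error.HTTPError as err:
        return False, err.code
    except urllib.error.URLError:
        return False, None


if __name__ == '__main__':
    url = build_webhook_url(SAMPLE_EVENT)
    payload = build_discord_payload(summarize_event(SAMPLE_EVENT))
    print('Would POST to', redact_url(url))   # only the redacted URL is ever printed
    print(json.dumps(payload, indent=2))
```

Running the block prints the redacted URL and the payload without sending anything; to use it on the Jumpbox, load PARAMS from config.json as the article's script does and call send_webhook(build_webhook_url(PARAMS), build_discord_payload(summarize_event(PARAMS))), checking the returned status rather than printing the URL.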
Copyright 2024 Fortinet, Inc. All Rights Reserved.