FortiGate
pminarik

Description

This article describes how to configure a webhook automation stitch that posts a message into a chosen Discord channel when the stitch is triggered.

 

Scope

This guide applies to any FortiOS version that supports the webhook automation action (6.0 and later).

The FortiGate must be able to resolve discord.com and reach it over HTTPS (TCP port 443).

The user creating the webhook in Discord must have the Manage Webhooks permission on the channel.

The webhook URL is the only credential Discord requires: anyone who obtains it can post arbitrary messages to the channel. Treat it like a password. It is stored in the FortiGate configuration as a plain string that any administrator with read access to the configuration can see; if it leaks, delete the webhook in Discord and create a new one.

 

Solution

1) Create the webhook in Discord

a) Select the gear icon next to the channel name to edit the channel, then go to Integrations and select Create Webhook.

 

(screenshot: edit channel)

 

b) Give the webhook an appropriate name, select the desired channel, and optionally upload an icon. (Fortinet icons are available for download here)

 

(screenshot: webhook creation)

 

When the webhook is triggered by the FortiGate, the message will be displayed as a message by a Discord bot in the selected channel with the chosen name and icon.

Finally, select Copy Webhook URL, save the URL (it can be retrieved later from the same location), and select Save Changes.

 

c) (optional) Confirm that the webhook URL is valid by sending a test message to it from a workstation.

In both commands below, replace the placeholder URL with the real webhook URL.

Verification using cURL (the --json option requires curl 7.82.0 or newer; on older versions use -H "Content-Type: application/json" -d '...' instead):

 

curl https://discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx... --json '{"content": "curl test message"}'

 

Verification using PowerShell:

 

Invoke-RestMethod -Uri https://discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx... -Method Post -Body (@{"content"="powershell test message"} | ConvertTo-Json) -ContentType "application/json"

 

If the webhook URL is valid, Discord answers with HTTP 204 No Content and the message(s) show in the channel. A 401 or 404 response means the webhook ID or token in the URL is wrong.

(screenshot: test results)

 

2) Create the automation stitch in FortiGate

This example uses the failed admin login event as a trigger. For other options, refer to FortiOS Administration Guide -> Fortinet Security Fabric -> Automation Stitches.

 

The screenshots below were taken from FortiOS version 7.0.5. The visuals may be slightly different in other versions.

 

a) Create the automation trigger.

In Security Fabric -> Automation -> Trigger, select Create New and select the FortiOS Event Log type.

 

Give the trigger a descriptive name and select the Admin login failed event in the Event field. Select OK to save the change.

 

(screenshot: automation trigger)

 

 

b) Create the automation action

Switch to the Action tab, select Create New and select the Webhook action.

Give the action a descriptive name. Select HTTPS as the protocol, paste the webhook URL into the URL field without the https:// scheme prefix (the protocol is set separately), and select the POST method. Add a Content-Type HTTP header with the value application/json. Insert the desired JSON in the HTTP body field.

 

The minimal JSON body the Discord API requires to send a message consists of the 'content' key with a value containing the message to be displayed.

This example uses a payload that demonstrates how to send a multi-line message and how to use variables from the source log event. Each %%log.<field>%% variable is replaced with the value of that field in the log entry that triggered the stitch. The payload sends two lines of text, followed by additional lines with variables containing the time, admin username, source IP, and failure reason.

 

{"content" : "Sample FortiGate webhook\nAdmin login failed!\ntime: %%log.time%%\nusername: %%log.user%%\nsource IP: %%log.srcip%%\nfailure reason: %%log.reason%%\n"}

 

Once done, select OK to save the automation action.

 

(screenshot: automation action)

 

c) Create the automation stitch.

Switch to the Stitch tab, and select Create New. Give the stitch a descriptive name. Select Add Trigger, select the trigger from step a, and select Apply. Select Add Action, select the action created in step b, and select Apply. Finally, select OK to save the new automation stitch.

(screenshot: automation stitch)


The completed automation trigger, action, and stitch are represented in the CLI as follows (note that the webhook URL is stored in clear text in the uri field):

# config system automation-trigger
    edit "admin_login_failed"
        set event-type event-log
        set logid 32002
    next
end

# config system automation-action
    edit "discord_admin_login_fail"
        set action-type webhook
        set protocol https
        set uri "discord.com/api/webhooks/999999999999999999/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        set http-body "{\"content\" : \"Sample FortiGate webhook\\nAdmin login failed!\\ntime: %%log.time%%\\nusername: %%log.user%%\\nsource IP: %%log.srcip%%\\nfailure reason: %%log.reason%%\\n\"}"
        set port 443
        set headers "Content-Type:application/json"
    next
end

# config system automation-stitch
    edit "discord_sample_stitch"
        set trigger "admin_login_failed"
        config actions
            edit 1
                set action "discord_admin_login_fail"
                set required enable
            next
        end
    next
end
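As an added example (not part of the original article and not FortiOS or Discord code), the Python script below shows end to end what the action above produces: it parses a constructed FortiOS "Admin login failed" event line, substitutes the %%log.<field>%% variables the way the webhook action does, wraps the text in a Discord webhook payload, and renders the escaped set http-body line the CLI expects (the same \" and \\n sequences visible in the configuration above). It also adds the allowed_mentions field and the <@id> / <@&id> mention helpers discussed under Additional information below. The sample log line, the webhook URL pattern, and the empty-string handling of missing fields are this example's assumptions; send_webhook() is the only function that touches the network and can also serve as the test sender from step 1c.

```python
"""Added example (not FortiOS or Discord code): what the stitch in this article sends.

Parses a FortiOS event log line, fills in the %%log.<field>%% variables the way the
automation action does, wraps the result in a Discord webhook payload and prints the
equivalent FortiOS 'set http-body' line with CLI escaping applied.
"""
import json
import re
import urllib.error
import urllib.request

# Constructed sample of a FortiOS "Admin login failed" event (logid 32002). Field names
# follow the FortiOS log message reference; the values are made up for this example.
SAMPLE_LOG = (
    'date=2022-05-25 time=16:44:11 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 action="login" '
    'status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"'
)

# HTTP body template from the article; FortiOS replaces %%log.<field>%% at trigger time.
TEMPLATE = (
    "Sample FortiGate webhook\nAdmin login failed!\ntime: %%log.time%%\n"
    "username: %%log.user%%\nsource IP: %%log.srcip%%\nfailure reason: %%log.reason%%\n"
)

# Assumed shape of a Discord webhook URL: numeric snowflake id, then an opaque token.
WEBHOOK_URL_RE = re.compile(r"^https://discord\.com/api/webhooks/(\d+)/([A-Za-z0-9_.-]+)$")
LOG_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
VARIABLE_RE = re.compile(r"%%log\.(\w+)%%")


def parse_fortios_log(line):
    """Turn a key=value / key="quoted value" log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in LOG_FIELD_RE.finditer(line)}


def render_template(template, fields):
    """Substitute %%log.<field>%% variables. Fields absent from the event become ''
    here; that is this example's choice, not a documented FortiOS behaviour."""
    return VARIABLE_RE.sub(lambda m: fields.get(m.group(1), ""), template)


def mention_user(user_id):
    """Discord mention syntax for a user id."""
    return "<@%s>" % user_id


def mention_role(role_id):
    """Discord mention syntax for a role id."""
    return "<@&%s>" % role_id


def build_payload(content, allowed_users=(), allowed_roles=()):
    """Discord webhook payload. %%log.user%% is whatever the client typed at the login
    prompt, so it is attacker-controlled text: parse=[] stops a username such as
    '@everyone' or '<@&roleid>' from pinging anyone, while the ids listed in
    allowed_users/allowed_roles (mentions the stitch owner added deliberately) still notify."""
    return {
        "content": content,
        "allowed_mentions": {
            "parse": [],
            "users": list(allowed_users),
            "roles": list(allowed_roles),
        },
    }


def to_fortios_http_body(payload):
    """Render the JSON as the FortiOS CLI expects in 'set http-body "..."': the JSON
    text is wrapped in double quotes, so every backslash and double quote inside it
    is escaped. That is what produces the \\" and \\\\n sequences seen in the config."""
    text = json.dumps(payload, separators=(", ", ": "))
    return 'set http-body "%s"' % text.replace("\\", "\\\\").replace('"', '\\"')


def send_webhook(url, payload, timeout=10):
    """POST the payload and return the HTTP status. Discord answers 204 on success,
    401/404 for a bad token or id, and 429 when the webhook is being rate limited."""
    if not WEBHOOK_URL_RE.match(url):
        raise ValueError("not a discord.com webhook URL")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 429:
            print("rate limited, retry after", err.headers.get("Retry-After"), "seconds")
        return err.code


if __name__ == "__main__":
    fields = parse_fortios_log(SAMPLE_LOG)
    print(render_template(TEMPLATE, fields))          # what the channel will show
    print(to_fortios_http_body(build_payload(TEMPLATE)))  # line to paste into the CLI
    # send_webhook("https://discord.com/api/webhooks/<id>/<token>", build_payload("test"))
```

Run it as-is to see the rendered message and the escaped CLI line; uncomment the last line with a real URL to send a test message. Keeping the %%log.*%% variables untouched in the body passed to to_fortios_http_body() is deliberate: the FortiGate, not this script, fills them in when the trigger fires.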

 

3) Final confirmation

The configuration is now complete and the stitch can be tested by performing a failed admin login. The resulting message, based on the above automation action, should look as follows:

(screenshot: resulting Discord message)

Every failed login fires the stitch once, so a password-guessing attempt against the management interface produces one webhook call per attempt. Discord rate limits webhook requests and answers excess calls with HTTP 429, and the channel fills with noise. To throttle this, set a minimum interval on the action (Minimum interval in the GUI; set minimum-interval <seconds> under config system automation-action in the CLI), and restrict administrative access with trusted hosts on the admin accounts so the trigger rarely fires in the first place.

 

Additional information and references

How to include a user or role @mention in the webhook message?

Mentioning a specific user or role in the webhook message requires a specific syntax:

user: <@user-id-here>
role: <@&role-id-here>

These IDs can be quickly discovered by manually sending a message in the channel that mentions the user or role, with the @ sign prefixed by a backslash '\'. The resulting message shows the exact sequence of characters to use in the webhook action's JSON body.

(screenshot: user/role ID retrieval)

(screenshot: @mention JSON payload and result)

Be careful when the message mixes mentions with log fields that a client controls. For the failed-login trigger, %%log.user%% is whatever name was typed at the login prompt, so a remote party can place @everyone, @here or a <@&role-id> string in the message and have the webhook ping the channel. The Discord webhook API accepts an allowed_mentions object for exactly this: adding "allowed_mentions": {"parse": []} to the JSON body makes Discord render such text without notifying anyone, while mentions you add deliberately can still be allowed through its users and roles lists.

 

Documentation

Discord webhook API reference - https://discord.com/developers/docs/resources/webhook

FortiOS log message reference (lists which log fields are available as variables for each event log trigger) - https://docs.fortinet.com/document/fortigate/7.0.5/fortios-log-message-reference

How to escape various characters in JSON strings - https://www.tutorialspoint.com/json_simple/json_simple_escape_characters.htm