Custom webhook alert channel
Create a custom webhook that receives FortiCNAPP alert notifications from an alert channel and forwards those alerts to another application.
After you configure a webhook alert channel, every alert FortiCNAPP generates is automatically delivered to the URL endpoint configured in that channel.
Creating a custom webhook
The webhook URL endpoint must use HTTPS. FortiCNAPP does not deliver webhooks over plain HTTP.
When FortiCNAPP generates a new alert, it sends an HTTP POST request whose JSON body has the form shown in the following example.
```json
{
  "event_title": "Compliance Changed",
  "event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884?startTime=1565370000000&endTime=1565373600000",
  "lacework_account": "myLacework",
  "event_source": "AzureCompliance",
  "event_description": "Azure Account myLacework Pay-As-You-Go: Azure_CIS_2_1 Ensure that standard pricing tier is selected changed from compliant to non-compliant",
  "event_timestamp": "27 May 2021 17:00 GMT",
  "event_type": "Compliance",
  "event_id": "120884",
  "event_severity": "4",
  "rec_id": "Azure_CIS_2_1"
}
```
The following table describes the payload elements.
| Field name | Description |
|---|---|
| event_title | The title of the FortiCNAPP event. |
| event_link | The link to the event in the console. |
| lacework_account | The FortiCNAPP account in which the event occurred, that is, the myLacework part of the console URL myLacework.lacework.net. |
| event_source | The source of the event or where the event occurred. |
| event_description | A description of the event including a description of why the event occurred. |
| event_timestamp | The timestamp of when the event occurred. |
| event_type | The type (or category) of the event. |
| event_id | The FortiCNAPP ID for the event. |
| event_severity | The severity of the event, an integer from 1 to 5, where 1 is the highest severity and 5 the lowest. Note that the value is delivered as a JSON string (for example "4"), so convert it before comparing numerically. |
| rec_id | The compliance recommendation ID. Only compliance events include this field. |
Create a webhook that receives the HTTP POST request from FortiCNAPP and then acts on it. For example, your webhook could read the payload of the incoming request, parse its properties, build an alert in the format another application expects, and send that alert to the application, such as Opsgenie.
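As an added example (not code from the FortiCNAPP documentation or the Lacework product), the following Python script is a minimal receiver for the POST described above. It checks the api-token query parameter that the channel URL carries with a constant-time comparison, validates the fields listed in the table above, coerces event_severity (delivered as a string) to an integer, maps FortiCNAPP severity 1 to 5 onto an Opsgenie-style P1 to P5 priority, and hands the result to a forwarding stub. The Opsgenie field names, the token value, the listening port and the sample body are assumptions made for the example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Shared secret the receiver expects in ?api-token=... (hypothetical value).
EXPECTED_TOKEN = "replace-with-a-long-random-token"

# Fields FortiCNAPP sends for every alert; rec_id appears only on compliance events.
REQUIRED_FIELDS = ("event_title", "event_link", "lacework_account", "event_source",
                   "event_description", "event_timestamp", "event_type", "event_id",
                   "event_severity")

# FortiCNAPP severity 1 (highest) .. 5 (lowest) -> Opsgenie priority P1 .. P5 (assumed mapping).
SEVERITY_TO_PRIORITY = {1: "P1", 2: "P2", 3: "P3", 4: "P4", 5: "P5"}

# Constructed sample body modelled on the payload above (event_link/description abbreviated).
SAMPLE_BODY = (b'{"event_title": "Compliance Changed", '
               b'"event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884", '
               b'"lacework_account": "myLacework", "event_source": "AzureCompliance", '
               b'"event_description": "Azure_CIS_2_1 changed from compliant to non-compliant", '
               b'"event_timestamp": "27 May 2021 17:00 GMT", "event_type": "Compliance", '
               b'"event_id": "120884", "event_severity": "4", "rec_id": "Azure_CIS_2_1"}')


def token_is_valid(path: str) -> bool:
    """Check the api-token query parameter with a constant-time comparison."""
    supplied = parse_qs(urlparse(path).query).get("api-token", [""])[0]
    return hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode())


def parse_alert(body: bytes) -> dict:
    """Validate the FortiCNAPP payload; raises ValueError so the handler can answer 400."""
    try:
        alert = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise ValueError(f"body is not JSON: {exc}") from None
    if not isinstance(alert, dict):
        raise ValueError("payload must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in alert]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    # event_severity is sent as a JSON string ("4"), not a number.
    try:
        severity = int(alert["event_severity"])
    except (TypeError, ValueError):
        raise ValueError("event_severity is not an integer") from None
    if severity not in SEVERITY_TO_PRIORITY:
        raise ValueError("event_severity must be between 1 and 5")
    alert["event_severity"] = severity
    return alert


def to_opsgenie_alert(alert: dict) -> dict:
    """Map a parsed alert onto an Opsgenie-style create-alert body (field names assumed)."""
    details = {k: alert[k] for k in ("lacework_account", "event_source", "event_type",
                                     "event_link", "event_timestamp")}
    if "rec_id" in alert:  # compliance events only
        details["rec_id"] = alert["rec_id"]
    return {
        "message": alert["event_title"],
        "description": alert["event_description"],
        "priority": SEVERITY_TO_PRIORITY[alert["event_severity"]],
        # stable alias so a re-delivered event de-duplicates instead of paging twice
        "alias": f"forticnapp-{alert['lacework_account']}-{alert['event_id']}",
        "details": details,
    }


def forward(opsgenie_alert: dict) -> None:
    """Stub for the outbound call; replace with an authenticated POST to Opsgenie."""
    print(json.dumps(opsgenie_alert, indent=2))


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        if not token_is_valid(self.path):
            self.send_error(401, "bad or missing api-token")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, 1 << 20))  # cap the body at 1 MiB
        try:
            alert = parse_alert(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        forward(to_opsgenie_alert(alert))
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    forward(to_opsgenie_alert(parse_alert(SAMPLE_BODY)))  # show the conversion once
    # Plain HTTP on localhost for testing; FortiCNAPP requires an HTTPS endpoint,
    # so put a TLS-terminating reverse proxy in front before exposing it.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Because the only authentication FortiCNAPP offers for this channel is the token embedded in the URL, the receiver must treat that parameter as the credential: reject requests without it before reading the body, compare it in constant time, and keep the full URL out of logs.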
Creating a webhook alert channel
To create a webhook alert channel:
- Log in to the console as a user with administrative privileges.
- Go to Settings > Notifications > Channels.
- Click + Add new.
- Select Webhook.
- Click Next.
- Verify that you have created a webhook to receive the HTTP POST request from FortiCNAPP, as described in Creating a custom webhook above.
- Specify a name for the channel.
- In the Webhook URL field, enter the URL of the webhook that will receive the HTTP POST request from FortiCNAPP. If the third-party application receiving the request requires an API token, include the token as a query parameter of the URL. Because the URL then carries a credential, treat the full URL as a secret. For example:
https://mySampleEnv.live.dynatrace.com/api/v1/time?api-token=abcdefjhij1234567890
- Select Save.
- Select Alert rules and configure the alert routing that uses the channel you created.
Creating a FortiCNAPP webhook alert channel using Terraform
You can use the lacework_alert_channel_webhook Terraform resource to create a webhook alert channel that forwards FortiCNAPP alert notifications to a third-party application.
If the third-party application receiving the HTTP POST request requires an API token, enter the API token as part of the URL, such as https://webhook.com?api-token=123.
```hcl
resource "lacework_alert_channel_webhook" "ops_critical" {
  name        = "OPS Critical Alerts"
  webhook_url = "https://webhook.com?api-token=123"
}
```
Additional information on the lacework_alert_channel_webhook resource can be found on the Terraform Registry.