
FortiDLP Administration Guide

Webhooks

Webhooks allow you to integrate FortiDLP with third-party systems, which subscribe to detection, incident, and audit log events. When these events occur, FortiDLP sends a POST payload to the webhook's configured URL.

To optimize your workflow, FortiDLP lets you choose how often payloads are sent and filter events by tags, risk scores, and labels.

Note

FortiDLP detection events can be sent through webhooks to FortiAnalyzer 7.6.3+ using the FortiAnalyzer event collector service. For more information, see Event collectors and Configuring the webhook in the FortiAnalyzer Administration Guide.

Preconfigured payload formats

FortiDLP supports the following preconfigured payload formats:

  • JSON: For use with webhooks for any third party that will accept payloads formatted as JSON.
  • MS Teams: For use with webhooks for the MS Teams collaboration tool. Payloads are formatted to meet MS Teams' specifications.
  • SentinelOne: For use with webhooks for the SentinelOne security tool. Payloads are formatted to meet SentinelOne's specifications. For guidance on setting up a SentinelOne webhook integration, see Setting up SentinelOne webhooks.
  • Slack: For use with webhooks for the Slack collaboration tool. Payloads are formatted to meet Slack's specifications.

When you choose one of these formats, each payload will consist of a set of predefined fields which summarize key event information.

Our Slack and MS Teams integrations make it easy to notify security analyst groups about important activity in a messaging platform external to FortiDLP. You just need to create a Slack or MS Teams channel, add the relevant members to it, and then configure the webhook to send payloads to the channel's associated webhook URL.

Example

For example, the following is a Slack detection message about a user who has attempted to send an email to an unauthorized email address.

Custom payload format

FortiDLP's Custom payload format lets you create templates by tailoring payloads using any of the Custom field values detailed in Webhook payload fields. Always consult the third party's documentation to ensure you structure payloads in a suitable format, and refer to Creating custom webhook templates for guidance.

Authorization

FortiDLP can add custom HTTP headers to every webhook POST, giving the receiving third party an additional way to verify that a request really comes from FortiDLP. You define the header name and value on the webhook, and the receiver checks for that header before it accepts the request. The header value is effectively a shared secret: send it only to HTTPS URLs, rotate it if the receiving system is exposed, and configure the receiver to reject requests that omit it or carry a different value. How the receiving application expects the header to be named and checked is specific to that application, so follow its documentation.
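The receiving side of that check, as an added example that is not FortiDLP code and not a FortiDLP-supplied receiver: a small Python HTTP endpoint that accepts the POST only when a custom header carries the expected shared secret, compared in constant time. The header name X-FortiDLP-Token and the secret value are assumptions; FortiDLP lets you choose any header name and value, and the receiver must be configured with the same pair. The handler also recognises the dropped_events notice described under Rate limiting so that a consumer does not mistake it for a detection.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed header name and secret. FortiDLP does not mandate a name; whatever
# custom header you configure on the webhook must match what is checked here.
AUTH_HEADER = "X-FortiDLP-Token"
SHARED_SECRET = "replace-with-a-long-random-value"


def is_authorized(headers, secret=SHARED_SECRET):
    """True only if the custom header is present and equals the shared secret.

    hmac.compare_digest runs in constant time, so a caller probing the
    endpoint cannot recover the secret byte by byte from response timing.
    """
    presented = headers.get(AUTH_HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle_payload(headers, body, secret=SHARED_SECRET):
    """Validate one incoming POST and return (http_status, message).

    Authorization is checked before the body is touched, so unauthenticated
    callers cannot make the receiver parse attacker-supplied JSON.
    """
    if not is_authorized(headers, secret):
        return 401, "missing or invalid authorization header"
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, "expected application/json"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(event, dict):
        return 400, "expected a JSON object"
    # A rate-limit notice carries dropped_events instead of event fields.
    if "dropped_events" in event:
        return 200, f"rate limit notice: {event['dropped_events']} events dropped"
    return 200, "accepted event"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver that routes every POST through handle_payload."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, msg = handle_payload(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(msg.encode())


if __name__ == "__main__":
    # Bind to loopback only; terminate TLS in front of this in production.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The order of checks matters: the header comparison happens before any JSON parsing, and the content type is enforced so that form posts or empty bodies from misconfigured senders are rejected with a clear status rather than silently accepted.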

Rate limiting

FortiDLP uses the token bucket algorithm to control the rate at which payloads are sent to a webhook's URL. The bucket holds up to a fixed maximum number of tokens; sending a payload removes one token, and tokens are added back at a steady rate until the bucket is full again. While the bucket is empty, no payloads can be sent. The bucket therefore allows short bursts up to its capacity while capping the sustained rate at the replenish rate.

To limit the rate at which payloads are delivered to a webhook's URL, set the Max tokens field (the bucket capacity, which is the largest burst that can be sent at once) and the Token replenish rate per hour field (the sustained number of payloads per hour), as described in Creating webhooks.

When events arrive faster than the rate limit allows, the excess events are dropped. FortiDLP reports the drop with a count and the window it covers, in the following form.

    {
        "dropped_events": 12,
        "dropped_since": "2024-02-26T09:23:59.753225Z",
        "dropped_until": "2024-02-26T10:27:41.753221Z"
    }

Filtering
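To make the two settings concrete, the following Python is an added example (not FortiDLP code) that models the bucket with Max tokens as the capacity and Token replenish rate per hour as the refill rate, and emits a notice in the shape shown above once a token becomes available after drops. The page does not say when FortiDLP sends that notice or whether it consumes a token; this model sends it without spending a token, immediately before the next delivered event, and that scheduling is an assumption. The burst of events is constructed for the example.

```python
from datetime import datetime, timedelta, timezone


class TokenBucket:
    """Token bucket driven by the two knobs the guide exposes.

    Time is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, max_tokens, replenish_per_hour, now):
        self.max_tokens = float(max_tokens)
        self.replenish_per_hour = replenish_per_hour
        self.tokens = float(max_tokens)  # the bucket starts full
        self.last = now

    def _refill(self, now):
        # Tokens accrue continuously at replenish_per_hour, capped at capacity.
        elapsed = (now - self.last).total_seconds()
        self.tokens = min(self.max_tokens,
                          self.tokens + elapsed * self.replenish_per_hour / 3600.0)
        self.last = now

    def try_consume(self, now):
        """Take one token if available; False means the payload must be dropped."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


class WebhookDispatcher:
    """Delivers events while tokens last, counts drops otherwise, and reports
    the drop window once delivery resumes (assumed scheduling, see lead-in)."""

    def __init__(self, max_tokens, replenish_per_hour, now):
        self.bucket = TokenBucket(max_tokens, replenish_per_hour, now)
        self.sent = []          # payloads that would have been POSTed, in order
        self.dropped = 0
        self.dropped_since = None

    def submit(self, event, now):
        if not self.bucket.try_consume(now):
            if self.dropped == 0:
                self.dropped_since = now
            self.dropped += 1
            return False
        if self.dropped:
            self.sent.append({
                "dropped_events": self.dropped,
                "dropped_since": iso(self.dropped_since),
                "dropped_until": iso(now),
            })
            self.dropped = 0
            self.dropped_since = None
        self.sent.append(event)
        return True


def simulate():
    """Max tokens 3, replenish 60/hour (one per minute): a burst of five
    detections delivers three and drops two; two minutes later delivery resumes
    and the drop notice precedes the next event."""
    t0 = datetime(2024, 2, 26, 9, 23, 59, tzinfo=timezone.utc)
    d = WebhookDispatcher(max_tokens=3, replenish_per_hour=60, now=t0)
    for i in range(5):  # constructed burst, one millisecond apart
        d.submit({"detection_id": f"det-{i}", "risk_score": 50 + i},
                 t0 + timedelta(milliseconds=i))
    d.submit({"detection_id": "det-5", "risk_score": 80}, t0 + timedelta(minutes=2))
    return d.sent


if __name__ == "__main__":
    for payload in simulate():
        print(payload)
```

Reading the settings through this model: Max tokens bounds the burst a receiver such as a chat channel will see at once, and Token replenish rate per hour bounds the steady-state volume; anything beyond that is lost, so size both against the receiver's own limits rather than setting them arbitrarily low.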

FortiDLP gives you fine-grained control over the detections and incidents sent to a webhook URL. You can filter all event types by specific tags and risk scores. You can also filter incidents by when they are created, when related detections are generated by a new user or node, and when they are resolved.

Example

For example, to be alerted to attempts to tamper with the FortiDLP Agent and its components, you could filter for detections that carry the systemsecurity tag, which is preconfigured on the Anti-tamper OOB policies. Or, to be alerted only to critical incidents, you could filter for incidents with a minimum risk score of 90.
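The filter semantics above, as an added Python example that is not FortiDLP code: a filter is a set of event types, tags, a minimum risk score and, for incidents, the lifecycle triggers of interest, and an event must satisfy every configured criterion. The event schema (type, tags, risk_score, trigger) and the trigger names are assumptions for the example, not FortiDLP's payload field names; the sample events are constructed.

```python
from dataclasses import dataclass, field

# Assumed incident lifecycle triggers, mirroring the three cases the guide lists.
INCIDENT_TRIGGERS = {"created", "new_user_or_node", "resolved"}


@dataclass
class WebhookFilter:
    """One webhook's filter. Any criterion left empty matches everything."""
    event_types: set = field(default_factory=set)        # e.g. {"detection", "incident"}
    tags: set = field(default_factory=set)               # event needs at least one
    min_risk_score: int = 0
    incident_triggers: set = field(default_factory=set)  # subset of INCIDENT_TRIGGERS


def matches(event, flt):
    """True if the event passes every configured criterion of the filter."""
    if flt.event_types and event["type"] not in flt.event_types:
        return False
    if flt.tags and not flt.tags.intersection(event.get("tags", ())):
        return False
    if event.get("risk_score", 0) < flt.min_risk_score:
        return False
    # Trigger filtering only applies to incidents; detections are unaffected.
    if (event["type"] == "incident" and flt.incident_triggers
            and event.get("trigger") not in flt.incident_triggers):
        return False
    return True


def event_ids(flt, events):
    return [e["id"] for e in events if matches(e, flt)]


# Constructed sample events (schema assumed for the example).
SAMPLE_EVENTS = [
    {"type": "detection", "id": "d1", "tags": ["systemsecurity"], "risk_score": 40},
    {"type": "detection", "id": "d2", "tags": ["exfiltration"], "risk_score": 95},
    {"type": "incident", "id": "i1", "tags": ["exfiltration"], "risk_score": 92, "trigger": "created"},
    {"type": "incident", "id": "i2", "tags": ["exfiltration"], "risk_score": 92, "trigger": "resolved"},
    {"type": "incident", "id": "i3", "tags": ["systemsecurity"], "risk_score": 60, "trigger": "new_user_or_node"},
]

# The two filters from the example in the text.
ANTI_TAMPER = WebhookFilter(event_types={"detection"}, tags={"systemsecurity"})
CRITICAL_INCIDENTS = WebhookFilter(event_types={"incident"}, min_risk_score=90,
                                   incident_triggers={"created"})

if __name__ == "__main__":
    print("anti-tamper:", event_ids(ANTI_TAMPER, SAMPLE_EVENTS))
    print("critical incidents:", event_ids(CRITICAL_INCIDENTS, SAMPLE_EVENTS))
```

Note that the risk-score threshold applies to every event type the webhook subscribes to, so a webhook meant to carry only critical incidents should restrict the event type as well as the score; otherwise a high-scoring detection would also be delivered.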
