Fortinet FortiGate and FortiAnalyzer Integration Slack + Microsoft Teams automated notifications

Captions
Hey everyone, welcome back to the channel. My name is Alex and I am a systems engineer here at Fortinet, and today I am going to be covering a new feature that was released in 7.4 for FortiAnalyzer, and that is the integration with Microsoft Teams for notifications. In this video I'm also going to touch on FortiGates and their integration with Microsoft Teams, along with FortiGate's integration with Slack, as they are all related to each other. So with that, I'm going to get right into this, share my screen with you and walk you through how to configure notifications to be sent to a Microsoft Teams channel or a Slack channel. So let's go.

So as you can see here, I'm logged into my FortiGate and my FortiAnalyzer here. So let's hop over right into Teams to get this going. I already have my Teams channel created here, so if you don't already, you'll need to create a channel here. Once you do have this channel created, come up here into the top right and hit the settings button, and in the settings you will get the Connectors drop-down. You'll need to go ahead and click on Connectors, and then what we're looking for in here is going to be Incoming Webhooks. You can search for Incoming Webhook if you need to; it should be right at the top here, but we are going to click Configure. We need to set up a name for this webhook, so you can name it anything; I'll just name it "FortiAnalyzer incidents notifications". You can create an image that will pop up as the avatar for the messages in the channel, or you can just keep it as default; I will keep it as default here, and then we will click Create. I'm not going to click Create as I already have a connector created for this, so I'm actually going to go under my configured connectors and I'm just going to show you what mine is. You can see I have two in here already. So if I click Manage, this is what it's going to show you after you click Create, and what we really need out of here is this URL. So this is going to be our URL for the webhook, so just click the copy button. Once we have the URL, we're pretty much done in Teams at this point.

So we can come over to our FortiAnalyzer, and the first thing that we want to do here is set up a fabric connector. You should see the MS Teams connector here; if you don't, just click Create New, and under the ITSM connectors we see Microsoft Teams here. So if you go ahead and click on Teams, you can give this a name; we can just name this "analyzer teams notifications". The title, again, you can name this anything, it doesn't really matter at this point, so the title can just be anything, so let's just leave it as "notifications". And this is where we are inputting that URL that we got from Teams, so go ahead and paste that in there. And then the HTTP body section we can leave blank for this, and when we leave it blank it's going to send the entire log message to our Teams channel, or the Slack channel if we're doing this for Slack. So I'll go ahead and click OK. I'm actually just going to delete this as I already have one created for us. So if we come in here and check out my already-created one, you can see here I have my webhook URL, HTTP body is blank, and the status is on.

Once we have this fabric connector created, the next thing that we need to do is come under Incidents & Events. The one thing to note for this integration with Teams right now: it is only integrating with incidents. So the next thing that we need to do is create a notification profile, and then we're just going to connect this over to our fabric connector that we created, which mine is called "FortiAnalyzer incidents"; this will be the name of whatever you named that connector. So we're just going to send an alert through the fabric connector: turn that on, and then select the connector from the drop-down. Once we have that selected, click the OK button.

The next thing that we're going to do here is come over to our incidents, and from the settings here we are again going to select our fabric connector, and it should be listed out here. You can see it's a Teams connector and it is called "FortiAnalyzer incidents", so you can go ahead and select that. And then what we can send notifications for is when an incident is created, when an incident is updated, or when an incident is deleted. Now the only caveat here is that when an incident is created, if it is created in a New status it will not trigger a notification. So any incident that's created needs to have a status of anything other than New, and it will get sent over to the Teams channel. So we can click OK there, and now we should be able to test this out. So if I delete an incident, if I create one, if one is triggered by a playbook to create an incident, as long as it's not a New status, that will get sent over. So I'm just going to go ahead and manually create a new incident. We can make this anything here; let's just say it's malicious code, severity medium, status anything other than New, so let's do Analysis, and then for description we can say "this is a new incident", and then you can assign it to anybody or you can leave it blank; I'll just go ahead and assign it to the admin user. And we should see this update sent over to our Teams channel. So if I come back over to my Teams channel, you can see here that I have a new incident alert. You can see the incident has an ID number, the change type (this is a brand new incident that was created), and it does give you a timestamp. It's not necessarily readable, but this can be further customized if we come back to our fabric connector and we play around with the HTTP body. I am not versed in HTTP language, so this is outside the realm of my expertise, but if you wanted the message to read differently you can just change the HTTP body here.

You will also get updates sent to the Teams channel if an incident is updated. So if we come back to the incident and we edit and we change the status from Analysis to, we are closing this, Remediated, let's change that status. Now we should get another notification sent over, and you can see this is the new notification, and you can see the revision now is set to one, so there's been one edit made to this incident and it was an update here. This will also trigger a notification to the Microsoft Teams channel when we delete an incident, so if you go ahead and delete this one, we'll see that we get another notification sent over here, and you can see this is our delete here, and you can see the change type is delete. So that's going to do it for the Microsoft Teams integration with FortiAnalyzer in firmware 7.4.

Now I am going to move over to the Microsoft Teams and Slack integration within FortiGate. If we come down into Security Fabric and Automation, the integration is going to be within our automation stitches. I already have a couple of pre-made stitches, so let's go ahead and I'll create one from new, and I won't save it; I will just create the same thing and then come back and show you the one that I've already created. So "test send admin logout". A very common trigger that I see from customers is they want to get alerts when an admin logs into the device, or an admin logs out, or there's a failed login attempt, so on and so forth. You can accomplish that very easily by getting those from the OS event log. So if we go ahead and click Create and we scroll down, there's the option for FortiOS Event Log, and if you hit the plus button for Event and we just search "admin", there are all these events related to what an admin does. So for this one we're going to do "Admin login successful", and you would click OK. I already do have this one created, so we are not going to create it; I'm just going to select this one. You can see my admin login event here; in the log it is "admin login successful". So let's go ahead and select that, click Apply, and then this is where the action is going to happen, and we're going to tell it to send a Teams notification to our channel. I again already have these created, but if you start from scratch you click Create and you click Microsoft Teams Notification. This is where you're going to need to paste in that webhook URL, so let's go ahead and just paste that in here. Now if you leave the text as just "log", it will send the entire raw log to the Teams channel. We can further customize what that message looks like; for now I'm going to show you what that looks like, and then I'll show you how you can further customize what the message looks like in the Teams channel. So I'm going to go ahead and cancel this out completely. I'm going to come back into the one that I've already created, which is my admin login Teams notification one here. So if I double-click, you can see that my trigger is my admin login, and my action is my Teams integration here. If I click the edit button, you can see that I have further edited this, but let's just go ahead and put in the log, the entire log file, just so you can get an idea of what that looks like. So let's click OK here; we do need to select this and click Apply and then click OK. So now when we log into the device we should see a Teams notification here, and there we go, there is our Teams message, and you can see it's the entire log file here. So it's going to give you the entire raw log. It does look a little messy, but it does give you all of the information related to the login.

If you wanted to further customize what this message actually looks like, you can do that. As an example, I'll come back into my automation stitch here and I'm going to edit this again, and I'm going to edit what this text looks like. So I'm going to say I want my message to say what user logged in and what device did they actually log into. To do that we're going to pull from the raw log, but we're going to extract who the user was, so you would do log.user, and then you can just type in any plain text here, so we're going to say "user has logged into", and then we can pull out the device ID name. So if we come over here from the raw log, you can pull out any information from here just by using the handler, whatever the handler is called. So if we want to do it by device ID, we'll do log.devid, and then I will save this, click Apply and click OK, and let's go ahead and test that again. And now you can see the message that was created: "admin has logged into" and this is my device ID name. So that's how you would further customize what that message actually looks like in the Teams channel. You can see I also have created an automation stitch for when an admin logs out, and this will be my logout notification, and again I just pulled from the event log when an admin logs out.

Now I'm going to move over into configuring Slack notifications, which is going to be very, very similar. The first thing that we need to do is set up the channel for webhooks and then grab our webhook URL. So if we come over into your Slack application, come under More and then click Apps, and then you search for "webhook", and then from Webhooks click Add, and it will bring you to the web browser for adding webhooks, and you would click Add to Slack. Then you're going to select whatever channel that you want to post messages to; I'm just going to choose my own personal channel, which is direct messages to myself, and then I would click Add Incoming Webhooks Integration. Now again, I've already done this, so I'm going to close out of this page, but just move over to the one that I've already created here, and this is really what we want here: this is the webhook URL. And then if we click Create New, it's going to look exactly the same as what we did, just switching up the action on here. So we do admin login, and from our action we would click Create and then select the notification and paste in our webhook URL, and then whatever we want that message to look like. So if we keep it at "log", it's going to be our raw log; you can further customize what that looks like. So again, I already have this created, so I'm going to cancel out of this and just show you the one that I've already created, "slack admin notification", and you can just see kind of what mine looks like. I have "user has logged into device ID", same as before. And now let's go ahead and log out and we will log back in, and if I come under my channel here, you can see that I have messages relating to when I just logged in: "admin has logged into" and then my device ID name, and then you can see how I had it before where it's just the entire raw log here.

So that's going to do it for this demonstration. Let me stop sharing here. So that is the integration with FortiGate and FortiAnalyzer sending notifications to a channel within Slack or Microsoft Teams. I hope this is useful. This is something that a lot of my customers that I work with are looking for: they want notifications sent to them for anything that happens, really, anything that their organization feels is pertinent to them. A lot of times they are looking for admin logins; it could be that they want a Teams notification sent when, let's say, a compromised host was detected or an antivirus log was generated on the FortiGate. You can also configure emails, which I can show in a later video. A lot of times companies, in their IT, have issues with people not checking emails, so that's why they like these Teams channel notifications, and those can be sent directly as push notifications to your phone if you have those turned on for Teams or Slack. So I thought this was a useful video; a lot of my customers are looking for this. As always, if anybody has questions or needs help, go ahead and just post in the comments and I am happy to help. Thanks everyone for sticking around.
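The message customization shown in the video (a template that pulls fields such as user and device ID out of the raw FortiOS log and posts the result to a Teams or Slack incoming webhook) as an added example, not code from the video or from Fortinet; the `%%log.<field>%%` placeholder form, the `status="failed"` value and the sample log line are assumptions constructed for this example.

```python
import json
import re
import shlex
from typing import Dict

# Constructed sample FortiOS-style admin login event (not captured from a real device).
SAMPLE_LOG = (
    'date=2023-09-06 time=10:15:02 devname="FGT-LAB" devid="FGT-DEVID-PLACEHOLDER" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'user="admin" ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 '
    'action="login" status="success" reason="none" '
    'msg="Administrator admin logged in successfully from https(192.0.2.10)"'
)

# Assumed placeholder syntax: %%log%% = whole raw log, %%log.<field>%% = one field.
PLACEHOLDER = re.compile(r"%%log(?:\.([A-Za-z0-9_]+))?%%")


def parse_fortios_log(raw: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(raw):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_admin_login(fields: Dict[str, str], success: bool = True) -> bool:
    """Mirror the stitch trigger: an admin login event, successful or failed
    (status="failed" is an assumed value for the failure case)."""
    wanted = "success" if success else "failed"
    return (fields.get("type") == "event" and fields.get("action") == "login"
            and fields.get("status") == wanted)


def render_message(template: str, raw: str) -> str:
    """Expand placeholders; an unknown field is left visible rather than blanked."""
    fields = parse_fortios_log(raw)

    def expand(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name is None:
            return raw
        return fields.get(name, m.group(0))

    return PLACEHOLDER.sub(expand, template)


def webhook_payload(template: str, raw: str) -> str:
    """JSON body for a Teams or Slack incoming webhook; both accept {"text": ...}.
    The webhook URL itself is a credential and is never placed in the message."""
    return json.dumps({"text": render_message(template, raw)})
```

Posting the payload is a plain HTTPS POST of this JSON to the webhook URL, which the FortiGate action does for you; the functions above only build what gets sent.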
Info
Channel: Alex Pavlock
Views: 1,109
Keywords: Fortinet, FortiGate, FortiAnalyzer, Automation Stitch, Microsoft Teams, Teams, Slack, Channel Notification
Id: lzXTXzi3mgo
Length: 20min 2sec (1202 seconds)
Published: Wed Sep 06 2023