Add Automation Connector (Webhook)
Create a new automation connector (webhook) for incident and event management integrations.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview
This endpoint creates automation connectors - useful for:
- Integrating FortiAnalyzer with SIEM platforms (Splunk, QRadar, Sentinel)
- Connecting to SOAR platforms (Palo Alto XSOAR, Splunk Phantom)
- Creating ticketing system integrations (ServiceNow, Jira)
- Setting up chat notifications (Slack, Microsoft Teams)
- Building custom webhook integrations
- Automating incident response workflows
Automation connectors enable FortiAnalyzer to send real-time security events and alerts to external systems.
Endpoint Details
- Method: POST
- URL: /jsonrpc
- API Path: /config/adom/{adom}/system/webhook
- ADOM Support: Yes
- Requires Authentication: Yes
- Minimum Version: 7.4.0
Prerequisites
- Active session or valid API key
- Administrative access to system configuration in specified ADOM
- Target webhook URL accessible from FortiAnalyzer
- Authentication credentials for target system (if required)
Request Format
Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `adom` | | Yes | - | ADOM name (e.g., "root") |
| `name` | | Yes | - | Unique connector name |
| `uri` | | Yes | - | Webhook endpoint URL |
| `protocol` | | Yes | - | Protocol: "HTTPS" or "HTTP" |
| `port` | | Yes | - | Port number (e.g., 443, 8088) |
| `title` | | Yes | - | Display title |
| `description` | | Yes | - | Connector description |
| `method` | | No | | HTTP method: 0=POST, 1=GET, 2=PUT |
| `conn-type` | | No | | Connection type |
| `auth-status` | | No | | Authentication: 0=disabled, 1=enabled |
| `status` | | No | | Status: 0=disabled, 1=enabled |
| `color` | | No | | UI color code (hex) |
Request Example

```json
{
  "method": "add",
  "params": [{
    "url": "/config/adom/root/system/webhook",
    "data": {
      "name": "Splunk_HEC",
      "uri": "https://splunk.example.com:8088/services/collector",
      "protocol": "HTTPS",
      "port": 8088,
      "title": "Splunk SIEM",
      "description": "Splunk HTTP Event Collector Integration",
      "method": 0,
      "conn-type": 0,
      "auth-status": 1,
      "status": 1,
      "color": "#00AA00"
    }
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

Response:

```json
{
  "result": [{
    "data": {
      "name": "Splunk_HEC"
    },
    "status": {
      "code": 0,
      "message": "OK"
    },
    "url": "/config/adom/root/system/webhook"
  }],
  "session": "{{session_id}}",
  "id": 1
}
```
Complete Python Example

```python
import requests


def add_automation_connector(session_id, adom, name, uri, port, protocol="HTTPS",
                             title=None, description=None, enabled=True,
                             verify=True):
    """
    Add automation connector (webhook)

    Args:
        session_id: Active session ID
        adom: ADOM name
        name: Unique connector name
        uri: Webhook URL
        port: Port number
        protocol: "HTTPS" or "HTTP" (default: HTTPS)
        title: Display title (default: same as name)
        description: Connector description (default: "<name> integration")
        enabled: Enable connector (default: True)
        verify: TLS verification for the FortiAnalyzer connection; True or
            the path to a CA bundle for a privately signed certificate
            (default: True)

    Returns:
        str: Created connector name
    """
    url = "https://faz.example.com/jsonrpc"
    payload = {
        "method": "add",
        "params": [{
            "url": f"/config/adom/{adom}/system/webhook",
            "data": {
                "name": name,
                "uri": uri,
                "protocol": protocol,
                "port": port,
                "title": title or name,
                "description": description or f"{name} integration",
                "method": 0,       # POST
                "conn-type": 0,
                "auth-status": 0,  # Disabled by default
                "status": 1 if enabled else 0,
                "color": "#FFFFFF"
            }
        }],
        "session": session_id,
        "id": 1
    }

    # The request carries the session ID, so the FortiAnalyzer certificate
    # is verified rather than skipped with verify=False.
    response = requests.post(url, json=payload, verify=verify, timeout=30)
    response.raise_for_status()
    result = response.json()

    if result['result'][0]['status']['code'] == 0:
        print(f"✓ Automation connector '{name}' created successfully")
        return result['result'][0]['data']['name']
    else:
        raise Exception(f"API error: {result['result'][0]['status']['message']}")


# Example: Create Splunk integration
connector_name = add_automation_connector(
    session_id="your_session_id",
    adom="root",
    name="Splunk_HEC",
    uri="https://splunk.example.com:8088/services/collector",
    port=8088,
    protocol="HTTPS",
    title="Splunk SIEM",
    description="Splunk HTTP Event Collector Integration",
    enabled=True
)
```
Use Cases
SIEM Integration - Splunk

```python
# Create Splunk HEC webhook connector
add_automation_connector(
    session_id=session,
    adom="root",
    name="Splunk_HEC",
    uri="https://splunk.example.com:8088/services/collector",
    port=8088,
    title="Splunk SIEM",
    description="Forward security events to Splunk",
    enabled=True
)
```

SIEM Integration - QRadar

```python
# Create IBM QRadar webhook connector
add_automation_connector(
    session_id=session,
    adom="root",
    name="QRadar_API",
    uri="https://qradar.example.com/api/siem/offenses",
    port=443,
    title="IBM QRadar",
    description="Forward security events to QRadar",
    enabled=True
)
```

Ticketing Integration - ServiceNow

```python
# Create ServiceNow incident webhook
add_automation_connector(
    session_id=session,
    adom="root",
    name="ServiceNow_Incidents",
    uri="https://instance.service-now.com/api/now/table/incident",
    port=443,
    title="ServiceNow",
    description="Create incidents for critical alerts",
    enabled=True
)
```

Chat Notifications - Slack

```python
# Create Slack webhook for security alerts
add_automation_connector(
    session_id=session,
    adom="root",
    name="Slack_Security_Channel",
    uri="https://hooks.slack.com/services/YOUR/WEBHOOK/URL",
    port=443,
    title="Slack Notifications",
    description="Send critical alerts to Slack #security channel",
    enabled=True
)
```

Chat Notifications - Microsoft Teams

```python
# Create Microsoft Teams webhook
add_automation_connector(
    session_id=session,
    adom="root",
    name="Teams_SOC_Channel",
    uri="https://outlook.office.com/webhook/YOUR_WEBHOOK_ID",
    port=443,
    title="Microsoft Teams",
    description="Send alerts to Teams SOC channel",
    enabled=True
)
```
Best Practices
💡 Tip: Always use HTTPS protocol for webhook connectors to ensure secure transmission of security event data.
💡 Tip: Use descriptive names and titles to clearly identify the purpose of each connector.
⚠️ Warning: Test webhook connectivity before enabling the connector to ensure successful event delivery.
💡 Tip: Create separate connectors for different severity levels or event types for better organization.
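The HTTPS tip can be enforced on the `data` object before the `add` request is sent. The following is an added example, not part of the FortiAnalyzer documentation or API: `check_connector`, its rules and the sample inputs are hypothetical, and it only inspects the fields shown in the request example above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def check_connector(data):
    """Return problems found in a webhook connector `data` object.

    Hypothetical pre-flight check, not a FortiAnalyzer API; field names are
    the ones used in the request example on this page.
    """
    problems = []
    parts = urlsplit(data.get("uri", ""))
    scheme = parts.scheme.lower()
    protocol = str(data.get("protocol", "")).upper()

    if scheme != "https" or protocol != "HTTPS":
        problems.append("events would be sent without TLS")
    if scheme and protocol and scheme.upper() != protocol:
        problems.append(f"uri scheme '{scheme}' disagrees with protocol '{protocol}'")
    if not parts.hostname:
        problems.append("uri has no host")
    if parts.username or parts.password:
        problems.append("credentials embedded in uri")

    try:
        uri_port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # non-numeric or out-of-range port in the uri
        uri_port = None
        problems.append("uri port is not a valid number")
    port = data.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    elif uri_port is not None and uri_port != port:
        problems.append(f"uri port {uri_port} disagrees with port field {port}")
    return problems


# Constructed sample inputs; GOOD mirrors the page's request example.
GOOD = {"name": "Splunk_HEC", "protocol": "HTTPS", "port": 8088,
        "uri": "https://splunk.example.com:8088/services/collector"}
BAD = {"name": "Legacy_Hook", "protocol": "HTTPS", "port": 443,
       "uri": "http://user:pw@collector.example.com:8080/hook"}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample["name"], check_connector(sample) or "OK")
```

An empty list means the definition is consistent; anything else is worth resolving before the connector is created with `status` set to 1.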