For this example, I am using HTTP log forwarding along with IFTTT to get a push notification on my iPhone every time there is a Critical Threat event.
Install IFTTT and sign up for an account on your desktop at ifttt.com
Once you are logged in through your browser, go to https://ifttt.com/maker and connect Maker to your account. Next, click on the settings icon, and follow the link to your Maker URL
Take note of the example URL, as it contains your API key.
Create a new IFTTT applet
Click on the My Applets menu item, then click the New Applet button. The first half of the applet is If This – click on “+this” and search for the Maker service. Under the Maker service, select the Web Request Trigger and configure it as shown below
Complete your applet by setting the action to a Notification
Configure the firewall log forwarding settings
Create a new HTTP log server profile. Add a new server, setting the Address to maker.ifttt.com. Configure the server to use either HTTP or HTTPS, and set the HTTP Method to POST. Under Payload Format, edit the Threat format as shown below
The URL format should be set to:
trigger/Critical_Threat/with/key/<<YOUR KEY HERE>>
Note – this is from the URL you got from the Maker service settings in step 1.
Set the Payload to:
value1="$device_name"&value2="$threatid"&value3="$receive_time"
Then send a Test log – your IFTTT app should notify you at this point.
Configure a log profile for critical threats to use the push service
Create a new log forwarding profile, or edit your existing one to forward Threat logs with the Filter set to (severity eq critical), then add your new HTTP server under forwarding method. Apply this log forwarding profile to any security policies with Threat Prevention to trigger push notifications automatically.
Created by Darren Rogers.
