External Systems Configuration Guide

Fortinet FortiRecon

Fortinet FortiRecon

Support Added: FortiSIEM 7.1.0

Vendor Version Tested: FortiRecon 23.2.b

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/fortirecon

Configuring Generic Poller for FortiRecon API Events

FortiSIEM uses the integration type (HTTPS Advanced), otherwise known as the "Generic Log API Poller," to ingest data from FortiRecon API on a recurring interval.

To configure, you will define an HTTPS Advanced credential for each API endpoint to collect data from that endpoint.

FortiSIEM out of the box provides parsing for the following FortiRecon APIs.

  • /aci/<org_id>/leaked_cards - Displays any detected leaked credit or debit cards for your organization.

  • /aci/<org_id>/leaked_creds - Displays any detected leaked credentials for your organization.

  • /aci/<org_id>/reports - Displays the latest breaches, attacks, campaigns and data leaks seen on the web, drawn from a variety of intelligence sources. This is general information not specific to your organization.

  • /bp/<org_id>/rogue_apps - A list of publicly known rogue or malicious apps and the number of known downloads of each application; not specific to your organization.

  • /bp/<org_id>/typo_domains - Domains with common misspellings of, or names similar to, your organization's domains.

  • /easm/<org_id>/issues - Detected issues for scanned externally visible assets in your organization.

    Definitions:

    BP - Brand Protection

    EASM - External Attack Surface Management

    ACI - Adversary Centric Intelligence

Additional details: https://docs.fortinet.com/document/fortirecon/23.2.b/release-notes/781448/fortirecon-23-2-b-release

Preparation
  1. Log in to FortiRecon and generate an API key, which you will need for your HTTPS Advanced credential definitions.

  2. Obtain your FortiRecon Tenant/Organization ID, which is used in the URL path of many API calls for FortiRecon.

  3. Confirm the base API hostname. As of this writing, it is: api.fortirecon.forticloud.com.

Setup in FortiSIEM

The following showcases two methods to set up a single API endpoint (Leaked Cards). This process must be repeated for each API endpoint. After following the Easy or Manual Method, proceed to Starting the Event Pulling.

Easy Method
  1. Download the following JSON file: FortiRecon_LeakedCards_API_Credential.json

  2. Navigate to Admin > Setup > Credentials, and under Step 1: Enter Credentials, click New.

    1. In the Name field, enter "FortiRecon_LeakedCards".

    2. In Device Type, enter/select "Fortinet FortiRecon".

    3. Click Import Definition in the bottom window and select the prior downloaded JSON file, and click Import.

    4. When prompted to overwrite the definition, click Yes to overwrite the config.

    5. In the General Parameters row, click the Pencil icon.

      1. In the URI Stem field, replace <yourOrg> with your FortiRecon organization ID.

      2. Click OK.

    6. In the Authentication Parameters row, click the Pencil icon.

      1. In the API Key Name field, ensure it is "Authorization".

      2. In the API Key Value field, enter/paste your FortiRecon API key.

      3. Click OK.

    7. Click Save at the bottom of the Access Method Definition window.

Manual Method (Defining the API Components) - Leaked Cards Walkthrough

After logging in to FortiSIEM, take the following steps.

  1. Navigate to Admin > Setup > Credentials, and under Step 1: Enter Credentials, click New.

  2. In the Name field, enter "FortiRecon_LeakedCards".

  3. In Device Type, enter/select "Fortinet FortiRecon".

  4. For Pull Interval, leave the default or change it as desired, e.g. every 30 minutes.

  5. For Authentication Type, select API Key.

  6. In the General Parameters row, click the Pencil icon and configure the following fields:

    1. Host Name: api.fortirecon.forticloud.com

    2. URI Stem: /aci/<org_id>/leaked_cards

      Note: You must replace <org_id> with your FortiRecon organization ID.

    3. JSON Response Log Key: hits

    4. Log Header: FORTIRECON_ACI_LEAKED_CARDS

    5. Click OK.

      Note: Leave the other fields at their defaults.

  7. In the Authentication Parameters row, click the Pencil icon and configure the following fields.

    1. API Key Name: Authorization

    2. API Key Value: <Enter/paste your FortiRecon API key>

    3. Send Method: Send As Header

    4. Click OK.

  8. In the Log API Parameters row, click the Pencil icon and configure the following fields.

    1. Click the Header tab, click New, and configure the following fields.

      1. Key Type: String

      2. Key Name (header name): Content-Type

      3. Key Value: application/json

    2. Click OK.

    3. Under Header, click New again, and configure the following fields.

      1. Key Type: string

      2. Key Name (header name): accept

      3. Key Value: application/json

    4. Click OK.

    5. Click the Pagination tab, and configure the following fields.

      1. Pagination Method: Offset and Limit

      2. Limit Key Name: size

      3. Limit Value: 100

      4. Offset Key Name: page

      5. Offset Start Value: 1

      6. Offset Increment Value: 1

      7. Offset Max Value: 100

    6. Click OK.

  9. Click Save for Credential.

Setup for all other API endpoints is the same. You can import the same credential as above; only under General Parameters do you need to update the URI Stem to the correct API path for each new credential.
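The following is an added example, not Fortinet's code, showing what the credential defined above amounts to when the Generic Log API Poller runs it: the two static headers from Log API Parameters, the API key sent as the Authorization header, the Offset and Limit pagination (page/size starting at 1, at most 100 pages), and collection of the objects under the JSON Response Log Key "hits". The API itself is replaced by a constructed offline stand-in; the assumptions that a page with fewer than `size` hits is the last one, that the API returns {"hits": [...]}, and the organization ID and API key values are not from the guide.

```python
"""Added example (not Fortinet's code): a minimal stand-in for what the
FortiSIEM "Generic Log API Poller" does with the Leaked Cards credential.

Assumptions not taken from the guide: the API returns {"hits": [...]} per
page, a page with fewer than `size` hits is the last one, and the org id /
API key used in the test are constructed placeholders.
"""
import json
from typing import Callable, Dict, List

API_HOST = "api.fortirecon.forticloud.com"  # Host Name from the guide

# Values from the General / Authentication / Log API Parameters steps.
POLLER_CONFIG = {
    "uri_stem": "/aci/<org_id>/leaked_cards",
    "response_log_key": "hits",
    "log_header": "FORTIRECON_ACI_LEAKED_CARDS",
    "headers": {"Content-Type": "application/json", "accept": "application/json"},
    "pagination": {"limit_key": "size", "limit": 100,
                   "offset_key": "page", "offset_start": 1,
                   "offset_increment": 1, "offset_max": 100},
}

# fetch(url, headers, query_params) -> response body as text
Fetcher = Callable[[str, Dict[str, str], Dict[str, int]], str]


def build_headers(api_key: str, cfg: dict) -> Dict[str, str]:
    """API Key with Send Method 'Send As Header' and key name Authorization,
    plus the two static headers configured under the Header tab."""
    headers = dict(cfg["headers"])
    headers["Authorization"] = api_key
    return headers


def build_url(org_id: str, cfg: dict) -> str:
    """Substitute the organization ID into the URI Stem."""
    return "https://" + API_HOST + cfg["uri_stem"].replace("<org_id>", org_id)


def poll_endpoint(org_id: str, api_key: str, cfg: dict, fetch: Fetcher) -> List[dict]:
    """Walk the pages (Offset and Limit pagination) and return every hit.
    Stops on a short page (assumed last page), a missing log key (e.g. an
    error body without 'hits'), or when Offset Max Value is reached."""
    pg = cfg["pagination"]
    url = build_url(org_id, cfg)
    headers = build_headers(api_key, cfg)
    log_key = cfg["response_log_key"]
    hits: List[dict] = []
    page = pg["offset_start"]
    while page <= pg["offset_max"]:
        params = {pg["limit_key"]: pg["limit"], pg["offset_key"]: page}
        body = json.loads(fetch(url, headers, params))
        page_hits = body.get(log_key, [])
        hits.extend(page_hits)
        if len(page_hits) < pg["limit"]:
            break
        page += pg["offset_increment"]
    return hits


def make_fake_api(total_hits: int, expected_key: str) -> Fetcher:
    """Constructed offline stand-in for the FortiRecon API (not the real
    service). Serves `total_hits` synthetic records in page/size pages and
    answers without a 'hits' key when the Authorization header is wrong."""
    calls = []

    def fetch(url: str, headers: Dict[str, str], params: Dict[str, int]) -> str:
        calls.append((url, dict(headers), dict(params)))
        if headers.get("Authorization") != expected_key:
            return json.dumps({"detail": "unauthorized"})
        size, page = params["size"], params["page"]
        start = (page - 1) * size
        records = [{"unique_id": str(i), "bin": "437551", "brand_name": "VISA"}
                   for i in range(start, min(start + size, total_hits))]
        return json.dumps({"hits": records})

    fetch.calls = calls  # exposed so a caller can inspect what was sent
    return fetch


if __name__ == "__main__":
    api = make_fake_api(250, "constructed-api-key")
    got = poll_endpoint("0000-constructed-org", "constructed-api-key", POLLER_CONFIG, api)
    print(len(got), "hits over", len(api.calls), "requests")
```

With 250 synthetic records and a Limit Value of 100, the poller makes three requests (pages 1, 2 and 3) and stops after the short third page; with a wrong API key it receives a body without "hits" and returns nothing, which is the same symptom you see in FortiSIEM when Test Connectivity succeeds but no events arrive.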

Starting the Event Pulling
  1. Under Step 2: Enter IP Range to Credential Associations, click New.

  2. In Credentials, select the credential created earlier for the API endpoint.

  3. Click Save.

  4. Select the credential you created in step 2, and click Test > Test Connectivity without Ping.

  5. Click Pull Events in the top navigation bar, and wait 5 minutes for the first event pull to start. A green checkbox should eventually appear.

  6. Navigate to Analytics.

  7. Search for events with: Event Type CONTAIN FortiRecon-

Sample Events

Jan 13 14:55:09 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_LEAKED_CARDS: {"org_id": "xxxx1234-xx12-33c5-a7a6-97134501723", "bin": "437551", "bank_name": "Example Bank", "base_name": "DEC 14 USA MAGENTO SSN DOB EMAIL IP", "category": "VISA", "type": "CREDIT", "shop_name": "findsome", "city": "Sunnyvale", "holder_name": "Example User", "expiry": "January/2024", "country": "UNITED STATES", "price": "15.00", "state": "ca", "unique_id": "4961534989", "zip": "90210", "brand_name": "VISA", "bg_code": 2, "index_ts": "2022-12-15T15:20:40Z"}
Jan 13 12:29:25 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_EASM_ISSUES: {"id": "6284d0f7dbb73af1cab5aa40", "issue_name": "Exposed HTTP Service", "asset": "1.1.1.1", "severity": "low", "port": null, "bucket": "Exposed Insecure Service", "status": "active", "user_name": null, "issue_name_identifier": "exposed_http_service", "bucket_id": "exposed_insecure_service"}
Jan 13 14:36:16 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_BP_ROGUE_APPS: {"id": "a9db3f42-edb6-461e-ba97-5c098b276b73", "name": "Best Ringtones 1.5 by Excellente Ringtones Sounds", "size": "6.54", "download_count": "0", "index_ts": "2022-11-10T04:13:13Z", "first_seen": "2022-11-10T08:52:56Z", "source_name": "apk-watch", "ticket_id": null, "keyword": "zoom", "developer_name": "Excellente Ringtones Sounds", "status": "Unofficial"}
Jan 13 15:04:06 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_REPORTS: {"report_id": "2022080476177", "motivation": "Cyber Crime", "relevance_rating": "Medium", "status": "Published", "geography": ["south asia"], "tlp": "Amber", "source_name": "Breached aka BreachForums", "source_reliability": "B-Usually reliable", "information_reliability": "2-Probably true", "information_date": "2022-08-04T00:00:00Z", "adversary": ["leakbase"], "summary": "FortiGuard Threat Research identified two posts on the English language cybercrime forum 'Breached', where an actor who operates by the handle 'LeakBase' shared the database claiming to be from an Indian payment facilitator SecurePe, and an Indian DTH and mobile recharge service provider Click On Recharge.", "industry_tags": ["consumer services", "financial services"], "source_category": "Darknet", "report_title": "Actor 'LeakBase' shared databases claimed to be from Indian payment facilitator 'SecurePe', and Indian TV and mobile recharge service provider 'Click On Recharge'", "report_type": "Threat Alert", "threat": ["data breach", "personal information identification (pii)", "account(s) compromised", "database"], "publish_date": "2022-08-04T00:00:00Z"}
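As an added example (not part of the guide and not Fortinet's code), the parser below turns log lines in the Sample Events format back into structured records and groups them by FortiRecon module using the ACI / BP / EASM segment of the Log Header and the Definitions above. Three of the sample events from this page are embedded verbatim as input. The assumption that every FortiRecon log header follows the same "<timestamp> <host> <reporter IP> <LOG_HEADER>: <json>" shape is mine, not a statement of the guide.

```python
"""Added example (not Fortinet's code): parse FortiSIEM log lines written
for FortiRecon events and group them by FortiRecon module.

Assumption not taken from the guide: the line shape
"<Mon DD HH:MM:SS YYYY> <host> <reporter ip> <LOG_HEADER>: <json>"
holds for every FortiRecon log header, not only the four shown.
"""
import json
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

MODULES = {  # from the Definitions section of the guide
    "ACI": "Adversary Centric Intelligence",
    "BP": "Brand Protection",
    "EASM": "External Attack Surface Management",
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<reporter>\S+) (?P<header>[A-Z0-9_]+): (?P<body>\{.*\})$"
)

# Three of the sample events from the guide, reproduced verbatim.
SAMPLE_EVENTS = [
    'Jan 13 14:55:09 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_LEAKED_CARDS: {"org_id": "xxxx1234-xx12-33c5-a7a6-97134501723", "bin": "437551", "bank_name": "Example Bank", "base_name": "DEC 14 USA MAGENTO SSN DOB EMAIL IP", "category": "VISA", "type": "CREDIT", "shop_name": "findsome", "city": "Sunnyvale", "holder_name": "Example User", "expiry": "January/2024", "country": "UNITED STATES", "price": "15.00", "state": "ca", "unique_id": "4961534989", "zip": "90210", "brand_name": "VISA", "bg_code": 2, "index_ts": "2022-12-15T15:20:40Z"}',
    'Jan 13 12:29:25 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_EASM_ISSUES: {"id": "6284d0f7dbb73af1cab5aa40", "issue_name": "Exposed HTTP Service", "asset": "1.1.1.1", "severity": "low", "port": null, "bucket": "Exposed Insecure Service", "status": "active", "user_name": null, "issue_name_identifier": "exposed_http_service", "bucket_id": "exposed_insecure_service"}',
    'Jan 13 14:36:16 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_BP_ROGUE_APPS: {"id": "a9db3f42-edb6-461e-ba97-5c098b276b73", "name": "Best Ringtones 1.5 by Excellente Ringtones Sounds", "size": "6.54", "download_count": "0", "index_ts": "2022-11-10T04:13:13Z", "first_seen": "2022-11-10T08:52:56Z", "source_name": "apk-watch", "ticket_id": null, "keyword": "zoom", "developer_name": "Excellente Ringtones Sounds", "status": "Unofficial"}',
]


def parse_event(line: str) -> Optional[dict]:
    """Split one poller log line into header fields and the JSON payload.
    Returns None for lines that are not in this format or whose payload
    is truncated/malformed, so a caller can count and skip them."""
    m = LINE_RE.match(line)
    if not m:
        return None
    header = m.group("header")
    parts = header.split("_")
    # FORTIRECON_<MODULE>_<ENDPOINT...>  ->  module is the second segment
    module = parts[1] if len(parts) > 2 and parts[0] == "FORTIRECON" else None
    try:
        fields = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
        "host": m.group("host"),
        "reporter": m.group("reporter"),
        "log_header": header,
        "module": module,
        "module_name": MODULES.get(module),
        "fields": fields,
    }


def count_by_module(lines: List[str]) -> Dict[str, int]:
    """Number of parsable events per FortiRecon module (ACI, BP, EASM)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["module"]:
            counts[ev["module"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_EVENTS):
        print(ev["timestamp"], ev["log_header"], ev["module_name"])
    print(count_by_module(SAMPLE_EVENTS))
```

Keeping the module segment separate from the endpoint is what makes a later routing or reporting rule cheap: EASM issues carry an asset and a severity and belong with external-exposure findings, while ACI events describe things found about your organization elsewhere and should not be treated as assets you own.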
