
External Systems Configuration Guide

Fortinet FortiRecon


Support Added: FortiSIEM 7.1.0

Vendor Version Tested: FortiRecon 23.3

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/fortirecon

Configuring Generic Poller for FortiRecon API Events

FortiSIEM uses the HTTPS Advanced integration type, also known as the "Generic Log API Poller," to pull data from the FortiRecon API on a recurring interval.

Each FortiRecon API endpoint you want to collect from needs its own HTTPS Advanced credential; the steps below are repeated once per endpoint.

FortiSIEM out of the box provides parsing for the following FortiRecon APIs.

  • /aci/<org_id>/iocs - Indicators of compromise.
  • /aci/<org_id>/leaked_cards - Leaked credit or debit cards detected for your organization.
  • /aci/<org_id>/reports - Latest breaches, attacks, campaigns and data leaks seen on the web, drawn from a variety of intelligence sources; general information, not specific to your organization.
  • /bp/<org_id>/rogue_apps - Publicly known rogue or malicious apps and the number of known downloads of each; not specific to your organization.
  • /bp/<org_id>/domain_threats - Domain threat list for the monitored organization.
  • /easm/<org_id>/exposed_services - Services exposed to the public internet for the monitored organization.
  • /easm/<org_id>/issues - Issues detected on scanned, externally visible assets in your organization.
  • /easm/<org_id>/leaked_creds - Leaked credentials detected for your organization.
  • /easm/<org_id>/scan_statistics - Statistics for the EASM scan of the monitored organization.

    Definitions:

    ACI - Adversary Centric Intelligence

    BP - Brand Protection

    EASM - External Attack Surface Management

    <org_id> - Placeholder to be replaced by actual FortiRecon organization ID

Additional details:

https://fndn.fortinet.net/index.php?/fortiapi/2232-fortirecon/

https://docs.fortinet.com/product/fortirecon/

Preparation
  1. Log in to FortiRecon and generate an API key, which is needed for every HTTPS Advanced credential definition below. Treat this key as a secret: it grants read access to your organization's leaked credential, leaked card and exposure data, so store it only in the FortiSIEM credential, do not paste it into tickets or chat, and rotate it if it is ever exposed.

  2. Obtain your FortiRecon Tenant/Organization ID, which appears in the URL path of most FortiRecon API calls.

  3. Confirm the base API hostname. As of this writing, it is api.fortirecon.forticloud.com.

Setup in FortiSIEM

The following shows two methods of setting up a single API endpoint (Leaked Cards). Repeat the process for each API endpoint you want to collect. After completing either the Easy or the Manual Method, proceed to Starting the Event Pulling.

Easy Method
  1. Download the template archive FortiRecon_Generic_Poller_Templates.zip and unzip it on your local computer.

    The archive contains the following template files, one per API endpoint:

    • FORTIRECON_ACI_IOC.json
    • FORTIRECON_ACI_LEAKED_CARDS.json
    • FORTIRECON_ACI_REPORTS.json
    • FORTIRECON_BP_ROGUE_APPS.json
    • FORTIRECON_BP_DOMAIN_THREATS.json
    • FORTIRECON_EASM_EXPOSED_SERVICES.json
    • FORTIRECON_EASM_ISSUES.json
    • FORTIRECON_EASM_LEAKED_CREDS.json
    • FORTIRECON_EASM_SCAN_STATS.json
  2. Navigate to Admin > Setup > Credentials, and under Step 1: Enter Credentials, click New.

    1. In the Name field, enter the name of the FortiRecon API endpoint you wish to add. For example, for FORTIRECON_ACI_LEAKED_CARDS.json, you might enter the name "FortiRecon_LeakedCards".

    2. In Device Type, enter/select "Fortinet FortiRecon".

    3. Click Import Definition in the bottom window and select the appropriate json file. For example, for "Leaked cards" you would select the FORTIRECON_ACI_LEAKED_CARDS.json file, and click Import.

    4. When prompted to overwrite the definition, click Yes to overwrite the config.

    5. In the General Parameters row, click the Pencil icon.

      1. In the URI Stem field, replace <yourOrgID> with your FortiRecon organization ID.

      2. Click OK.

    6. In the Authentication Parameters row, click the Pencil icon.

      1. In the API Key Name field, ensure it is "Authorization".

      2. In the API Key Value field, enter/paste your FortiRecon API key.

      3. Click OK.

    7. Click Save at bottom of the Access Method Definition window.

  3. Repeat the instructions from step 2 for the remaining JSON files, as each of the FortiRecon API endpoints requires a separate credential to be defined. Also, make sure to change the Name field to reflect each of the FortiRecon credentials. For example, use the name "FortiRecon_IOC" for the FORTIRECON_ACI_IOC.json file.

When complete, the Credentials list under Step 1 should show one FortiRecon credential per endpoint (for example FortiRecon_LeakedCards, FortiRecon_IOC, and so on), each with Device Type "Fortinet FortiRecon".

Manual Method (Defining the API Components) - Leaked Cards Walkthrough

After logging in to FortiSIEM, take the following steps.

  1. Navigate to Admin > Setup > Credentials, and under Step 1: Enter Credentials, click New.

  2. In the Name field, enter "FortiRecon_LeakedCards".

  3. In Device Type, enter/select "Fortinet FortiRecon".

  4. For Pull Interval, leave at default, or change as desired e.g. every 30 minutes.

  5. For Authentication Type, select API Key.

  6. In the General Parameters row, click the Pencil icon and configure the following fields:

    1. Host Name: api.fortirecon.forticloud.com

    2. URI Stem: /aci/<yourOrgID>/leaked_cards

      Note: You must replace <yourOrgID> with your FortiRecon organization ID

    3. JSON Response Log Key: hits

    4. Log Header: FORTIRECON_ACI_LEAKED_CARDS

    5. Click OK.

      Note: Leave other fields default

  7. In the Authentication Parameters row, click the Pencil icon and configure the following fields.

    1. API Key Name: Authorization

    2. API Key Value: <Enter/paste your FortiRecon API key>

    3. Send Method: Send As Header

    4. Click OK.

  8. In the Log API Parameters row, click the Pencil icon and configure the following fields.

    1. Click the Header tab, click New, and configure the following fields.

      1. Key Type: String

      2. Key Name (header name): Content-Type

      3. Key Value: application/json

    2. Click OK.

    3. Under Header, click New again, and configure the following fields.

      1. Key Type: String

      2. Key Name (header name): Accept

      3. Key Value: application/json

    4. Click OK.

    5. Click the Pagination tab, and configure the following fields.

      1. Pagination Method: Offset and Limit

      2. Limit Key Name: size

      3. Limit Value: 100

      4. Offset Key Name: page

      5. Offset Start Value: 1

      6. Offset Increment Value: 1

      7. Offset Max Value: 100

    6. Click OK.

  9. Click Save for Credential.

Setup for the other API endpoints is the same. Clone the credential above and, under General Parameters, set the URI Stem and the Log Header for each endpoint from the table below. The Log Header is prepended to every pulled record and is what the FortiRecon parser keys on, so it must match the table exactly.

URI Stem                               Log Header                         Template file
/aci/<yourOrgID>/iocs                  FORTIRECON_ACI_IOC                 FORTIRECON_ACI_IOC.json
/aci/<yourOrgID>/leaked_cards          FORTIRECON_ACI_LEAKED_CARDS        FORTIRECON_ACI_LEAKED_CARDS.json
/aci/<yourOrgID>/reports               FORTIRECON_ACI_REPORTS             FORTIRECON_ACI_REPORTS.json
/bp/<yourOrgID>/rogue_apps             FORTIRECON_BP_ROGUE_APPS           FORTIRECON_BP_ROGUE_APPS.json
/bp/<yourOrgID>/stats/domain_threats   FORTIRECON_BP_DOMAIN_THREATS       FORTIRECON_BP_DOMAIN_THREATS.json
/easm/<yourOrgID>/exposed_services     FORTIRECON_EASM_EXPOSED_SERVICES   FORTIRECON_EASM_EXPOSED_SERVICES.json
/easm/<yourOrgID>/issues               FORTIRECON_EASM_ISSUES             FORTIRECON_EASM_ISSUES.json
/easm/<yourOrgID>/leaked_creds         FORTIRECON_EASM_LEAKED_CREDS       FORTIRECON_EASM_LEAKED_CREDS.json
/easm/<yourOrgID>/scan_statistics      FORTIRECON_EASM_SCAN_STATS         FORTIRECON_EASM_SCAN_STATS.json

Note: the domain_threats URI Stem in this table includes a /stats/ path segment, while the endpoint list at the top of this page gives /bp/<org_id>/domain_threats. Confirm the correct path against the FortiRecon API reference linked under Additional details before saving that credential.
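The credential defined in the Manual Method is, in effect, a description of an HTTP request loop: host plus URI Stem, three headers, page/size pagination until an empty page or the offset cap, and extraction of the "hits" array from each response. The following Python script is an added example, not part of this guide or of FortiSIEM, that reproduces that loop so you can see exactly what the poller sends and how many records a single pull can return. The HTTP transport is replaced by a constructed fake FortiRecon (make_fake_fortirecon), so it runs offline; the assumption that real responses carry records under "hits" with page numbering starting at 1 comes from the credential settings above, and the organization ID, API key and records are placeholders.

```python
"""Offline model of the FortiSIEM HTTPS Advanced (Generic Log API Poller)
credential for FortiRecon: same host, URI stem, headers and page/size
pagination, with the network replaced by a constructed fake API."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

HOST = "api.fortirecon.forticloud.com"
RESPONSE_LOG_KEY = "hits"            # JSON Response Log Key
# Pagination tab of the credential: Offset and Limit method.
LIMIT_KEY, LIMIT_VALUE = "size", 100
OFFSET_KEY, OFFSET_START, OFFSET_INCREMENT, OFFSET_MAX = "page", 1, 1, 100


def build_request(org_id, uri_stem, api_key, page, size=LIMIT_VALUE):
    """Return (url, headers) for one page, as the credential would send them."""
    path = uri_stem.replace("<yourOrgID>", org_id)
    url = f"https://{HOST}{path}?{urlencode({LIMIT_KEY: size, OFFSET_KEY: page})}"
    headers = {
        "Authorization": api_key,            # API Key, Send As Header
        "Content-Type": "application/json",  # Log API Parameters > Header
        "Accept": "application/json",
    }
    return url, headers


def poll_endpoint(fetch, org_id, uri_stem, api_key, log_header):
    """Walk pages from OFFSET_START until an empty page or OFFSET_MAX,
    yielding one log line per element of the response's "hits" array."""
    page = OFFSET_START
    while page <= OFFSET_MAX:
        url, headers = build_request(org_id, uri_stem, api_key, page)
        hits = fetch(url, headers).get(RESPONSE_LOG_KEY, [])
        if not hits:
            break
        for hit in hits:
            yield f"{HOST} {log_header}: {json.dumps(hit)}"
        page += OFFSET_INCREMENT


def key_is_accepted(fetch, org_id, uri_stem, api_key):
    """Equivalent of Test Connectivity: one page-1 request, True unless rejected."""
    url, headers = build_request(org_id, uri_stem, api_key, OFFSET_START)
    try:
        fetch(url, headers)
        return True
    except PermissionError:
        return False


def make_fake_fortirecon(records, expected_key):
    """Constructed stand-in for the FortiRecon API (assumption: records are
    returned under "hits" and page numbering starts at 1)."""
    def fetch(url, headers):
        if headers.get("Authorization") != expected_key:
            raise PermissionError("401 Unauthorized: check API Key Value")
        query = parse_qs(urlparse(url).query)
        page, size = int(query[OFFSET_KEY][0]), int(query[LIMIT_KEY][0])
        start = (page - OFFSET_START) * size
        return {"total": len(records), RESPONSE_LOG_KEY: records[start:start + size]}
    return fetch


# Constructed sample data: 230 minimal leaked-card records spanning three pages.
FAKE_RECORDS = [{"unique_id": str(4961534000 + i), "bin": "437551",
                 "bank_name": "Example Bank"} for i in range(230)]
FAKE_KEY = "example-api-key"      # placeholder, not a real FortiRecon key
FAKE_ORG = "00000000-0000-0000-0000-000000000000"   # placeholder org ID
fake_api = make_fake_fortirecon(FAKE_RECORDS, FAKE_KEY)


def run_example():
    """Poll the leaked_cards endpoint against the fake API; return all log lines."""
    return list(poll_endpoint(fake_api, FAKE_ORG, "/aci/<yourOrgID>/leaked_cards",
                              FAKE_KEY, "FORTIRECON_ACI_LEAKED_CARDS"))


if __name__ == "__main__":
    lines = run_example()
    print(f"{len(lines)} events; first: {lines[0]}")
```

Two things worth noticing from running it: the poller stops on the first empty page, so 230 records cost four requests (three with data, one empty), and the Offset Max Value of 100 combined with a Limit Value of 100 caps a single pull at 10,000 records per endpoint. If an endpoint can return more than that between pulls, shorten the Pull Interval rather than raising the page cap blindly. The key_is_accepted check mirrors what Test Connectivity does: it proves the key and path work for one page, nothing more.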

Starting the Event Pulling
  1. Under Step 2: Enter IP Range to Credential Associations, click New.

  2. In Credentials, select the credential created earlier for the API endpoint.

  3. Click Save.

  4. Select the association you just saved and click Test > Test Connectivity without Ping. If the test fails, the most common causes are a URI Stem that still contains the <yourOrgID> placeholder or an incorrect API Key Value.

  5. Click Pull Events in the top navigation bar and wait about 5 minutes for the first event pull to start. A green check mark should eventually appear.

  6. Navigate to Analytics.

  7. Search for events with: Event Type CONTAIN FortiRecon-

Sample Events

Jan 13 14:55:09 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_LEAKED_CARDS: {"org_id": "xxxx1234-xx12-33c5-a7a6-97134501723", "bin": "437551", "bank_name": "Example Bank", "base_name": "DEC 14 USA MAGENTO SSN DOB EMAIL IP", "category": "VISA", "type": "CREDIT", "shop_name": "findsome", "city": "Sunnyvale", "holder_name": "Example User", "expiry": "January/2024", "country": "UNITED STATES", "price": "15.00", "state": "ca", "unique_id": "4961534989", "zip": "90210", "brand_name": "VISA", "bg_code": 2, "index_ts": "2022-12-15T15:20:40Z"}
Jan 13 12:29:25 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_EASM_ISSUES: {"id": "6284d0f7dbb73af1cab5aa40", "issue_name": "Exposed HTTP Service", "asset": "1.1.1.1", "severity": "low", "port": null, "bucket": "Exposed Insecure Service", "status": "active", "user_name": null, "issue_name_identifier": "exposed_http_service", "bucket_id": "exposed_insecure_service"}
Jan 13 14:36:16 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_BP_ROGUE_APPS: {"id": "a9db3f42-edb6-461e-ba97-5c098b276b73", "name": "Best Ringtones 1.5 by Excellente Ringtones Sounds", "size": "6.54", "download_count": "0", "index_ts": "2022-11-10T04:13:13Z", "first_seen": "2022-11-10T08:52:56Z", "source_name": "apk-watch", "ticket_id": null, "keyword": "zoom", "developer_name": "Excellente Ringtones Sounds", "status": "Unofficial"}
Jan 13 15:04:06 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_REPORTS: {"report_id": "2022080476177", "motivation": "Cyber Crime", "relevance_rating": "Medium", "status": "Published", "geography": ["south asia"], "tlp": "Amber", "source_name": "Breached aka BreachForums", "source_reliability": "B-Usually reliable", "information_reliability": "2-Probably true", "information_date": "2022-08-04T00:00:00Z", "adversary": ["leakbase"], "summary": "FortiGuard Threat Research identified two posts on the English language cybercrime forum 'Breached', where an actor who operates by the handle 'LeakBase' shared the database claiming to be from an Indian payment facilitator SecurePe, and an Indian DTH and mobile recharge service provider Click On Recharge.", "industry_tags": ["consumer services", "financial services"], "source_category": "Darknet", "report_title": "Actor 'LeakBase' shared databases claimed to be from Indian payment facilitator 'SecurePe', and Indian TV and mobile recharge service provider 'Click On Recharge'", "report_type": "Threat Alert", "threat": ["data breach", "personal information identification (pii)", "account(s) compromised", "database"], "publish_date": "2022-08-04T00:00:00Z"}
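Each pulled record arrives as the Log Header followed by a colon and the raw JSON object, which is the format the sample events above show. The following Python script is an added example, not part of this guide or of FortiSIEM's own parser, that parses lines in that format and applies a few triage rules of the kind you would later express as FortiSIEM rules: a leaked card whose expiry month has not yet passed, an active EASM issue, an unofficial app hit, and a report's TLP marking. The sample lines are trimmed copies of the page's sample events, the AS_OF date is the sample capture date, and the priorities assigned are this example's own choices.

```python
"""Parser and triage for FortiRecon records in the FortiSIEM Generic
Log API Poller line format (Log Header: {json})."""
import json
import re
from datetime import date, datetime

# Constructed sample lines: trimmed copies of the page's sample events.
SAMPLE_LINES = [
    'Jan 13 14:55:09 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_LEAKED_CARDS: '
    '{"bin": "437551", "bank_name": "Example Bank", "category": "VISA", "type": "CREDIT", '
    '"expiry": "January/2024", "unique_id": "4961534989", "index_ts": "2022-12-15T15:20:40Z"}',
    'Jan 13 12:29:25 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_EASM_ISSUES: '
    '{"id": "6284d0f7dbb73af1cab5aa40", "issue_name": "Exposed HTTP Service", "asset": "1.1.1.1", '
    '"severity": "low", "status": "active", "issue_name_identifier": "exposed_http_service"}',
    'Jan 13 14:36:16 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_BP_ROGUE_APPS: '
    '{"id": "a9db3f42-edb6-461e-ba97-5c098b276b73", "name": "Best Ringtones 1.5", '
    '"keyword": "zoom", "status": "Unofficial", "source_name": "apk-watch"}',
    'Jan 13 15:04:06 2023 api.fortirecon.forticloud.com 192.0.2.0 FORTIRECON_ACI_REPORTS: '
    '{"report_id": "2022080476177", "relevance_rating": "Medium", "tlp": "Amber", '
    '"report_type": "Threat Alert", "threat": ["data breach", "database"]}',
]
AS_OF = date(2023, 1, 13)   # reference date for expiry checks (sample capture date)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<ip>\S+) (?P<header>FORTIRECON_[A-Z_]+): (?P<body>\{.*\})$"
)


def parse_line(line):
    """Split one poller line into its prefix fields and the decoded JSON payload."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a FortiRecon poller line: {line[:60]!r}")
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
        "host": m["host"],
        "header": m["header"],
        "fields": json.loads(m["body"]),
    }


def card_still_valid(expiry, as_of):
    """Expiry strings in the sample look like "January/2024"; treat the card
    as usable through the last day of that month."""
    exp = datetime.strptime(expiry, "%B/%Y")
    return (exp.year, exp.month) >= (as_of.year, as_of.month)


def triage(lines, as_of=AS_OF):
    """Return (header, priority, reason) for events that need action."""
    out = []
    for ev in (parse_line(line) for line in lines):
        f, h = ev["fields"], ev["header"]
        if h == "FORTIRECON_ACI_LEAKED_CARDS" and card_still_valid(f["expiry"], as_of):
            out.append((h, "high", f"leaked {f['category']} card (BIN {f['bin']}) "
                                    f"valid until {f['expiry']}: notify the issuer"))
        elif h == "FORTIRECON_EASM_ISSUES" and f.get("status") == "active":
            out.append((h, f["severity"], f"{f['issue_name']} on {f['asset']}"))
        elif h == "FORTIRECON_BP_ROGUE_APPS" and f.get("status") == "Unofficial":
            out.append((h, "medium", f"unofficial app '{f['name']}' matched keyword "
                                     f"'{f['keyword']}' via {f['source_name']}"))
        elif h == "FORTIRECON_ACI_REPORTS":
            out.append((h, f["relevance_rating"].lower(),
                        f"{f['report_type']} {f['report_id']}, TLP:{f['tlp'].upper()} "
                        f"(share on a need-to-know basis only)"))
    return out


if __name__ == "__main__":
    for header, prio, reason in triage(SAMPLE_LINES):
        print(f"{prio:<7} {header:<30} {reason}")
```

Note what the leaked_cards and leaked_creds records contain: cardholder names, partial card data, user names. Once these events are in FortiSIEM they are subject to its role-based access, so scope the FortiRecon event types to the analysts who need them rather than to everyone with Analytics access.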
