The Attivo BOTsink solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.
This document provides information about the Attivo BOTsink connector, which facilitates automated interactions with your Attivo BOTsink server using FortiSOAR™ playbooks. Add the Attivo BOTsink connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving information about all network decoys on Attivo BOTsink or checking whether a user or host is deceptive using Attivo BOTsink.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-attivo-botsink
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In CyOPs™, on the connectors page, select the Attivo BOTsink connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server Address | Server name or IP address of the Attivo BOTsink server to which you will connect and perform the automated operations. |
Username | Username used to access the Attivo BOTsink server to which you will connect and perform the automated operations. |
Password | Password used to access the Attivo BOTsink server to which you will connect and perform the automated operations. |
Port | Port number on which to connect to the Attivo BOTsink server. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Check User | Checks whether a user is deceptive using Attivo BOTsink based on the user you have specified. | check_user Investigation |
Check Host | Checks whether a host is deceptive using Attivo BOTsink based on the hostname or IP address you have specified. | check_host Investigation |
Run Playbook | Runs a prebuilt playbook on the BOTsink appliance based on the attacker IP and prebuilt playbook name you have specified. | run_playbook Investigation |
List Playbooks | Lists information about all the playbooks configured on the Attivo BOTsink device. | list_playbooks Investigation |
Deploy Decoy | Deploys a new network decoy on Attivo BOTsink based on the vulnerable IP address (subnet) you have specified. | deploy_decoy Investigation |
Get Events | Retrieves events from Attivo BOTsink based on the source IP address you have specified. | get_events Investigation |
Get Host List | Lists information about all network decoys present in Attivo BOTsink. | get_host_list Investigation |
Get All VM Status | Retrieves the current status of all the management VMs, the sinkhole VMs, and the engagement VMs from Attivo BOTsink. | get_all_vm_status Investigation |
Get VM Status | Retrieves the current status of a specific management VM, sinkhole VM, or engagement VM from Attivo BOTsink, based on the VM ID you have specified. | get_vm_status Investigation |
Get All Vulnerabilities | Retrieves a list of all vulnerabilities defined for ThreatPath in Attivo BOTsink. This operation returns both enabled and disabled vulnerabilities. | get_all_vulnerabilities Investigation |
Get Summary of Objects | Retrieves a summary of all objects of the specified type present in Attivo BOTsink. This operation does not return the full details of the objects, only summary information such as name and object count. | get_summary_of_objects Investigation |
Get Details of Object | Retrieves the details of a specific input deception object from Attivo BOTsink based on the object type and ID you have specified. | get_details_of_object Investigation |
Get Manager Users | Retrieves the current manager user records from Attivo BOTsink. | get_manager_users Investigation |
Get All Faults | Retrieves a list of all faults from Attivo BOTsink. | get_all_faults Investigation |
Get Network Data | Retrieves a list of network data from Attivo BOTsink. | get_network_data Investigation |
Get MITM Configuration | Retrieves the last saved MITM configuration from Attivo BOTsink. | get_mitm_configuration Investigation |
Get MITM Events | Retrieves MITM events from Attivo BOTsink. | get_mitm_events Investigation |
Run Forensics | Triggers endpoint memory forensics for a specified endpoint on Attivo BOTsink based on the IP address you have specified. | run_endpoint_forensics Investigation |
Get Whitelisted Domains | Retrieves a list of all the domains whitelisted for the Phishing Mailbox feature from Attivo BOTsink. | get_whitelisted_domains Investigation |
Add Domain to Whitelist | Adds a domain to the whitelist for the Phishing Mailbox feature on Attivo BOTsink based on the domain name you have specified. | add_domain_to_whitelist Investigation |
Get Access Control Rules | Retrieves the current list of access control rules from Attivo BOTsink. | get_access_control_rules Investigation |
Operation: Check User
Input parameters:
Parameter | Description |
---|---|
User | User that you want to validate on Attivo BOTsink. |
The output contains a non-dictionary value.
Operation: Check Host
Input parameters:
Parameter | Description |
---|---|
Hostname | Hostname or IP address that you want to validate on Attivo BOTsink. |
The output contains a non-dictionary value.
Operation: Run Playbook
Input parameters:
Parameter | Description |
---|---|
Playbook Name | Name of the prebuilt playbook that you want to run on Attivo BOTsink. |
Attacker IP | Malicious source IP address for which you want to run the specified playbook. |
The output contains a non-dictionary value.
Operation: List Playbooks
Input parameters: None.
The output contains a non-dictionary value.
Operation: Deploy Decoy
Input parameters:
Parameter | Description |
---|---|
Vulnerable IP | Vulnerable IP address that is used to determine the subnet on which the new network decoy will be deployed in Attivo BOTsink. |
Decoy Number | (Optional) Number of decoys to deploy on Attivo BOTsink. By default, this is set as "1". |
The output contains a non-dictionary value.
Operation: Get Events
Input parameters:
Parameter | Description |
---|---|
Attacker IP | Source IP address based on which you want to retrieve events from Attivo BOTsink. |
Severity | (Optional) Minimum Attivo BOTsink severity level for the events. Only events at or above this level are included in the results retrieved from Attivo BOTsink. By default, this is set as "Medium". |
Alerts Start Date | Start date and time from which to look for events in Attivo BOTsink. For example, 2018-12-10 or 2018-12-10T13:59:05Z |
Alerts End Date | End date and time up to which to look for events in Attivo BOTsink. For example, 2018-12-10 or 2018-12-10T13:59:05Z |
The output contains the following populated JSON schema:
```json
{
  "eventdata": [
    {
      "geoIPDestCountry2": "",
      "allARPScanIPs": [],
      "esID": "",
      "geoIPDestCityName": "",
      "attackName": "",
      "geoIPDestLatititude": "",
      "details": {
        "Attack Phase": "",
        "VLAN": "",
        "geoip_src_country_code2": "",
        "geoip_dest_country_code3": "",
        "Server": "",
        "Attacker": "",
        "geoip_dest_country_name": "",
        "geoip_dest_longitude": "",
        "geoip_dest_city_name": "",
        "Timestamp": "",
        "Attack Name": "",
        "Target": "",
        "geoip_src_country_code3": "",
        "geoip_src_longitude": "",
        "Target IP": "",
        "geoip_src_country_name": "",
        "Service": "",
        "geoip_dest_latitude": "",
        "Severity": "",
        "Target OS": "",
        "Device": "",
        "geoip_dest_country_code2": "",
        "geoip_src_latitude": ""
      },
      "geoIPSrcCountry2": "",
      "geoIPDestCountryName": "",
      "djNames": "",
      "alertLevel": "",
      "timeStamp": "",
      "geoIPDestLongitude": "",
      "arpScanIPStr": "",
      "geoIPSrcLongitude": "",
      "geoIPSrcCountryName": "",
      "geoIPDestCountry3": "",
      "destIP": "",
      "attackID": "",
      "destVMName": "",
      "geoIPSrcLatititude": "",
      "sourceIP": "",
      "geoIPSrcCountry3": "",
      "allDJDomainNames": []
    }
  ]
}
```
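The Get Events inputs and output above are the pieces a playbook usually has to validate and post-process. The following is an added example (not the connector's own code, and not Attivo's API): it checks the two documented input formats, then folds the "eventdata" list into a per-attacker summary that flags an attacker for escalation when its worst event is High or above, or when it has touched several decoys (lateral movement across decoys). The severity ladder, the decoy threshold, and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Assumed ordering of BOTsink severity labels, lowest first (not stated on the page).
SEVERITY_ORDER = ["Low", "Medium", "High", "Very High"]


def severity_rank(label):
    """Rank a severity label; labels outside the assumed ladder rank lowest."""
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else -1


def parse_alert_date(value):
    """Parse the two documented input formats: 2018-12-10 or 2018-12-10T13:59:05Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported date format: %r" % (value,))


def build_event_query(attacker_ip, severity="Medium", start=None, end=None):
    """Validate the Get Events inputs and return them keyed by the page's parameter names."""
    if severity not in SEVERITY_ORDER:
        raise ValueError("unknown severity %r" % (severity,))
    query = {"Attacker IP": attacker_ip, "Severity": severity}
    if start:
        query["Alerts Start Date"] = parse_alert_date(start)
    if end:
        query["Alerts End Date"] = parse_alert_date(end)
    if start and end and query["Alerts Start Date"] > query["Alerts End Date"]:
        raise ValueError("Alerts Start Date must not be after Alerts End Date")
    return query


def summarize_events(response, min_severity="Medium", decoy_threshold=2):
    """Group "eventdata" by attacker, keep events at or above min_severity, and flag
    escalation when the worst event is High+ or decoy_threshold+ distinct decoys were hit."""
    floor = severity_rank(min_severity)
    summary = {}
    for event in response.get("eventdata", []):
        details = event.get("details") or {}
        severity = details.get("Severity") or event.get("alertLevel", "")
        if severity_rank(severity) < floor:
            continue  # below the requested minimum severity
        attacker = event.get("sourceIP") or details.get("Attacker", "")
        entry = summary.setdefault(attacker, {
            "events": 0, "decoys": set(), "attacks": set(),
            "services": set(), "arp_scanned": set(), "max_severity": "",
        })
        entry["events"] += 1
        entry["decoys"].add(event.get("destIP") or details.get("Target IP", ""))
        entry["attacks"].add(event.get("attackName") or details.get("Attack Name", ""))
        entry["services"].add(details.get("Service", ""))
        entry["arp_scanned"].update(event.get("allARPScanIPs") or [])
        if severity_rank(severity) > severity_rank(entry["max_severity"]):
            entry["max_severity"] = severity
    for entry in summary.values():
        entry["escalate"] = (severity_rank(entry["max_severity"]) >= severity_rank("High")
                             or len(entry["decoys"]) >= decoy_threshold)
    return summary


# Constructed sample in the shape of the schema above (not real BOTsink output).
SAMPLE_RESPONSE = {
    "eventdata": [
        {"sourceIP": "10.10.5.23", "destIP": "10.10.5.201", "attackName": "SMB Login Attempt",
         "alertLevel": "Medium", "allARPScanIPs": ["10.10.5.201", "10.10.5.202"],
         "details": {"Severity": "Medium", "Service": "SMB", "Target OS": "Windows"}},
        {"sourceIP": "10.10.5.23", "destIP": "10.10.5.202", "attackName": "SSH Brute Force",
         "alertLevel": "High", "allARPScanIPs": [],
         "details": {"Severity": "High", "Service": "SSH", "Target OS": "Linux"}},
        {"sourceIP": "10.10.7.9", "destIP": "10.10.7.150", "attackName": "ICMP Ping",
         "alertLevel": "Low", "allARPScanIPs": [],
         "details": {"Severity": "Low", "Service": "ICMP", "Target OS": "Linux"}},
    ]
}
```

With the sample above, `summarize_events(SAMPLE_RESPONSE)` keeps only the attacker that hit two decoys and reached High severity, and drops the Low-severity ping because the default minimum is Medium.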
Operation: Get Host List
Input parameters: None.
The output contains a non-dictionary value.
Operation: Get All VM Status
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "vm_server_status": [
    {
      "isRunning": "",
      "isRebuildInProgress": "",
      "vmAliasName": "",
      "vmName": "",
      "vmID": ""
    }
  ]
}
```
Operation: Get VM Status
Input parameters:
Parameter | Description |
---|---|
VM ID | ID of the VM whose current status you want to retrieve from Attivo BOTsink. |
The output contains the following populated JSON schema:
```json
{
  "get_vm_server_status": [
    {
      "service": [
        {
          "status": "",
          "state": "",
          "name": ""
        }
      ],
      "os": "",
      "storage_total": "",
      "lastUpgradeTime": "",
      "memory_total": "",
      "origname": "",
      "up_time": "",
      "serial_number": "",
      "status": "",
      "isLinuxOS": "",
      "alias_name": ""
    }
  ]
}
```
Operation: Get All Vulnerabilities
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "vulnerabilityPolicy_root": {
    "id": "",
    "vulnerabilityPolicy": [
      {
        "customized": "",
        "os": "",
        "help": "",
        "apiType": "",
        "privilegelevel": "",
        "uniqueId": "",
        "severity": "",
        "type": "",
        "enabled": "",
        "desc": "",
        "acmcustomized": ""
      }
    ]
  },
  "timestamp": ""
}
```
Operation: Get Summary of Objects
Input parameters:
Parameter | Description |
---|---|
Object Type | Object type based on which you want to retrieve summary information of all objects (belonging to the specified type) from Attivo BOTsink. |
The output contains the following populated JSON schema:
```json
{
  "objGroup": [
    {
      "esDocId": "",
      "obj_type": "",
      "name": "",
      "is_auto_generated": "",
      "obj_count": "",
      "esid": "",
      "global_attributes": {
        "is_production": ""
      },
      "is_default": "",
      "ESId": "",
      "bulk_input_count": "",
      "acm_cfg": "",
      "description": "",
      "last_modified_time": ""
    }
  ]
}
```
Operation: Get Details of Object
Input parameters:
Parameter | Description |
---|---|
Object Type | Object type based on which you want to retrieve detailed information of the object (belonging to the specified type) from Attivo BOTsink. |
Object ID | ID of the object whose details you want to retrieve from Attivo BOTsink. |
The output contains the following populated JSON schema:
```json
{
  "objGroup": {
    "is_auto_generated": "",
    "name": "",
    "esid": "",
    "global_attributes": {
      "is_production": ""
    },
    "is_default": "",
    "obj_type": "",
    "last_modified_time": "",
    "ESId": "",
    "bulk_input_count": "",
    "acm_cfg": "",
    "description": "",
    "obj_count": "",
    "objects": [
      {
        "server_ip": ""
      }
    ]
  }
}
```
Operation: Get Manager Users
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "users": [
    {
      "objectType": "",
      "defaultPasswordChanged": "",
      "id": "",
      "objectCN": "",
      "adSSL": "",
      "userName": "",
      "adUserName": "",
      "adServerName": "",
      "type": "",
      "acmuser": "",
      "lastModifiedTimestamp": "",
      "privileges": "",
      "lastName": "",
      "firstName": "",
      "adPort": "",
      "ssl": ""
    }
  ]
}
```
Operation: Get All Faults
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "details": {
    "severity": {
      "WARNING": ""
    },
    "summary": {
      "unacknowledge": "",
      "total": ""
    }
  },
  "faults": [
    {
      "botsinkDeviceID": "",
      "id": "",
      "sourceId": "",
      "creationTimestamp": "",
      "status": "",
      "description": "",
      "faultType": "",
      "severity": "",
      "lastUpdatedTimestamp": ""
    }
  ]
}
```
Operation: Get Network Data
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "networkdata": [
    {
      "forwarderEvent": "",
      "ipAddress": "",
      "deviceID": "",
      "active": "",
      "vlanID": "",
      "details": {
        "VLAN ID": "",
        "Last Seen": "",
        "OS": "",
        "First Seen": "",
        "Device": "",
        "DHCP": "",
        "IP": "",
        "MAC": "",
        "Vendor": "",
        "Port": "",
        "Host Name": ""
      },
      "macAddress": "",
      "timeStamp": "",
      "port": "",
      "forwarderName": "",
      "uniqueID": ""
    }
  ]
}
```
Operation: Get MITM Configuration
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "timestamp": "",
  "mitm_config": {
    "userList": [],
    "acm_flag": "",
    "arpSpoofStatus": "",
    "version_no": "",
    "id": "",
    "vlanExclusionList": [],
    "protocolList": [
      {
        "manual_status": "",
        "automatic_status": "",
        "domainList": [],
        "proto": ""
      }
    ],
    "detection_duration": ""
  }
}
```
Operation: Get MITM Events
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "mitm_events": [
    {
      "prev_last_timeStamp": "",
      "is_current_ip_attacker": "",
      "prev_first_timeStamp": "",
      "prev_ip": "",
      "current_mac": "",
      "port": "",
      "current_first_timeStamp": "",
      "isSpoof": "",
      "requestor_ip": "",
      "prev_mac": "",
      "current_ip": "",
      "ESId": "",
      "hostName": "",
      "current_last_timeStamp": "",
      "vlan": "",
      "is_prev_ip_attacker": "",
      "proto": ""
    }
  ]
}
```
Operation: Run Forensics
Input parameters:
Parameter | Description |
---|---|
IP Address | IP address of the endpoint on which you want to run memory forensics. |
The output contains the following populated JSON schema:
```json
{
  "success": ""
}
```
Operation: Get Whitelisted Domains
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "whitelist": [],
  "id": ""
}
```
Operation: Add Domain to Whitelist
Input parameters:
Parameter | Description |
---|---|
Domain | Name of the domain that you want to add to the whitelist for the Phishing Mailbox feature on Attivo BOTsink. |
The output contains the following populated JSON schema:
```json
{
  "whitelist": [],
  "id": ""
}
```
Operation: Get Access Control Rules
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "access_control_rules": [
    {
      "ipAddress": "",
      "id": "",
      "acmrule": "",
      "webAccess": "",
      "sshAccess": "",
      "lastModifiedTimestamp": ""
    }
  ]
}
```
The Sample - Attivo BOTsink - 1.0.0 playbook collection comes bundled with the Attivo BOTsink connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Attivo BOTsink connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.