Fortinet Document Library

About the connector

The Attivo BOTsink solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.

This document provides information about the Attivo BOTsink connector, which facilitates automated interactions with your Attivo BOTsink server using FortiSOAR™ playbooks. Add the Attivo BOTsink connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving information about all network decoys on Attivo BOTsink or checking whether a user or host is deceptive using Attivo BOTsink.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-attivo-botsink

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the server name or IP address of the Attivo BOTsink server to which you will connect and perform automated operations, and the credentials (username and password pair) used to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In CyOPs™, on the connectors page, select the Attivo BOTsink connector row, and in the Configure tab enter the required configuration details.

Server Address: Server name or IP address of the Attivo BOTsink server to which you will connect and perform the automated operations.
Username: Username used to access the Attivo BOTsink server to which you will connect and perform the automated operations.
Password: Password used to access the Attivo BOTsink server to which you will connect and perform the automated operations.
Port: Port number on which you want to connect to the Attivo BOTsink server to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function: Description (Annotation; Category)

Check User: Checks whether a user is deceptive using Attivo BOTsink based on the user you have specified. (check_user; Investigation)
Check Host: Checks whether a host is deceptive using Attivo BOTsink based on the hostname or IP address you have specified. (check_host; Investigation)
Run Playbook: Runs a prebuilt playbook on the BOTsink appliance based on the attacker IP and prebuilt playbook name you have specified. (run_playbook; Investigation)
List Playbooks: Lists information about all the playbooks configured on the Attivo BOTsink device. (list_playbooks; Investigation)
Deploy Decoy: Deploys a new network decoy on Attivo BOTsink based on the vulnerable IP address (subnet) you have specified. (deploy_decoy; Investigation)
Get Events: Retrieves events from Attivo BOTsink based on the source IP address you have specified. (get_events; Investigation)
Get Host List: Lists information about all network decoys present in Attivo BOTsink. (get_host_list; Investigation)
Get All VM Status: Retrieves the current status of all the management VMs, the sinkhole VMs, and the engagement VMs from Attivo BOTsink. (get_all_vm_status; Investigation)
Get VM Status: Retrieves the current status of a specific management VM, sinkhole VM, or engagement VM from Attivo BOTsink, based on the VM ID you have specified. (get_vm_status; Investigation)
Get All Vulnerabilities: Retrieves a list of all vulnerabilities defined for ThreatPath in Attivo BOTsink. This operation returns both enabled and disabled vulnerabilities. (get_all_vulnerabilities; Investigation)
Get Summary of Objects: Retrieves the summary of all objects of the specified type that are present in Attivo BOTsink, based on the object type you have specified. This operation does not return all the details of the objects, only summary information such as the name and count of objects. (get_summary_of_objects; Investigation)
Get Details of Object: Retrieves the details of a specific input deception object from Attivo BOTsink based on the object type and ID you have specified. (get_details_of_object; Investigation)
Get Manager Users: Retrieves the current manager user records from Attivo BOTsink. (get_manager_users; Investigation)
Get All Faults: Retrieves a list of all faults from Attivo BOTsink. (get_all_faults; Investigation)
Get Network Data: Retrieves a list of network data from Attivo BOTsink. (get_network_data; Investigation)
Get MITM Configuration: Retrieves the last saved MITM configuration from Attivo BOTsink. (get_mitm_configuration; Investigation)
Get MITM Events: Retrieves MITM events from Attivo BOTsink. (get_mitm_events; Investigation)
Run Forensics: Triggers endpoint memory forensics for a specified endpoint on Attivo BOTsink based on the IP address you have specified. (run_endpoint_forensics; Investigation)
Get Whitelisted Domains: Retrieves a list of all the domains whitelisted for the Phishing Mailbox feature from Attivo BOTsink. (get_whitelisted_domains; Investigation)
Add Domain to Whitelist: Adds a domain to the whitelist for the Phishing Mailbox feature on Attivo BOTsink based on the domain name you have specified. (add_domain_to_whitelist; Investigation)
Get Access Control Rules: Retrieves the current list of access control rules from Attivo BOTsink. (get_access_control_rules; Investigation)

operation: Check User

Input parameters

User: User that you want to validate on Attivo BOTsink.

Output

The output contains a non-dictionary value.

operation: Check Host

Input parameters

Hostname: Hostname or IP address that you want to validate on Attivo BOTsink.

Output

The output contains a non-dictionary value.

operation: Run Playbook

Input parameters

Playbook Name: Name of the prebuilt playbook that you want to run on Attivo BOTsink.
Attacker IP: Malicious source IP address for which you want to run the specified playbook.

Output

The output contains a non-dictionary value.

operation: List Playbooks

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Deploy Decoy

Input parameters

Vulnerable IP: Vulnerable IP address that is used to determine the subnet on which the new network decoy will be deployed in Attivo BOTsink.
Decoy Number (Optional): Number of decoys to deploy on Attivo BOTsink. By default, this is set as "1".

Output

The output contains a non-dictionary value.

operation: Get Events

Input parameters

Attacker IP: Source IP address for which you want to retrieve events from Attivo BOTsink.
Severity (Optional): Minimum Attivo BOTsink severity level of the events to retrieve. This operation filters the events retrieved from Attivo BOTsink by this criterion. By default, this is set as "Medium".
Alerts Start Date: Start date and time from which you want to look for events in Attivo BOTsink. For example, 2018-12-10 or 2018-12-10T13:59:05Z
Alerts End Date: End date and time up to which you want to look for events in Attivo BOTsink. For example, 2018-12-10 or 2018-12-10T13:59:05Z

Output

The output contains the following populated JSON schema:
{
     "eventdata": [
         {
             "geoIPDestCountry2": "",
             "allARPScanIPs": [],
             "esID": "",
             "geoIPDestCityName": "",
             "attackName": "",
             "geoIPDestLatititude": "",
             "details": {
                 "Attack Phase": "",
                 "VLAN": "",
                 "geoip_src_country_code2": "",
                 "geoip_dest_country_code3": "",
                 "Server": "",
                 "Attacker": "",
                 "geoip_dest_country_name": "",
                 "geoip_dest_longitude": "",
                 "geoip_dest_city_name": "",
                 "Timestamp": "",
                 "Attack Name": "",
                 "Target": "",
                 "geoip_src_country_code3": "",
                 "geoip_src_longitude": "",
                 "Target IP": "",
                 "geoip_src_country_name": "",
                 "Service": "",
                 "geoip_dest_latitude": "",
                 "Severity": "",
                 "Target OS": "",
                 "Device": "",
                 "geoip_dest_country_code2": "",
                 "geoip_src_latitude": ""
             },
             "geoIPSrcCountry2": "",
             "geoIPDestCountryName": "",
             "djNames": "",
             "alertLevel": "",
             "timeStamp": "",
             "geoIPDestLongitude": "",
             "arpScanIPStr": "",
             "geoIPSrcLongitude": "",
             "geoIPSrcCountryName": "",
             "geoIPDestCountry3": "",
             "destIP": "",
             "attackID": "",
             "destVMName": "",
             "geoIPSrcLatititude": "",
             "sourceIP": "",
             "geoIPSrcCountry3": "",
             "allDJDomainNames": []
         }
     ]
}
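As an added example, not part of this Fortinet document or the connector's own code, the following Python checks the Get Events inputs in the two date forms documented above and re-applies the documented filters (source IP, minimum severity, date range) to a constructed eventdata list that uses the schema's sourceIP, alertLevel and timeStamp keys, as a playbook would before branching on the result. The severity label ordering (only "Medium" is named in the document) and the ISO form of timeStamp are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Assumed ordering of BOTsink severity labels, lowest to highest. The document
# only names the default ("Medium"); the other labels and their order are an
# assumption made for this example.
SEVERITY_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]

# Constructed sample in the shape of the Get Events "eventdata" schema (only
# the keys this example reads). The timeStamp format is assumed to match the
# second documented input form (2018-12-10T13:59:05Z).
SAMPLE_EVENTDATA = [
    {"attackID": "evt-1", "sourceIP": "10.0.5.23", "destIP": "10.0.5.200",
     "attackName": "SMB Share Access", "alertLevel": "High",
     "timeStamp": "2018-12-10T14:02:11Z"},
    {"attackID": "evt-2", "sourceIP": "10.0.5.23", "destIP": "10.0.5.201",
     "attackName": "Port Scan", "alertLevel": "Low",
     "timeStamp": "2018-12-10T14:05:40Z"},
    {"attackID": "evt-3", "sourceIP": "10.0.7.9", "destIP": "10.0.5.200",
     "attackName": "SMB Share Access", "alertLevel": "Very High",
     "timeStamp": "2018-12-10T15:00:00Z"},
    {"attackID": "evt-4", "sourceIP": "10.0.5.23", "destIP": "10.0.5.202",
     "attackName": "SSH Login", "alertLevel": "Medium",
     "timeStamp": "2018-12-12T09:15:00Z"},
]


def parse_alert_date(value):
    """Parse the two forms the Alerts Start/End Date parameters document:
    2018-12-10 or 2018-12-10T13:59:05Z. Returns an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported date format: {value!r}")


def validate_get_events_input(attacker_ip, start, end, severity="Medium"):
    """Pre-flight check of the Get Events inputs before the connector step runs.
    Raises ValueError so a playbook can fail fast on a bad parameter."""
    ipaddress.ip_address(attacker_ip)  # ValueError unless a valid IPv4/IPv6 literal
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {severity!r}; expected one of {SEVERITY_ORDER}")
    start_dt, end_dt = parse_alert_date(start), parse_alert_date(end)
    if end_dt < start_dt:
        raise ValueError("Alerts End Date precedes Alerts Start Date")
    return {"attacker_ip": attacker_ip, "severity": severity,
            "start": start_dt, "end": end_dt}


def filter_events(eventdata, params):
    """Apply the documented Get Events filters locally to an eventdata list:
    same sourceIP, alertLevel at or above the minimum, timeStamp within range.
    Serves as a consistency check on what the appliance returned."""
    min_rank = SEVERITY_ORDER.index(params["severity"])
    matched = []
    for event in eventdata:
        if event.get("sourceIP") != params["attacker_ip"]:
            continue
        level = event.get("alertLevel")
        if level not in SEVERITY_ORDER or SEVERITY_ORDER.index(level) < min_rank:
            continue
        seen = parse_alert_date(event["timeStamp"])
        if not params["start"] <= seen <= params["end"]:
            continue
        matched.append(event)
    return matched


if __name__ == "__main__":
    params = validate_get_events_input("10.0.5.23", "2018-12-10", "2018-12-11T00:00:00Z")
    for event in filter_events(SAMPLE_EVENTDATA, params):
        print(event["attackID"], event["alertLevel"], event["attackName"])
```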

operation: Get Host List

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get All VM Status

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "vm_server_status": [
         {
             "isRunning": "",
             "isRebuildInProgress": "",
             "vmAliasName": "",
             "vmName": "",
             "vmID": ""
         }
     ]
}

operation: Get VM Status

Input parameters

VM ID: ID of the VM whose current status you want to retrieve from Attivo BOTsink.

Output

The output contains the following populated JSON schema:
{
     "get_vm_server_status": [
         {
             "service": [
                 {
                     "status": "",
                     "state": "",
                     "name": ""
                 }
             ],
             "os": "",
             "storage_total": "",
             "lastUpgradeTime": "",
             "memory_total": "",
             "origname": "",
             "up_time": "",
             "serial_number": "",
             "status": "",
             "isLinuxOS": "",
             "alias_name": ""
         }
     ]
}

operation: Get All Vulnerabilities

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "vulnerabilityPolicy_root": {
         "id": "",
         "vulnerabilityPolicy": [
             {
                 "customized": "",
                 "os": "",
                 "help": "",
                 "apiType": "",
                 "privilegelevel": "",
                 "uniqueId": "",
                 "severity": "",
                 "type": "",
                 "enabled": "",
                 "desc": "",
                 "acmcustomized": ""
             }
         ]
     },
     "timestamp": ""
}

operation: Get Summary of Objects

Input parameters

Object Type: Object type based on which you want to retrieve summary information of all objects (belonging to the specified type) from Attivo BOTsink.

Output

The output contains the following populated JSON schema:
{
     "objGroup": [
         {
             "esDocId": "",
             "obj_type": "",
             "name": "",
             "is_auto_generated": "",
             "obj_count": "",
             "esid": "",
             "global_attributes": {
                 "is_production": ""
             },
             "is_default": "",
             "ESId": "",
             "bulk_input_count": "",
             "acm_cfg": "",
             "description": "",
             "last_modified_time": ""
         }
     ]
}

operation: Get Details of Object

Input parameters

Object Type: Object type based on which you want to retrieve detailed information of the object (belonging to the specified type) from Attivo BOTsink.
Object ID: ID of the object whose details you want to retrieve from Attivo BOTsink.

Output

The output contains the following populated JSON schema:
{
     "objGroup": {
         "is_auto_generated": "",
         "name": "",
         "esid": "",
         "global_attributes": {
             "is_production": ""
         },
         "is_default": "",
         "obj_type": "",
         "last_modified_time": "",
         "ESId": "",
         "bulk_input_count": "",
         "acm_cfg": "",
         "description": "",
         "obj_count": "",
         "objects": [
             {
                 "server_ip": ""
             }
         ]
     }
}

operation: Get Manager Users

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "users": [
         {
             "objectType": "",
             "defaultPasswordChanged": "",
             "id": "",
             "objectCN": "",
             "adSSL": "",
             "userName": "",
             "adUserName": "",
             "adServerName": "",
             "type": "",
             "acmuser": "",
             "lastModifiedTimestamp": "",
             "privileges": "",
             "lastName": "",
             "firstName": "",
             "adPort": "",
             "ssl": ""
         }
     ]
}

operation: Get All Faults

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "details": {
         "severity": {
             "WARNING": ""
         },
         "summary": {
             "unacknowledge": "",
             "total": ""
         }
     },
     "faults": [
         {
             "botsinkDeviceID": "",
             "id": "",
             "sourceId": "",
             "creationTimestamp": "",
             "status": "",
             "description": "",
             "faultType": "",
             "severity": "",
             "lastUpdatedTimestamp": ""
         }
     ]
}

operation: Get Network Data

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "networkdata": [
         {
             "forwarderEvent": "",
             "ipAddress": "",
             "deviceID": "",
             "active": "",
             "vlanID": "",
             "details": {
                 "VLAN ID": "",
                 "Last Seen": "",
                 "OS": "",
                 "First Seen": "",
                 "Device": "",
                 "DHCP": "",
                 "IP": "",
                 "MAC": "",
                 "Vendor": "",
                 "Port": "",
                 "Host Name": ""
             },
             "macAddress": "",
             "timeStamp": "",
             "port": "",
             "forwarderName": "",
             "uniqueID": ""
         }
     ]
}

operation: Get MITM Configuration

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "timestamp": "",
     "mitm_config": {
         "userList": [],
         "acm_flag": "",
         "arpSpoofStatus": "",
         "version_no": "",
         "id": "",
         "vlanExclusionList": [],
         "protocolList": [
             {
                 "manual_status": "",
                 "automatic_status": "",
                 "domainList": [],
                 "proto": ""
             }
         ],
         "detection_duration": ""
     }
}

operation: Get MITM Events

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "mitm_events": [
         {
             "prev_last_timeStamp": "",
             "is_current_ip_attacker": "",
             "prev_first_timeStamp": "",
             "prev_ip": "",
             "current_mac": "",
             "port": "",
             "current_first_timeStamp": "",
             "isSpoof": "",
             "requestor_ip": "",
             "prev_mac": "",
             "current_ip": "",
             "ESId": "",
             "hostName": "",
             "current_last_timeStamp": "",
             "vlan": "",
             "is_prev_ip_attacker": "",
             "proto": ""
         }
     ]
}

operation: Run Forensics

Input parameters

IP Address: IP address of the endpoint on which you want to run memory forensics.

Output

The output contains the following populated JSON schema:
{
     "success": ""
}

operation: Get Whitelisted Domains

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "whitelist": [],
     "id": ""
}

operation: Add Domain to Whitelist

Input parameters

Domain: Name of the domain that you want to add to the whitelist for the Phishing Mailbox feature on Attivo BOTsink.

Output

The output contains the following populated JSON schema:
{
     "whitelist": [],
     "id": ""
}

operation: Get Access Control Rules

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "access_control_rules": [
         {
             "ipAddress": "",
             "id": "",
             "acmrule": "",
             "webAccess": "",
             "sshAccess": "",
             "lastModifiedTimestamp": ""
         }
     ]
}

Included playbooks

The Sample - Attivo BOTsink - 1.0.0 playbook collection comes bundled with the Attivo BOTsink connector. These playbooks contain steps that perform each of the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Attivo BOTsink connector.

  • Add Domain to Whitelist
  • Check Host
  • Check User
  • Deploy Decoy
  • Get Access Control Rules
  • Get All Faults
  • Get All VM Status
  • Get All Vulnerabilities
  • Get Details of Object
  • Get Events
  • Get Host List
  • Get Manager Users
  • Get MITM Configuration
  • Get MITM Events
  • Get Network Data
  • Get Summary of Objects
  • Get VM Status
  • Get Whitelisted Domains
  • List Playbooks
  • Run Forensics
  • Run Playbook

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

                 "automatic_statu s": "",
                 "domainList": [],
                 "proto": ""
             }
         ],
         "detection_duration": ""
     }
}

operation: Get MITM Events

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "mitm_events": [
         {
             "prev_last_timeStamp": "",
             "is_current_ip_attacker": "",
             "prev_first_timeStamp": "",
             "prev_ip": "",
             "current_mac": "",
             "port": "",
             "current_first_timeStamp": "",
             "isSpoof": "",
             "requestor_ip": "",
             "prev_mac": "",
             "current _ip": "",
             "ESId": "",
             "hostName": "",
             "current_last_timeStamp": "",
             "vlan": "",
             "is_prev_ip_attacker": "",
             "proto": ""
         }
     ]
}
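As an added example (not part of the connector or its sample playbooks), the following Python function post-processes the Get MITM Events output shown above so a later playbook step can act only on events that BOTsink flagged as spoofed; the sample output embedded in it is constructed, and its field values (IPs, MACs, host names) are assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed sample of the "Get MITM Events" connector output; field names
# follow the schema above, the values are assumptions made for this example.
SAMPLE_OUTPUT = json.loads("""
{"mitm_events": [
  {"prev_ip": "10.0.0.5", "prev_mac": "aa:bb:cc:00:00:05",
   "current_ip": "10.0.0.5", "current_mac": "aa:bb:cc:00:00:99",
   "isSpoof": "true", "is_current_ip_attacker": "true",
   "is_prev_ip_attacker": "false", "requestor_ip": "10.0.0.20",
   "hostName": "fileserver01", "vlan": "10", "proto": "ARP"},
  {"prev_ip": "10.0.0.7", "prev_mac": "aa:bb:cc:00:00:07",
   "current_ip": "10.0.0.7", "current_mac": "aa:bb:cc:00:00:07",
   "isSpoof": "false", "is_current_ip_attacker": "false",
   "is_prev_ip_attacker": "false", "requestor_ip": "10.0.0.21",
   "hostName": "printer02", "vlan": "10", "proto": "ARP"}
]}
""")

def _truthy(value: Any) -> bool:
    """The schema shows string values; accept bool or 'true'/'1'/'yes'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")

def spoofed_events(output: Dict[str, Any]) -> List[Dict[str, str]]:
    """One record per event flagged isSpoof, naming the MAC on the side
    (prev or current) that BOTsink marks as the attacker."""
    findings = []
    for ev in output.get("mitm_events", []):
        if not _truthy(ev.get("isSpoof")):
            continue
        if _truthy(ev.get("is_current_ip_attacker")):
            attacker_mac = ev.get("current_mac", "")
        elif _truthy(ev.get("is_prev_ip_attacker")):
            attacker_mac = ev.get("prev_mac", "")
        else:
            attacker_mac = "unknown"
        findings.append({
            "ip": ev.get("current_ip", ""),
            "host": ev.get("hostName", ""),
            "vlan": ev.get("vlan", ""),
            "proto": ev.get("proto", ""),
            "prev_mac": ev.get("prev_mac", ""),
            "current_mac": ev.get("current_mac", ""),
            "attacker_mac": attacker_mac,
        })
    return findings
```

The returned records carry only the fields a triage or enrichment step typically needs; pass the full event through instead if later steps need the timestamps.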

operation: Run Forensics

Input parameters

Parameter Description
IP Address IP address based on which you want to run memory forensics.

Output

The output contains the following populated JSON schema:
{
     "success": ""
}

operation: Get Whitelisted Domains

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "whitelist": [],
     "id": ""
}

operation: Add Domain to Whitelist

Input parameters

Parameter Description
Domain Name of the domain that you want to add to the whitelist for the Phishing Mailbox feature on Attivo BOTsink.

Output

The output contains the following populated JSON schema:
{
     "whitelist": [],
     "id": ""
}

operation: Get Access Control Rules

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "access_control_rules": [
         {
             "ipAddress": "",
             "id": "",
             "acmrule": "",
             "webAccess": "",
             "sshAccess": "",
             "lastModifiedTimestamp": ""
         }
     ]
}

Included playbooks

The Sample - Attivo BOTsink - 1.0.0 playbook collection comes bundled with the Attivo BOTsink connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Attivo BOTsink connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.