Cyberint provides Intelligence-Driven Digital Risk Protection that monitors, investigates, and analyzes data from the web, social media, and cyber sources to identify threats and make better security decisions.
This document provides information about the Cyberint connector, which facilitates automated interactions with a Cyberint server using FortiSOAR™ playbooks. Add the Cyberint connector as a step in FortiSOAR™ playbooks and perform automated operations related to alerts in Cyberint.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-cyberint
In FortiSOAR™, on the Connectors page, click the Cyberint connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Environment URL of the Cyberint server to which you will connect and perform the automated operations |
API Access Token | API access token to access the Cyberint endpoint to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts | Retrieves a list of alerts from Cyberint based on the filter criteria you have specified. Note: If you do not specify any filter criteria, then all alerts modified in the past 24 hours from all Cyberint environments will be retrieved. | get_alerts Investigation |
Update Alerts Status | Updates the status of one or more alerts in Cyberint based on the alert reference IDs and status you have specified. | update_alerts_status Investigation |
Get Alert Attachment | Downloads the attachments of a specific alert from Cyberint based on the alert reference ID and the attachment internal ID you have specified. The downloaded attachment is then stored in the 'Attachments' module in FortiSOAR. | get_alert_attachment Investigation |
Get Alert Analysis Report | Downloads the analysis report of a specific alert from Cyberint based on the alert reference ID you have specified. The downloaded report is then stored in the 'Attachments' module in FortiSOAR. | get_alert_analysis_report Investigation |
Parameter | Description |
---|---|
filters | Select this checkbox if you want to filter alerts retrieved from Cyberint. If you do not specify any filter criteria, then all alerts modified in the past 24 hours from all Cyberint environments will be retrieved. If you select this checkbox, then you can specify the following filters: |
Page | Page number from which you want to retrieve records. |
Size | The maximum number of alerts, per page, that this operation should return. |
The output contains the following populated JSON schema:
{
  "total": "",
  "alerts": [
    {
      "environment": "",
      "ref_id": "",
      "confidence": "",
      "status": "",
      "severity": "",
      "created_date": "",
      "created_by": {
        "email": ""
      },
      "category": "",
      "type": "",
      "source_category": "",
      "source": "",
      "targeted_vectors": [],
      "targeted_brands": [],
      "related_entities": [],
      "impacts": [],
      "acknowledged_date": "",
      "acknowledged_by": {
        "email": ""
      },
      "publish_date": "",
      "title": "",
      "alert_data": {
        "url": "",
        "screenshot": {
          "id": "",
          "name": "",
          "mimetype": ""
        },
        "detection_reasons": [],
        "url_reputation": "",
        "a_record": "",
        "ip_reputation": "",
        "mx_records": [],
        "site_status": "",
        "registrar": "",
        "whois_created_date": "",
        "registrant_name": "",
        "registrant_email": "",
        "nameservers": [],
        "whois_record": ""
      },
      "iocs": [],
      "ticket_id": "",
      "threat_actor": "",
      "modification_date": "",
      "closure_date": "",
      "closed_by": {
        "email": ""
      },
      "closure_reason": "",
      "description": "",
      "recommendation": "",
      "tags": [],
      "analysis_report": {
        "id": "",
        "name": "",
        "mimetype": ""
      },
      "attachments": []
    }
  ]
}
Parameter | Description |
---|---|
Alert Reference IDs | Specify a CSV list of reference IDs for the alert(s) whose status you want to update in Cyberint. Note: The maximum number of alerts that you can update in a single operation is 100. |
Status | Choose the status that you want to update for all the specified alerts in Cyberint. You can choose between Open, Acknowledged, or Closed. If you choose 'Closed', then you must specify the following parameter: |
The output contains the following populated JSON schema:
{
  "status": "",
  "result": ""
}
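The 100-ID limit on Alert Reference IDs interacts with the Page and Size parameters of Get Alerts whenever a playbook updates more alerts than one call allows. The following is an added example, not code from the connector or its sample playbooks: `fetch_page` is a hypothetical stand-in for the Get Alerts step, and page numbering from 1, the lowercase status strings, and the sample data are assumptions constructed for illustration.

```python
from typing import Callable, Iterable, Iterator, List

MAX_IDS_PER_UPDATE = 100  # limit stated for the Alert Reference IDs parameter


def iter_alerts(fetch_page: Callable[[int, int], dict], size: int = 50) -> Iterator[dict]:
    """Yield every alert across pages of Get Alerts output ({"total", "alerts"}).

    fetch_page(page, size) is a hypothetical stand-in for the Get Alerts step;
    page numbering starting at 1 is an assumption.
    """
    page, seen = 1, 0
    while True:
        result = fetch_page(page, size)
        alerts = result.get("alerts") or []
        if not alerts:
            return
        yield from alerts
        seen += len(alerts)
        total = result.get("total")
        if total not in (None, "") and seen >= int(total):
            return
        page += 1


def csv_batches(alerts: Iterable[dict], status: str = "open",
                limit: int = MAX_IDS_PER_UPDATE) -> List[str]:
    """Build CSV strings of unique ref_ids for alerts in `status`, <= limit each."""
    ids, seen = [], set()
    for alert in alerts:
        ref = str(alert.get("ref_id") or "").strip()
        if not ref or "," in ref or ref in seen:
            continue  # empty, duplicate, or would corrupt the CSV list
        if str(alert.get("status", "")).lower() == status:  # assumed status text
            seen.add(ref)
            ids.append(ref)
    return [",".join(ids[i:i + limit]) for i in range(0, len(ids), limit)]


# Constructed sample data: 230 alerts, every third one already closed.
SAMPLE = [{"ref_id": f"EX-{n}", "status": "closed" if n % 3 == 0 else "open"}
          for n in range(1, 231)]


def fake_fetch(page: int, size: int) -> dict:
    """Constructed stand-in for Get Alerts that pages through SAMPLE."""
    start = (page - 1) * size
    return {"total": len(SAMPLE), "alerts": SAMPLE[start:start + size]}


if __name__ == "__main__":
    for batch in csv_batches(iter_alerts(fake_fetch)):
        print(batch.count(",") + 1, "IDs:", batch[:30] + "...")
```

Each returned string can be passed as the Alert Reference IDs value of one Update Alerts Status step.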
Parameter | Description |
---|---|
Alert Reference ID | Specify the reference ID for the alert whose associated attachments you want to download from Cyberint. |
Attachment ID | The ID of the attachment that you want to download from Cyberint. |
Attachment File Name | Specify the name that you want to give to the attachment when it is stored in the 'Attachment' module in FortiSOAR. This is the attachment that is downloaded using this operation from Cyberint. |
The output contains the following populated JSON schema:
{
  "id": "",
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "file": [],
    "size": "",
    "@type": "",
    "@context": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "@type": "",
  "@context": "",
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": "",
  "description": ""
}
Parameter | Description |
---|---|
Alert Reference ID | Specify the reference ID for the alert whose analysis report you want to download from Cyberint. |
Analysis Report File Name | Specify the name that you want to give to the analysis report when it is stored in the 'Attachment' module in FortiSOAR. This is the report that is downloaded using this operation from Cyberint. |
The output contains the following populated JSON schema:
{
  "id": "",
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "file": [],
    "size": "",
    "@type": "",
    "@context": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "@type": "",
  "@context": "",
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": "",
  "description": ""
}
The Sample - Cyberint - 1.0.0 playbook collection comes bundled with the Cyberint connector. These playbooks contain steps that you can use to perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cyberint connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.