Cyberint v1.0.0

About the connector

Cyberint provides Intelligence-Driven Digital Risk Protection that monitors, investigates, and analyzes data from the web, social media, and cyber sources to identify threats and make better security decisions.

This document provides information about the Cyberint connector, which facilitates automated interactions with a Cyberint server using FortiSOAR™ playbooks. Add the Cyberint connector as a step in FortiSOAR™ playbooks and perform automated operations related to alerts in Cyberint.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

yum install cyops-connector-cyberint

Prerequisites to configuring the connector

  • You must have the environment URL of the Cyberint server and the API access token to access the Cyberint endpoint to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Cyberint server.

Minimum Permissions Required

  • Not applicable.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cyberint connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

  • Server URL: Environment URL of the Cyberint server to which you will connect and perform the automated operations.
  • API Access Token: API access token to access the Cyberint endpoint to which you will connect and perform the automated operations.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

  • Get Alerts: Retrieves a list of alerts from Cyberint based on the filter criteria you have specified. Note: If you do not specify any filter criteria, then all alerts modified in the past 24 hours from all Cyberint environments will be retrieved. Annotation: get_alerts. Category: Investigation.
  • Update Alerts Status: Updates the status of one or more alerts in Cyberint based on the alert reference IDs and status you have specified. Annotation: update_alerts_status. Category: Investigation.
  • Get Alert Attachment: Downloads the attachments of a specific alert from Cyberint based on the alert reference ID and the attachment internal ID you have specified. The downloaded attachment is then stored in the 'Attachments' module in FortiSOAR. Annotation: get_alert_attachment. Category: Investigation.
  • Get Alert Analysis Report: Downloads the analysis report of a specific alert from Cyberint based on the alert reference ID you have specified. The downloaded report is then stored in the 'Attachments' module in FortiSOAR. Annotation: get_alert_analysis_report. Category: Investigation.

operation: Get Alerts

Input parameters

  • filters: Select this checkbox if you want to filter alerts retrieved from Cyberint. If you do not specify any filter criteria, then all alerts modified in the past 24 hours from all Cyberint environments will be retrieved. If you select this checkbox, then you can specify the following filters:
    • Created Date: Select this checkbox if you want to filter alerts based on the date they were created. If you select this checkbox, then you must specify the following parameters:
      • From: Start DateTime from which you want to retrieve alerts from the Cyberint environment.
      • To: End DateTime up to which you want to retrieve alerts from the Cyberint environment.
    • Modification Date: Select this checkbox if you want to filter alerts based on the date they were modified. If you select this checkbox, then you must specify the following parameters:
      • From: Start DateTime from which you want to retrieve alerts from the Cyberint environment.
      • To: End DateTime up to which you want to retrieve alerts from the Cyberint environment.
    • Environments: Specify a comma-separated list of Cyberint environments from which you want to retrieve alerts. If nothing is specified, then alerts from all available environments are retrieved.
    • Status: Select the status based on which you want to filter alerts to be retrieved from Cyberint. You can select one or more of the following options: Open, Acknowledged, or Closed.
    • Severity: Select the severity based on which you want to filter alerts to be retrieved from Cyberint. You can select one or more of the following options: Very High, High, Medium, or Low.
    • Type: Select the alert type based on which you want to filter alerts to be retrieved from Cyberint. You can select one or more of the alert types such as refund_fraud, carding, phishing_kit, email_security_issues, etc.
  • Page: Page number from which you want to retrieve records.
  • Size: The maximum number of alerts, per page, that this operation should return.
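
The following Python is added here as a worked example; it is not code from the connector, from FortiSOAR or from Cyberint. It shows how the parameters above combine into one request and how Page, Size and the total field of the reply drive pagination, reproducing the documented default (everything modified in the past 24 hours) when no filter is set. The request-body layout (filters, pagination) and the lower-case status and severity values are assumptions modelled on the parameter names in this document; sample_fetch_page and its alerts are constructed stand-ins for the HTTP call so the example runs offline.

```python
# Added example. Body keys ("filters", "pagination", "created_date", ...) and
# the lower-case status/severity values are ASSUMPTIONS, not a documented API.
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple

VALID_STATUS = {"open", "acknowledged", "closed"}          # assumed API casing
VALID_SEVERITY = {"very_high", "high", "medium", "low"}    # assumed API casing
DateRange = Tuple[datetime, datetime]


def _range(rng: DateRange) -> Dict[str, str]:
    """Serialise a (from, to) pair of timezone-aware datetimes."""
    start, end = rng
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes for API date ranges")
    if end < start:
        raise ValueError("date range end precedes its start")
    return {"from": start.replace(microsecond=0).isoformat(),
            "to": end.replace(microsecond=0).isoformat()}


def build_alert_filters(
    created: Optional[DateRange] = None,
    modified: Optional[DateRange] = None,
    environments: str = "",
    status: Optional[List[str]] = None,
    severity: Optional[List[str]] = None,
    alert_type: Optional[List[str]] = None,
    now: Optional[datetime] = None,
) -> dict:
    """Translate the documented filter parameters into a filters object.
    With no filter at all, the documented default is made explicit:
    everything modified in the past 24 hours, from every environment."""
    filters: dict = {}
    if created:
        filters["created_date"] = _range(created)
    if modified:
        filters["modification_date"] = _range(modified)
    envs = [e.strip() for e in environments.split(",") if e.strip()]
    if envs:
        filters["environments"] = envs
    if status:
        unknown = set(status) - VALID_STATUS
        if unknown:
            raise ValueError(f"unknown status value(s): {sorted(unknown)}")
        filters["status"] = list(status)
    if severity:
        unknown = set(severity) - VALID_SEVERITY
        if unknown:
            raise ValueError(f"unknown severity value(s): {sorted(unknown)}")
        filters["severity"] = list(severity)
    if alert_type:
        filters["type"] = list(alert_type)
    if not filters:
        now = now or datetime.now(timezone.utc)
        filters["modification_date"] = _range((now - timedelta(hours=24), now))
    return filters


def build_request(filters: dict, page: int = 1, size: int = 100) -> dict:
    """Attach the Page/Size parameters to a filters object."""
    if page < 1 or size < 1:
        raise ValueError("page and size are 1-based and must be positive")
    return {"filters": filters, "pagination": {"page": page, "size": size}}


def iter_all_alerts(fetch_page: Callable[[dict], dict], filters: dict,
                    size: int = 100, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every matching alert by walking pages until "total" is reached.
    fetch_page performs one Get Alerts call and returns the parsed reply
    ("total"/"alerts" as in the output schema). An empty page or the
    max_pages cap also ends the walk, so a bad reply cannot loop forever."""
    seen = 0
    for page in range(1, max_pages + 1):
        reply = fetch_page(build_request(filters, page, size))
        alerts = reply.get("alerts") or []
        if not alerts:
            return
        for alert in alerts:
            yield alert
        seen += len(alerts)
        if seen >= int(reply.get("total", 0)):
            return


# Constructed stand-in for the HTTP call so the example runs offline.
_SAMPLE_ALERTS = [{"ref_id": f"ARG-{n}", "severity": "high", "status": "open"}
                  for n in range(1, 8)]


def sample_fetch_page(request: dict) -> dict:
    """Serve the constructed alerts one page at a time, like the real reply."""
    page, size = request["pagination"]["page"], request["pagination"]["size"]
    start = (page - 1) * size
    return {"total": len(_SAMPLE_ALERTS), "alerts": _SAMPLE_ALERTS[start:start + size]}


if __name__ == "__main__":
    flt = build_alert_filters(status=["open"], severity=["very_high", "high"])
    for a in iter_all_alerts(sample_fetch_page, flt, size=3):
        print(a["ref_id"], a["severity"])
```

The walker stops on whichever comes first: the reported total, an empty page, or the max_pages cap, so a playbook step built on it cannot spin indefinitely if a reply under-reports total or returns pages past the end.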

Output

The output contains the following populated JSON schema:
{
  "total": "",
  "alerts": [
    {
      "environment": "",
      "ref_id": "",
      "confidence": "",
      "status": "",
      "severity": "",
      "created_date": "",
      "created_by": {
        "email": ""
      },
      "category": "",
      "type": "",
      "source_category": "",
      "source": "",
      "targeted_vectors": [],
      "targeted_brands": [],
      "related_entities": [],
      "impacts": [],
      "acknowledged_date": "",
      "acknowledged_by": {
        "email": ""
      },
      "publish_date": "",
      "title": "",
      "alert_data": {
        "url": "",
        "screenshot": {
          "id": "",
          "name": "",
          "mimetype": ""
        },
        "detection_reasons": [],
        "url_reputation": "",
        "a_record": "",
        "ip_reputation": "",
        "mx_records": [],
        "site_status": "",
        "registrar": "",
        "whois_created_date": "",
        "registrant_name": "",
        "registrant_email": "",
        "nameservers": [],
        "whois_record": ""
      },
      "iocs": [],
      "ticket_id": "",
      "threat_actor": "",
      "modification_date": "",
      "closure_date": "",
      "closed_by": {
        "email": ""
      },
      "closure_reason": "",
      "description": "",
      "recommendation": "",
      "tags": [],
      "analysis_report": {
        "id": "",
        "name": "",
        "mimetype": ""
      },
      "attachments": []
    }
  ]
}
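
The Python below is an added example of consuming the schema above inside a playbook step; it is not the connector's or Cyberint's own code. It reads only field names that appear in the schema (severity, status, created_date, and the url, a_record, mx_records, nameservers, registrant_email and registrar keys under alert_data) to rank alerts for an analyst and to pull non-empty infrastructure indicators out for enrichment or blocking steps. The severity and status spellings and the SAMPLE_ALERTS records are constructed; Cyberint's actual casing of those values is an assumption.

```python
# Added example. Field names come from the Get Alerts output schema; the
# severity/status casing and all sample values are constructed assumptions.
from typing import Dict, List

# Highest first, so a lower rank means "look at this sooner".
SEVERITY_RANK = {"very_high": 0, "high": 1, "medium": 2, "low": 3}

# alert_data keys whose values can feed an enrichment or block-list step.
INDICATOR_FIELDS = ("url", "a_record", "mx_records", "nameservers",
                    "registrant_email", "registrar")


def summarize_alerts(alerts: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count alerts by severity and by status for a playbook summary."""
    by_sev: Dict[str, int] = {}
    by_status: Dict[str, int] = {}
    for a in alerts:
        sev = str(a.get("severity", "")).lower() or "unknown"
        st = str(a.get("status", "")).lower() or "unknown"
        by_sev[sev] = by_sev.get(sev, 0) + 1
        by_status[st] = by_status.get(st, 0) + 1
    return {"severity": by_sev, "status": by_status}


def prioritize(alerts: List[dict]) -> List[dict]:
    """Open alerts first, then by severity, then oldest first (ISO dates sort as text)."""
    def key(a: dict):
        status_rank = 0 if str(a.get("status", "")).lower() == "open" else 1
        sev = SEVERITY_RANK.get(str(a.get("severity", "")).lower(), len(SEVERITY_RANK))
        return (status_rank, sev, a.get("created_date") or "")
    return sorted(alerts, key=key)


def extract_indicators(alert: dict) -> Dict[str, List[str]]:
    """Pull non-empty infrastructure indicators out of alert_data.
    Values are normalised to lists of stripped strings and empty values are
    dropped, so downstream steps never receive the schema's "" placeholders."""
    data = alert.get("alert_data") or {}
    out: Dict[str, List[str]] = {}
    for field in INDICATOR_FIELDS:
        value = data.get(field)
        values = value if isinstance(value, list) else [value]
        cleaned = [str(v).strip() for v in values if v not in (None, "")]
        if cleaned:
            out[field] = cleaned
    return out


# Constructed sample alerts following the schema (every value is made up).
SAMPLE_ALERTS = [
    {"ref_id": "ARG-1", "severity": "medium", "status": "open", "type": "phishing_kit",
     "created_date": "2024-03-02T10:00:00Z",
     "alert_data": {"url": "http://login-example.invalid/", "a_record": "203.0.113.10",
                    "mx_records": [], "nameservers": ["ns1.example.invalid"]}},
    {"ref_id": "ARG-2", "severity": "very_high", "status": "open", "type": "carding",
     "created_date": "2024-03-01T09:00:00Z", "alert_data": {"url": "", "a_record": ""}},
    {"ref_id": "ARG-3", "severity": "high", "status": "closed", "type": "refund_fraud",
     "created_date": "2024-02-28T08:00:00Z", "alert_data": {}},
]

if __name__ == "__main__":
    print(summarize_alerts(SAMPLE_ALERTS))
    for a in prioritize(SAMPLE_ALERTS):
        print(a["ref_id"], a["severity"], extract_indicators(a))
```

Because the schema returns empty strings and empty lists for absent data, extract_indicators filters them out explicitly; passing "" through to an enrichment or firewall step is a common source of failed or, worse, over-broad rules.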

operation: Update Alerts Status

Input parameters

  • Alert Reference IDs: Specify a CSV list of reference IDs for the alert(s) whose status you want to update in Cyberint. Note: The maximum number of alerts that you can update in a single operation is 100.
  • Status: Choose the status that you want to update for all the specified alerts in Cyberint. You can choose between Open, Acknowledged, or Closed. If you choose 'Closed', then you must specify the following parameter:
    • Closure Reason: State the reason for updating the status of the alerts to Closed.
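
The Python below is an added example, not the connector's or Cyberint's own code. It prepares Update Alerts Status calls from the parameters above: it parses the CSV list of reference IDs, enforces the documented 100-alert limit by splitting the list into batches, and refuses a Closed status without a closure reason before any call is made. The request-body keys (alert_ref_ids, data, status, closure_reason) and the lower-case status values are assumptions; the limit, the CSV input and the closure-reason rule come from this document.

```python
# Added example. Body keys and lower-case status values are ASSUMPTIONS;
# the 100-per-call limit and the closure-reason rule are documented.
from typing import List, Optional

MAX_ALERTS_PER_UPDATE = 100           # documented per-operation limit
VALID_STATUS = {"open", "acknowledged", "closed"}


def parse_reference_ids(csv_ids: str) -> List[str]:
    """Split the CSV input, trimming whitespace and dropping blanks and duplicates."""
    seen = set()
    ids: List[str] = []
    for raw in csv_ids.split(","):
        ref = raw.strip()
        if ref and ref not in seen:
            seen.add(ref)
            ids.append(ref)
    if not ids:
        raise ValueError("no alert reference IDs supplied")
    return ids


def build_status_updates(csv_ids: str, status: str,
                         closure_reason: Optional[str] = None) -> List[dict]:
    """Return one request body per batch of at most MAX_ALERTS_PER_UPDATE IDs.
    A status of Closed must carry a closure reason; the check runs before any
    batch is built so a playbook misconfiguration fails fast and changes nothing."""
    normalized = status.strip().lower()
    if normalized not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}, got {status!r}")
    reason = (closure_reason or "").strip()
    if normalized == "closed" and not reason:
        raise ValueError("closure_reason is required when status is Closed")

    ids = parse_reference_ids(csv_ids)
    batches: List[dict] = []
    for start in range(0, len(ids), MAX_ALERTS_PER_UPDATE):
        data = {"status": normalized}
        if normalized == "closed":
            data["closure_reason"] = reason
        batches.append({"alert_ref_ids": ids[start:start + MAX_ALERTS_PER_UPDATE],
                        "data": data})
    return batches


if __name__ == "__main__":
    many = ",".join(f"ARG-{n}" for n in range(1, 251))   # constructed IDs
    for i, body in enumerate(build_status_updates(many, "Closed", "Confirmed takedown"), 1):
        print(f"batch {i}: {len(body['alert_ref_ids'])} alerts -> {body['data']}")
```

Deduplicating the IDs before batching matters for audit as well as for the limit: re-closing an alert that is already in the batch wastes a slot and produces a duplicate status change in Cyberint's history.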

Output

The output contains the following populated JSON schema:
{
  "status": "",
  "result": ""
}

operation: Get Alert Attachment

Input parameters

  • Alert Reference ID: Specify the reference ID for the alert whose associated attachments you want to download from Cyberint.
  • Attachment ID: The ID of the attachment that you want to download from Cyberint.
  • Attachment File Name: Specify the name that you want to give to the attachment when it is stored in the 'Attachments' module in FortiSOAR. This is the attachment that is downloaded from Cyberint using this operation.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "file": [],
    "size": "",
    "@type": "",
    "@context": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "@type": "",
  "@context": "",
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": "",
  "description": ""
}

operation: Get Alert Analysis Report

Input parameters

  • Alert Reference ID: Specify the reference ID for the alert whose analysis report you want to download from Cyberint.
  • Analysis Report File Name: Specify the name that you want to give to the analysis report when it is stored in the 'Attachments' module in FortiSOAR. This is the report that is downloaded from Cyberint using this operation.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "@id": "",
  "file": {
    "id": "",
    "@id": "",
    "file": [],
    "size": "",
    "@type": "",
    "@context": "",
    "filename": "",
    "metadata": [],
    "mimeType": "",
    "thumbnail": "",
    "uploadDate": ""
  },
  "name": "",
  "type": "",
  "@type": "",
  "@context": "",
  "createDate": "",
  "createUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "modifyDate": "",
  "modifyUser": {
    "id": "",
    "@id": "",
    "name": "",
    "@type": "",
    "avatar": "",
    "userId": "",
    "userType": "",
    "@settings": "",
    "createDate": "",
    "createUser": "",
    "modifyDate": "",
    "modifyUser": ""
  },
  "recordTags": "",
  "description": ""
}

Included playbooks

The Sample - Cyberint - 1.0.0 playbook collection comes bundled with the Cyberint connector. These playbooks contain steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cyberint connector.

  • Get Alert Analysis Report
  • Get Alert Attachment
  • Get Alerts
  • Update Alert Status

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
