Fortinet Document Library

About the connector

Cyware Threat Intelligence Exchange (CTIX) uses the Cyware threat intelligence feed and automatically aggregates tactical intelligence from various STIX/TAXII feeds to provide you with consolidated, easily readable, and actionable intelligence.

This document provides information about the Cyware CTIX connector, which facilitates automated interactions with a CTIX server using FortiSOAR™ playbooks. Add the Cyware CTIX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically searching for and retrieving information about IP addresses, domains, URLs, file hashes, and CVE IDs from CTIX.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-cyware-ctix

Prerequisites to configuring the connector

  • You must have the URL of the Cyware CTIX server to which you will connect and perform automated operations, and the Access ID and Secret Key used to authenticate to that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cyware CTIX connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter | Description
Server URL | URL of the CTIX server to which you will connect and perform the automated operations.
Access ID | Access ID configured for your CTIX server to which you will connect and perform the automated operations.
Secret Key | Secret Key configured for your CTIX server to which you will connect and perform the automated operations.
Verify SSL | Specifies whether the SSL certificate presented by the CTIX server is verified. By default, this option is set as True. Keep it enabled outside of test environments: with verification disabled the connector accepts any certificate, so an on-path attacker could intercept the Access ID and Secret Key sent with every request.

Actions supported by the connector

The following automated operations can be included in playbooks. From version 4.10.0 onwards, you can also use the annotations to access these operations:

Function | Description | Annotation | Category
Search Domain | Searches for a domain in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the domain name you have specified. | search_domain | Investigation
Search IP | Searches for an IP address in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the IP address you have specified. | search_ip | Investigation
Search URL | Searches for a URL in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the URL you have specified. | search_url | Investigation
Search Hash | Searches for a hash in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the hash value you have specified. | search_hash | Investigation
Search CVE ID | Searches for a CVE ID in the Cyware threat intelligence platform and retrieves relevant details from CTIX based on the ID of the CVE you have specified. | search_cve_id | Investigation

operation: Search Domain

Input parameters

Parameter | Description
Domain | Name of the domain whose information you want to retrieve from CTIX.
Page Size (Optional) | Number of records to return per page of results. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "result": {
         "domain_data": "",
         "whois_domain_report": "",
         "updated": "",
         "stix_object_id": "",
         "domain_tld_data": ".",
         "package_details": [
             {
                 "intl_grading": "",
                 "source_name": "",
                 "package_id": "",
                 "source_grading": "",
                 "package_title": "",
                 "collection_name": "",
                 "package_timestamp": ""
             }
         ],
         "created": "",
         "packages_list": [],
         "score": "",
         "package_count": "",
         "url_data": []
     }
}

operation: Search IP

Input parameters

Parameter | Description
IP Address | IP address whose information you want to retrieve from CTIX.
Page Size (Optional) | Number of records to return per page of results. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "result": {
         "maxmind_geoip_ip_report": "",
         "updated": "",
         "stix_object_id": "",
         "whois_ip_report": "",
         "package_details": [
             {
                 "intl_grading": "",
                 "source_name": "",
                 "package_id": "",
                 "source_grading": "",
                 "package_title": "",
                 "collection_name": "",
                 "package_timestamp": ""
             }
         ],
         "created": "",
         "score": "",
         "ip_data": "",
         "packages_list": [],
         "geoip_report": {
             "city": {
                 "longitude": "",
                 "country_code": "",
                 "latitude": "",
                 "continent_name": "",
                 "region": "",
                 "city": "",
                 "time_zone": "",
                 "country_name": "",
                 "postal_code": "",
                 "dma_code": null,
                 "continent_code": ""
             },
             "country": {
                 "country_code": "",
                 "country_name": ""
             }
         },
         "package_count": ""
     }
}

operation: Search URL

Input parameters

Parameter | Description
URL | URL whose information you want to retrieve from CTIX.
Page Size (Optional) | Number of records to return per page of results. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "message": "",
         "result": {
             "domain_data": "",
             "package_details": [
                 {
                     "package_title": "",
                     "source_name": "",
                     "package_timestamp": "",
                     "package_id": "",
                     "collection_name": ""
                 }
             ],
             "updated": "",
             "domain_tld_data": "",
             "created": "",
             "packages_list": [],
             "package_count": "",
             "url_data": []
         }
     },
     "status": ""
}

operation: Search Hash

Input parameters

Parameter | Description
Hash | Value of the hash whose information you want to retrieve from CTIX.
Page Size (Optional) | Number of records to return per page of results. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "result": {
         "package_details": [
             {
                 "intl_grading": "",
                 "source_name": "",
                 "package_id": "",
                 "source_grading": "",
                 "package_title": "",
                 "collection_name": "",
                 "package_timestamp": ""
             }
         ],
         "updated": "",
         "stix_object_id": "",
         "packages_list": [],
         "created": "",
         "hash_data": "",
         "score": "",
         "package_count": ""
     }
}

operation: Search CVE ID

Input parameters

Parameter | Description
CVE ID | ID of the CVE whose information you want to retrieve from CTIX.
Page Size (Optional) | Number of records to return per page of results. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "result": {
         "package_details": [
             {
                 "intl_grading": "",
                 "source_name": "",
                 "package_id": "",
                 "source_grading": "",
                 "package_title": "",
                 "collection_name": "",
                 "package_timestamp": ""
             },
             {
                 "intl_grading": "",
                 "source_name": "",
                 "package_id": "",
                 "source_grading": "",
                 "package_title": "",
                 "collection_name": "",
                 "package_timestamp": ""
             }
         ],
         "updated": "",
         "stix_object_id": "",
         "created": "",
         "packages_list": [],
         "cve_id": "",
         "score": "",
         "package_count": ""
     }
}
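The five operations above return near-identical shapes, with two differences a playbook author has to handle: Search URL wraps the payload in a "data" object and returns no "score", and the numeric fields ("score", "package_count") arrive as strings that may be empty. The following helper is an added example, not code from the FortiSOAR connector or from Cyware. It normalises any of the five outputs into a small verdict that a playbook decision step can branch on. The score threshold, the verdict labels, and the three sample payloads are assumptions made for this example; the page does not document CTIX's scoring scale.

```python
"""Triage helper for Cyware CTIX connector output (added example, not
connector or Cyware code). Consumes the documented output of Search
Domain / IP / URL / Hash / CVE ID and reduces it to a playbook verdict.
The threshold, verdict labels and sample payloads are assumptions."""
from typing import Any, Dict, List, Optional

# Operation annotation -> field in "result" holding the looked-up indicator.
INDICATOR_FIELD = {
    "search_domain": "domain_data",
    "search_ip": "ip_data",
    "search_url": "url_data",
    "search_hash": "hash_data",
    "search_cve_id": "cve_id",
}

MALICIOUS_THRESHOLD = 70  # assumed; CTIX's scoring scale is not documented here


def unwrap_result(output: Dict[str, Any]) -> Dict[str, Any]:
    """Return the "result" object. Search URL nests it under "data";
    the other operations return "message"/"result" at the top level."""
    body = output.get("data", output)
    result = body.get("result")
    if not isinstance(result, dict):
        raise ValueError("connector output has no result object")
    return result


def as_int(value: Any, default: int) -> int:
    """Numeric fields are strings in the schema; tolerate "", None, "3" and 3."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def indicator_value(operation: str, result: Dict[str, Any]) -> str:
    value = result.get(INDICATOR_FIELD[operation], "")  # KeyError for unknown annotation
    if isinstance(value, list):  # url_data is a list in the schema
        return ", ".join(str(v) for v in value)
    return str(value)


def verdict_for(score: int, packages: List[Dict[str, Any]]) -> str:
    if score >= MALICIOUS_THRESHOLD:
        return "malicious"
    if packages:          # present in at least one feed package, score low or absent
        return "sighted"
    return "not_seen"     # no packages: absence of evidence, not a clean bill


def triage(operation: str, output: Dict[str, Any]) -> Dict[str, Any]:
    result = unwrap_result(output)
    packages = [p for p in (result.get("package_details") or []) if isinstance(p, dict)]
    score = as_int(result.get("score"), default=-1)  # -1 means no score in this output
    geo = result.get("geoip_report") or {}           # only Search IP returns it
    country: Optional[str] = (geo.get("country") or {}).get("country_code") or None
    return {
        "indicator": indicator_value(operation, result),
        "score": score,
        "package_count": max(as_int(result.get("package_count"), 0), len(packages)),
        "sources": sorted({p["source_name"] for p in packages if p.get("source_name")}),
        "country": country,
        "stix_object_id": result.get("stix_object_id") or None,
        "verdict": verdict_for(score, packages),
    }


# Constructed sample outputs in the documented shapes (not real CTIX data).
SAMPLE_IP = {"message": "success", "result": {
    "ip_data": "203.0.113.7", "score": "85", "package_count": "2",
    "stix_object_id": "indicator--example-ip",
    "package_details": [
        {"source_name": "feed-b", "package_id": "p-2", "package_title": "C2 list",
         "collection_name": "c2", "package_timestamp": "2020-01-02T00:00:00Z"},
        {"source_name": "feed-a", "package_id": "p-1", "package_title": "Scanners",
         "collection_name": "scan", "package_timestamp": "2020-01-01T00:00:00Z"}],
    "geoip_report": {"city": {"country_code": "NL", "dma_code": None},
                     "country": {"country_code": "NL", "country_name": "Netherlands"}}}}
SAMPLE_URL = {"data": {"message": "success", "result": {  # wrapped, no "score"
    "domain_data": "example.net", "url_data": ["http://example.net/login"],
    "package_count": "1",
    "package_details": [{"source_name": "feed-c", "package_id": "p-3",
                         "package_title": "Phish kits", "collection_name": "phish",
                         "package_timestamp": "2020-01-03T00:00:00Z"}]}},
    "status": "success"}
SAMPLE_HASH = {"message": "success", "result": {  # no sightings: template's empty strings
    "hash_data": "d41d8cd98f00b204e9800998ecf8427e", "score": "",
    "package_count": "0", "package_details": [], "stix_object_id": ""}}

if __name__ == "__main__":
    for op, sample in (("search_ip", SAMPLE_IP), ("search_url", SAMPLE_URL),
                       ("search_hash", SAMPLE_HASH)):
        print(op, triage(op, sample))
```

In a playbook, the connector step's JSON output would be passed to triage together with the annotation of the step that produced it, and the "verdict" key drives the decision step; "not_seen" is deliberately distinct from a benign verdict because an empty package list only means the feeds have not reported the indicator.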

Included playbooks

The Sample - Cyware CTIX - 1.0.0 playbook collection comes bundled with the Cyware CTIX connector. These playbooks contain steps that demonstrate every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cyware CTIX connector.

  • Search CVE ID
  • Search Hash
  • Search Domain
  • Search IP
  • Search URL

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or uninstalled.
