DarkOwl allows you to access the world's largest database of darknet content to monitor for the presence of your data on the darknet and shorten the time frame taken for its detection.
This document provides information about the DarkOwl connector, which facilitates automated interactions, with a DarkOwl server using FortiSOAR™ playbooks. Add the DarkOwl connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a new score request for asynchronous processing to DarkOwl or retrieving the status and result of a completed score request from DarkOwl.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-darkowl
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the DarkOwl connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Url | URL of the DarkOwl server to which you will connect and perform the automated operations. |
Public Key | Public key for your account that is issued by a DarkOwl Product Engineer to access the DarkOwl server to which you will connect and perform the automated operations. |
Private Key | Private key for your account that is issued by a DarkOwl Product Engineer to access the DarkOwl server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Usage Status | Retrieves Vision API usage details for your account from DarkOwl. Details retrieved include the number of valid requests you have made to DarkOwl and your subscription information. | get_usage_status Investigation |
Submit score request | Submits new score request for asynchronous processing to DarkOwl, based on the domains and email domains you have specified. | submit_score_request Investigation |
Get Score Request Status | Retrieves the status of a submitted score request from DarkOwl, based on the request ID you have specified. | get_score_request_status Investigation |
Get Score Request Result | Retrieves the result of a completed score request from DarkOwl, based on the request ID you have specified. | get_score_request_result Investigation |
Search Resource | Queries DarkOwl Vision’s DARKNET data collection based on various query parameters and response options you have specified. | search_resource Investigation |
Get Document | Retrieves an individual document from DarkOwl Vision, based on the document ID you have specified. | get_document Investigation |
None.
The output contains the following populated JSON schema:
{
"score": {
"subscription": "",
"used": "",
"message": "",
"quota": "",
"end-date": ""
},
"search": {
"subscription": "",
"used": "",
"message": "",
"quota": "",
"end-date": ""
}
}
Parameter | Description |
---|---|
Domains | List of one or more website domains and/or associated subdomains whose score request you want to submit to DarkOwl. For example, domain.com .Note: Wildcards are not allowed. |
Email Domains | List of one or more email domains and/or associated subdomains whose score request you want to submit to DarkOwl. Note: Leading wildcards can be used to match multiple subdomains, such as *.domain.com . However, such a pattern must not include the root domain (domain.com). |
The output contains the following populated JSON schema:
{
"request_id": ""
}
Parameter | Description |
---|---|
Request ID | Unique identifier of a completed score request whose status you want to retrieve from DarkOwl. |
The output contains the following populated JSON schema:
{
"code": "",
"text": "",
"time": ""
}
Parameter | Description |
---|---|
Request ID | Unique identifier of a completed score request whose result you want to retrieve from DarkOwl. |
The output contains the following populated JSON schema:z
{
"result": {
"emailDark": "",
"emailPaste": "",
"domainPaste": "",
"emailBreach": "",
"score": "",
"hackishnessDarkPaste": "",
"date": "",
"domainDark": "",
"domainBreach": "",
"hackishnessBreach": ""
},
"request": {
"domains": [],
"emailDomains": []
}
}
Parameter | Description |
---|---|
Query | Specify the query, based on which you want to search a resource in DarkOwl. The query parameter is the base search field which should be used with all searches. This field accepts letters, numbers, special characters, and operators. Wildcards are generally allowed, except for leading wildcards. You can use quotations, parentheses, and booleans. The query parameter determines relevancy. The relevancy score, i.e., how well the result matches the query submitted is determined by the content in the query parameter. Note that filters are not used in the calculation of relevancy. |
Crawl date (lower bound) | (Optional) Start datetime from when you want to filter data. This parameter is used to filter to results collected after this datetime (UTC). Input format is in Zulu: YYYY-MM-DDThh:mm:ssZ. Use this parameter in conjunction with the 'Crawl date (upper bound)' parameter to form a range. |
Crawl date (upper bound) | (Optional) End datetime till when you want to filter data. This parameter is used to filter to results collected before this datetime (UTC). Input format is in Zulu: YYYY-MM-DDThh:mm:ssZ. Use this parameter in conjunction with the 'Crawl date (lower bound)' parameter to form a range. |
Request Data | Select this option to return the request data that was used to run the search, along with the search results. By default, this is checked, i.e., set as True. |
Similar | Select this option, i.e., set it to True, to return all similar results, per request. Clearing this option, i.e., set it to False, will remove all similar results, per request. Note: Setting this parameter to False might return fewer documents than the count selected. |
Highlight | Select this option, i.e., set it to True, to return highlighted values sent in the query parameter in the body field. By default, this option is cleared, i.e., set as False. |
Sort | Field by which you want to sort the results of this operation. You can choose from the following options: Relevancy, Hackishnes, or Date Crawled. By default, this is set to Relevancy. |
Detail | Specify the detail level about the result you want to retrieve from DarkOwl. You can choose from the following options: Full, Non Body, or Snippet. By default, this is set to Full. |
Has | Select the attribute(s) based on which you want to filter results retrieved from DarkOwl. You can choose the following attributes: CCN, SSN, or Email. Important: If you select any attribute, then you must specify the value of that attribute. For example, if you select CCN, then in the CCN field, you must specify the credit card number that will be searched in the body of the result and accordingly the results will be filtered. |
Email Domain | Specify the email domain, whose associated email addresses will be searched in the body of a result, based on which you want to filter results retrieved from DarkOwl. Input format of this parameter is domain.com or subdomain.domain.com, without special characters such as the @ symbol. |
Location | Specify the country/countries based on which you want to filter results retrieved from DarkOwl to match only those resources that are registered in certain countries. Country is determined by a geolocation lookup on the target IP (if available). A list of country values is available at darkowl.com/docs/vision-resources. Exclude countries by prefixing their values with a hyphen (-). |
Languages | Specify the language(s) based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified languages. Language is assigned by DarkOwl Vision at the time of ingestion. A list of language values is available at darkowl.com/docs/vision-resources. Exclude languages by prefixing their values with a hyphen (-). |
Domain | Specify the domain(s) based on which you want to filter results retrieved from DarkOwl to match only those resources that match the results that are collected from one or more specified domains. Exclude domains by prefixing their values with a hyphen (-). |
IP | Specify the IP address based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified IP address. The IP address that you specify in this parameter is searched in the body of a result. Use this parameter in conjunction with the query parameter and highlight="true" to highlight the IP address in the body of a result. Use quotations around the IP address in the query parameter. |
Leak | Specify the data leak or breach based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified data leak. A list of acceptable leak values is available at darkowl.com/docs/vision-resources. Exclude leaks by prefixing their values with a hyphen (-). |
Offset | A maximum of 20 results is returned per request, with maximum pagination of 1000 results returned per query. Offset is used to ‘skip’ a number of results. In this parameter, you can specify any integer between 1 and 980. By default, this value is set as 0. |
Count | Specify the number of results returned per request. By default, this is set as 20, which is the maximum number of results allowed per request. |
Credit Card Count Range | Range (minimum-maximum) of credit card numbers that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. For example, 0-10000. |
Social Security Number Count Range | Range (minimum-maximum) of social security numbers that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. |
Email Count Range | Range (minimum-maximum) of email addresses that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. |
Hackishness Range | Range (minimum-maximum) of hackishness rating that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0.0 and 1.0. For example, 0.5. |
The output contains the following populated JSON schema:
{
"total": "",
"resultCount": "",
"results": [
{
"body": "",
"hackishness": "",
"id": "",
"domain": "",
"country": "",
"headers": [],
"fileSize": "",
"ip": "",
"title": "",
"ccns": [],
"crawlDate": "",
"emails": [],
"ssns": [],
"snippet": "",
"url": ""
}
],
"request": {
"email": [],
"leak": [],
"ssn": [],
"cssn_max": "",
"lang": [],
"emailDomain": [],
"has": [],
"sort": "",
"ip": [],
"offset": "",
"loc": [],
"detail": "",
"cemail_min": "",
"cccn_max": "",
"from": "",
"similar": "",
"hack_min": "",
"domain": [],
"hack_max": "",
"q": "",
"cemail_max": "",
"to": "",
"req": "",
"ccn": [],
"count": "",
"highlight": "",
"cccn_min": "",
"cssn_min": ""
}
}
Parameter | Description |
---|---|
Document ID | ID of the document that you want to retrieve from DarkOwl. Note: You can enter letters and numbers as the document identifier. |
The output contains the following populated JSON schema:
{
"query": {
"id": ""
},
"result": {
"body": "",
"hackishness": "",
"id": "",
"domain": "",
"country": "",
"headers": [],
"fileSize": "",
"ip": "",
"title": "",
"ccns": [],
"crawlDate": "",
"emails": [],
"ssns": [],
"snippet": "",
"url": ""
}
}
The Sample - DarkOwl - 1.0.0
playbook collection comes bundled with the DarkOwl connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DarkOwl connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
DarkOwl allows you to access the world's largest database of darknet content to monitor for the presence of your data on the darknet and shorten the time frame taken for its detection.
This document provides information about the DarkOwl connector, which facilitates automated interactions, with a DarkOwl server using FortiSOAR™ playbooks. Add the DarkOwl connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a new score request for asynchronous processing to DarkOwl or retrieving the status and result of a completed score request from DarkOwl.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-darkowl
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the DarkOwl connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Url | URL of the DarkOwl server to which you will connect and perform the automated operations. |
Public Key | Public key for your account that is issued by a DarkOwl Product Engineer to access the DarkOwl server to which you will connect and perform the automated operations. |
Private Key | Private key for your account that is issued by a DarkOwl Product Engineer to access the DarkOwl server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Usage Status | Retrieves Vision API usage details for your account from DarkOwl. Details retrieved include the number of valid requests you have made to DarkOwl and your subscription information. | get_usage_status Investigation |
Submit score request | Submits new score request for asynchronous processing to DarkOwl, based on the domains and email domains you have specified. | submit_score_request Investigation |
Get Score Request Status | Retrieves the status of a submitted score request from DarkOwl, based on the request ID you have specified. | get_score_request_status Investigation |
Get Score Request Result | Retrieves the result of a completed score request from DarkOwl, based on the request ID you have specified. | get_score_request_result Investigation |
Search Resource | Queries DarkOwl Vision’s DARKNET data collection based on various query parameters and response options you have specified. | search_resource Investigation |
Get Document | Retrieves an individual document from DarkOwl Vision, based on the document ID you have specified. | get_document Investigation |
None.
The output contains the following populated JSON schema:
{
"score": {
"subscription": "",
"used": "",
"message": "",
"quota": "",
"end-date": ""
},
"search": {
"subscription": "",
"used": "",
"message": "",
"quota": "",
"end-date": ""
}
}
Parameter | Description |
---|---|
Domains | List of one or more website domains and/or associated subdomains whose score request you want to submit to DarkOwl. For example, domain.com .Note: Wildcards are not allowed. |
Email Domains | List of one or more email domains and/or associated subdomains whose score request you want to submit to DarkOwl. Note: Leading wildcards can be used to match multiple subdomains, such as *.domain.com . However, such a pattern must not include the root domain (domain.com). |
The output contains the following populated JSON schema:
{
"request_id": ""
}
Parameter | Description |
---|---|
Request ID | Unique identifier of a completed score request whose status you want to retrieve from DarkOwl. |
The output contains the following populated JSON schema:
{
"code": "",
"text": "",
"time": ""
}
Parameter | Description |
---|---|
Request ID | Unique identifier of a completed score request whose result you want to retrieve from DarkOwl. |
The output contains the following populated JSON schema:z
{
"result": {
"emailDark": "",
"emailPaste": "",
"domainPaste": "",
"emailBreach": "",
"score": "",
"hackishnessDarkPaste": "",
"date": "",
"domainDark": "",
"domainBreach": "",
"hackishnessBreach": ""
},
"request": {
"domains": [],
"emailDomains": []
}
}
Parameter | Description |
---|---|
Query | Specify the query, based on which you want to search a resource in DarkOwl. The query parameter is the base search field which should be used with all searches. This field accepts letters, numbers, special characters, and operators. Wildcards are generally allowed, except for leading wildcards. You can use quotations, parentheses, and booleans. The query parameter determines relevancy. The relevancy score, i.e., how well the result matches the query submitted is determined by the content in the query parameter. Note that filters are not used in the calculation of relevancy. |
Crawl date (lower bound) | (Optional) Start datetime from when you want to filter data. This parameter is used to filter to results collected after this datetime (UTC). Input format is in Zulu: YYYY-MM-DDThh:mm:ssZ. Use this parameter in conjunction with the 'Crawl date (upper bound)' parameter to form a range. |
Crawl date (upper bound) | (Optional) End datetime till when you want to filter data. This parameter is used to filter to results collected before this datetime (UTC). Input format is in Zulu: YYYY-MM-DDThh:mm:ssZ. Use this parameter in conjunction with the 'Crawl date (lower bound)' parameter to form a range. |
Request Data | Select this option to return the request data that was used to run the search, along with the search results. By default, this is checked, i.e., set as True. |
Similar | Select this option, i.e., set it to True, to return all similar results, per request. Clearing this option, i.e., set it to False, will remove all similar results, per request. Note: Setting this parameter to False might return fewer documents than the count selected. |
Highlight | Select this option, i.e., set it to True, to return highlighted values sent in the query parameter in the body field. By default, this option is cleared, i.e., set as False. |
Sort | Field by which you want to sort the results of this operation. You can choose from the following options: Relevancy, Hackishnes, or Date Crawled. By default, this is set to Relevancy. |
Detail | Specify the detail level about the result you want to retrieve from DarkOwl. You can choose from the following options: Full, Non Body, or Snippet. By default, this is set to Full. |
Has | Select the attribute(s) based on which you want to filter results retrieved from DarkOwl. You can choose the following attributes: CCN, SSN, or Email. Important: If you select any attribute, then you must specify the value of that attribute. For example, if you select CCN, then in the CCN field, you must specify the credit card number that will be searched in the body of the result and accordingly the results will be filtered. |
Email Domain | Specify the email domain, whose associated email addresses will be searched in the body of a result, based on which you want to filter results retrieved from DarkOwl. Input format of this parameter is domain.com or subdomain.domain.com, without special characters such as the @ symbol. |
Location | Specify the country/countries based on which you want to filter results retrieved from DarkOwl to match only those resources that are registered in certain countries. Country is determined by a geolocation lookup on the target IP (if available). A list of country values is available at darkowl.com/docs/vision-resources. Exclude countries by prefixing their values with a hyphen (-). |
Languages | Specify the language(s) based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified languages. Language is assigned by DarkOwl Vision at the time of ingestion. A list of language values is available at darkowl.com/docs/vision-resources. Exclude languages by prefixing their values with a hyphen (-). |
Domain | Specify the domain(s) based on which you want to filter results retrieved from DarkOwl to match only those resources that match the results that are collected from one or more specified domains. Exclude domains by prefixing their values with a hyphen (-). |
IP | Specify the IP address based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified IP address. The IP address that you specify in this parameter is searched in the body of a result. Use this parameter in conjunction with the query parameter and highlight="true" to highlight the IP address in the body of a result. Use quotations around the IP address in the query parameter. |
Leak | Specify the data leak or breach based on which you want to filter results retrieved from DarkOwl to match only those resources that match the specified data leak. A list of acceptable leak values is available at darkowl.com/docs/vision-resources. Exclude leaks by prefixing their values with a hyphen (-). |
Offset | A maximum of 20 results is returned per request, with maximum pagination of 1000 results returned per query. Offset is used to ‘skip’ a number of results. In this parameter, you can specify any integer between 1 and 980. By default, this value is set as 0. |
Count | Specify the number of results returned per request. By default, this is set as 20, which is the maximum number of results allowed per request. |
Credit Card Count Range | Range (minimum-maximum) of credit card numbers that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. For example, 0-10000. |
Social Security Number Count Range | Range (minimum-maximum) of social security numbers that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. |
Email Count Range | Range (minimum-maximum) of email addresses that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0 and 999999. |
Hackishness Range | Range (minimum-maximum) of hackishness rating that should be contained in the results retrieved from DarkOwl. In this parameter, you can specify integer values between 0.0 and 1.0. For example, 0.5. |
The output contains the following populated JSON schema:
{
"total": "",
"resultCount": "",
"results": [
{
"body": "",
"hackishness": "",
"id": "",
"domain": "",
"country": "",
"headers": [],
"fileSize": "",
"ip": "",
"title": "",
"ccns": [],
"crawlDate": "",
"emails": [],
"ssns": [],
"snippet": "",
"url": ""
}
],
"request": {
"email": [],
"leak": [],
"ssn": [],
"cssn_max": "",
"lang": [],
"emailDomain": [],
"has": [],
"sort": "",
"ip": [],
"offset": "",
"loc": [],
"detail": "",
"cemail_min": "",
"cccn_max": "",
"from": "",
"similar": "",
"hack_min": "",
"domain": [],
"hack_max": "",
"q": "",
"cemail_max": "",
"to": "",
"req": "",
"ccn": [],
"count": "",
"highlight": "",
"cccn_min": "",
"cssn_min": ""
}
}
Parameter | Description |
---|---|
Document ID | ID of the document that you want to retrieve from DarkOwl. Note: You can enter letters and numbers as the document identifier. |
The output contains the following populated JSON schema:
{
"query": {
"id": ""
},
"result": {
"body": "",
"hackishness": "",
"id": "",
"domain": "",
"country": "",
"headers": [],
"fileSize": "",
"ip": "",
"title": "",
"ccns": [],
"crawlDate": "",
"emails": [],
"ssns": [],
"snippet": "",
"url": ""
}
}
The Sample - DarkOwl - 1.0.0
playbook collection comes bundled with the DarkOwl connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DarkOwl connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.