Dragos WorldView industrial threat intelligence provides actionable information and recommendations on threats to operations technology (OT) environments.
This document describes the Dragos WorldView Threat Intelligence Connector, which facilitates automated interactions with a Dragos WorldView Threat Intelligence server using FortiSOAR™ playbooks. Add the Dragos WorldView Threat Intelligence Connector as a step in FortiSOAR™ playbooks to perform automated operations against Dragos WorldView Threat Intelligence.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.3.0-2034 and later
Dragos WorldView Threat Intelligence Version Tested on: v1
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as the root user to install the connector:
yum install cyops-connector-dragos-worldview-threat-intelligence
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Dragos WorldView Threat Intelligence connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | The fully qualified domain name (FQDN) of the Dragos server to connect to and perform automated operations against. |
Access Token | The API access token that is required to connect to the Dragos server and perform automated operations. |
Secret Key | The API secret key required to connect to the Dragos server and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. Keep it set to True in production: with verification disabled, the Access Token and Secret Key are sent to whatever host answers for the Server URL. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get All Indicators | Retrieves a paginated list of all indicators from Dragos based on indicator value, type (IP, Domain, or Hostname), and other filter criteria that you have specified. | get_all_indicators Investigation |
Get All Indicators In Stix2 | Retrieves a STIX 2 (Structured Threat Information Expression) bundle of indicators from Dragos based on indicator value, type (IP, Domain, or Hostname), and other filter criteria that you have specified. | get_all_indicators_in_stix2 Investigation |
Get All Reports | Retrieves a paginated list of reports from Dragos based on the sort criteria, update time, report serial numbers, or indicator value that you have specified. | get_all_reports Investigation |
Get Report Metadata | Retrieves the report metadata based on the specified serial number. | get_report_metadata Investigation |
Get Indicators Of Report | Retrieves indicators of the report from Dragos based on the report's serial number. | get_indicators_of_report Investigation |
Get All Tags | Retrieves a list of all tags from Dragos based on various parameters such as page number, page size, and tag type that you have specified. | get_all_tags Investigation |
The Get All Indicators operation takes the following parameters:
Parameter | Description |
---|---|
Indicator Value | (Optional) Specify an indicator value to get details from Dragos. |
Indicator Type | (Optional) Specify the type of indicator whose details you want to retrieve from Dragos, for example IP, Domain, or Hostname. |
Page Size | (Optional) Specify the number of records that the operation should return per page. Page size must be less than 1001. The default value is 500. |
Page Number | (Optional) Specify the page number from which to retrieve the records. The default value is 1. |
Updated After | (Optional) Specify the date and time after which to retrieve indicators. The DateTime must be in ISO 8601 format (UTC). |
Report Serial Number | (Optional) Specify a list of report serial numbers; only indicators contained in those reports are retrieved. |
Tags | (Optional) Specify a list of tags; only indicators carrying those tags are retrieved. |
The output contains the following populated JSON schema:
{
"indicators": [
{
"id": "",
"value": "",
"indicator_type": "",
"category": "",
"comment": "",
"first_seen": "",
"last_seen": "",
"updated_at": "",
"confidence": "",
"kill_chain": "",
"uuid": "",
"status": "",
"severity": "",
"threat_groups": [],
"attack_techniques": [],
"ics_attack_techniques": [],
"pre_attack_techniques": [],
"products": [
{
"serial": ""
}
],
"activity_groups": []
}
],
"total": "",
"page": "",
"page_size": "",
"total_pages": ""
}
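The Page Size, Page Number and total_pages fields above are what a playbook has to drive to collect a complete indicator set rather than just the first 500 rows. The following is an added example, not the connector's own code: it walks every page of a query, enforces the page-size bound the connector documents, formats the Updated After filter as ISO 8601 UTC, and de-duplicates by id in case rows shift between pages. It assumes an endpoint that accepts the connector's parameter names (type, updated_after, serial, page, page_size) and answers in the schema shown above; the in-memory endpoint and its rows are constructed so the block runs offline.

```python
"""Walk every page of a Dragos indicator query and apply the filters safely.

Added example (not the connector's own code). It assumes an endpoint that
takes the connector's parameters (type, updated_after, serial, page,
page_size) and answers with the indicators/total/page/page_size/total_pages
schema shown above; the in-memory endpoint and its rows are constructed.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

MAX_PAGE_SIZE = 1000        # the connector requires a page size below 1001
DEFAULT_PAGE_SIZE = 500

# Constructed sample rows shaped like the "indicators" entries in the schema.
SAMPLE_INDICATORS = [
    {"id": 1, "value": "198.51.100.7", "indicator_type": "ip", "severity": "high",
     "updated_at": "2023-05-02T10:00:00Z", "products": [{"serial": "AA-2023-10"}]},
    {"id": 2, "value": "evil.example", "indicator_type": "domain", "severity": "medium",
     "updated_at": "2023-05-03T11:00:00Z", "products": [{"serial": "AA-2023-10"}]},
    {"id": 3, "value": "pump-ctrl-01", "indicator_type": "hostname", "severity": "low",
     "updated_at": "2023-04-01T00:00:00Z", "products": [{"serial": "AA-2023-09"}]},
    {"id": 4, "value": "203.0.113.9", "indicator_type": "ip", "severity": "high",
     "updated_at": "2023-05-04T12:00:00Z", "products": [{"serial": "AA-2023-11"}]},
    {"id": 5, "value": "203.0.113.10", "indicator_type": "ip", "severity": "high",
     "updated_at": "2023-05-05T12:00:00Z", "products": [{"serial": "AA-2023-11"}]},
]
EXAMPLE_SINCE = datetime(2023, 5, 1, tzinfo=timezone.utc)   # constructed cut-off


def fake_indicators_endpoint(params: Dict) -> Dict:
    """Stand-in for the indicators endpoint: filters the rows, then paginates."""
    rows = SAMPLE_INDICATORS
    if params.get("type"):
        rows = [r for r in rows if r["indicator_type"] == params["type"]]
    if params.get("updated_after"):
        # Both sides are ISO 8601 UTC with a Z suffix, so string order is time order.
        rows = [r for r in rows if r["updated_at"] > params["updated_after"]]
    if params.get("serial"):
        wanted = set(params["serial"])
        rows = [r for r in rows if any(p["serial"] in wanted for p in r["products"])]
    page, size = params["page"], params["page_size"]
    start = (page - 1) * size
    return {"indicators": rows[start:start + size], "total": len(rows), "page": page,
            "page_size": size, "total_pages": max(1, -(-len(rows) // size))}


def to_iso_utc(ts: datetime) -> str:
    """Updated After must be ISO 8601 in UTC; refuse naive datetimes rather than guess."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before sending it to Dragos")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def iter_indicators(endpoint: Callable[[Dict], Dict], *, indicator_type: Optional[str] = None,
                    updated_after: Optional[datetime] = None, serials=None,
                    page_size: int = DEFAULT_PAGE_SIZE) -> Iterator[Dict]:
    """Yield indicators across all pages, stopping on total_pages and de-duplicating ids."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    params: Dict = {"page": 1, "page_size": page_size}
    if indicator_type:
        params["type"] = indicator_type
    if updated_after is not None:
        params["updated_after"] = to_iso_utc(updated_after)
    if serials:
        params["serial"] = list(serials)
    seen = set()
    while True:
        body = endpoint(dict(params))
        for ind in body["indicators"]:
            if ind["id"] in seen:      # rows can shift between pages as the feed updates
                continue
            seen.add(ind["id"])
            yield ind
        if params["page"] >= int(body["total_pages"]):
            return
        params["page"] += 1


def collect_high_severity_ips(endpoint: Callable[[Dict], Dict], since: datetime) -> List[str]:
    """Sorted, de-duplicated high-severity IP values updated after `since`."""
    return sorted({ind["value"] for ind in iter_indicators(endpoint, indicator_type="ip",
                                                           updated_after=since, page_size=2)
                   if ind["severity"] == "high"})


if __name__ == "__main__":
    print(collect_high_severity_ips(fake_indicators_endpoint, EXAMPLE_SINCE))
```

A page size of 2 is used in collect_high_severity_ips only to force the pagination loop to run more than once on the small sample; against the real server use the default of 500 and pass the connector's Page Number from the loop variable. To wire this into a playbook, replace fake_indicators_endpoint with a callable that invokes the Get All Indicators step and returns its output.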
The Get All Indicators In Stix2 operation takes the following parameters:
Parameter | Description |
---|---|
Indicator Value | (Optional) Specify an indicator value to get details from Dragos. |
Indicator Type | (Optional) Specify the type of indicator whose details you want to retrieve from Dragos, for example IP, Domain, or Hostname. |
Page Size | (Optional) Specify the number of records that the operation should return per page. Page size must be less than 1001. The default value is 500. |
Page Number | (Optional) Specify the page number from which to retrieve the records. The default value is 1. |
Updated After | (Optional) Specify the date and time after which to retrieve indicators. The DateTime must be in ISO 8601 format (UTC). |
Report Serial Number | (Optional) Specify a list of report serial numbers; only indicators contained in those reports are retrieved. |
Tags | (Optional) Specify a list of tags; only indicators carrying those tags are retrieved. |
The output contains the following populated JSON schema:
{
"type": "",
"id": "",
"spec_version": "",
"objects": [
{
"id": "",
"type": "",
"created": "",
"modified": "",
"created_by_ref": ""
}
]
}
The Get All Reports operation takes the following parameters:
Parameter | Description |
---|---|
Sort By | (Optional) Specify the field by which to sort the reports. The default value is Release Date. |
Sort Order | (Optional) Specify the sorting order of the results. |
Page Number | (Optional) Specify the page number from which to retrieve the records. The default value is 1. |
Page Size | (Optional) Specify the number of records that the operation should return per page. Page size must be less than 1001. The default value is 500. |
Updated After | (Optional) Specify the date and time after which to retrieve reports. The DateTime must be in ISO 8601 format (UTC). |
Report Serial Number | (Optional) Specify a list of report serial numbers to retrieve. |
Indicator | (Optional) Specify an indicator value; only reports containing that exact indicator are returned (exact match only). |
The output contains the following populated JSON schema:
{
"products": [
{
"tlp_level": "",
"title": "",
"executive_summary": "",
"updated_at": "",
"threat_level": "",
"serial": "",
"ioc_count": "",
"tags": [
{
"text": "",
"tag_type": ""
}
],
"release_date": "",
"type": "",
"report_link": ""
}
],
"total": "",
"page": "",
"page_size": "",
"total_pages": ""
}
The Get Report Metadata operation takes the following parameter:
Parameter | Description |
---|---|
Report Serial Number | Specify the serial number of the report whose metadata to retrieve. |
The output contains the following populated JSON schema:
{
"tlp_level": "",
"title": "",
"executive_summary": "",
"updated_at": "",
"threat_level": "",
"serial": "",
"ioc_count": "",
"tags": [
{
"text": "",
"tag_type": ""
}
],
"release_date": "",
"type": "",
"report_link": "",
"ioc_csv_link": "",
"ioc_stix2_link": ""
}
The Get Indicators Of Report operation takes the following parameters:
Parameter | Description |
---|---|
Process Response As | Specify the format in which to return the indicators. Available options are Save as CSV, which stores the indicators as a CSV file attachment in FortiSOAR™, and STIX2.0 JSON, which returns a STIX 2.0 bundle. |
Filename | Specify the name of the CSV file to be saved. Applies when Process Response As is set to Save as CSV. |
Report Serial Number | Specify the serial number of the report whose indicators to retrieve. |
The output contains the following populated JSON schema when you choose Process Response as Save as CSV:
{
"id":"",
"@id":"",
"file":{
"id":"",
"@id":"",
"size":"",
"uuid":"",
"@type":"",
"assignee":"",
"filename":"",
"metadata":[],
"mimeType":"",
"thumbnail":"",
"uploadDate":""
},
"name":"",
"type":"",
"uuid":"",
"@type":"",
"tasks":[],
"alerts":[],
"assets":[],
"owners":[],
"people":[],
"@context":"",
"assignee":"",
"comments":[],
"warrooms":[],
"incidents":[],
"createDate":"",
"createUser":{
"id":"",
"@id":"",
"name":"",
"uuid":"",
"@type":"",
"avatar":"",
"userId":"",
"userType":"",
"createDate":"",
"createUser":"",
"modifyDate":"",
"modifyUser":""
},
"indicators":[],
"modifyDate":"",
"modifyUser":{
"id":"",
"@id":"",
"name":"",
"uuid":"",
"@type":"",
"avatar":"",
"userId":"",
"userType":"",
"createDate":"",
"createUser":"",
"modifyDate":"",
"modifyUser":""
},
"recordTags":[],
"userOwners":[],
"description":""
}
The output contains the following populated JSON schema when you choose Process Response as STIX2.0 JSON:
{
"type": "",
"id": "",
"spec_version": "",
"objects": [
{
"id": "",
"type": "",
"created": "",
"modified": "",
"created_by_ref": ""
}
]
}
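Both the Get All Indicators In Stix2 output and the STIX2.0 JSON output of Get Indicators Of Report are STIX 2.0 bundles, and the schema above only lists the envelope fields; the values a playbook actually blocks or hunts for live inside each indicator object's pattern string. The following is an added example, not connector code, that extracts those atomic observables. It assumes the bundle is a standard STIX 2.0 bundle whose indicator objects carry the pattern field the STIX specification requires; the bundle, its identifiers and the SHA-256 value are constructed.

```python
"""Turn a STIX 2.0 indicator bundle into atomic observables a playbook can act on.

Added example, not connector code. It assumes the STIX2.0 JSON returned by the
Get All Indicators In Stix2 and Get Indicators Of Report operations is a
standard STIX 2.0 bundle whose indicator objects carry the `pattern` field
that the STIX specification requires; the bundle below is constructed.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

# One equality comparison inside a pattern: <object-type>:<property> = '<value>'.
# Handles the simple patterns threat feeds usually emit (including OR-joined
# comparisons and quoted hash keys); anything more exotic is left alone.
_COMPARISON = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_.\-]+(?:'[^']+')?)\s*=\s*'((?:[^'\\]|\\.)*)'"
)

_IDENTITY = "identity--9a1d2c3b-4e5f-4a6b-8c7d-0e1f2a3b4c5d"   # constructed

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--3f0f8d5e-7a65-4b9e-9c1a-2d3b4e5f6a70",
    "spec_version": "2.0",
    "objects": [
        {"type": "identity", "id": _IDENTITY, "name": "Constructed Vendor",
         "identity_class": "organization", "created": "2023-05-01T00:00:00.000Z",
         "modified": "2023-05-01T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--1b2c3d4e-5f60-4718-9a2b-3c4d5e6f7a81",
         "created": "2023-05-02T10:00:00.000Z", "modified": "2023-05-02T10:00:00.000Z",
         "created_by_ref": _IDENTITY, "labels": ["malicious-activity"],
         "valid_from": "2023-05-02T10:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--2c3d4e5f-6071-4829-8b3c-4d5e6f7a8b92",
         "created": "2023-05-03T11:00:00.000Z", "modified": "2023-05-03T11:00:00.000Z",
         "created_by_ref": _IDENTITY, "labels": ["malicious-activity"],
         "valid_from": "2023-05-03T11:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--3d4e5f60-7182-493a-9c4d-5e6f7a8b9ca3",
         "created": "2023-05-04T12:00:00.000Z", "modified": "2023-05-04T12:00:00.000Z",
         "created_by_ref": _IDENTITY, "labels": ["malicious-activity"],
         "valid_from": "2023-05-04T12:00:00Z",
         "pattern": "[domain-name:value = 'evil.example'] AND [file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        # Revoked by the producer: must not be re-blocked even though it is still in the feed.
        {"type": "indicator", "id": "indicator--4e5f6071-8293-4a4b-8d5e-6f7a8b9cadb4",
         "created": "2023-04-01T00:00:00.000Z", "modified": "2023-05-05T00:00:00.000Z",
         "created_by_ref": _IDENTITY, "labels": ["malicious-activity"],
         "valid_from": "2023-04-01T00:00:00Z", "revoked": True,
         "pattern": "[ipv4-addr:value = '192.0.2.1']"},
    ],
})


def extract_observables(bundle_json: str) -> Dict[str, List[str]]:
    """Map each observable path (e.g. ipv4-addr:value) to its sorted, unique values.

    Non-indicator objects are ignored and revoked indicators are skipped, so a
    withdrawn IOC does not get pushed back into a block list.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("expected a STIX bundle, got %r" % bundle.get("type"))
    found = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        for obj_type, prop, value in _COMPARISON.findall(obj.get("pattern", "")):
            key = obj_type + ":" + prop.replace("'", "")   # file:hashes.'SHA-256' -> file:hashes.SHA-256
            found[key].add(value)
    return {path: sorted(values) for path, values in sorted(found.items())}


def live_indicator_count(bundle_json: str) -> int:
    """Number of non-revoked indicator objects in the bundle."""
    return sum(1 for o in json.loads(bundle_json).get("objects", [])
               if o.get("type") == "indicator" and not o.get("revoked", False))


if __name__ == "__main__":
    print(json.dumps(extract_observables(SAMPLE_BUNDLE), indent=2))
```

The resulting dictionary keys are STIX observable paths rather than the connector's IP/Domain/Hostname type names; map them in the playbook step that creates FortiSOAR™ indicators. Patterns that use operators other than equality, or that compare against a non-string literal, are deliberately left unparsed so that nothing is blocked on a misread pattern.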
The Get All Tags operation takes the following parameters:
Parameter | Description |
---|---|
Page Number | (Optional) Specify the page number from which to retrieve the records. The default value is 1. |
Page Size | (Optional) Specify the number of records that the operation should return per page. Page size must be less than 500. The default value is 100. |
Tag Type | Specify the tag type of the tags to retrieve. |
The output contains the following populated JSON schema:
{
"content": [
{
"text": "",
"special_tag_type": "",
"special_tag": {
"description": "",
"external_uuid": "",
"long_name": "",
"url": ""
}
}
],
"total": "",
"page": "",
"page_size": "",
"total_pages": ""
}
The Sample - Dragos WorldView Threat Intelligence - 1.0.0 playbook collection comes bundled with the Dragos WorldView Threat Intelligence connector. These playbooks contain steps that demonstrate every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Dragos WorldView Threat Intelligence connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.