Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. It is used as the data collection engine behind the SANS Internet Storm Center (ISC).

This document provides information about the DShield connector, which facilitates automated interactions, with a DShield server using FortiSOAR™ playbooks. Add the DShield connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving IP address details and open threat feeds from the DShield server.

 

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

DShield Version Tested on: 1.3

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the DShield server to which you will connect and perform the automated operations.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the DShield connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL URL of the DShield server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function Description Annotation and Category
Lookup IP Retrieves the details of the IP address that you specify from the DShield server. lookup_ip
Investigation
Get Threat Feeds Retrieves open threat feeds from the DShield server. get_threat_feeds
Investigation

 

operation: Lookup IP

Input parameters

 

Parameter Description
IP Address IPv4 or IPv6 address for which you want to retrieve details from the DShield server.

 

Output

The JSON output contains details of the IP address that you have specified retrieved from the DShield server.

Following image displays a sample output:

 

Sample output of the Lookup IP operation

 

operation: Get Threat Feeds

Input parameters

None.

Output

The JSON output contains details of the open threat feeds retrieved from the DShield server.

Following image displays a sample output:
 

Sample output of the Get Threat Feeds operation
 

Included playbooks

The Sample - DShield - 1.0.0 playbook collection comes bundled with the DShield connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DShield connector.

  • Get Threat Feeds
  • Lookup IP

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

 

About the connector

DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. It is used as the data collection engine behind the SANS Internet Storm Center (ISC).

This document provides information about the DShield connector, which facilitates automated interactions, with a DShield server using FortiSOAR™ playbooks. Add the DShield connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving IP address details and open threat feeds from the DShield server.

 

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

DShield Version Tested on: 1.3

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the DShield connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL URL of the DShield server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function Description Annotation and Category
Lookup IP Retrieves the details of the IP address that you specify from the DShield server. lookup_ip
Investigation
Get Threat Feeds Retrieves open threat feeds from the DShield server. get_threat_feeds
Investigation

 

operation: Lookup IP

Input parameters

 

Parameter Description
IP Address IPv4 or IPv6 address for which you want to retrieve details from the DShield server.

 

Output

The JSON output contains details of the IP address that you have specified retrieved from the DShield server.

Following image displays a sample output:

 

Sample output of the Lookup IP operation

 

operation: Get Threat Feeds

Input parameters

None.

Output

The JSON output contains details of the open threat feeds retrieved from the DShield server.

Following image displays a sample output:
 

Sample output of the Get Threat Feeds operation
 

Included playbooks

The Sample - DShield - 1.0.0 playbook collection comes bundled with the DShield connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DShield connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.