Fortinet black logo

Endgame v1.0.0

1.0.0
Copy Link
Copy Doc ID 50719a23-1ac8-4bd2-bb7b-78a4acdc8577:1

About the connector

Endgame provides a cyber operations platform supporting the detection, exploitation, and mitigation of cyber-threats. The Endgame connector interfaces with the Endgame Endpoint Protection Platform to allow users to perform actions such as quarantining hosts.

This document provides information about the Endgame connector, which facilitates automated interactions with an Endgame server using FortiSOAR™ playbooks. Add the Endgame connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of endgame alerts, retrieving details of a specific endgame alert, and killing a specific process on specific Endgame endpoints.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-endgame

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of Endgame server to which you will connect and perform automated operations and credentials (username-password) pair to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the Endgame connector and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the Endgame server to which you will connect and perform the automated operations.
Username Username to access the Endgame server to which you will connect and perform automated operations.
Password Password to access the Endgame server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Alerts Retrieves a list of Endgame alerts. get_alerts
Containment
Get Alert Details Retrieves the details of a specific alert from Endgame based on the alert ID, you have specified. get_alert_details
Containment
Get Alert Timeline Retrieves the attack timeline of a specific alert from Endgame based on the alert ID, you have specified. get_alert_timeline
Containment
Get Endpoints Retrieves a list of Endgame endpoints. get_endpoints
Containment
Get policies Retrieves a list of Endgame policies. get_policies
Containment
Get Investigations Retrieves a list of Endgame investigations. get_investigations
Containment
Get Investigation Details Retrieves the details of a specific Endgame investigation from Endgame based on the investigation ID, you have specified. get_investigation_details
Containment
Kill Process Kills a specific process on specific endpoints on Endgame based on the process ID (PID) and hostname you have specified. kill_process
Containment
Execute File Executes a specific file on a specific endpoint on Endgame based on the file path, hostname, and arguments (optional) you have specified. execute_file
Containment
Upload File Uploads a specific file on a specific endpoint on Endgame based on the file path and hostname you have specified. upload_file
Containment
Update Investigation Updates a specific investigation on Endgame based on the investigation ID and changes in the JSON format, you have specified. update_investigation
Containment
Get Task Descriptions Retrieves a list of Endgame task descriptions get_task_descriptions
Containment
Get Users Retrieves a list of Endgame users to whom investigations can be assigned get_users
Containment
Get Devices Retrieves a list of monitored devices from Endgame on which actions can be taken. populate_devices
Containment

operation: Get Alerts

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"type": "",
"assigned_to": {
"full_name": "",
"id": ""
},
"archived": "",
"user_id": "",
"status": "",
"user_display_name": "",
"related_collections": {},
"data": {},
"endpoint": {
"updated_at": "",
"ip_address": "",
"hostname": "",
"status": "",
"mac_address": "",
"name": "",
"operating_system": "",
"id": "",
"display_operating_system": ""
},
"viewed_by": {},
"id": "",
"machine_id": "",
"family": "",
"task_id": "",
"viewed": "",
"doc_type": "",
"created_at": "",
"severity": ""
}
]
}

operation: Get Alert Details

Input parameters

Parameter Description
Alert ID ID of the alert whose details you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"type": "",
"assigned_to": {
"full_name": "",
"id": ""
},
"archived": "",
"user_id": "",
"status": "",
"user_display_name": "",
"related_collections": {},
"data": {},
"endpoint": {
"updated_at": "",
"ip_address": "",
"hostname": "",
"status": "",
"mac_address": "",
"name": "",
"operating_system": "",
"id": "",
"display_operating_system": ""
},
"viewed_by": {},
"id": "",
"machine_id": "",
"family": "",
"task_id": "",
"viewed": "",
"doc_type": "",
"created_at": "",
"severity": ""
}
]
}

operation: Get Alert Timeline

Input parameters

Parameter Description
Alert ID ID of the alert whose timeline you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"result": {
"type": "",
"alert_id": "",
"pending_event_logging_search_request": "",
"total_events_searched": "",
"status": "",
"machine_id": "",
"correlation_id": "",
"message_id": "",
"task_id": "",
"metadata": {},
"search_results": [
{}
],
"process_count": "",
"event_logging_search_request_count": "",
"results_count": "",
"endpoint": {},
"created_at": "",
"family": ""
},
"code": ""
},
"metadata": {}
}

operation: Get Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"updated_at": "",
"ip_address": "",
"error": "",
"status": "",
"status_changed_at": "",
"investigation_count": "",
"name": "",
"operating_system": "",
"tags": [
{
"name": "",
"id": ""
}
],
"domain": "",
"created_at": "",
"machine_id": "",
"display_operating_system": "",
"sensors": [
{
"sensor_type": "",
"sensor_version": "",
"id": "",
"status": ""
}
],
"core_os": "",
"hostname": "",
"mac_address": "",
"alert_count": "",
"id": ""
}
]
}

operation: Get policies

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Investigations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"user_display_name": "",
"created_by_chat": "",
"task_completion": {},
"archived": "",
"created_by": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"name": "",
"id": "",
"updated_at": "",
"created_by_user_display_name": "",
"core_os": "",
"hunt_count": "",
"assigned_to": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"created_at": ""
}
]
}

operation: Get Investigation Details

Input parameters

Parameter Description
Investigation ID ID of the investigation whose details you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"created_by_chat": "",
"assigned_to": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"task_completion": {},
"sensors": [
""
],
"user_id": "",
"created_by": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"name": "",
"id": "",
"task_completions_by_type": {},
"updated_at": "",
"created_at": "",
"task_types": [
""
],
"endpoints": [
""
],
"core_os": "",
"created_by_user_id": "",
"hunt_count": "",
"created_by_user_display_name": "",
"tasks": [
""
]
}
}

operation: Kill Process

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to kill the specified process.
Process ID ID of the process that you want to kill on Endgame.

Output

The output contains a non-dictionary value.

operation: Execute File

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to execute the file.
File Path File path of the process that you want to execute on Endgame.
Arguments (Optional) Arguments that you want to send with the execute command. You can specify the arguments in the list format, or as a newline-delimited string.

Output

The output contains a non-dictionary value.

operation: Upload File

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to upload the file.
File Path File path of the file that you want to upload on Endgame.
File Data Contents of the file that you want to upload on Endgame.

Output

The output contains a non-dictionary value.

operation: Update Investigation

Input parameters

Parameter Description
Investigation ID ID of the investigation that you want to update on Endgame.
Changes Changes, in the JSON format, that you want to update in the investigation on Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"status": ""
}
}

operation: Get Task Descriptions

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"display_name": "",
"updated_at": "",
"semantic_version": "",
"sensor_type": "",
"name": "",
"plugin": "",
"task_version": "",
"created_at": "",
"json_description": {}
}
]
}

operation: Get Users

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitored": [],
"unmonitored": []
}

Included playbooks

The Sample - Endgame - 1.0.0 playbook collection comes bundled with the Endgame connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Endgame connector.

  • Execute File
  • Get Alerts
  • Get Alert Details
  • Get Alert Timeline
  • Get Endpoints
  • Get Devices
  • Get Investigation Details
  • Get Investigations
  • Get Policies
  • Get Task Descriptions
  • Get Users
  • Kill Process
  • Upload File
  • Update Investigation

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next

About the connector

Endgame provides a cyber operations platform supporting the detection, exploitation, and mitigation of cyber-threats. The Endgame connector interfaces with the Endgame Endpoint Protection Platform to allow users to perform actions such as quarantining hosts.

This document provides information about the Endgame connector, which facilitates automated interactions with an Endgame server using FortiSOAR™ playbooks. Add the Endgame connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of endgame alerts, retrieving details of a specific endgame alert, and killing a specific process on specific Endgame endpoints.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-endgame

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the Endgame connector and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the Endgame server to which you will connect and perform the automated operations.
Username Username to access the Endgame server to which you will connect and perform automated operations.
Password Password to access the Endgame server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get Alerts Retrieves a list of Endgame alerts. get_alerts
Containment
Get Alert Details Retrieves the details of a specific alert from Endgame based on the alert ID, you have specified. get_alert_details
Containment
Get Alert Timeline Retrieves the attack timeline of a specific alert from Endgame based on the alert ID, you have specified. get_alert_timeline
Containment
Get Endpoints Retrieves a list of Endgame endpoints. get_endpoints
Containment
Get policies Retrieves a list of Endgame policies. get_policies
Containment
Get Investigations Retrieves a list of Endgame investigations. get_investigations
Containment
Get Investigation Details Retrieves the details of a specific Endgame investigation from Endgame based on the investigation ID, you have specified. get_investigation_details
Containment
Kill Process Kills a specific process on specific endpoints on Endgame based on the process ID (PID) and hostname you have specified. kill_process
Containment
Execute File Executes a specific file on a specific endpoint on Endgame based on the file path, hostname, and arguments (optional) you have specified. execute_file
Containment
Upload File Uploads a specific file on a specific endpoint on Endgame based on the file path and hostname you have specified. upload_file
Containment
Update Investigation Updates a specific investigation on Endgame based on the investigation ID and changes in the JSON format, you have specified. update_investigation
Containment
Get Task Descriptions Retrieves a list of Endgame task descriptions get_task_descriptions
Containment
Get Users Retrieves a list of Endgame users to whom investigations can be assigned get_users
Containment
Get Devices Retrieves a list of monitored devices from Endgame on which actions can be taken. populate_devices
Containment

operation: Get Alerts

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"type": "",
"assigned_to": {
"full_name": "",
"id": ""
},
"archived": "",
"user_id": "",
"status": "",
"user_display_name": "",
"related_collections": {},
"data": {},
"endpoint": {
"updated_at": "",
"ip_address": "",
"hostname": "",
"status": "",
"mac_address": "",
"name": "",
"operating_system": "",
"id": "",
"display_operating_system": ""
},
"viewed_by": {},
"id": "",
"machine_id": "",
"family": "",
"task_id": "",
"viewed": "",
"doc_type": "",
"created_at": "",
"severity": ""
}
]
}

operation: Get Alert Details

Input parameters

Parameter Description
Alert ID ID of the alert whose details you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"type": "",
"assigned_to": {
"full_name": "",
"id": ""
},
"archived": "",
"user_id": "",
"status": "",
"user_display_name": "",
"related_collections": {},
"data": {},
"endpoint": {
"updated_at": "",
"ip_address": "",
"hostname": "",
"status": "",
"mac_address": "",
"name": "",
"operating_system": "",
"id": "",
"display_operating_system": ""
},
"viewed_by": {},
"id": "",
"machine_id": "",
"family": "",
"task_id": "",
"viewed": "",
"doc_type": "",
"created_at": "",
"severity": ""
}
]
}

operation: Get Alert Timeline

Input parameters

Parameter Description
Alert ID ID of the alert whose timeline you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"result": {
"type": "",
"alert_id": "",
"pending_event_logging_search_request": "",
"total_events_searched": "",
"status": "",
"machine_id": "",
"correlation_id": "",
"message_id": "",
"task_id": "",
"metadata": {},
"search_results": [
{}
],
"process_count": "",
"event_logging_search_request_count": "",
"results_count": "",
"endpoint": {},
"created_at": "",
"family": ""
},
"code": ""
},
"metadata": {}
}

operation: Get Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"updated_at": "",
"ip_address": "",
"error": "",
"status": "",
"status_changed_at": "",
"investigation_count": "",
"name": "",
"operating_system": "",
"tags": [
{
"name": "",
"id": ""
}
],
"domain": "",
"created_at": "",
"machine_id": "",
"display_operating_system": "",
"sensors": [
{
"sensor_type": "",
"sensor_version": "",
"id": "",
"status": ""
}
],
"core_os": "",
"hostname": "",
"mac_address": "",
"alert_count": "",
"id": ""
}
]
}

operation: Get policies

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Investigations

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"user_display_name": "",
"created_by_chat": "",
"task_completion": {},
"archived": "",
"created_by": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"name": "",
"id": "",
"updated_at": "",
"created_by_user_display_name": "",
"core_os": "",
"hunt_count": "",
"assigned_to": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"created_at": ""
}
]
}

operation: Get Investigation Details

Input parameters

Parameter Description
Investigation ID ID of the investigation whose details you want to retrieve from Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"created_by_chat": "",
"assigned_to": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"task_completion": {},
"sensors": [
""
],
"user_id": "",
"created_by": {
"is_superuser": "",
"username": "",
"first_name": "",
"is_active": "",
"role": {
"permissions": {},
"role": "",
"id": ""
},
"last_name": "",
"is_removable": "",
"id": ""
},
"name": "",
"id": "",
"task_completions_by_type": {},
"updated_at": "",
"created_at": "",
"task_types": [
""
],
"endpoints": [
""
],
"core_os": "",
"created_by_user_id": "",
"hunt_count": "",
"created_by_user_display_name": "",
"tasks": [
""
]
}
}

operation: Kill Process

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to kill the specified process.
Process ID ID of the process that you want to kill on Endgame.

Output

The output contains a non-dictionary value.

operation: Execute File

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to execute the file.
File Path File path of the process that you want to execute on Endgame.
Arguments (Optional) Arguments that you want to send with the execute command. You can specify the arguments in the list format, or as a newline-delimited string.

Output

The output contains a non-dictionary value.

operation: Upload File

Input parameters

Parameter Description
Endpoint Hostname Hostname of the endpoint on which you want to upload the file.
File Path File path of the file that you want to upload on Endgame.
File Data Contents of the file that you want to upload on Endgame.

Output

The output contains a non-dictionary value.

operation: Update Investigation

Input parameters

Parameter Description
Investigation ID ID of the investigation that you want to update on Endgame.
Changes Changes, in the JSON format, that you want to update in the investigation on Endgame.

Output

The output contains the following populated JSON schema:
{
"data": {
"status": ""
}
}

operation: Get Task Descriptions

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"display_name": "",
"updated_at": "",
"semantic_version": "",
"sensor_type": "",
"name": "",
"plugin": "",
"task_version": "",
"created_at": "",
"json_description": {}
}
]
}

operation: Get Users

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Devices

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"monitored": [],
"unmonitored": []
}

Included playbooks

The Sample - Endgame - 1.0.0 playbook collection comes bundled with the Endgame connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Endgame connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next