About the connector
FortiGuard Labs is the threat intelligence and research organization at Fortinet. FortiGuard's certified and proven security protection provides comprehensive security services, updates, and protection for the full range of Fortinet's Security Fabric solutions.
This document provides information about the Fortinet FortiGuard Labs connector, which facilitates automated interactions with Fortinet FortiGuard Labs using FortiSOAR™ playbooks. Add the Fortinet FortiGuard Labs connector as a step in FortiSOAR™ playbooks and perform automated operations, such as reviewing the domain that you have specified, or checking threats from the threat lookup in FortiGuard Labs.
Version information
Connector Version: 1.0.0
Authored By: Community
Certified: No
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-fortinet-fortiguard-labs
Prerequisites to configuring the connector
- You must have the URL of the Fortinet Web Filter Lookup to which you will connect and check the categorization for domain.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Labs connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Fortinet Web Filter Lookup to which you will connect and check the categorization for domain. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| WebFilter URL Lookup |
Reviews the domain that you have specified by Fortinet Web Filter Lookup. |
web_filter_lookup
Investigation |
| AntiSpam Lookup |
Retrieves information for an IP Address record from the antispam lookup in based on the IP address you have specified. |
antispam_lookup
Investigation |
| CVE Lookup |
Retrieves information for a CVE record from the CVE lookup in FortiGuard Labs based on the CVE you have specified. |
cve_lookup
Investigation |
| Threat Lookup by Type |
Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat type that you have specified. |
threat_lookup_by_type
Investigation |
| Threat Lookup by ID |
Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat name and threat ID you have specified. |
threat_lookup_by_id
Investigation |
| Zero-Day Lookup |
Retrieves information for a zero-day record from the Zero-Day lookup in FortiGuard Labs based on the filter parameters that you have specified. |
zero_day_lookup
Investigation |
| PSIRT Lookup |
Retrieves information for a PSIRT lookup from FortiGuard Labs based on the filter parameter that you have specified |
psirt_lookup
Investigation |
operation: WebFilter URL Lookup
Input parameters
| Parameter |
Description |
| Submit Domain/URL |
Valid domain or URL that you want to get reviewed by Fortinet Web Filter Lookup. |
Output
The output contains the following populated JSON schema:
{
"url": "",
"category": "",
"info": ""
}
operation: AntiSpam Lookup
Input parameters
| Parameter |
Description |
| IP Address |
IP address whose records you want to retrieve from the antispam lookup in FortiGuard Labs. |
| Page |
(Optional)Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Output
The output contains the following populated JSON schema:
{
"Title": "",
"Content": "",
"CVE": ""
}
operation: CVE Lookup
Input parameters
| Parameter |
Description |
| CVE |
CVE whose records you want to retrieve from the CVE lookup in FortiGuard Labs. |
| Page |
(Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Output
The output contains the following populated JSON schema:
{
"Title": "",
"Content": "",
"CVE": ""
}
operation: Threat Lookup by Type
Input parameters
| Parameter |
Description |
| Threat Type |
Select the threat type based on which you want to retrieve records from the threat lookup in FortiGuard Labs.
You can select from the following options: Viruses, Botnet C&C, Intrusion Prevention, Endpoint Vulnerabiliities, Mobile, or Internet Services. |
| Date |
Date on which the threat lookup was published based on which you want to retrieve threat lookup records from FortiGuard Labs. |
| Page |
(Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Output
The output contains the following populated JSON schema:
{
"ID": "",
"Title": "",
"Description": ""
}
operation: Threat Lookup by ID
Input parameters
| Parameter |
Description |
| Threat Name |
Name of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs. |
| ID |
ID of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs. |
Output
The output contains the following populated JSON schema:
{
"ID": "",
"Title": "",
"Description": "",
"Detection Availability": {
"FortiGate": {
"Active": "",
"Extended": "",
"Extreme": "",
"Mobile": ""
},
"FortiClient": {
"Active/Extended": "",
"Extreme": ""
},
"FortiSandox": "",
"FortiMail": "",
"FortiAP-S": ""
}
}
operation: Zero-Day Lookup
Input parameters
| Parameter |
Description |
| Risk Levels |
Specify the level of risks whose zero-Day lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info. |
| Date |
(Optional) Date when the Zero-Day lookup records were published based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs. |
| Page |
(Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| vendor |
(Optional) Name of the vendor based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs. |
Output
The output contains the following populated JSON schema:
{
"Zero-Day ID": "",
"Title": "",
"Description": "",
"Vendor": ""
}
operation: PSIRT Lookup
Input parameters
| Parameter |
Description |
| Risk Level |
Specify the level of risks whose PSIRT lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info. |
| Date |
(Optional) Date when the PSIRT lookup records were published based on which you want to retrieve PSIRT lookup records from FortiGuard Labs. |
| Page |
(Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Output
The output contains the following populated JSON schema:
{
"PSIRT ID": "",
"Title": "",
"Description": ""
}
Included playbooks
The Sample - Fortinet FortiGuard Labs - 1.0.0 playbook collection comes bundled with the Fortinet FortiGuard Labs connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Labs connector.
- AntiSpam Lookup
- CVE Lookup
- PSIRT Lookup
- Threat Lookup by ID
- Threat Lookup by Type
- WebFilter URL Lookup
- Zero-Day Lookup
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
