Fortinet Document Library

Version:


Table of Contents

Fortinet FortiGuard Labs

1.0.0
Copy Link

About the connector

FortiGuard Labs is the threat intelligence and research organization at Fortinet. FortiGuard's certified and proven security protection provides comprehensive security services, updates, and protection for the full range of Fortinet's Security Fabric solutions.

This document provides information about the Fortinet FortiGuard Labs connector, which facilitates automated interactions with Fortinet FortiGuard Labs using FortiSOAR™ playbooks. Add the Fortinet FortiGuard Labs connector as a step in FortiSOAR™ playbooks and perform automated operations, such as reviewing the domain that you have specified, or checking threats from the threat lookup in FortiGuard Labs.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortiguard-labs

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet Web Filter Lookup to which you will connect and check the categorization for domain.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Labs connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Fortinet Web Filter Lookup to which you will connect and check the categorization for domain.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
WebFilter URL Lookup Reviews the domain that you have specified by Fortinet Web Filter Lookup. web_filter_lookup
Investigation
AntiSpam Lookup Retrieves information for an IP Address record from the antispam lookup in based on the IP address you have specified. antispam_lookup
Investigation
CVE Lookup Retrieves information for a CVE record from the CVE lookup in FortiGuard Labs based on the CVE you have specified. cve_lookup
Investigation
Threat Lookup by Type Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat type that you have specified. threat_lookup_by_type
Investigation
Threat Lookup by ID Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat name and threat ID you have specified. threat_lookup_by_id
Investigation
Zero-Day Lookup Retrieves information for a zero-day record from the Zero-Day lookup in FortiGuard Labs based on the filter parameters that you have specified. zero_day_lookup
Investigation
PSIRT Lookup Retrieves information for a PSIRT lookup from FortiGuard Labs based on the filter parameter that you have specified psirt_lookup
Investigation

operation: WebFilter URL Lookup

Input parameters

Parameter Description
Submit Domain/URL Valid domain or URL that you want to get reviewed by Fortinet Web Filter Lookup.

Output

The output contains the following populated JSON schema:
{
     "url": "",
     "category": "",
     "info": ""
}

operation: AntiSpam Lookup

Input parameters

Parameter Description
IP Address IP address whose records you want to retrieve from the antispam lookup in FortiGuard Labs.
Page (Optional)Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "Title": "",
     "Content": "",
     "CVE": ""
}

operation: CVE Lookup

Input parameters

Parameter Description
CVE CVE whose records you want to retrieve from the CVE lookup in FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "Title": "",
     "Content": "",
     "CVE": ""
}

operation: Threat Lookup by Type

Input parameters

Parameter Description
Threat Type Select the threat type based on which you want to retrieve records from the threat lookup in FortiGuard Labs.
You can select from the following options: Viruses, Botnet C&C, Intrusion Prevention, Endpoint Vulnerabiliities, Mobile, or Internet Services.
Date Date on which the threat lookup was published based on which you want to retrieve threat lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "ID": "",
     "Title": "",
     "Description": ""
}

operation: Threat Lookup by ID

Input parameters

Parameter Description
Threat Name Name of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs.
ID ID of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs.

Output

The output contains the following populated JSON schema:
{
     "ID": "",
     "Title": "",
     "Description": "",
     "Detection Availability": {
         "FortiGate": {
             "Active": "",
             "Extended": "",
             "Extreme": "",
             "Mobile": ""
         },
         "FortiClient": {
             "Active/Extended": "",
             "Extreme": ""
         },
         "FortiSandox": "",
         "FortiMail": "",
         "FortiAP-S": ""
     }
}

operation: Zero-Day Lookup

Input parameters

Parameter Description
Risk Levels Specify the level of risks whose zero-Day lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info.
Date (Optional) Date when the Zero-Day lookup records were published based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
vendor (Optional) Name of the vendor based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs.

Output

The output contains the following populated JSON schema:
{
     "Zero-Day ID": "",
     "Title": "",
     "Description": "",
     "Vendor": ""
}

operation: PSIRT Lookup

Input parameters

Parameter Description
Risk Level Specify the level of risks whose PSIRT lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info.
Date (Optional) Date when the PSIRT lookup records were published based on which you want to retrieve PSIRT lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "PSIRT ID": "",
     "Title": "",
     "Description": ""
}

Included playbooks

The Sample - Fortinet FortiGuard Labs - 1.0.0 playbook collection comes bundled with the Fortinet FortiGuard Labs connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Labs connector.

  • AntiSpam Lookup
  • CVE Lookup
  • PSIRT Lookup
  • Threat Lookup by ID
  • Threat Lookup by Type
  • WebFilter URL Lookup
  • Zero-Day Lookup

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

FortiGuard Labs is the threat intelligence and research organization at Fortinet. FortiGuard's certified and proven security protection provides comprehensive security services, updates, and protection for the full range of Fortinet's Security Fabric solutions.

This document provides information about the Fortinet FortiGuard Labs connector, which facilitates automated interactions with Fortinet FortiGuard Labs using FortiSOAR™ playbooks. Add the Fortinet FortiGuard Labs connector as a step in FortiSOAR™ playbooks and perform automated operations, such as reviewing the domain that you have specified, or checking threats from the threat lookup in FortiGuard Labs.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortinet-fortiguard-labs

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Labs connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Fortinet Web Filter Lookup to which you will connect and check the categorization for domain.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
WebFilter URL Lookup Reviews the domain that you have specified by Fortinet Web Filter Lookup. web_filter_lookup
Investigation
AntiSpam Lookup Retrieves information for an IP Address record from the antispam lookup in based on the IP address you have specified. antispam_lookup
Investigation
CVE Lookup Retrieves information for a CVE record from the CVE lookup in FortiGuard Labs based on the CVE you have specified. cve_lookup
Investigation
Threat Lookup by Type Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat type that you have specified. threat_lookup_by_type
Investigation
Threat Lookup by ID Retrieves information for a threat record from the threat lookup in FortiGuard Labs based on the threat name and threat ID you have specified. threat_lookup_by_id
Investigation
Zero-Day Lookup Retrieves information for a zero-day record from the Zero-Day lookup in FortiGuard Labs based on the filter parameters that you have specified. zero_day_lookup
Investigation
PSIRT Lookup Retrieves information for a PSIRT lookup from FortiGuard Labs based on the filter parameter that you have specified psirt_lookup
Investigation

operation: WebFilter URL Lookup

Input parameters

Parameter Description
Submit Domain/URL Valid domain or URL that you want to get reviewed by Fortinet Web Filter Lookup.

Output

The output contains the following populated JSON schema:
{
     "url": "",
     "category": "",
     "info": ""
}

operation: AntiSpam Lookup

Input parameters

Parameter Description
IP Address IP address whose records you want to retrieve from the antispam lookup in FortiGuard Labs.
Page (Optional)Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "Title": "",
     "Content": "",
     "CVE": ""
}

operation: CVE Lookup

Input parameters

Parameter Description
CVE CVE whose records you want to retrieve from the CVE lookup in FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "Title": "",
     "Content": "",
     "CVE": ""
}

operation: Threat Lookup by Type

Input parameters

Parameter Description
Threat Type Select the threat type based on which you want to retrieve records from the threat lookup in FortiGuard Labs.
You can select from the following options: Viruses, Botnet C&C, Intrusion Prevention, Endpoint Vulnerabiliities, Mobile, or Internet Services.
Date Date on which the threat lookup was published based on which you want to retrieve threat lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "ID": "",
     "Title": "",
     "Description": ""
}

operation: Threat Lookup by ID

Input parameters

Parameter Description
Threat Name Name of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs.
ID ID of the threat whose details you want to retrieve from the threats lookup in FortiGuard Labs.

Output

The output contains the following populated JSON schema:
{
     "ID": "",
     "Title": "",
     "Description": "",
     "Detection Availability": {
         "FortiGate": {
             "Active": "",
             "Extended": "",
             "Extreme": "",
             "Mobile": ""
         },
         "FortiClient": {
             "Active/Extended": "",
             "Extreme": ""
         },
         "FortiSandox": "",
         "FortiMail": "",
         "FortiAP-S": ""
     }
}

operation: Zero-Day Lookup

Input parameters

Parameter Description
Risk Levels Specify the level of risks whose zero-Day lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info.
Date (Optional) Date when the Zero-Day lookup records were published based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
vendor (Optional) Name of the vendor based on which you want to retrieve Zero-Day lookup records from FortiGuard Labs.

Output

The output contains the following populated JSON schema:
{
     "Zero-Day ID": "",
     "Title": "",
     "Description": "",
     "Vendor": ""
}

operation: PSIRT Lookup

Input parameters

Parameter Description
Risk Level Specify the level of risks whose PSIRT lookup records you want to retrieve from FortiGuard Labs. You can choose between the following risk levels: Critical, High, Medium, Low or Info.
Date (Optional) Date when the PSIRT lookup records were published based on which you want to retrieve PSIRT lookup records from FortiGuard Labs.
Page (Optional) Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.

Output

The output contains the following populated JSON schema:
{
     "PSIRT ID": "",
     "Title": "",
     "Description": ""
}

Included playbooks

The Sample - Fortinet FortiGuard Labs - 1.0.0 playbook collection comes bundled with the Fortinet FortiGuard Labs connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Labs connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.