Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Fortinet FortiGuard Threat Intelligence

    Home FortiSOAR Connectors Fortinet FortiGuard Threat Intelligence
    1.0.0
    3.2.0
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.0.0
    1.0.0

    Fortinet FortiGuard Threat Intelligence v1.0.0

    About the connector

    FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. It provides threat intelligence to protect them from malicious cyberattacks.

    This document provides information about the FortiGuard Threat Intelligence connector, which facilitates automated interactions with FortiGuard Threat Intelligence using FortiSOAR™ playbooks. Add the FortiGuard Threat Intelligence connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about a threat and static list of threat types and names, etc. from FortiGuard Threat Intelligence.

    Version information

    Connector Version: 1.0.0

    FortiSOAR™ Version Tested on: 6.4.4-3164

    Authored By: Fortinet

    Certified: Yes

    Installing the connector

    From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:

    yum install cyops-connector-fortinet-fortiguard-threat-intelligence

    Prerequisites to configuring the connector

    • You must have the URL of the Fortinet FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.
    • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiGuard Threat Intelligence server.

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server Name URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

    Function Description Annotation and Category
    Threat Intel Search Retrieves information about a threat from Fortiguard Threat Intelligence based on the indicator you have specified. threat_intel_search
    Investigation
    Get Threat Categories Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. get_threat_categories
    Investigation
    Get Encyclopedia Lookup Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. get_encyclopedia_lookup
    Investigation

    operation: Threat Intel Search

    Input parameters

    Parameter Description
    Indicator Indicator of the threat whose information you want to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:
    {
    "reference_url": "",
    "ioc_cate": "",
    "confidence": "",
    "wf_cate": "",
    "spam_cates": [],
    "ioc_tags": [],
    "av_cate": ""
    }

    operation: Get Threat Categories

    Input parameters

    Parameter Description
    Title Title of the threat whose associated threat types and names you want to retrieve from FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:
    {
    "ctype": "",
    "title": "",
    "description": ""
    }

    operation: Get Encyclopedia Lookup

    Input parameters

    Parameter Description
    Source Source of the lookup, for example, viruses, botnet, etc., whose information you want to retrieve from FortiGuard Threat Intelligence server.
    ID ID of the encyclopedia lookup whose information you want to retrieve from the FortiGuard Threat Intelligence server.

    Output

    If you have selected the 'Source' is 'Viruses', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Intrusion Prevention', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "isActive": "",
    "Risk": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "os_list": [],
    "app_list": [],
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Released": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Botnet', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "Platform": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Endpoint Vulnerabilities', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Risk": "",
    "Summary": "",
    "Analysis": "",
    "Products": [],
    "SecurityRefs": [
    {
    "reftype": "",
    "refid": "",
    "url": ""
    }
    ],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Mobile', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Application', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Category": "",
    "Risk": "",
    "RiskID": "",
    "Popularity": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "AppPort": "",
    "References": [],
    "DeepAppCtrl": "",
    "Vendor": "",
    "Deprecated": "",
    "Language": "",
    "Technology": [],
    "os_list": [],
    "app_list": [],
    "Released": "",
    "Created": "",
    "Updated": "",
    "RequireApp": []
    }

    If you have selected the 'Source' is 'Internet Services', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Analysis": ""
    }

    Included playbooks

    The Sample - Fortinet FortiGuard Threat Intelligence - 1.0.0 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

    • Get Encyclopedia Lookup
    • Get Threat Categories
    • Threat Intel Search

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next

    Fortinet FortiGuard Threat Intelligence v1.0.0

    About the connector

    FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. It provides threat intelligence to protect them from malicious cyberattacks.

    This document provides information about the FortiGuard Threat Intelligence connector, which facilitates automated interactions with FortiGuard Threat Intelligence using FortiSOAR™ playbooks. Add the FortiGuard Threat Intelligence connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about a threat and static list of threat types and names, etc. from FortiGuard Threat Intelligence.

    Version information

    Connector Version: 1.0.0

    FortiSOAR™ Version Tested on: 6.4.4-3164

    Authored By: Fortinet

    Certified: Yes

    Installing the connector

    From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
    You can also use the following yum command as a root user to install connectors from an SSH session:

    yum install cyops-connector-fortinet-fortiguard-threat-intelligence

    Prerequisites to configuring the connector

    Configuring the connector

    For the procedure to configure a connector, click here.

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server Name URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.
    Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

    Function Description Annotation and Category
    Threat Intel Search Retrieves information about a threat from Fortiguard Threat Intelligence based on the indicator you have specified. threat_intel_search
    Investigation
    Get Threat Categories Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. get_threat_categories
    Investigation
    Get Encyclopedia Lookup Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. get_encyclopedia_lookup
    Investigation

    operation: Threat Intel Search

    Input parameters

    Parameter Description
    Indicator Indicator of the threat whose information you want to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:
    {
    "reference_url": "",
    "ioc_cate": "",
    "confidence": "",
    "wf_cate": "",
    "spam_cates": [],
    "ioc_tags": [],
    "av_cate": ""
    }

    operation: Get Threat Categories

    Input parameters

    Parameter Description
    Title Title of the threat whose associated threat types and names you want to retrieve from FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:
    {
    "ctype": "",
    "title": "",
    "description": ""
    }

    operation: Get Encyclopedia Lookup

    Input parameters

    Parameter Description
    Source Source of the lookup, for example, viruses, botnet, etc., whose information you want to retrieve from FortiGuard Threat Intelligence server.
    ID ID of the encyclopedia lookup whose information you want to retrieve from the FortiGuard Threat Intelligence server.

    Output

    If you have selected the 'Source' is 'Viruses', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Intrusion Prevention', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "isActive": "",
    "Risk": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "os_list": [],
    "app_list": [],
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Released": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Botnet', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "Platform": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Endpoint Vulnerabilities', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Risk": "",
    "Summary": "",
    "Analysis": "",
    "Products": [],
    "SecurityRefs": [
    {
    "reftype": "",
    "refid": "",
    "url": ""
    }
    ],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Mobile', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
    {
    "product": "",
    "sigdb": "",
    "status": ""
    }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
    }

    If you have selected the 'Source' is 'Application', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Category": "",
    "Risk": "",
    "RiskID": "",
    "Popularity": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "AppPort": "",
    "References": [],
    "DeepAppCtrl": "",
    "Vendor": "",
    "Deprecated": "",
    "Language": "",
    "Technology": [],
    "os_list": [],
    "app_list": [],
    "Released": "",
    "Created": "",
    "Updated": "",
    "RequireApp": []
    }

    If you have selected the 'Source' is 'Internet Services', then the output contains the following populated JSON schema:
    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Analysis": ""
    }

    Included playbooks

    The Sample - Fortinet FortiGuard Threat Intelligence - 1.0.0 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Previous
    Next