FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.3.0-2034 and later
Fortinet FortiRecon Brand Protection Version Tested on: v22.4.a
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum
command as a root
user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-brand-protection
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Server name or IP address to which you connect and perform the automated operations |
API Key | API key to access the endpoint server to which you connect and perform the automated operations |
Organization ID | The organization ID on which FortiRecon operations are to be performed. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Search Alerts | Retrieves a list of alerts(reports) published by FortiRecon based on the filter criteria like tags, adversary, relevance, and any other details you have specified. | search_alerts Investigation |
Get Alert Details By Alert ID | Retrieves details of an alert based on the alert ID you have specified. | get_alert_details_by_id Investigation |
Get Phishing Campaigns | Retrieves a list of phishing campaigns discovered by FortiRecon's Watermarks for the given organization. | get_phishing_campaigns Investigation |
Get Phishing Campaigns By ID | Retrieves details of a phishing attempt discovered by FortiRecon based on the ID you have specified. | get_phishing_campaigns_by_id Investigation |
Get Rogue Apps | Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. | get_rogue_apps Investigation |
Get Rogue App By ID | Retrieves details of a rogue app based on the Rogue App ID that you have specified. | get_rogue_app_by_id Investigation |
Get Takedown Requests | Retrieves a list of takedown requests for rogue apps and typo domains for the given organization. | get_takedown_requests Investigation |
Get Typo Domains | Retrieves a list of typo domains discovered by FortiRecon for the given organization; also called Typosquatting, URL hijacking, sting site, or a fake URL is a form of cybersquatting where malicious actors register and use an internet domain similar to an organization's trademarks, service marks, company names, or personal names. | get_typo_domains Investigation |
Get Typo Domain By ID | Retrieves details of a typo domain based on the typo domain ID you have specified. | get_typo_domain_by_id Investigation |
Parameter | Description |
---|---|
Relevance Rating | (Optional) Specify a relevance rating to filter the alerts. Separate multiple relevance ratings using a comma. For example, Medium, High, Low . |
Tags | (Optional) Specify a tag to filter the alerts. Separate multiple relevance ratings using a comma. For example, phishing, malware, exploited |
Adversary | (Optional) Specify an adversary(actor names, APT groups) to filter the alerts. Separate multiple adversaries using a comma. For example, apt35, foo, bar |
Source Category | (Optional) Select a source category from the following options to filter the alerts:
|
Report Type | (Optional) Select a report from the following options type to filter the alerts:
|
Industry | (Optional) Specify an industry to filter the alerts. Separate multiple industries using a comma. For example, manufacturing, government, and hospitality . |
Geography | (Optional) Specify a geography to filter the alerts. Separate multiple geographies using a comma. For example, South America, Western Europe, East Asia, and Africa. |
Keyword | (Optional) Specify a keyword to filter the alerts. Separate multiple geographies using a comma. Some example keywords are Report ID, Report Title, Report Summary, Report Content, Source Category. Actors, Motivation, Threats, and Industry Tags. |
Source Reliability | (Optional) Select a source reliability from the following options to filter the alerts:
|
Information Reliability | (Optional) Select an information reliability from the following options to filter the alerts:
|
Start Date | (Optional) Specify the start date of the range from when you want to retrieve the report. |
End Date | (Optional) Specify the end date of the range from when you want to retrieve the report. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Alert ID | Specify the alert ID of the alert to get its details. |
The output contains the following populated JSON schema:
{
"adversary": [],
"customer_tag": "",
"geography": [],
"industry_tags": [],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}
Parameter | Description |
---|---|
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Phishing Campaign ID | Specify the ID of the phishing attempt to get its details. |
The output contains the following populated JSON schema:
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the rogue app's status type from the following options to filter the results:
|
Keyword | (Optional) Specify the keywords to filter the results. For example: Source Name, Developer Name, App Name |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Rogue App ID | Specify an ID of the rogue app to get its details. |
The output contains the following populated JSON schema:
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the take-down request status from the following options to filter the results:
|
Category | (Optional) Select the take-down request category from the following options to filter the results:
|
Keyword | (Optional) Specify the keywords to filter the results. For example: ticketId , entity (It may be a domain name, the title of a report, Phished Domain, etc) |
Start Date | (Optional) Specify the start date of the range when the takedown was requested; default is last 6 months. |
End Date | (Optional) Specify the end date of the range when the takedown was requested; default is today's date. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"category": "",
"comment": "",
"comment_at": "",
"comment_by": "",
"created_at": "",
"entity": "",
"is_client": "",
"org_name": "",
"progress": "",
"requested_at": "",
"requested_by_user": "",
"requested_by_volon": "",
"sla": "",
"status": "",
"takedown_request_id": "",
"ticket_id": "",
"ttr": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the domain status from the following options to filter the results:
|
Original Domain | (Optional) Specify the original domain name to filter the results. Multiple domains should be comma separated. For example, example.com, test.com |
Keyword | (Optional) Specify keywords to filter the results. For example, example |
Severity | (Optional) Specify the severity of the request to filter the results. Severity can range from 0 to 100 . For example: 50to80 , 0to80S . |
Start Date | (Optional) Specify the start date of the date range to filter the results based on the date found in the whois record for that domain. Default is last 6 months. |
End Date | (Optional) Specify the end date of the date range to filter the results based on the date found in the whois record for that domain. Default is the current date. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Typo Domain ID | Specify the ID of the typo domain to get its details. |
The output contains the following populated JSON schema:
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}
The Sample - Fortinet FortiRecon Brand Protection - 1.0.0
playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.3.0-2034 and later
Fortinet FortiRecon Brand Protection Version Tested on: v22.4.a
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum
command as a root
user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-brand-protection
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Server name or IP address to which you connect and perform the automated operations |
API Key | API key to access the endpoint server to which you connect and perform the automated operations |
Organization ID | The organization ID on which FortiRecon operations are to be performed. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Search Alerts | Retrieves a list of alerts(reports) published by FortiRecon based on the filter criteria like tags, adversary, relevance, and any other details you have specified. | search_alerts Investigation |
Get Alert Details By Alert ID | Retrieves details of an alert based on the alert ID you have specified. | get_alert_details_by_id Investigation |
Get Phishing Campaigns | Retrieves a list of phishing campaigns discovered by FortiRecon's Watermarks for the given organization. | get_phishing_campaigns Investigation |
Get Phishing Campaigns By ID | Retrieves details of a phishing attempt discovered by FortiRecon based on the ID you have specified. | get_phishing_campaigns_by_id Investigation |
Get Rogue Apps | Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. | get_rogue_apps Investigation |
Get Rogue App By ID | Retrieves details of a rogue app based on the Rogue App ID that you have specified. | get_rogue_app_by_id Investigation |
Get Takedown Requests | Retrieves a list of takedown requests for rogue apps and typo domains for the given organization. | get_takedown_requests Investigation |
Get Typo Domains | Retrieves a list of typo domains discovered by FortiRecon for the given organization; also called Typosquatting, URL hijacking, sting site, or a fake URL is a form of cybersquatting where malicious actors register and use an internet domain similar to an organization's trademarks, service marks, company names, or personal names. | get_typo_domains Investigation |
Get Typo Domain By ID | Retrieves details of a typo domain based on the typo domain ID you have specified. | get_typo_domain_by_id Investigation |
Parameter | Description |
---|---|
Relevance Rating | (Optional) Specify a relevance rating to filter the alerts. Separate multiple relevance ratings using a comma. For example, Medium, High, Low . |
Tags | (Optional) Specify a tag to filter the alerts. Separate multiple relevance ratings using a comma. For example, phishing, malware, exploited |
Adversary | (Optional) Specify an adversary(actor names, APT groups) to filter the alerts. Separate multiple adversaries using a comma. For example, apt35, foo, bar |
Source Category | (Optional) Select a source category from the following options to filter the alerts:
|
Report Type | (Optional) Select a report from the following options type to filter the alerts:
|
Industry | (Optional) Specify an industry to filter the alerts. Separate multiple industries using a comma. For example, manufacturing, government, and hospitality . |
Geography | (Optional) Specify a geography to filter the alerts. Separate multiple geographies using a comma. For example, South America, Western Europe, East Asia, and Africa. |
Keyword | (Optional) Specify a keyword to filter the alerts. Separate multiple geographies using a comma. Some example keywords are Report ID, Report Title, Report Summary, Report Content, Source Category. Actors, Motivation, Threats, and Industry Tags. |
Source Reliability | (Optional) Select a source reliability from the following options to filter the alerts:
|
Information Reliability | (Optional) Select an information reliability from the following options to filter the alerts:
|
Start Date | (Optional) Specify the start date of the range from when you want to retrieve the report. |
End Date | (Optional) Specify the end date of the range from when you want to retrieve the report. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Alert ID | Specify the alert ID of the alert to get its details. |
The output contains the following populated JSON schema:
{
"adversary": [],
"customer_tag": "",
"geography": [],
"industry_tags": [],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}
Parameter | Description |
---|---|
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Phishing Campaign ID | Specify the ID of the phishing attempt to get its details. |
The output contains the following populated JSON schema:
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the rogue app's status type from the following options to filter the results:
|
Keyword | (Optional) Specify the keywords to filter the results. For example: Source Name, Developer Name, App Name |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Rogue App ID | Specify an ID of the rogue app to get its details. |
The output contains the following populated JSON schema:
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the take-down request status from the following options to filter the results:
|
Category | (Optional) Select the take-down request category from the following options to filter the results:
|
Keyword | (Optional) Specify the keywords to filter the results. For example: ticketId , entity (It may be a domain name, the title of a report, Phished Domain, etc) |
Start Date | (Optional) Specify the start date of the range when the takedown was requested; default is last 6 months. |
End Date | (Optional) Specify the end date of the range when the takedown was requested; default is today's date. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"category": "",
"comment": "",
"comment_at": "",
"comment_by": "",
"created_at": "",
"entity": "",
"is_client": "",
"org_name": "",
"progress": "",
"requested_at": "",
"requested_by_user": "",
"requested_by_volon": "",
"sla": "",
"status": "",
"takedown_request_id": "",
"ticket_id": "",
"ttr": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Status | (Optional) Select the domain status from the following options to filter the results:
|
Original Domain | (Optional) Specify the original domain name to filter the results. Multiple domains should be comma separated. For example, example.com, test.com |
Keyword | (Optional) Specify keywords to filter the results. For example, example |
Severity | (Optional) Specify the severity of the request to filter the results. Severity can range from 0 to 100 . For example: 50to80 , 0to80S . |
Start Date | (Optional) Specify the start date of the date range to filter the results based on the date found in the whois record for that domain. Default is last 6 months. |
End Date | (Optional) Specify the end date of the date range to filter the results based on the date found in the whois record for that domain. Default is the current date. |
Page | (Optional) Specify the page number from which to retrieve the records. |
Size | (Optional) Specify the count of records that the operation should include for the current page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
Typo Domain ID | Specify the ID of the typo domain to get its details. |
The output contains the following populated JSON schema:
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}
The Sample - Fortinet FortiRecon Brand Protection - 1.0.0
playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.