Fortinet FortiRecon Brand Protection v1.0.0

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise.

This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 7.3.0-2034 and later

Fortinet FortiRecon Brand Protection Version Tested on: v22.4.a

Authored By: Fortinet

Certified: Yes

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-fortinet-fortirecon-brand-protection

Prerequisites to configuring the connector

• You must have the URL of the Fortinet FortiRecon Brand Protection server to which you connect and perform automated operations, and credentials to access that server.
• The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiRecon Brand Protection server.

Minimum Permissions Required

• Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter	Description
Server URL	Server name or IP address to which you connect and perform the automated operations
API Key	API key to access the endpoint server to which you connect and perform the automated operations
Organization ID	The organization ID on which FortiRecon operations are to be performed.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function	Description	Annotation and Category
Search Alerts	Retrieves a list of alerts(reports) published by FortiRecon based on the filter criteria like tags, adversary, relevance, and any other details you have specified.	search_alerts Investigation
Get Alert Details By Alert ID	Retrieves details of an alert based on the alert ID you have specified.	get_alert_details_by_id Investigation
Get Phishing Campaigns	Retrieves a list of phishing campaigns discovered by FortiRecon's Watermarks for the given organization.	get_phishing_campaigns Investigation
Get Phishing Campaigns By ID	Retrieves details of a phishing attempt discovered by FortiRecon based on the ID you have specified.	get_phishing_campaigns_by_id Investigation
Get Rogue Apps	Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands.	get_rogue_apps Investigation
Get Rogue App By ID	Retrieves details of a rogue app based on the Rogue App ID that you have specified.	get_rogue_app_by_id Investigation
Get Takedown Requests	Retrieves a list of takedown requests for rogue apps and typo domains for the given organization.	get_takedown_requests Investigation
Get Typo Domains	Retrieves a list of typo domains discovered by FortiRecon for the given organization; also called Typosquatting, URL hijacking, sting site, or a fake URL is a form of cybersquatting where malicious actors register and use an internet domain similar to an organization's trademarks, service marks, company names, or personal names.	get_typo_domains Investigation
Get Typo Domain By ID	Retrieves details of a typo domain based on the typo domain ID you have specified.	get_typo_domain_by_id Investigation

operation: Search Alerts

Input parameters

Parameter	Description
Relevance Rating	(Optional) Specify a relevance rating to filter the alerts. Separate multiple relevance ratings using a comma. For example, Medium, High, Low.
Tags	(Optional) Specify a tag to filter the alerts. Separate multiple relevance ratings using a comma. For example, phishing, malware, exploited
Adversary	(Optional) Specify an adversary(actor names, APT groups) to filter the alerts. Separate multiple adversaries using a comma. For example, apt35, foo, bar
Source Category	(Optional) Select a source category from the following options to filter the alerts: Darknet OSINT Technical Intelligence
Report Type	(Optional) Select a report from the following options type to filter the alerts: Flash Report Flash Alert
Industry	(Optional) Specify an industry to filter the alerts. Separate multiple industries using a comma. For example, manufacturing, government, and hospitality.
Geography	(Optional) Specify a geography to filter the alerts. Separate multiple geographies using a comma. For example, South America, Western Europe, East Asia, and Africa.
Keyword	(Optional) Specify a keyword to filter the alerts. Separate multiple geographies using a comma. Some example keywords are Report ID, Report Title, Report Summary, Report Content, Source Category. Actors, Motivation, Threats, and Industry Tags.
Source Reliability	(Optional) Select a source reliability from the following options to filter the alerts: A-Reliable B-Usually reliable C-Fairly reliable D-Not usually reliable E-Unreliable F-Cannot be judged
Information Reliability	(Optional) Select an information reliability from the following options to filter the alerts: 1-Confirmed 2-Probably true 3-Possibly true 4-Doubtfully true 5-Improbable 6-Cannot be judged
Start Date	(Optional) Specify the start date of the range from when you want to retrieve the report.
End Date	(Optional) Specify the end date of the range from when you want to retrieve the report.
Page	(Optional) Specify the page number from which to retrieve the records.
Size	(Optional) Specify the count of records that the operation should include for the current page.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Alert Details By Alert ID

Input parameters

Parameter	Description
Alert ID	Specify the alert ID of the alert to get its details.

Output

The output contains the following populated JSON schema:
{
"adversary": [],
"customer_tag": "",
"geography": [],
"industry_tags": [],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [],
"tlp": ""
}

operation: Get Phishing Campaigns

Input parameters

Parameter	Description
Page	(Optional) Specify the page number from which to retrieve the records.
Size	(Optional) Specify the count of records that the operation should include for the current page.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Phishing Campaigns By ID

Input parameters

Parameter	Description
Phishing Campaign ID	Specify the ID of the phishing attempt to get its details.

Output

The output contains the following populated JSON schema:
{
"acknowledged_by": "",
"acknowledged_on": "",
"campaign_number": "",
"domain": "",
"id": "",
"is_acknowledged": "",
"is_malicious": "",
"org_id": "",
"ticket_id": "",
"url": "",
"visitor_ip": ""
}

operation: Get Rogue Apps

Input parameters

Parameter	Description
Status	(Optional) Select the rogue app's status type from the following options to filter the results: Official: Apps published by officially recognized users Unofficial:Apps published by users that are not recognized officially RogueApps: Apps published by known malicious actors or deemed to be potentially malicious.
Keyword	(Optional) Specify the keywords to filter the results. For example: Source Name, Developer Name, App Name
Page	(Optional) Specify the page number from which to retrieve the records.
Size	(Optional) Specify the count of records that the operation should include for the current page.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Rogue App By ID

Input parameters

Parameter	Description
Rogue App ID	Specify an ID of the rogue app to get its details.

Output

The output contains the following populated JSON schema:
{
"developer_name": "",
"download_count": "",
"first_seen": "",
"id": "",
"index_ts": "",
"keyword": "",
"name": "",
"size": "",
"source_name": "",
"status": "",
"ticket_id": ""
}

operation: Get Takedown Requests

Input parameters

Parameter	Description
Status	(Optional) Select the take-down request status from the following options to filter the results: Requested Acknowledged Initiated Closed
Category	(Optional) Select the take-down request category from the following options to filter the results: Phishing Fraudulentdomains Typosquatting RogueApps Alert
Keyword	(Optional) Specify the keywords to filter the results. For example: ticketId, entity (It may be a domain name, the title of a report, Phished Domain, etc)
Start Date	(Optional) Specify the start date of the range when the takedown was requested; default is last 6 months.
End Date	(Optional) Specify the end date of the range when the takedown was requested; default is today's date.
Page	(Optional) Specify the page number from which to retrieve the records.
Size	(Optional) Specify the count of records that the operation should include for the current page.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"category": "",
"comment": "",
"comment_at": "",
"comment_by": "",
"created_at": "",
"entity": "",
"is_client": "",
"org_name": "",
"progress": "",
"requested_at": "",
"requested_by_user": "",
"requested_by_volon": "",
"sla": "",
"status": "",
"takedown_request_id": "",
"ticket_id": "",
"ttr": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Typo Domains

Input parameters

Parameter	Description
Status	(Optional) Select the domain status from the following options to filter the results: Non-Functional Offline Online
Original Domain	(Optional) Specify the original domain name to filter the results. Multiple domains should be comma separated. For example, example.com, test.com
Keyword	(Optional) Specify keywords to filter the results. For example, example
Severity	(Optional) Specify the severity of the request to filter the results. Severity can range from 0 to 100. For example: 50to80, 0to80S.
Start Date	(Optional) Specify the start date of the date range to filter the results based on the date found in the whois record for that domain. Default is last 6 months.
End Date	(Optional) Specify the end date of the date range to filter the results based on the date found in the whois record for that domain. Default is the current date.
Page	(Optional) Specify the page number from which to retrieve the records.
Size	(Optional) Specify the count of records that the operation should include for the current page.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Typo Domain By ID

Input parameters

Parameter	Description
Typo Domain ID	Specify the ID of the typo domain to get its details.

Output

The output contains the following populated JSON schema:
{
"dns_a": "",
"dns_screenshot": "",
"fuzzer": "",
"id": "",
"is_checked": "",
"is_moniter": "",
"keyword": "",
"original_domain": "",
"score": "",
"similar_domain": "",
"status": "",
"suspicious_category": "",
"suspicious_kayword": "",
"suspicious_status": "",
"ticket_id": "",
"whoiser_created_date": ""
}

Included playbooks

The Sample - Fortinet FortiRecon Brand Protection - 1.0.0 playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.

• Get Alert Details By Alert ID
• Get Phishing Campaigns
• Get Phishing Campaigns By ID
• Get Rogue App By ID
• Get Rogue Apps
• Get Takedown Requests
• Get Typo Domain By ID
• Get Typo Domains
• Search Alerts

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.