Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

Illuminate is a performance diagnostic engine that uses Machine Learning techniques to diagnose problems and provide you with solutions.

This document provides information about the Illuminate connector, which facilitates automated interactions, with a

Illuminate server using FortiSOAR™ playbooks. Add the Illuminate connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving indicator information, based on the specified indicator type (Domain, IP address, or email address, etc.) from Illuminate.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

Authored By: Analyst Platform

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-illuminate

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of Illuminate server to which you will connect and perform automated operations and credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the Illuminate connector, and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the Illuminate server to which you will connect and perform automated operations.
API Username API username that is configured for your account to access the Illuminate server.
API Password API password that is configured for your account to access the Illuminate server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from CyOPsTM release 4.10.0 and onwards:

Function Description Annotation and Category
Query Domain Indicator Retrieves indicator information for the specified indicator type, domain for this operation, from Illuminate. indicator_info
Investigation
Query IPv4 Indicator Retrieves indicator information for the specified indicator type, IPv4 for this operation, from Illuminate. indicator_info
Investigation
Query IPv6 Indicator Retrieves indicator information for the specified indicator type, IPv6 for this operation, from Illuminate. indicator_info
Investigation
Query Hash Indicator Retrieves indicator information for the specified indicator type, file hash for this operation, from Illuminate. indicator_info
Investigation
Query Email Address Indicator Retrieves indicator information for the specified indicator type, email address for this operation, from Illuminate. indicator_info
Investigation
Query String Indicator Retrieves indicator information for the specified indicator type, string for this operation, from Illuminate. indicator_info
Investigation
Query Mutex Indicator Retrieves indicator information for the specified indicator type, mutex for this operation, from Illuminate. indicator_info
Investigation
Query HTTP Request Indicator Retrieves indicator information for the specified indicator type, HTTP request for this operation, from Illuminate. indicator_info
Investigation

operation: Query Domain Indicator

Input parameters

Parameter Description
Indicator Type of indicator, domain in this operation, for which you want to retrieve indicator information from Illuminate. 

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "ip_resolution": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query IPv4 Indicator

Input parameters

Parameter Description
Indicator Type of indicator, IPv4 in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query IPv6 Indicator

Input parameters

Parameter Description
Indicator Type of indicator, IPv6 in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Hash Indicator

Input parameters

Parameter Description
Indicator Type of indicator, hash in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Email Address Indicator

Input parameters

Parameter Description
Indicator Type of indicator, email address in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query String Indicator

Input parameters

Parameter Description
Indicator Type of indicator, string in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Mutex Indicator

Input parameters

Parameter Description
Indicator Type of indicator, mutex in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query HTTP Request Indicator

Input parameters

Parameter Description
Indicator Type of indicator, HTTP request in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

Included playbooks

The Sample - Illuminate - 1.0.0 playbook collection comes bundled with the Illuminate connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Illuminate connector.

  • Query Domain Indicator
  • Query Email Address Indicator
  • Query Hash Indicator
  • Query HTTP Request Indicator
  • Query IPv4 Indicator
  • Query IPv6 Indicator
  • Query Mutex Indicator
  • Query String Indicator

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Illuminate is a performance diagnostic engine that uses Machine Learning techniques to diagnose problems and provide you with solutions.

This document provides information about the Illuminate connector, which facilitates automated interactions, with a

Illuminate server using FortiSOAR™ playbooks. Add the Illuminate connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving indicator information, based on the specified indicator type (Domain, IP address, or email address, etc.) from Illuminate.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.11.0-1161

Authored By: Analyst Platform

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-illuminate

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the Illuminate connector, and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the Illuminate server to which you will connect and perform automated operations.
API Username API username that is configured for your account to access the Illuminate server.
API Password API password that is configured for your account to access the Illuminate server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from CyOPsTM release 4.10.0 and onwards:

Function Description Annotation and Category
Query Domain Indicator Retrieves indicator information for the specified indicator type, domain for this operation, from Illuminate. indicator_info
Investigation
Query IPv4 Indicator Retrieves indicator information for the specified indicator type, IPv4 for this operation, from Illuminate. indicator_info
Investigation
Query IPv6 Indicator Retrieves indicator information for the specified indicator type, IPv6 for this operation, from Illuminate. indicator_info
Investigation
Query Hash Indicator Retrieves indicator information for the specified indicator type, file hash for this operation, from Illuminate. indicator_info
Investigation
Query Email Address Indicator Retrieves indicator information for the specified indicator type, email address for this operation, from Illuminate. indicator_info
Investigation
Query String Indicator Retrieves indicator information for the specified indicator type, string for this operation, from Illuminate. indicator_info
Investigation
Query Mutex Indicator Retrieves indicator information for the specified indicator type, mutex for this operation, from Illuminate. indicator_info
Investigation
Query HTTP Request Indicator Retrieves indicator information for the specified indicator type, HTTP request for this operation, from Illuminate. indicator_info
Investigation

operation: Query Domain Indicator

Input parameters

Parameter Description
Indicator Type of indicator, domain in this operation, for which you want to retrieve indicator information from Illuminate. 

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "ip_resolution": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query IPv4 Indicator

Input parameters

Parameter Description
Indicator Type of indicator, IPv4 in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query IPv6 Indicator

Input parameters

Parameter Description
Indicator Type of indicator, IPv6 in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Hash Indicator

Input parameters

Parameter Description
Indicator Type of indicator, hash in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Email Address Indicator

Input parameters

Parameter Description
Indicator Type of indicator, email address in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query String Indicator

Input parameters

Parameter Description
Indicator Type of indicator, string in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query Mutex Indicator

Input parameters

Parameter Description
Indicator Type of indicator, mutex in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

operation: Query HTTP Request Indicator

Input parameters

Parameter Description
Indicator Type of indicator, HTTP request in this operation, for which you want to retrieve indicator information from Illuminate.

Output

The output contains the following populated JSON schema:
{
     "found": "",
     "confidence_level": "",
     "indicator_classification": "",
     "link": "",
     "actor_names": [],
     "first_hit": "",
     "illuminate_indicator_id": "",
     "evidence_count": "",
     "malware_names": [],
     "last_hit": "",
     "activity_dates": [],
     "actor_ids": [],
     "active": "",
     "reported_dates": [],
     "hit_count": "",
     "malware_ids": []
}

Included playbooks

The Sample - Illuminate - 1.0.0 playbook collection comes bundled with the Illuminate connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Illuminate connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.