Illuminate is a performance diagnostic engine that uses Machine Learning techniques to diagnose problems and provide you with solutions.
This document provides information about the Illuminate connector, which facilitates automated interactions with an Illuminate server using FortiSOAR™ playbooks. Add the Illuminate connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving indicator information for a specified indicator type (domain, IP address, email address, etc.), from Illuminate.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.11.0-1161
Authored By: Analyst Platform
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
```shell
yum install cyops-connector-illuminate
```
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, select the Illuminate connector, and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Illuminate server to which you will connect and perform automated operations. |
API Username | API username that is configured for your account to access the Illuminate server. |
API Password | API password that is configured for your account to access the Illuminate server. |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. Keeping it enabled ensures the API username and password are sent only to the genuine Illuminate server. |
The following automated operations can be included in playbooks; from CyOPs™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Query Domain Indicator | Retrieves indicator information for the specified indicator type, domain for this operation, from Illuminate. | indicator_info Investigation |
Query IPv4 Indicator | Retrieves indicator information for the specified indicator type, IPv4 for this operation, from Illuminate. | indicator_info Investigation |
Query IPv6 Indicator | Retrieves indicator information for the specified indicator type, IPv6 for this operation, from Illuminate. | indicator_info Investigation |
Query Hash Indicator | Retrieves indicator information for the specified indicator type, file hash for this operation, from Illuminate. | indicator_info Investigation |
Query Email Address Indicator | Retrieves indicator information for the specified indicator type, email address for this operation, from Illuminate. | indicator_info Investigation |
Query String Indicator | Retrieves indicator information for the specified indicator type, string for this operation, from Illuminate. | indicator_info Investigation |
Query Mutex Indicator | Retrieves indicator information for the specified indicator type, mutex for this operation, from Illuminate. | indicator_info Investigation |
Query HTTP Request Indicator | Retrieves indicator information for the specified indicator type, HTTP request for this operation, from Illuminate. | indicator_info Investigation |
Input parameters for the Query Domain Indicator operation:
Parameter | Description |
---|---|
Indicator | The domain (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "ip_resolution": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query IPv4 Indicator operation:
Parameter | Description |
---|---|
Indicator | The IPv4 address (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query IPv6 Indicator operation:
Parameter | Description |
---|---|
Indicator | The IPv6 address (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query Hash Indicator operation:
Parameter | Description |
---|---|
Indicator | The file hash (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query Email Address Indicator operation:
Parameter | Description |
---|---|
Indicator | The email address (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query String Indicator operation:
Parameter | Description |
---|---|
Indicator | The string (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query Mutex Indicator operation:
Parameter | Description |
---|---|
Indicator | The mutex (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
Input parameters for the Query HTTP Request Indicator operation:
Parameter | Description |
---|---|
Indicator | The HTTP request (the indicator type for this operation) for which you want to retrieve indicator information from Illuminate. |
The output contains the following populated JSON schema:
```json
{
  "found": "",
  "confidence_level": "",
  "indicator_classification": "",
  "link": "",
  "actor_names": [],
  "first_hit": "",
  "illuminate_indicator_id": "",
  "evidence_count": "",
  "malware_names": [],
  "last_hit": "",
  "activity_dates": [],
  "actor_ids": [],
  "active": "",
  "reported_dates": [],
  "hit_count": "",
  "malware_ids": []
}
```
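A playbook step usually receives a bare observable, must pick the matching query operation from the table above, and then branch on the schema that comes back. The following Python helper is an added example, not code from the connector or from this page: the operation names are taken from the page, while the detection rules, the `summarize` fields and the sample result are assumptions made for illustration.

```python
import ipaddress
import re
# Operation names from this connector's table, keyed by the indicator kind they accept.
# Mutex and HTTP request lookups are not auto-detected; select those operations explicitly.
OPERATIONS = {"domain": "Query Domain Indicator", "ipv4": "Query IPv4 Indicator",
              "ipv6": "Query IPv6 Indicator", "hash": "Query Hash Indicator",
              "email": "Query Email Address Indicator", "string": "Query String Indicator"}
_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA-1/SHA-256
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")

def classify(value: str) -> str:
    """Detect the indicator kind so a playbook can route to the matching operation."""
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    if _HASH.match(v):
        return "hash"
    if _EMAIL.match(v):
        return "email"
    if _DOMAIN.match(v):
        return "domain"
    return "string"  # anything else goes to the generic string lookup
def operation_for(value: str) -> str:
    return OPERATIONS[classify(value)]
def _truthy(v) -> bool:
    return v in (True, 1, "true", "True", "1")
def summarize(result: dict) -> dict:
    """Reduce the connector output schema to fields a playbook can branch on.
    The schema ships with "" placeholders, so empty values are treated as absent."""
    if not _truthy(result.get("found")):
        return {"verdict": "unknown", "active": False}
    return {
        "verdict": "reported",
        "active": _truthy(result.get("active")),
        "classification": result.get("indicator_classification") or None,
        "confidence": result.get("confidence_level") or None,
        "actors": list(result.get("actor_names") or []),
        "malware": list(result.get("malware_names") or []),
        "evidence_count": int(result.get("evidence_count") or 0),
    }

# Constructed sample output in the page's schema (not real Illuminate data).
SAMPLE_RESULT = {"found": "true", "confidence_level": "high", "active": "true",
                 "indicator_classification": "malicious", "actor_names": ["ActorA"],
                 "malware_names": ["FamilyX"], "evidence_count": "3", "hit_count": ""}
```

Because the schema returns empty strings rather than nulls, a playbook condition such as `found == ""` behaves differently from `found == false`; the `summarize` step normalises both to one `verdict` field.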
The Sample - Illuminate - 1.0.0 playbook collection comes bundled with the Illuminate connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Illuminate connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.