
Intel 471 v1.0.0


About the connector

Intel 471 provides actor-centric Cyber Threat Intelligence collection capabilities.

This document provides information about the Intel 471 connector, which facilitates automated interactions with an Intel 471 server using FortiSOAR™ playbooks. Add the Intel 471 connector as a step in FortiSOAR™ playbooks and perform automated operations, such as returning results based on several search criteria, like IP addresses, URLs, actors, and emails, for a specified DateTime range.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.9.0.0-708

Intel 471 Version Tested on: 1.0

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-intel471

Prerequisites to configuring the connector

  • You must have the URL of the Intel 471 server to which you will connect and perform the automated operations and the credentials (username-password pair) to access that URL.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Intel 471 connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

| Parameter | Description |
| --- | --- |
| URL | URL of the Intel 471 server to which you will connect and perform the automated operations. |
| Username | Username to access the Intel 471 server. |
| Password | Password to access the Intel 471 server. |
| Verify SSL | Verify SSL connection to the Intel 471 server. Defaults to True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

| Function | Description | Annotation and Category |
| --- | --- | --- |
| Get IOCs | Gets IOCs published between a specific DateTime range from Intel 471. | fetch_intel; Investigation |
| Global Search | Performs a search based on a provided search query or term that must conform to the Intel 471 query grammar. The search query operation is performed against a specified DateTime range. | search_query; Investigation |
| Search for Actor | Gets a list of actors, published between a specific DateTime range, that match the specified search criteria. | |
| Search for Actor with Forum | Gets a list of actors, along with a forum, published between a specific DateTime range from Intel 471, that match the specified search criteria. | |
| Get IP Reputation | Gets the reputation of the specified IP address published between a specific DateTime range. | ip_reputation; Investigation |
| Get URL Reputation | Gets the reputation of the specified URL published between a specific DateTime range. | url_reputation; Investigation |
| Get Email Reputation | Gets the reputation of the specified email published between a specific DateTime range. | email_reputation; Investigation |
| Get Reports | Gets reports published between a specific DateTime range. | get_report; Investigation |
| Search Report by Tag | Searches for reports using the report's tags, such as Card Fraud, and published between a specific DateTime range. | |
| Get Report using UID | Gets reports using the report's UID published between a specific DateTime range. | |

operation: Get IOCs

Input parameters

| Parameter | Description |
| --- | --- |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains all the IOCs published within the specified date range.

The output contains the following populated JSON schema:
{
    "Iocs": []
}

operation: Global Search

Input parameters

| Parameter | Description |
| --- | --- |
| Global Search Query | Search query using which you want to perform a search in Intel 471. For example, "url=injectsview.com&contactInfoEmail=santinosunny1@gmail.com". |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
| Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results based on the specified search criteria.

No output schema is available at this time.

operation: Search for Actor

Input parameters

| Parameter | Description |
| --- | --- |
| Actor Name | Actor name based on which you want to perform a search in Intel 471. |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results based on the specified actor name.

The output contains the following populated JSON schema:
{
    "Actors": []
}

operation: Search for Actor with Forum

Input parameters

| Parameter | Description |
| --- | --- |
| Actor Name | Actor name based on which you want to perform a search in Intel 471. |
| Forum Name | Forum name based on which you want to perform a search in Intel 471. |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
| Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results based on the specified actor and forum name.

No output schema is available at this time.

operation: Get IP Reputation

Input parameters

| Parameter | Description |
| --- | --- |
| IP Address | IP address whose reputation you want to retrieve from Intel 471. |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
| Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified IP address.

No output schema is available at this time.

operation: Get URL Reputation

Input parameters

| Parameter | Description |
| --- | --- |
| URL | URL whose reputation you want to retrieve from Intel 471. For example, info@swwatch.com |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
| Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified URL.

No output schema is available at this time.

operation: Get Email Reputation

Input parameters

| Parameter | Description |
| --- | --- |
| Email | Email whose reputation you want to retrieve from Intel 471. For example, ping.ip000000@gmail.com |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
| Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified email.

No output schema is available at this time.

operation: Get Reports

Input parameters

| Parameter | Description |
| --- | --- |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains the reports based on the specified DateTime.

The output contains the following populated JSON schema:
{
    "Reports": []
}

operation: Search Report by Tag

Input parameters

| Parameter | Description |
| --- | --- |
| Tag Name | Name of the tag based on which you want to search for reports. For example, Credit Card Fraud. |
| Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
| End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
| Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Date range: [7-180]. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |

Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
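
The date-window rule repeated in the Notes on this page (Start and End Dates, or Days within 7-180, with a default of 7 or 90 days depending on the operation) written as a pre-flight check for playbook inputs. This is an added example, not code from the connector or its documentation; the name `resolve_window`, the rejection of mixed or timezone-less inputs, and the UTC normalisation are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

# Default look-back per operation, taken from the Notes on this page.
# "Get Report using UID" is absent because it documents no date inputs.
DEFAULT_DAYS = {
    "Get IOCs": 7,
    "Global Search": 7,
    "Search for Actor": 7,
    "Search for Actor with Forum": 7,
    "Get IP Reputation": 90,
    "Get URL Reputation": 90,
    "Get Email Reputation": 90,
    "Get Reports": 7,
    "Search Report by Tag": 7,
}
MIN_DAYS, MAX_DAYS = 7, 180  # "date range: [7-180]" on the Days parameter


def resolve_window(operation, start=None, end=None, days=None, now=None):
    """Return (start, end) as timezone-aware UTC datetimes for one operation.

    Hypothetical helper: refusing mixed inputs and naive datetimes is a
    choice made in this example, not documented connector behaviour.
    """
    if operation not in DEFAULT_DAYS:
        raise ValueError(f"{operation!r} has no date range on this page")
    if now is None:
        now = datetime.now(timezone.utc)

    explicit = start is not None or end is not None
    if explicit and days is not None:
        raise ValueError("give Start/End Dates or Days, not both")

    if explicit:
        if start is None or end is None:
            raise ValueError("Start Date and End Date must be given together")
        for name, value in (("Start Date", start), ("End Date", end)):
            # A naive datetime would shift the window by the local offset.
            if value.utcoffset() is None:
                raise ValueError(f"{name} must carry a timezone")
        if end <= start:
            raise ValueError("End Date must be later than Start Date")
        return start.astimezone(timezone.utc), end.astimezone(timezone.utc)

    if days is None:
        days = DEFAULT_DAYS[operation]  # 7 or 90, depending on the operation
    if isinstance(days, bool) or not isinstance(days, int):
        raise ValueError("Days must be an integer")
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"Days must be within [{MIN_DAYS}-{MAX_DAYS}]")
    return now - timedelta(days=days), now


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    fixed_now = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
    for op in ("Get IOCs", "Get IP Reputation"):
        begin, finish = resolve_window(op, now=fixed_now)
        print(f"{op}: {begin.isoformat()} -> {finish.isoformat()}")
```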

Output

The JSON output contains the reports based on the specified tag name and DateTime.

The output contains the following populated JSON schema:
{
    "Reports": []
}

operation: Get Report using UID

Input parameters

| Parameter | Description |
| --- | --- |
| Report UID | UID of the report based on which you want to search for reports. |
| Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |

Output

The JSON output contains the reports based on the specified Report UID and DateTime.

The output contains the following populated JSON schema:
{
    "locations": [],
    "actorSubjectsOfReport": [],
    "similarReports": [],
    "tags": [],
    "portalReportUrl": "",
    "subject": "",
    "researcherComments": ""
}

Included playbooks

The following playbooks come bundled with the Intel 471 connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intel 471 connector.

  • Get IOCs
  • Global Search
  • Search for Actor
  • Search for Actor with Forum
  • Get IP Reputation
  • Get URL Reputation
  • Get Email Reputation
  • Get Reports
  • Search Report by Tag
  • Search Report using UID

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
