Intel 471 provides actor-centric Cyber Threat Intelligence collection capabilities.
This document provides information about the Intel 471 connector, which facilitates automated interactions with an Intel 471 server using FortiSOAR™ playbooks. Add the Intel 471 connector as a step in FortiSOAR™ playbooks and perform automated operations, such as returning results based on several search criteria, like IP addresses, URLs, actors, and emails, for a specified DateTime range.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.9.0.0-708
Intel 471 Version Tested on: 1.0
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-intel471
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Intel 471 connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
URL | URL of the Intel 471 server to which you will connect and perform the automated operations. |
Username | Username to access the Intel 471 server. |
Password | Password to access the Intel 471 server. |
Verify SSL | Verify SSL connection to the Intel 471 server. Defaults to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get IOCs | Gets IOCs published between a specific DateTime range from Intel 471. | fetch_intel Investigation |
Global Search | Performs a search based on a provided search query or term, which must conform to the Intel 471 query grammar. The search is performed against a specified DateTime range. | search_query Investigation |
Search for Actor | Gets a list of actors, published between a specific DateTime range, that match the specified search criteria. | |
Search for Actor with Forum | Gets a list of actors, along with a forum, published between a specific DateTime range from Intel 471, that match the specified search criteria. | |
Get IP Reputation | Gets the reputation of the specified IP address published between a specific DateTime range. | ip_reputation Investigation |
Get URL Reputation | Gets the reputation of the specified URL published between a specific DateTime range. | url_reputation Investigation |
Get Email Reputation | Gets the reputation of the specified email published between a specific DateTime range. | email_reputation Investigation |
Get Reports | Gets reports published between a specific DateTime range. | get_report Investigation |
Search Report by Tag | Search for reports using the report's tags, such as Card Fraud, and published between a specific DateTime range. | |
Get Report using UID | Gets reports using the report's UID published between a specific DateTime range. | |
Parameter | Description |
---|---|
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains all the IOCs published within the specified date range.
The output contains the following populated JSON schema:
{
"Iocs": []
}
Parameter | Description |
---|---|
Global Search Query | Search query using which you want to perform a search in Intel 471. For example, "url=injectsview.com&contactInfoEmail=santinosunny1@gmail.com". |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains results based on the specified search criteria.
No output schema is available at this time.
Parameter | Description |
---|---|
Actor Name | Actor name based on which you want to perform a search in Intel 471. |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains results based on the specified actor name.
The output contains the following populated JSON schema:
{
"Actors": []
}
Parameter | Description |
---|---|
Actor Name | Actor name based on which you want to perform a search in Intel 471. |
Forum Name | Forum name based on which you want to perform a search in Intel 471. |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains results based on the specified actor and forum name.
No output schema is available at this time.
Parameter | Description |
---|---|
IP Address | IP address whose reputation you want to retrieve from Intel 471. |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.
The JSON output contains details of the specified IP address.
No output schema is available at this time.
Parameter | Description |
---|---|
URL | URL whose reputation you want to retrieve from Intel 471. For example, info@swwatch.com |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.
The JSON output contains details of the specified URL.
No output schema is available at this time.
Parameter | Description |
---|---|
Email | Email whose reputation you want to retrieve from Intel 471. For example, ping.ip000000@gmail.com |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Interested In | Result categories. You can choose to filter the results based on the various results categories, which are provided by Intel 471. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.
The JSON output contains details of the specified email.
No output schema is available at this time.
Parameter | Description |
---|---|
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains the reports based on the specified DateTime.
The output contains the following populated JSON schema:
{
"Reports": []
}
Parameter | Description |
---|---|
Tag Name | Name of the tag based on which you want to search for reports. For example, Credit Card Fraud. |
Start Date | Limits the returned data to data that is published or updated starting at this specified DateTime. |
End Date | Limits the returned data to data that is published or updated ending at this specified DateTime. |
Days | Select the number of days from a drop-down list for which you want to fetch the IOCs. Valid range: 7-180. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
Note: You can either provide the Start and End Dates or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
The JSON output contains the reports based on the specified tag name and DateTime.
The output contains the following populated JSON schema:
{
"Reports": []
}
Parameter | Description |
---|---|
Report UID | UID of the report based on which you want to search for reports. |
Sort By | Sorts the results. You can choose to sort the results from the following options: Earliest, Latest, and Relevance. |
The JSON output contains the reports based on the specified Report UID and DateTime.
The output contains the following populated JSON schema:
{
"locations": [],
"actorSubjectsOfReport": [],
"similarReports": [],
"tags": [],
"portalReportUrl": "",
"subject": "",
"researcherComments": ""
}
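The Start Date / End Date / Days rule from the operation notes above, worked through as an added example (this is not the connector's own code). The function name resolve_window, the strict rejection of mixed inputs, and the requirement that timestamps carry a UTC offset are assumptions; the 7-180 range and the 7-day and 90-day defaults are the ones stated on this page.

```python
from datetime import datetime, timedelta, timezone

# Limits and per-operation defaults as stated in the notes on this page.
DAYS_MIN, DAYS_MAX = 7, 180
DEFAULT_DAYS = {
    "Get IOCs": 7,
    "Global Search": 7,
    "Search for Actor": 7,
    "Search for Actor with Forum": 7,
    "Get IP Reputation": 90,
    "Get URL Reputation": 90,
    "Get Email Reputation": 90,
    "Get Reports": 7,
    "Search Report by Tag": 7,
}


def _to_utc(value):
    """Parse an ISO 8601 string or datetime and normalise it to UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        # Assumption: naive timestamps are rejected rather than guessed at,
        # so the window cannot silently shift by the server's local offset.
        raise ValueError("timestamp must carry a UTC offset")
    return value.astimezone(timezone.utc)


def resolve_window(operation, start=None, end=None, days=None, now=None):
    """Return the (start, end) UTC window an operation would query."""
    if operation not in DEFAULT_DAYS:
        raise ValueError(f"operation takes no date range: {operation!r}")
    if now is None:
        now = datetime.now(timezone.utc)

    if start is not None or end is not None:
        if start is None or end is None:
            raise ValueError("Start Date and End Date must be given together")
        if days is not None:
            # Assumption: "either ... or" is enforced strictly.
            raise ValueError("give Start/End Dates or Days, not both")
        start, end = _to_utc(start), _to_utc(end)
        if start >= end:
            raise ValueError("Start Date must be earlier than End Date")
        return start, end

    if days is None:
        days = DEFAULT_DAYS[operation]
    if isinstance(days, bool) or not isinstance(days, int):
        raise ValueError("Days must be an integer")
    if not DAYS_MIN <= days <= DAYS_MAX:
        raise ValueError(f"Days must be between {DAYS_MIN} and {DAYS_MAX}")
    return now - timedelta(days=days), now


if __name__ == "__main__":
    # Constructed inputs for illustration.
    fixed_now = datetime(2020, 1, 31, 12, 0, tzinfo=timezone.utc)
    print(resolve_window("Get IOCs", now=fixed_now))
    print(resolve_window("Get IP Reputation", now=fixed_now))
```

Running the same check before a playbook step executes catches an out-of-range Days value or a half-specified date pair early, instead of returning an unexpectedly empty result set.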
The following playbooks come bundled with the Intel 471 connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intel 471 connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.