Fortinet Document Library

About the connector

Intel 471 provides actor-centric Cyber Threat Intelligence collection capabilities.

This document provides information about the Intel 471 connector, which facilitates automated interactions with an Intel 471 server using FortiSOAR™ playbooks. Add the Intel 471 connector as a step in FortiSOAR™ playbooks to perform automated operations, such as returning results for several search criteria (IP addresses, URLs, actors, and emails) within a specified datetime range.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Intel 471 Versions: 1.0 and later

Annotations associated with Functions

Annotations are added to functions, and functions can be accessed by their annotations from FortiSOAR™ release 4.10.0 onwards.

Function               Annotation          Annotation Category
Get IOCs               fetch_intel         Investigation
Global Search          search_query        Investigation
Get IP Reputation      ip_reputation       Investigation
Get URL Reputation     url_reputation      Investigation
Get Email Reputation   email_reputation    Investigation
Get Reports            get_report          Investigation

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-intel471

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Intel 471 server to which you will connect and perform the automated operations, and the credentials to access that URL.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Intel 471 connector and click Configure to configure the following parameters:

  • URL: URL of the Intel 471 server to which you will connect and perform the automated operations.
  • Username: Username to access the Intel 471 server.
  • Password: Password to access the Intel 471 server.
  • Verify SSL: Verify the SSL connection to the Intel 471 server. Defaults to True.

Actions supported by the connector

The following automated operations can be included in playbooks:

  • Fetch IOCs: Gets IOCs published between a specific datetime range from Intel 471.
  • Global Search: Performs a search based on a provided search query or term that conforms to the Intel 471 query grammar. The search is performed against a specified datetime range.
  • Search for Actor: Gets a list of actors published between a specific datetime range that match the specified search criteria.
  • Search for Actor with Forum: Gets a list of actors, along with their forum, published between a specific datetime range from Intel 471 that match the specified search criteria.
  • Get IP Reputation: Gets the reputation of the specified IP address published between a specific datetime range.
  • Get URL Reputation: Gets the reputation of the specified URL published between a specific datetime range.
  • Get Email Reputation: Gets the reputation of the specified email published between a specific datetime range.
  • Get Reports: Gets reports published between a specific datetime range.
  • Search Report by Tag: Searches for reports by tag, such as Card Fraud, published between a specific datetime range.
  • Get Report using UID: Gets reports using the report's UID published between a specific datetime range.

operation: Get IOCs

Input parameters

  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch the IOCs (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.
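As an added example, not part of the connector documentation or of Fortinet's code, the helper below normalises the two input conventions this page describes: the connector configuration (URL, Username, Password, Verify SSL) and the Start Date / End Date / Days window that every operation shares. The 7-180 bound on Days and the 7-day and 90-day defaults are the values stated on this page; the function names, the operation keys and the https-only check are the example's own assumptions. Such a step is useful in front of the connector in a playbook, because a disabled certificate check or a plaintext URL exposes the Intel 471 credentials to anyone on the network path.

```python
"""Input normalisation for the Intel 471 connector parameters described on this page.
Hypothetical helper code; it is not the connector's own implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse

DAYS_MIN, DAYS_MAX = 7, 180  # the "Days" drop-down range documented for every operation

# Default for "Days" when neither Start Date nor End Date is given: 7 days for most
# operations, 90 days for the reputation lookups (as stated in each operation's Note).
# The operation keys are this example's own names, not connector identifiers.
DEFAULT_DAYS = {
    "get_iocs": 7, "global_search": 7, "search_actor": 7, "search_actor_forum": 7,
    "get_reports": 7, "search_report_by_tag": 7,
    "ip_reputation": 90, "url_reputation": 90, "email_reputation": 90,
}


@dataclass(frozen=True)
class ConnectorConfig:
    url: str
    username: str
    password: str
    verify_ssl: bool = True  # page default; the credentials ride on this connection


def validate_config(cfg: ConnectorConfig) -> List[str]:
    """Return the problems found in a connector configuration (empty list = OK)."""
    problems = []
    parsed = urlparse(cfg.url)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("URL must be an https:// URL with a host")
    if not cfg.username or not cfg.password:
        problems.append("Username and Password are required")
    if not cfg.verify_ssl:
        problems.append("Verify SSL is disabled: the server certificate will not be checked")
    return problems


def days_in_range(days: int) -> bool:
    """True when a Days value lies within the documented 7-180 drop-down range."""
    return DAYS_MIN <= days <= DAYS_MAX


def resolve_window(operation: str,
                   start: Optional[datetime] = None,
                   end: Optional[datetime] = None,
                   days: Optional[int] = None,
                   now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Turn Start Date / End Date / Days into one (start, end) window.

    Rules from the page: give Start and End Dates together, or pick Days from the
    drop-down; when nothing is given the operation's documented default applies.
    """
    if operation not in DEFAULT_DAYS:
        raise ValueError(f"unknown operation: {operation}")
    if (start is None) != (end is None):
        raise ValueError("Start Date and End Date must be given together")
    if start is not None:
        if days is not None:
            raise ValueError("give either Start/End Dates or Days, not both")
        if start > end:
            raise ValueError("Start Date is after End Date")
        return start, end
    if days is None:
        days = DEFAULT_DAYS[operation]
    if not days_in_range(days):
        raise ValueError(f"Days must be between {DAYS_MIN} and {DAYS_MAX}")
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=days), now


def check_window(operation: str,
                 start: Optional[datetime] = None,
                 end: Optional[datetime] = None,
                 days: Optional[int] = None) -> Optional[str]:
    """Return the validation error for a window, or None when the inputs are valid."""
    try:
        resolve_window(operation, start, end, days)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cfg = ConnectorConfig("http://intel471.example.invalid", "analyst", "s3cret", verify_ssl=False)
    for problem in validate_config(cfg):
        print("config:", problem)
    start, end = resolve_window("ip_reputation")
    print("ip_reputation window:", start.isoformat(), "->", end.isoformat())
    print("days=3:", check_window("get_iocs", days=3))
```

Because the "Days" default differs between operations, the resolver is keyed by operation so a playbook step that is later repointed from Get Reports to Get IP Reputation picks up the 90-day default documented for that operation instead of silently keeping 7.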

Output

All operations return a customized JSON output that is formatted for easy reference.

The JSON contains all the IOCs published within the specified date range.

The following image displays a sample output:

Sample output of the Get IOCs operation

operation: Global Search

Input parameters

  • Global Search Query: Search query based on which you want to perform a search in Intel 471. For example, "url=injectsview.com&contactInfoEmail=santinosunny1@gmail.com".
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.
  • Interested In: Result categories. You can filter the results by the result categories provided by Intel 471.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results matching the specified search criteria.

The following image displays a sample output:

Sample output of the Global Search operation

operation: Search for Actor

Input parameters

  • Actor Name: Actor name based on which you want to perform a search in Intel 471.
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results matching the specified actor name.

The following image displays a sample output:

Sample output of the Search for Actor operation

operation: Search for Actor with Forum

Input parameters

  • Actor Name: Actor name based on which you want to perform a search in Intel 471.
  • Forum Name: Forum name based on which you want to perform a search in Intel 471.
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.
  • Interested In: Result categories. You can filter the results by the result categories provided by Intel 471.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains results matching the specified actor and forum name.

The following image displays a sample output:

Sample output of the Search for Actor with Forum operation

operation: Get IP Reputation

Input parameters

  • IP Address: IP address whose reputation you want to retrieve from Intel 471.
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.
  • Interested In: Result categories. You can filter the results by the result categories provided by Intel 471.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified IP address.

The following image displays a sample output:

Sample output of the Get IP Reputation operation

operation: Get URL Reputation

Input parameters

  • URL: URL whose reputation you want to retrieve from Intel 471. For example, info@swwatch.com
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.
  • Interested In: Result categories. You can filter the results by the result categories provided by Intel 471.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified URL.

The following image displays a sample output:

Sample output of the Get URL Reputation operation

operation: Get Email Reputation

Input parameters

  • Email: Email address whose reputation you want to retrieve from Intel 471. For example, ping.ip000000@gmail.com
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch results (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.
  • Interested In: Result categories. You can filter the results by the result categories provided by Intel 471.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 90 days.

Output

The JSON output contains details of the specified email address.

The following image displays a sample output:

Sample output of the Get Email Reputation operation

operation: Get Reports

Input parameters

  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch reports (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains the reports published within the specified datetime range.

The following image displays a sample output:

Sample output of the Get Reports operation

operation: Search Report by Tag

Input parameters

  • Tag Name: Name of the tag based on which you want to search for reports. For example, Credit Card Fraud.
  • Start Date: Limits the returned data to data that is published or updated starting at this specified datetime.
  • End Date: Limits the returned data to data that is published or updated ending at this specified datetime.
  • Days: Select, from a drop-down list, the number of days for which you want to fetch reports (range: 7-180).
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.

Note: You can either provide the Start and End Dates, or choose a pre-populated date range from the Days drop-down. The default value is set to 7 days.

Output

The JSON output contains the reports matching the specified tag name within the specified datetime range.

The following image displays a sample output:

Sample output of the Search Report by Tag operation

operation: Get Report using UID

Input parameters

  • Report UID: UID of the report based on which you want to search for reports.
  • Sort By: Sorts the results. You can sort by Earliest, Latest, or Relevance.

Output

The JSON output contains the reports matching the specified Report UID and datetime.

The following image displays a sample output:

Sample output of the Get Report using UID operation

Included playbooks

The following playbooks come bundled with the Intel 471 connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Intel 471 connector.

  • Get IOCs
  • Global Search
  • Search for Actor
  • Search for Actor with Forum
  • Get IP Reputation
  • Get URL Reputation
  • Get Email Reputation
  • Get Reports
  • Search Report by Tag
  • Search Report using UID

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
