SCADAfence provides full coverage of large-scale networks, offering best-in-class network monitoring, asset discovery, governance, remote access, and IoT device security.
This document provides information about the SCADAfence connector, which facilitates automated interactions with a SCADAfence server using FortiSOAR™ playbooks. Add the SCADAfence connector as a step in FortiSOAR™ playbooks to perform automated operations with SCADAfence, such as creating an alert, updating a specific asset, or retrieving a list of all assets or specific assets from SCADAfence.
Connector Version: 1.0.0
Authored By: Community
Certified: No
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
```shell
yum install cyops-connector-scadafence
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SCADAfence connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server | Specify the server URL of the SCADAfence server to which you will connect and perform automated operations. |
Account Route | Specify the account route that is configured for your account to use the SCADAfence APIs and perform automated operations. |
API Key | Specify the API key that is configured for your account to use the SCADAfence APIs and perform automated operations. |
Secret Key | Specify the secret key that is configured for your account to use the SCADAfence APIs and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True. |
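
The following is an added example, not code from the SCADAfence connector or from FortiSOAR: it validates the configuration fields from the table above before any request is built, keeps Verify SSL at its default of True unless an actual boolean False is supplied, and masks the API key and secret key for playbook logs. The header names used to carry the key and secret (X-Api-Key, X-Secret-Key), the requirement that the server URL be https://, and the sample values are assumptions; this page does not document the SCADAfence request format.

```python
"""Added example, not part of the SCADAfence connector's own code: validate the
configuration fields (Server, Account Route, API Key, Secret Key, Verify SSL)
before any request is built. The header names that carry the API key and
secret key are assumptions; this page does not document the request format."""
from urllib.parse import urlparse

REQUIRED_FIELDS = ("server", "account_route", "api_key", "secret_key")


def validate_config(config: dict) -> dict:
    """Return a normalised copy of the connector configuration.

    Raises ValueError when a required field is missing, when the server is not
    an https:// URL (the API key and secret key would otherwise cross the
    network in clear text), or when verify_ssl is not an actual boolean. A form
    value such as the string "false" is rejected instead of being treated as
    truthy, which is how certificate checking gets disabled by accident.
    """
    missing = [name for name in REQUIRED_FIELDS if not config.get(name)]
    if missing:
        raise ValueError("missing configuration fields: " + ", ".join(missing))
    parsed = urlparse(config["server"].strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("server must be an https:// URL")
    verify_ssl = config.get("verify_ssl", True)  # default True, as in the table
    if not isinstance(verify_ssl, bool):
        raise ValueError("verify_ssl must be a boolean, got %r" % (verify_ssl,))
    route = "/" + config["account_route"].strip().strip("/")
    return {
        "base_url": "https://" + parsed.netloc + route,
        "api_key": config["api_key"],
        "secret_key": config["secret_key"],
        "verify_ssl": verify_ssl,
    }


def request_kwargs(cfg: dict) -> dict:
    """Keyword arguments for a requests.Session call built from validated config.

    The X-Api-Key / X-Secret-Key header names are placeholders (assumption);
    substitute the names the SCADAfence API actually expects.
    """
    return {
        "headers": {
            "X-Api-Key": cfg["api_key"],        # assumed header name
            "X-Secret-Key": cfg["secret_key"],  # assumed header name
            "Accept": "application/json",
        },
        "verify": cfg["verify_ssl"],  # never hard-code False here
        "timeout": 30,
    }


def redacted(cfg: dict) -> dict:
    """Copy of the config that is safe for playbook logs: secrets are masked."""
    masked = dict(cfg)
    for name in ("api_key", "secret_key"):
        value = masked.get(name, "")
        masked[name] = value[:4] + "..." if len(value) > 4 else "***"
    return masked


if __name__ == "__main__":
    # Constructed sample configuration (placeholder values, not real credentials).
    sample = {
        "server": "https://scadafence.example.internal/",
        "account_route": "/api/v1/accounts/example-tenant/",
        "api_key": "EXAMPLE-API-KEY-0000",
        "secret_key": "EXAMPLE-SECRET-0000",
        "verify_ssl": True,
    }
    cfg = validate_config(sample)
    print(cfg["base_url"])
    print(redacted(cfg))
```

The boolean check on verify_ssl is the part worth copying: a connector that does `verify=config.get("verify_ssl")` will happily pass the string "false" to requests, which is truthy, but the reverse mistake (treating any non-empty value as False) silently turns certificate verification off for every call.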
The following automated operations can be included in playbooks. You can also use the annotations to access these operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Alert | Creates an alert in SCADAfence based on the IP address, severity, description, and other input parameters you have specified. | create_alert Investigation |
Get Alert List | Retrieves a list of all alerts or specific alerts from SCADAfence based on the input parameters you have specified. | get_alerts Investigation |
Update Alert Status | Updates the status of a specific alert in SCADAfence based on the alert ID and alert status you have specified. | update_alert_status Investigation |
Get Asset List | Retrieves a list of all assets or specific assets from SCADAfence based on the input parameters you have specified. | get_assets Investigation |
Update Asset | Updates a specific asset in SCADAfence based on the site ID, IP address, and other input parameters you have specified. | update_asset Investigation |
Get Sites Status | Retrieves a list of statuses for all the sites or specific sites from SCADAfence based on the input parameters that you have specified. | get_sites_status Investigation |
Input parameters for the Create Alert operation:
Parameter | Description |
---|---|
IP Address | Specify the IP address of the alert based on which you want to create the alert in SCADAfence. |
Alert Severity | Select the severity of the alert that you want to create in SCADAfence. You can choose from the following options: Information, Warning, Threat, Severe, or Critical. |
Description | Specify the description for the alert that you want to create in SCADAfence. |
Is Active | Select this checkbox if you want to set the status of the alert that you want to create in SCADAfence as "Active". |
Remediation Text | (Optional) Specify the remediation text for the alert that you want to create in SCADAfence. |
The output contains a non-dictionary value.
Input parameters for the Get Alert List operation:
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.
Parameter | Description |
---|---|
Alert Number | Specify the number of the alert you want to retrieve from SCADAfence. This parameter filters the results down to the alert with that number. |
Alert Type ID | Specify the type ID of the alerts you want to retrieve from SCADAfence. This parameter filters the results down to alerts of that type. |
Site ID | Specify the site ID of the alerts you want to retrieve from SCADAfence. This parameter filters the results down to alerts raised at that site. |
Alert Status | Select the status of the alerts you want to retrieve from SCADAfence. You can choose from the following options: Created, InProgress, or Resolved. |
Alert Severity | Select the severity of the alerts you want to retrieve from SCADAfence. You can choose from the following options: Information, Warning, Threat, Severe, or Critical. |
IP Address | Specify the IP address of the asset by which you want to filter the alerts retrieved from SCADAfence. |
From | Specify the starting datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter restricts the result set to alerts created after the specified timestamp. |
To | Specify the ending datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter restricts the result set to alerts created before the specified timestamp. |
From LastSeen | Specify the starting datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter restricts the result set to alerts last seen after the specified timestamp. |
To LastSeen | Specify the ending datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter restricts the result set to alerts last seen before the specified timestamp. |
Order By | Select the field by which you want to order the alerts retrieved from SCADAfence. You can choose from the following options: Severity or Site ID. |
Sort By | Select the direction in which you want to sort the alerts retrieved from SCADAfence. You can choose from the following options: Ascending or Descending (default). |
Size | Specify the number of results, per page, that you want to include in the response of this operation. |
Page | Specify the page of results that this operation should return. By default, this is set to 1. |
The output contains the following populated JSON schema:
```json
{
    "id": "",
    "site_id": "",
    "original_number": "",
    "number": "",
    "type": "",
    "status": "",
    "severity": "",
    "details": "",
    "ip": "",
    "params": {},
    "createdOn": "",
    "remediation": "",
    "explanation": ""
}
```
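
The following is an added example, not code from the SCADAfence connector: it turns the Get Alert List inputs described above into query parameters (dropping empty inputs so that, as the note says, nothing set means no filter), checks the enumerated inputs against the documented option lists, and pages through the results using Size and Page. The wire-level parameter names (number, type, status, orderBy, sort), the default page size of 50 and the sample alerts are assumptions constructed for the example; the option values come from the table.

```python
"""Added example, not part of the SCADAfence connector's own code: build the
Get Alert List query from the playbook inputs and page through the results.
Wire-level parameter names and the default page size are assumptions."""
from datetime import datetime, timezone

ALERT_STATUSES = ("Created", "InProgress", "Resolved")
ALERT_SEVERITIES = ("Information", "Warning", "Threat", "Severe", "Critical")
ORDER_BY = {"Severity": "severity", "Site ID": "site_id"}  # assumed wire names
DEFAULT_SIZE = 50                                           # assumed default

# playbook input -> assumed query parameter name
SIMPLE_FILTERS = {"alert_number": "number", "alert_type_id": "type",
                  "site_id": "site_id", "ip_address": "ip"}
TIME_FILTERS = {"from": "from", "to": "to",
                "from_lastseen": "fromLastSeen", "to_lastseen": "toLastSeen"}


def to_utc_iso(value):
    """Accept a datetime or ISO-8601 string; return an ISO-8601 string in UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc).isoformat()


def build_alert_query(params: dict) -> dict:
    """Translate playbook inputs into query parameters.

    Empty inputs add no filter at all, matching the note above: with nothing
    set, the query only carries paging and sort order and every alert matches.
    Enumerated inputs are checked against the documented option lists so a typo
    in a playbook fails loudly instead of silently returning everything.
    """
    query = {}
    for key, wire in SIMPLE_FILTERS.items():
        value = params.get(key)
        if value not in (None, ""):
            query[wire] = value
    status = params.get("alert_status")
    if status:
        if status not in ALERT_STATUSES:
            raise ValueError("unknown alert status: %s" % status)
        query["status"] = status
    severity = params.get("alert_severity")
    if severity:
        if severity not in ALERT_SEVERITIES:
            raise ValueError("unknown alert severity: %s" % severity)
        query["severity"] = severity
    for key, wire in TIME_FILTERS.items():
        value = params.get(key)
        if value not in (None, ""):
            query[wire] = to_utc_iso(value)
    # Same-format UTC ISO strings compare chronologically as plain strings.
    if "from" in query and "to" in query and query["from"] > query["to"]:
        raise ValueError("From must not be later than To")
    order_by = params.get("order_by")
    if order_by:
        query["orderBy"] = ORDER_BY[order_by]  # KeyError on an unknown option
    query["sort"] = "asc" if params.get("sort_by") == "Ascending" else "desc"
    query["size"] = int(params.get("size") or DEFAULT_SIZE)
    query["page"] = int(params.get("page") or 1)
    return query


def iter_alerts(fetch_page, query: dict, max_pages: int = 100):
    """Yield alerts page by page, starting at query['page'].

    fetch_page(query) must return the list of alert dicts for one page. A page
    shorter than 'size' is treated as the last one; max_pages caps the walk so
    a misbehaving server cannot keep a playbook looping.
    """
    first = query["page"]
    for page in range(first, first + max_pages):
        items = fetch_page({**query, "page": page})
        yield from items
        if len(items) < query["size"]:
            return


# Constructed sample data standing in for the server (not real alerts).
SAMPLE_ALERTS = [
    {"id": i, "site_id": "site-1", "number": 100 + i, "severity": "Critical"}
    for i in range(5)
]


def fake_fetch_page(query: dict) -> list:
    """Offline stand-in for the HTTP call: slices SAMPLE_ALERTS by page/size."""
    start = (query["page"] - 1) * query["size"]
    return SAMPLE_ALERTS[start:start + query["size"]]


def collect_critical_alerts(size: int = 2) -> list:
    """Run the whole flow against the constructed data and return all alerts."""
    query = build_alert_query({"alert_severity": "Critical", "size": size,
                               "from": "2024-01-01T00:00:00"})
    return list(iter_alerts(fake_fetch_page, query))
```

In a playbook, `fake_fetch_page` is the only piece to replace with the real HTTP call; everything else (empty-input handling, option validation, the From/To sanity check and the page cap) stays the same.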
Input parameters for the Update Alert Status operation:
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose status you want to update in SCADAfence. |
Alert Status | Select the status that you want to set for the specified alert in SCADAfence. You can choose from the following options: Created, InProgress, or Resolved. |
The output contains a non-dictionary value.
Input parameters for the Get Asset List operation:
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all assets, is returned.
Parameter | Description |
---|---|
Site ID | Specify the site ID of the assets you want to retrieve from SCADAfence. This parameter filters the results down to assets at that site. |
IP Address | Specify the IP address of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the asset with that address. |
Hostname | Specify the hostname of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the asset with that hostname. |
MAC Address | Specify the MAC address of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the asset with that MAC address. |
Order By | Select the field by which you want to order the assets retrieved from SCADAfence. You can choose from the following options: Site ID, IP (default), HostName, First Seen, Last Seen, or Total Traffic Bytes. |
Sort By | Select the direction in which you want to sort the assets retrieved from SCADAfence. You can choose from the following options: Ascending (default) or Descending. |
Size | Specify the number of results, per page, that you want to include in the response of this operation. |
Page | Specify the page of results that this operation should return. By default, this is set to 1. |
The output contains the following populated JSON schema:
```json
{
    "ip": "",
    "site_id": "",
    "hostname": "",
    "mac": "",
    "vendor": "",
    "ou": "",
    "owner": "",
    "location": "",
    "comment": "",
    "cveProduct": "",
    "cveVersion": "",
    "assetTypes": [],
    "nicType": "",
    "assetCriticality": {
        "criticality": "",
        "exposure": "",
        "trust_level": "",
        "safety_impact": "",
        "process_impact": "",
        "security_posture": ""
    },
    "plcDetails": {},
    "totalBytes": "",
    "eventsCount": "",
    "internalIpsCount": "",
    "externalIpsCount": "",
    "operatingSystem": "",
    "vlanId": [],
    "firstSeen": "",
    "lastSeen": ""
}
```
Input parameters for the Update Asset operation:
Parameter | Description |
---|---|
Site ID | Specify the site ID of the asset that you want to update in SCADAfence. |
IP Address | Specify the IP address of the asset that you want to update in SCADAfence. |
Override | Select this checkbox, i.e., set it to True, to override the existing details of the asset that you want to update in SCADAfence. By default, this option is set to False. |
Hostname | (Optional) Specify the hostname to set on the specified asset in SCADAfence. |
Device Type | (Optional) Specify the device type to set on the specified asset in SCADAfence. |
Asset OS | (Optional) Specify the operating system to set on the specified asset in SCADAfence. |
Vendor Name | (Optional) Specify the vendor name to set on the specified asset in SCADAfence. |
Organization Unit (OU) | (Optional) Specify the organization unit to set on the specified asset in SCADAfence. |
Owner | (Optional) Specify the owner to set on the specified asset in SCADAfence. |
Physical Location | (Optional) Specify the physical location to set on the specified asset in SCADAfence. |
Comment | (Optional) Specify the comment to set on the specified asset in SCADAfence. |
Criticality | (Optional) Select the criticality to set on the specified asset in SCADAfence. You can choose from the following options: Normal, Medium, High, or Critical. |
Product CVE | (Optional) Specify the CVE of the product to set on the specified asset in SCADAfence. |
Version CVE | (Optional) Specify the CVE of the version to set on the specified asset in SCADAfence. |
The output contains the following populated JSON schema:
```json
{
    "ip": "",
    "site_id": "",
    "hostname": "",
    "mac": "",
    "vendor": "",
    "ou": "",
    "owner": "",
    "location": "",
    "comment": "",
    "cveProduct": "",
    "cveVersion": "",
    "assetTypes": [],
    "nicType": "",
    "assetCriticality": {
        "criticality": "",
        "exposure": "",
        "trust_level": "",
        "safety_impact": "",
        "process_impact": "",
        "security_posture": ""
    },
    "plcDetails": {},
    "totalBytes": "",
    "eventsCount": "",
    "internalIpsCount": "",
    "externalIpsCount": "",
    "operatingSystem": "",
    "vlanId": [],
    "firstSeen": "",
    "lastSeen": ""
}
```
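
The following is an added example, not code from the SCADAfence connector: it prepares an Update Asset request from the input parameters above, validates the Criticality option list, and produces a changelog of (field, old value, new value) by diffing against the asset record returned by Get Asset List, so a playbook can record who changed what in the asset inventory before the update is sent. The mapping from input names to asset fields is inferred from the output schema on this page, and the Override flag is interpreted here as "send every optional field, clearing the ones left empty" rather than "send only the fields that were supplied"; both are assumptions, as are the sample asset and inputs.

```python
"""Added example, not part of the SCADAfence connector's own code: build an
Update Asset payload and an audit changelog. The field mapping is inferred from
the Get Asset List output schema and the Override semantics are assumed."""

CRITICALITY_OPTIONS = ("Normal", "Medium", "High", "Critical")

# playbook input -> path into the asset record (assumed from the output schema)
FIELD_PATHS = {
    "hostname": ("hostname",),
    "device_type": ("assetTypes",),
    "asset_os": ("operatingSystem",),
    "vendor_name": ("vendor",),
    "organization_unit": ("ou",),
    "owner": ("owner",),
    "physical_location": ("location",),
    "comment": ("comment",),
    "criticality": ("assetCriticality", "criticality"),
    "product_cve": ("cveProduct",),
    "version_cve": ("cveVersion",),
}


def _get(record, path):
    """Read a nested value; None when any part of the path is missing."""
    for key in path:
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def _set(record, path, value):
    """Write a nested value, creating intermediate dicts as needed."""
    for key in path[:-1]:
        record = record.setdefault(key, {})
    record[path[-1]] = value


def plan_asset_update(existing: dict, inputs: dict, override: bool = False):
    """Return (payload, changelog) for one Update Asset call.

    existing: the asset as returned by Get Asset List (used only to diff).
    inputs:   the playbook inputs; site_id and ip_address are mandatory.
    override: assumed meaning - when True every optional field is sent, and a
              field left empty clears the stored value; when False only the
              supplied fields are sent and the rest are left untouched.
    changelog lists (field, old, new) tuples so the playbook can write the
    modification to the incident record before the inventory is touched.
    """
    for required in ("site_id", "ip_address"):
        if not inputs.get(required):
            raise ValueError("%s is required" % required)
    crit = inputs.get("criticality")
    if crit and crit not in CRITICALITY_OPTIONS:
        raise ValueError("unknown criticality: %s" % crit)

    payload = {"site_id": inputs["site_id"], "ip": inputs["ip_address"],
               "override": bool(override)}
    changelog = []
    for name, path in FIELD_PATHS.items():
        supplied = inputs.get(name) not in (None, "")
        if not supplied and not override:
            continue  # leave the field untouched
        new = inputs.get(name) if supplied else None
        if name == "device_type" and new is not None:
            new = [new]  # assetTypes is a list in the output schema
        old = _get(existing, path)
        _set(payload, path, new)
        if old != new:
            changelog.append((".".join(path), old, new))
    return payload, changelog


# Constructed sample asset (not real data), in the Get Asset List schema.
SAMPLE_ASSET = {
    "ip": "10.0.0.5", "site_id": "site-1", "hostname": "plc-01",
    "owner": "", "assetCriticality": {"criticality": "Normal"},
}

if __name__ == "__main__":
    payload, log = plan_asset_update(
        SAMPLE_ASSET,
        {"site_id": "site-1", "ip_address": "10.0.0.5",
         "owner": "ot-team", "criticality": "High"})
    print(payload)
    for field, old, new in log:
        print("%s: %r -> %r" % (field, old, new))
```

Recording the changelog before the call, rather than after, means the incident record still shows the intended change if the update fails halfway; with Override set, the changelog also makes it obvious which stored values an empty input is about to wipe.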
Input parameters for the Get Sites Status operation:
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all site statuses, is returned.
Parameter | Description |
---|---|
Site ID | Specify the ID of the site whose status you want to retrieve from SCADAfence. |
Site Name | Specify the name of the site whose status you want to retrieve from SCADAfence. |
The output contains the following populated JSON schema:
```json
{
    "site_id": "",
    "site_name": "",
    "connection_status": "",
    "total_assets": "",
    "total_alerts": "",
    "alerts": [
        {
            "severity": "",
            "total": ""
        }
    ],
    "data_received_last_hour": "",
    "last_updated": ""
}
```
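
The following is an added example, not code from the SCADAfence connector: it triages the Get Sites Status output above so a playbook opens a task only for sites that need attention, namely sites whose sensor is not connected, sites that received no data in the last hour (a silent sensor means no detections, not a quiet network), sites whose status is stale, and sites carrying Severe or Critical alerts. The field names come from the schema on this page; the connection_status values ("connected"/"disconnected"), the reading of data_received_last_hour as a byte count, the two-hour staleness threshold and the sample records are assumptions constructed for the example.

```python
"""Added example, not part of the SCADAfence connector's own code: triage the
Get Sites Status output. connection_status values and the meaning of
data_received_last_hour are assumptions; field names come from the schema."""
from datetime import datetime, timedelta, timezone

ATTENTION_SEVERITIES = ("Severe", "Critical")


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat a naive one as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def triage_sites(sites, now=None, stale_after=timedelta(hours=2)):
    """Return a list of findings, one per site that needs a human look.

    Sites with no finding are omitted, so on a healthy day the result is an
    empty list and the playbook has nothing to open.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for site in sites:
        reasons = []
        status = str(site.get("connection_status", ""))
        if status.lower() != "connected":           # assumed value set
            reasons.append("sensor not connected (%s)" % status)
        if int(site.get("data_received_last_hour") or 0) == 0:
            reasons.append("no data received in the last hour")
        if site.get("last_updated"):
            age = now - _parse_ts(site["last_updated"])
            if age > stale_after:
                hours = int(age.total_seconds() // 3600)
                reasons.append("status stale for %dh" % hours)
        urgent = sum(int(a.get("total") or 0) for a in site.get("alerts", [])
                     if a.get("severity") in ATTENTION_SEVERITIES)
        if urgent:
            reasons.append("%d severe/critical alerts open" % urgent)
        if reasons:
            findings.append({"site_id": site.get("site_id"),
                             "site_name": site.get("site_name"),
                             "reasons": reasons})
    return findings


# Constructed sample output (not real data), in the schema shown above.
SAMPLE_SITES = [
    {"site_id": "site-1", "site_name": "Plant A", "connection_status": "connected",
     "total_assets": 120, "total_alerts": 3,
     "alerts": [{"severity": "Information", "total": 3}],
     "data_received_last_hour": 5000000, "last_updated": "2024-03-01T12:00:00+00:00"},
    {"site_id": "site-2", "site_name": "Plant B", "connection_status": "disconnected",
     "total_assets": 40, "total_alerts": 0, "alerts": [],
     "data_received_last_hour": 0, "last_updated": "2024-03-01T06:00:00+00:00"},
    {"site_id": "site-3", "site_name": "Plant C", "connection_status": "connected",
     "total_assets": 75, "total_alerts": 5,
     "alerts": [{"severity": "Warning", "total": 3}, {"severity": "Critical", "total": 2}],
     "data_received_last_hour": 900000, "last_updated": "2024-03-01T12:05:00+00:00"},
]


def sample_findings() -> list:
    """Run the triage over the constructed data at a fixed 'now'."""
    now = datetime(2024, 3, 1, 12, 10, tzinfo=timezone.utc)
    return triage_sites(SAMPLE_SITES, now=now)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding["site_id"], finding["site_name"], "; ".join(finding["reasons"]))
```

The "no data in the last hour" and "stale" checks are the ones an alert-driven playbook tends to forget: a site that has stopped reporting raises no alerts at all, so monitoring coverage has to be checked separately from alert volume.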
The Sample - SCADAfence - 1.0.0 playbook collection comes bundled with the SCADAfence connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SCADAfence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.