SCADAfence v1.0.0

About the connector

SCADAfence provides full coverage of large-scale networks, offering best-in-class network monitoring, asset discovery, governance, remote access, and IoT device security.

This document provides information about the SCADAfence connector, which facilitates automated interactions with a SCADAfence server using FortiSOAR™ playbooks. Add the SCADAfence connector as a step in FortiSOAR™ playbooks and perform automated operations with SCADAfence, such as creating an alert in SCADAfence, updating a specific asset in SCADAfence, or retrieving a list of all assets or specific assets from SCADAfence.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-scadafence

Prerequisites to configuring the connector

  • You must have the URL of the SCADAfence server to which you will connect and perform automated operations.
  • You must have the account route, secret key, and API key, which are configured for your account for using the SCADAfence APIs.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the SCADAfence server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SCADAfence connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server Specify the server URL of the SCADAfence server to which you will connect and perform automated operations.
Account Route Specify the account route that is configured for your account to use the SCADAfence APIs and perform automated operations.
API Key Specify the API key that is configured for your account to use the SCADAfence APIs and perform automated operations.
Secret Key Specify the secret key that is configured for your account to use the SCADAfence APIs and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Create Alert Creates an alert in SCADAfence based on the IP address, severity, description, and other input parameters you have specified. create_alert (Investigation)
Get Alert List Retrieves a list of all alerts or specific alerts from SCADAfence based on the input parameters you have specified. get_alerts (Investigation)
Update Alert Status Updates a specific alert in SCADAfence based on the alert ID and alert status you have specified. update_alert_status (Investigation)
Get Asset List Retrieves a list of all assets or specific assets from SCADAfence based on the input parameters you have specified. get_assets (Investigation)
Update Asset Updates a specific asset in SCADAfence based on the site ID, IP address, and other input parameters you have specified. update_asset (Investigation)
Get Sites Status Retrieves a list of statuses for all the sites or specific sites from SCADAfence based on the input parameters that you have specified. get_sites_status (Investigation)

operation: Create Alert

Input parameters

Parameter Description
IP Address Specify the IP address of the alert based on which you want to create the alert in SCADAfence.
Alert Severity Select the severity of the alert that you want to create in SCADAfence. You can choose from the following options: Information, Warning, Threat, Severe, or Critical.
Description Specify the description for the alert that you want to create in SCADAfence.
Is Active Select this checkbox if you want to set the status of the alert that you want to create in SCADAfence as "Active".
Remediation Text (Optional) Specify the remediation text for the alert that you want to create in SCADAfence.

Output

The output contains a non-dictionary value.

operation: Get Alert List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all alerts, is returned.

Parameter Description
Alert Number Specify the number of the alert you want to retrieve from SCADAfence. This parameter filters the results down to the alerts with that number.
Alert Type ID Specify the type ID of the alert you want to retrieve from SCADAfence. This parameter filters the results down to the alerts of that type.
Site ID Specify the site ID of the alert you want to retrieve from SCADAfence. This parameter filters the results down to the alerts raised at that site.
Alert Status Select the status of alerts you want to retrieve from SCADAfence. You can choose from the following options: Created, InProgress, or Resolved.
Alert Severity Select the severity of alerts you want to retrieve from SCADAfence. You can choose from the following options: Information, Warning, Threat, Severe, or Critical.
IP Address Specify the IP address of the asset by which you want to filter the alerts retrieved from SCADAfence.
From Specify the starting datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter filters the result set to include only those items that have been created after the specified timestamp.
To Specify the ending datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter filters the result set to include only those items that have been created before the specified timestamp.
From LastSeen Specify the starting datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter filters the result set to include only those items that have been last seen after the specified timestamp.
To LastSeen Specify the ending datetime by which you want to filter the alerts retrieved from SCADAfence. This parameter filters the result set to include only those items that have been last seen before the specified timestamp.
Order By Select the field by which you want to order the alerts retrieved from SCADAfence. You can choose from the following options: Severity or Site ID.
Sort By Select the direction in which you want to sort the alerts retrieved from SCADAfence. You can choose from the following options: Ascending or Descending (default).
Size Specify the number of results, per page, you want to include in the response of this operation.
Page Specify the page of results (of the size given by Size) that this operation should return in the response. By default, this is set as 1.

Output

The output contains the following populated JSON schema:
{
"id": "",
"site_id": "",
"original_number": "",
"number": "",
"type": "",
"status": "",
"severity": "",
"details": "",
"ip": "",
"params": {},
"createdOn": "",
"remediation": "",
"explanation": ""
}
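The filter, ordering, and paging semantics documented above can be mirrored client-side over alert records shaped like the output schema; the block below is an added example, not part of the connector, and applies the filters to a constructed sample set so a playbook author can see which records each parameter combination selects. Timestamps are assumed to be ISO 8601 strings, and the LastSeen filters are left to the server because the output schema carries no last-seen field.

```python
"""Client-side view of the Get Alert List filters (example code, not the connector's)."""
from datetime import datetime

# Enumerations exactly as documented for the operation; anything else is rejected.
ALERT_STATUSES = {"Created", "InProgress", "Resolved"}
ALERT_SEVERITIES = ["Information", "Warning", "Threat", "Severe", "Critical"]
ORDER_BY = {"Severity": "severity", "Site ID": "site_id"}

# Constructed records using only fields from the documented output schema.
SAMPLE_ALERTS = [
    {"id": "a1", "site_id": "site-1", "number": "101", "type": "1", "status": "Created",
     "severity": "Critical", "ip": "10.0.0.5", "createdOn": "2024-03-01T10:00:00Z"},
    {"id": "a2", "site_id": "site-2", "number": "102", "type": "7", "status": "InProgress",
     "severity": "Warning", "ip": "10.0.0.6", "createdOn": "2024-03-02T10:00:00Z"},
    {"id": "a3", "site_id": "site-1", "number": "103", "type": "1", "status": "Resolved",
     "severity": "Severe", "ip": "10.0.0.5", "createdOn": "2024-03-03T10:00:00Z"},
    {"id": "a4", "site_id": "site-3", "number": "104", "type": "2", "status": "Created",
     "severity": "Information", "ip": "10.0.0.9", "createdOn": "2024-03-04T10:00:00Z"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp (assumed format) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def get_alerts(alerts, *, alert_number=None, alert_type_id=None, site_id=None,
               alert_status=None, alert_severity=None, ip_address=None,
               from_=None, to=None, order_by="Severity", sort_by="Descending",
               size=10, page=1):
    """Filter, order and page alert records with the operation's documented inputs."""
    if alert_status is not None and alert_status not in ALERT_STATUSES:
        raise ValueError(f"unknown alert status: {alert_status}")
    if alert_severity is not None and alert_severity not in ALERT_SEVERITIES:
        raise ValueError(f"unknown alert severity: {alert_severity}")
    if order_by not in ORDER_BY or sort_by not in ("Ascending", "Descending"):
        raise ValueError("Order By must be Severity/Site ID, Sort By Ascending/Descending")
    if size < 1 or page < 1:
        raise ValueError("Size and Page are positive, 1-based integers")

    def keep(a):
        # Equality filters; numbers and type IDs are compared as strings.
        if alert_number is not None and str(a.get("number")) != str(alert_number):
            return False
        if alert_type_id is not None and str(a.get("type")) != str(alert_type_id):
            return False
        if site_id is not None and a.get("site_id") != site_id:
            return False
        if alert_status is not None and a.get("status") != alert_status:
            return False
        if alert_severity is not None and a.get("severity") != alert_severity:
            return False
        if ip_address is not None and a.get("ip") != ip_address:
            return False
        # From/To bound the createdOn timestamp (inclusive at both ends here).
        created = _ts(a["createdOn"])
        if from_ is not None and created < _ts(from_):
            return False
        if to is not None and created > _ts(to):
            return False
        return True

    if ORDER_BY[order_by] == "severity":
        key = lambda a: ALERT_SEVERITIES.index(a["severity"])  # rank, not alphabetical
    else:
        key = lambda a: a["site_id"]
    rows = sorted(filter(keep, alerts), key=key, reverse=(sort_by == "Descending"))
    start = (page - 1) * size
    return rows[start:start + size]


def alert_ids(rows):
    """Convenience: the ids of a result page, in order."""
    return [a["id"] for a in rows]
```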

operation: Update Alert Status

Input parameters

Parameter Description
Alert ID Specify the ID of the alert whose status you want to update in SCADAfence.
Alert Status Select the status that you want to set for the specified alert in SCADAfence. You can choose from the following options: Created, InProgress, or Resolved.

Output

The output contains a non-dictionary value.

operation: Get Asset List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all assets, is returned.

Parameter Description
Site ID Specify the site ID of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the assets at that site.
IP Address Specify the IP address of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the assets with that IP address.
Hostname Specify the hostname of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the assets with that hostname.
MAC Address Specify the MAC address of the asset you want to retrieve from SCADAfence. This parameter filters the results down to the assets with that MAC address.
Order By Select the field by which you want to order the assets retrieved from SCADAfence. You can choose from the following options: Site ID, IP (default), HostName, First Seen, Last Seen, or Total Traffic Bytes.
Sort By Select the direction in which you want to sort the assets retrieved from SCADAfence. You can choose from the following options: Ascending (default) or Descending.
Size Specify the number of results, per page, you want to include in the response of this operation.
Page Specify the page of results (of the size given by Size) that this operation should return in the response. By default, this is set as 1.

Output

The output contains the following populated JSON schema:
{
"ip": "",
"site_id": "",
"hostname": "",
"mac": "",
"vendor": "",
"ou": "",
"owner": "",
"location": "",
"comment": "",
"cveProduct": "",
"cveVersion": "",
"assetTypes": [],
"nicType": "",
"assetCriticality": {
"criticality": "",
"exposure": "",
"trust_level": "",
"safety_impact": "",
"process_impact": "",
"security_posture": ""
},
"plcDetails": {},
"totalBytes": "",
"eventsCount": "",
"internalIpsCount": "",
"externalIpsCount": "",
"operatingSystem": "",
"vlanId": [],
"firstSeen": "",
"lastSeen": ""
}

operation: Update Asset

Input parameters

Parameter Description
Site ID Specify the site ID of the asset that you want to update in SCADAfence.
IP Address Specify the IP address of the asset that you want to update in SCADAfence.
Override Select this checkbox, i.e., set it to True, to override the asset that you want to update in SCADAfence. By default, this option is set as False.
hostname (Optional) Specify the hostname of the asset that you want to update in the specified asset in SCADAfence.
Device Type (Optional) Specify the type of device that you want to update in the specified asset in SCADAfence.
Asset OS (Optional) Specify the OS of the asset that you want to update in the specified asset in SCADAfence.
Vendor Name (Optional) Specify the name of the vendor that you want to update in the specified asset in SCADAfence.
Organization Unit (OU) (Optional) Specify the organization unit of the asset that you want to update in the specified asset in SCADAfence.
Owner (Optional) Specify the owner of the asset that you want to update in the specified asset in SCADAfence.
Physical Location (Optional) Specify the physical location of the asset that you want to update in the specified asset in SCADAfence.
Comment (Optional) Specify the comment for updating the specified asset in SCADAfence.
Criticality (Optional) Select the criticality that you want to set for the asset you want to update in SCADAfence. You can choose from the following options: Normal, Medium, High, or Critical.
Product CVE (Optional) Specify the CVE of the product that you want to update in the specified asset in SCADAfence.
Version CVE (Optional) Specify the CVE of the version that you want to update in the specified asset in SCADAfence.

Output

The output contains the following populated JSON schema:
{
"ip": "",
"site_id": "",
"hostname": "",
"mac": "",
"vendor": "",
"ou": "",
"owner": "",
"location": "",
"comment": "",
"cveProduct": "",
"cveVersion": "",
"assetTypes": [],
"nicType": "",
"assetCriticality": {
"criticality": "",
"exposure": "",
"trust_level": "",
"safety_impact": "",
"process_impact": "",
"security_posture": ""
},
"plcDetails": {},
"totalBytes": "",
"eventsCount": "",
"internalIpsCount": "",
"externalIpsCount": "",
"operatingSystem": "",
"vlanId": [],
"firstSeen": "",
"lastSeen": ""
}

operation: Get Sites Status

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all site statuses, is returned.

Parameter Description
Site ID Specify the ID of the site whose status you want to retrieve from SCADAfence.
Site Name Specify the name of the site whose status you want to retrieve from SCADAfence.

Output

The output contains the following populated JSON schema:
{
"site_id": "",
"site_name": "",
"connection_status": "",
"total_assets": "",
"total_alerts": "",
"alerts": [
{
"severity": "",
"total": ""
}
],
"data_received_last_hour": "",
"last_updated": ""
}
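A common use of Get Sites Status in a playbook is a coverage check: a site that is not connected or has received no data in the last hour is a monitoring gap, not a quiet network. The block below is an added example (not the connector's code) run over constructed site-status records shaped like the schema above; the connection_status value "connected" and the meaning of data_received_last_hour as a count are assumptions, since the page does not define them.

```python
"""Triage Get Sites Status records for monitoring gaps (example code, not the connector's)."""

# Severity order as documented for alerts elsewhere in this connector.
SEVERITY_RANK = {"Information": 0, "Warning": 1, "Threat": 2, "Severe": 3, "Critical": 4}

# Constructed records using only fields from the documented output schema.
SAMPLE_SITES = [
    {"site_id": "s1", "site_name": "Plant A", "connection_status": "connected",
     "total_assets": "120", "total_alerts": "7", "data_received_last_hour": "12345",
     "alerts": [{"severity": "Critical", "total": "2"}, {"severity": "Warning", "total": "5"}],
     "last_updated": "2024-03-04T10:00:00Z"},
    {"site_id": "s2", "site_name": "Plant B", "connection_status": "connected",
     "total_assets": "40", "total_alerts": "3", "data_received_last_hour": "0",
     "alerts": [{"severity": "Information", "total": "3"}],
     "last_updated": "2024-03-04T10:00:00Z"},
    {"site_id": "s3", "site_name": "Substation C", "connection_status": "disconnected",
     "total_assets": "15", "total_alerts": "0", "data_received_last_hour": "0",
     "alerts": [], "last_updated": "2024-03-03T22:00:00Z"},
    {"site_id": "s4", "site_name": "Plant D", "connection_status": "connected",
     "total_assets": "60", "total_alerts": "1", "data_received_last_hour": "500",
     "alerts": [{"severity": "Threat", "total": "1"}],
     "last_updated": "2024-03-04T10:00:00Z"},
]


def triage_sites(sites, min_severity="Severe", connected_value="connected"):
    """Return {site_id: [reasons]} for sites needing attention.

    A site is flagged when it is not connected (assumed status value), when no
    data arrived in the last hour (a silent sensor is a coverage gap), or when
    it has open alerts at or above min_severity.
    """
    threshold = SEVERITY_RANK[min_severity]
    flagged = {}
    for site in sites:
        reasons = []
        if site.get("connection_status") != connected_value:
            reasons.append(f"not connected (status={site.get('connection_status')})")
        # Schema values arrive as strings; treat missing or non-numeric as zero.
        try:
            received = int(site.get("data_received_last_hour") or 0)
        except ValueError:
            received = 0
        if received == 0:
            reasons.append("no data received in the last hour")
        # Per-severity counters come as a list of {severity, total} entries.
        for entry in site.get("alerts", []):
            sev = entry.get("severity")
            if sev in SEVERITY_RANK and SEVERITY_RANK[sev] >= threshold:
                total = int(entry.get("total") or 0)
                if total > 0:
                    reasons.append(f"{sev} alerts: {total}")
        if reasons:
            flagged[site["site_id"]] = reasons
    return flagged
```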

Included playbooks

The Sample - SCADAfence - 1.0.0 playbook collection comes bundled with the SCADAfence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SCADAfence connector.

  • Create Alert
  • Get Alert List
  • Get Asset List
  • Get Sites Status
  • Update Alert Status
  • Update Asset

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
