Stellar Cyber provides security solutions for network, SIEM, IT, internet and cloud security along with security software and analysis tools.
This document provides information about the FortiSOAR™ connector, which facilitates automated interactions with a Stellar Cyber server using FortiSOAR™ playbooks. Add the Stellar Cyber connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving the results of an Elasticsearch query from Stellar Cyber.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-stellar-cyber
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Stellar Cyber connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Stellar Cyber server to which you will connect and perform automated operations. |
Username | Username used to access the Stellar Cyber server to which you will connect and perform the automated operations. |
Password | Password used to access the Stellar Cyber server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks. From FortiSOAR™ version 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Search Query | Retrieves the results of an Elasticsearch query from Stellar Cyber based on the query and index you have specified. | search_query Investigation |
Parameter | Description |
---|---|
Index | Name of the Elasticsearch index in Stellar Cyber against which the query is run. |
Query | Query, written in DSL (Data's Starlight), whose results you want to retrieve. Note: This parameter works only in combination with the Index parameter. |
The output contains the following populated JSON schema:
{
"aella-assets-2020.07.01": {
"aliases": {},
"mappings": {
"amsg": {
"properties": {
"apphistory": {
"properties": {
"app": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"time": {
"type": ""
}
}
},
"applist": {
"type": ""
},
"asset_class": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"asset_source": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"cve_list_str": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"d": {
"properties": {
"appid_id": {
"type": ""
},
"type": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
}
}
},
"daily_score": {
"type": ""
},
"desc": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"device_class": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"device_desc": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"discovery": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"engid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"friendly_name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"geo_point": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"geoip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"id": {
"type": ""
},
"importance": {
"type": ""
},
"ip": {
"type": ""
},
"iphistory": {
"properties": {
"ip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"time": {
"type": ""
}
}
},
"iplist": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"last_seen": {
"type": ""
},
"last_seen_date": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"location": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"locid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"mac": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"mac_list": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"netid": {
"type": ""
},
"os": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"os_version": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"reputation": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"risk_score": {
"type": ""
},
"sec_score": {
"type": ""
},
"ser": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"service": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"start_time": {
"type": ""
},
"start_time_date": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"state": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"static": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"subtype": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"t": {
"type": ""
},
"tag": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"tenantid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"timestamp": {
"type": ""
},
"user_action": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"user_sid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vendor": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vlan": {
"type": ""
},
"vuln_count": {
"type": ""
},
"vuln_ip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vuln_score": {
"type": ""
},
"vuln_time": {
"type": ""
},
"vulnerabilities": {
"properties": {
"count": {
"type": ""
},
"cpe": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"createdAt": {
"type": ""
},
"cve": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"description": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"host_id": {
"type": ""
},
"link": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"offline": {
"type": ""
},
"plugin_family": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"plugin_id": {
"type": ""
},
"plugin_name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"publishedAt": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"riskLevel": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"risk_factor": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"score": {
"type": ""
},
"severity": {
"type": ""
},
"severity_index": {
"type": ""
},
"snoozed": {
"type": ""
},
"synopsis": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"updatedAt": {
"type": ""
},
"vuln_index": {
"type": ""
}
}
}
}
}
},
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": ""
}
}
},
"search": {
"slowlog": {
"level": "",
"threshold": {
"fetch": {
"warn": "",
"trace": "",
"debug": "",
"info": ""
},
"query": {
"warn": "",
"trace": "",
"debug": "",
"info": ""
}
}
}
},
"number_of_shards": "",
"provided_name": "",
"creation_date": "",
"number_of_replicas": "",
"uuid": "",
"version": {
"created": ""
}
}
}
}
}
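The output schema above is an Elasticsearch index mapping with every value blanked out. Before a playbook sends a DSL query through the Search Query operation, it helps to walk that mapping and confirm the fields the query relies on actually exist in the target index. The following is an added example, not part of the connector or this document; the sample mapping is a constructed, trimmed version of the schema above, and the field types in it (ip, long, text, keyword) are assumptions, since the page leaves them empty.

```python
from typing import Dict

# Constructed sample of a Search Query result, trimmed from the schema above.
# The field types are assumed; the page shows them as empty strings.
SAMPLE_OUTPUT = {
    "aella-assets-2020.07.01": {
        "aliases": {},
        "mappings": {"amsg": {"properties": {
            "ip": {"type": "ip"},
            "vuln_count": {"type": "long"},
            "cve_list_str": {"type": "text",
                             "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
            "vulnerabilities": {"properties": {
                "cve": {"type": "text",
                        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                "severity": {"type": "long"},
            }},
        }}},
        "settings": {"index": {"number_of_shards": "1"}},
    }
}


def flatten_fields(properties: dict, prefix: str = "") -> Dict[str, str]:
    """Walk an ES mapping and return {dotted_field_path: type}, including multi-fields."""
    out: Dict[str, str] = {}
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:            # nested object: recurse into its properties
            out.update(flatten_fields(spec["properties"], path + "."))
        if "type" in spec:
            out[path] = spec["type"]
        for sub, subspec in spec.get("fields", {}).items():   # e.g. the .keyword sub-field
            out[f"{path}.{sub}"] = subspec.get("type", "")
    return out


def build_vuln_query(mapping_output: dict, min_severity: int) -> dict:
    """Build a bool DSL query body (hypothetical playbook input for the Query parameter)
    that selects assets with at least one vulnerability at or above min_severity.
    Raises KeyError if the index mapping lacks a field the query depends on."""
    index_name, body = next(iter(mapping_output.items()))
    fields = flatten_fields(body["mappings"]["amsg"]["properties"])
    for needed in ("vulnerabilities.severity", "vuln_count", "ip"):
        if needed not in fields:
            raise KeyError(f"field {needed!r} missing from index {index_name}")
    return {
        "query": {"bool": {"filter": [
            {"range": {"vulnerabilities.severity": {"gte": min_severity}}},
            {"range": {"vuln_count": {"gt": 0}}},
        ]}},
        "_source": ["ip", "vuln_count", "vulnerabilities.cve"],
    }
```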
The Sample - Stellar Cyber - 1.0.0 playbook collection comes bundled with the Stellar Cyber connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Stellar Cyber connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.