Stellar Cyber v1.0.0


About the connector

Stellar Cyber provides security solutions for network, SIEM, IT, internet and cloud security along with security software and analysis tools.

This document provides information about the FortiSOAR™ connector that facilitates automated interactions with a Stellar Cyber server using FortiSOAR™ playbooks. Add the Stellar Cyber connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving the results of an Elasticsearch query from Stellar Cyber.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-stellar-cyber

Prerequisites to configuring the connector

  • You must have the URL of the Stellar Cyber server to which you will connect and perform automated operations, and credentials (a username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Stellar Cyber connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter | Description
Server URL | URL of the Stellar Cyber server to which you will connect and perform automated operations.
Username | Username used to access the Stellar Cyber server to which you will connect and perform the automated operations.
Password | Password used to access the Stellar Cyber server to which you will connect and perform the automated operations.
Verify SSL | Specifies whether the SSL certificate of the server is verified. With verification disabled the connector cannot tell a spoofed server from the real one and sends the credentials above to whichever host answers, so keep it enabled wherever the server's certificate can be trusted.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ version 4.10.0 onwards, you can also use the annotations to access these operations:

Function | Description | Annotation and Category
Search Query | Retrieves the results of an Elasticsearch query from Stellar Cyber for the query and index you specify. | search_query / Investigation

operation: Search Query

Input parameters

Parameter | Description
Index | Elasticsearch index on Stellar Cyber from which you want to retrieve details.
Query | Query, written in DSL (Data's Starlight), that you want to run against the index.
Note: The Query parameter works only together with the Index parameter; supply both.

Output

The output contains the following populated JSON schema:
{
"aella-assets-2020.07.01": {
"aliases": {},
"mappings": {
"amsg": {
"properties": {
"apphistory": {
"properties": {
"app": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"time": {
"type": ""
}
}
},
"applist": {
"type": ""
},
"asset_class": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"asset_source": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"cve_list_str": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"d": {
"properties": {
"appid_id": {
"type": ""
},
"type": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
}
}
},
"daily_score": {
"type": ""
},
"desc": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"device_class": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"device_desc": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"discovery": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"engid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"friendly_name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"geo_point": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"geoip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"id": {
"type": ""
},
"importance": {
"type": ""
},
"ip": {
"type": ""
},
"iphistory": {
"properties": {
"ip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"time": {
"type": ""
}
}
},
"iplist": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"last_seen": {
"type": ""
},
"last_seen_date": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"location": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"locid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"mac": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"mac_list": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"netid": {
"type": ""
},
"os": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"os_version": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"reputation": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"risk_score": {
"type": ""
},
"sec_score": {
"type": ""
},
"ser": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"service": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"start_time": {
"type": ""
},
"start_time_date": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"state": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"static": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"subtype": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"t": {
"type": ""
},
"tag": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"tenantid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"timestamp": {
"type": ""
},
"user_action": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"user_sid": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vendor": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vlan": {
"type": ""
},
"vuln_count": {
"type": ""
},
"vuln_ip": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"vuln_score": {
"type": ""
},
"vuln_time": {
"type": ""
},
"vulnerabilities": {
"properties": {
"count": {
"type": ""
},
"cpe": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"createdAt": {
"type": ""
},
"cve": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"description": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"host_id": {
"type": ""
},
"link": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"offline": {
"type": ""
},
"plugin_family": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"plugin_id": {
"type": ""
},
"plugin_name": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"publishedAt": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"riskLevel": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"risk_factor": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"score": {
"type": ""
},
"severity": {
"type": ""
},
"severity_index": {
"type": ""
},
"snoozed": {
"type": ""
},
"synopsis": {
"type": "",
"fields": {
"keyword": {
"type": "",
"ignore_above": ""
}
}
},
"updatedAt": {
"type": ""
},
"vuln_index": {
"type": ""
}
}
}
}
}
},
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": ""
}
}
},
"search": {
"slowlog": {
"level": "",
"threshold": {
"fetch": {
"warn": "",
"trace": "",
"debug": "",
"info": ""
},
"query": {
"warn": "",
"trace": "",
"debug": "",
"info": ""
}
}
}
},
"number_of_shards": "",
"provided_name": "",
"creation_date": "",
"number_of_replicas": "",
"uuid": "",
"version": {
"created": ""
}
}
}
}
}
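The schema above is an Elasticsearch index mapping with the type values left blank. The following is an added example, not code from the connector or from this document: it flattens such a mapping into the dotted field paths a playbook author can query, and builds a Query DSL term filter for the Query parameter that uses the exact-match `.keyword` sub-field where the mapping provides one. The sample response and its field types are constructed for illustration.

```python
KEYWORD = {"keyword": {"type": "keyword", "ignore_above": 256}}

# Constructed sample response: a trimmed copy of the schema documented
# above, with the blank "type" values filled in with plausible ones.
SAMPLE_OUTPUT = {
    "aella-assets-2020.07.01": {
        "aliases": {},
        "mappings": {"amsg": {"properties": {
            "ip": {"type": "ip"},
            "risk_score": {"type": "long"},
            "cve_list_str": {"type": "text", "fields": KEYWORD},
            "vulnerabilities": {"properties": {
                "cve": {"type": "text", "fields": KEYWORD},
                "severity": {"type": "long"},
            }},
        }}},
    }
}


def flatten_fields(properties, prefix=""):
    """Walk a 'properties' mapping; return {dotted_path: type}, multi-fields included."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # nested object: recurse into it
            out.update(flatten_fields(spec["properties"], path + "."))
            continue
        out[path] = spec.get("type", "")
        for sub, subspec in spec.get("fields", {}).items():
            out[f"{path}.{sub}"] = subspec.get("type", "")
    return out


def index_fields(output):
    """Return {index_name: {path: type}}; handles typed ('amsg') and typeless mappings."""
    result = {}
    for index_name, body in output.items():
        mappings = body.get("mappings", {})
        doc_types = [mappings] if "properties" in mappings else mappings.values()
        fields = {}
        for doc_type in doc_types:
            fields.update(flatten_fields(doc_type.get("properties", {})))
        result[index_name] = fields
    return result


def term_filter(fields, path, value):
    """Query DSL term filter for the Query parameter. Analysed text fields are
    matched on their keyword sub-field (whole value, not tokens); unknown paths are rejected."""
    if fields.get(path) == "text" and f"{path}.keyword" in fields:
        path = f"{path}.keyword"
    if path not in fields:
        raise KeyError(f"{path} is not mapped in this index")
    return {"query": {"bool": {"filter": [{"term": {path: value}}]}}}
```

Run `term_filter` against the field table of the real index returned by the operation to catch typos in field names before the playbook sends the query.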

Included playbooks

The Sample - Stellar Cyber - 1.0.0 playbook collection comes bundled with the Stellar Cyber connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Stellar Cyber connector.

  • Search Query

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
