Fortinet Document Library

Version: 1.0.0

About the connector

ThreatConnect combines external threat data from trusted sources with your in-house data to eliminate false positives and discover relevant threats. It leverages automation to gain context and enhance your data with enrichment tools quickly. It also uses visualization to hunt for patterns and trends to uncover threat actor capabilities and techniques.

This document provides information about the ThreatConnect connector, which facilitates automated interactions with the ThreatConnect API using FortiSOAR™ playbooks. Add the ThreatConnect connector as a step in FortiSOAR™ playbooks and perform automated operations, such as hunting specified IP addresses, files, or email addresses.

Version information

Connector Version: 1.0.0

Authored By: Fortinet

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-threatconnect

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the ThreatConnect server to which you will connect and perform the automated operations.
  • You must know the default organization configured for your account, as well as the API access ID and API secret key used to access the ThreatConnect API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the connectors page, select the ThreatConnect connector and click Configure to configure the following parameters:

  • Server URL: URL of the ThreatConnect server to which you will connect and perform the automated operations.
  • API Default Org: Default organization that is configured for your account to access the ThreatConnect API.
  • API Access ID: Access ID that is configured for your account to access the ThreatConnect API.
  • API Secret Key: Secret key that is configured for your account to access the ThreatConnect API.
  • Verify SSL: Specifies whether the SSL certificate of the server is verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

  • Hunt IP Address: Searches for and displays information for the IP address that you have specified using the ThreatConnect API. Annotation: hunt_ip; Category: Investigation
  • Hunt File Hash: Searches for and displays information for the file hash that you have specified using the ThreatConnect API. Annotation: hunt_file; Category: Investigation
  • Hunt Email Address: Searches for and displays information for the email address that you have specified using the ThreatConnect API. Annotation: hunt_email; Category: Investigation
  • Hunt URL: Searches for and displays information for the URL that you have specified using the ThreatConnect API. Annotation: hunt_url; Category: Investigation
  • Hunt Host: Searches for and displays information for the host that you have specified using the ThreatConnect API. Annotation: hunt_host; Category: Investigation

operation: Hunt IP Address

Input parameters

  • IP Address: IP address that you want to search for and retrieve information about using the ThreatConnect API.
  • Owner: Owner of the IP address that you want to search for using the ThreatConnect API.

Output

The JSON output displays the information for the specified IP address retrieved from ThreatConnect, and a Success message if the indicator of the specified IP address is successfully looked up on your ThreatConnect instance.

The output contains the following populated JSON schema:
{
     "status": "",
     "result": ""
}

operation: Hunt File Hash

Input parameters

  • File Hash: File hash that you want to search for and retrieve information about using the ThreatConnect API.
  • Owner: Owner of the file hash that you want to search for using the ThreatConnect API.

Output

The JSON output displays the information for the specified file hash retrieved from ThreatConnect, and a Success message if the indicator of the specified file hash is successfully looked up on your ThreatConnect instance.

The output contains the following populated JSON schema:
{
     "status": "",
     "result": ""
}

operation: Hunt Email Address

Input parameters

  • Email Address: Email address that you want to search for and retrieve information about using the ThreatConnect API.
  • Owner: Owner of the email address that you want to search for using the ThreatConnect API.

Output

The JSON output displays the information for the specified email address retrieved from ThreatConnect, and a Success message if the indicator of the specified email address is successfully looked up on your ThreatConnect instance.

The output contains the following populated JSON schema:
{
     "status": "",
     "result": ""
}

operation: Hunt URL

Input parameters

  • URL: Address of the URL that you want to search for and retrieve information about using the ThreatConnect API.
  • Owner: Owner of the URL that you want to search for using the ThreatConnect API.

Output

The JSON output displays the information for the specified URL address retrieved from ThreatConnect, and a Success message if the indicator of the specified URL is successfully looked up on your ThreatConnect instance.

The output contains the following populated JSON schema:
{
     "status": "",
     "result": ""
}

operation: Hunt Host

Input parameters

  • Hosts: Hosts that you want to search for and retrieve information about using the ThreatConnect API.
  • Owner: Owner of the hosts that you want to search for using the ThreatConnect API.

Output

The JSON output displays the information for the specified hosts retrieved from ThreatConnect, and a Success message if the indicator of the specified hosts is successfully looked up on your ThreatConnect instance.

The output contains the following populated JSON schema:
{
     "status": "",
     "result": ""
}
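The five hunt operations above all take an indicator plus an owner and return a {"status", "result"} object, and the configuration section supplies the server URL, default organization, access ID, secret key and Verify SSL flag they rely on. The following script is an added example, not code from the FortiSOAR connector or from Fortinet: it validates an indicator and maps it to the matching hunt annotation, builds the signed GET request such an operation would issue, and interprets the output object. The request-signing scheme (an Authorization header of the form "TC <accessId>:<base64 HMAC-SHA256 signature>" over "<path?query>:<METHOD>:<timestamp>", plus a Timestamp header) and the /api/v2/indicators/<collection>/ paths are my understanding of the ThreatConnect v2 API and are not stated on this page; the CONFIG values are placeholders.

```python
"""Constructed example for the ThreatConnect connector page; not the
connector's own code.  Assumed (not from this page): the ThreatConnect v2
HMAC-SHA256 request signature and the /api/v2/indicators/<collection>/ paths.
"""
import base64
import hashlib
import hmac
import ipaddress
import re
import time
from typing import Optional
from urllib.parse import quote, urlencode, urlsplit

# Constructed configuration mirroring the page's parameters; placeholder values only.
CONFIG = {
    "server_url": "https://tc.example.invalid",
    "api_default_org": "Demo Org",
    "api_access_id": "ACCESS-ID-PLACEHOLDER",
    "api_secret_key": "SECRET-KEY-PLACEHOLDER",
    "verify_ssl": True,  # the page's default; keep it so the signed traffic cannot be intercepted
}

# Hunt annotation -> assumed v2 indicator collection name.
INDICATOR_PATHS = {
    "hunt_ip": "addresses",
    "hunt_file": "files",
    "hunt_email": "emailAddresses",
    "hunt_url": "urls",
    "hunt_host": "hosts",
}

_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5, SHA-1, SHA-256
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def classify_indicator(value: str) -> str:
    """Return the hunt annotation for a raw indicator, or raise ValueError.

    Validating first keeps a playbook from forwarding arbitrary text (a typo,
    or a string lifted from an attacker-controlled alert field) into the API
    path.  URLs are tested before e-mails because "http://u@host/" would
    otherwise satisfy the e-mail pattern.
    """
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "hunt_ip"
    except ValueError:
        pass
    if _HASH_RE.match(value):
        return "hunt_file"
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "hunt_url"
    if _EMAIL_RE.match(value):
        return "hunt_email"
    if _HOST_RE.match(value):
        return "hunt_host"
    raise ValueError(f"unsupported indicator: {value!r}")


def sign_request(access_id: str, secret_key: str, path_and_query: str,
                 method: str, timestamp: str) -> str:
    """Assumed TC v2 signature: HMAC-SHA256 over "<path?query>:<METHOD>:<timestamp>"."""
    message = f"{path_and_query}:{method.upper()}:{timestamp}".encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha256).digest()
    return f"TC {access_id}:{base64.b64encode(digest).decode()}"


def build_hunt_request(config: dict, annotation: str, indicator: str,
                       owner: Optional[str] = None, timestamp: Optional[int] = None) -> dict:
    """Describe the signed GET for one hunt operation; nothing is sent."""
    path = f"/api/v2/indicators/{INDICATOR_PATHS[annotation]}/{quote(indicator, safe='')}"
    path_and_query = f"{path}?{urlencode({'owner': owner or config['api_default_org']})}"
    ts = str(timestamp if timestamp is not None else int(time.time()))
    return {
        "method": "GET",
        "url": config["server_url"].rstrip("/") + path_and_query,
        "headers": {
            "Timestamp": ts,
            "Authorization": sign_request(config["api_access_id"], config["api_secret_key"],
                                          path_and_query, "GET", ts),
            "Accept": "application/json",
        },
        # The page's Verify SSL setting, passed straight through: False would let
        # anyone on the network path impersonate the server and capture the signed request.
        "verify": config.get("verify_ssl", True),
    }


def indicator_found(output: dict) -> bool:
    """Playbook-side check on the {"status", "result"} output: only a Success
    status with a non-empty result counts as a hit."""
    return output.get("status") == "Success" and bool(output.get("result"))


if __name__ == "__main__":
    for raw in ["203.0.113.7", "d41d8cd98f00b204e9800998ecf8427e",
                "https://example.com/login", "alice@example.com", "www.example.com"]:
        annotation = classify_indicator(raw)
        req = build_hunt_request(CONFIG, annotation, raw, timestamp=1700000000)
        print(annotation, req["url"], req["headers"]["Authorization"][:16] + "...")
```

Because the signature covers the path, query and method, an indicator or owner value that is altered in transit invalidates the request, which is also why the indicator is percent-encoded before it is placed in the path rather than interpolated raw.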

Included playbooks

The Sample - ThreatConnect - 1.0.0 playbook collection comes bundled with the ThreatConnect connector. This collection contains playbooks with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatConnect connector.

  • Hunt Email
  • Hunt File Hash
  • Hunt Host
  • Hunt IP
  • Hunt URL

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.