ThreatCrowd is a system for finding and researching artifacts relating to cyber threats.
This document provides information about the ThreatCrowd connector, which facilitates automated interactions with ThreatCrowd using FortiSOAR™ playbooks. Add the ThreatCrowd connector as a step in FortiSOAR™ playbooks and perform automated operations, such as hunting for an IP address, an email ID, an MD5 hash, or a domain in the ThreatCrowd system.
Connector Version: 1.0.0
Authored By: Fortinet.
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-threatcrowd
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the connectors page, select the ThreatCrowd connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the ThreatCrowd server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onward:
Function | Description | Annotation and Category |
---|---|---|
Hunt IP | Hunt an IP address in the ThreatCrowd system. | hunt_ip Investigation |
Hunt MD5 | Hunt an MD5 hash in the ThreatCrowd system. | hunt_file Investigation |
Hunt Email Address | Hunt an email address in the ThreatCrowd system. | hunt_email Investigation |
Hunt Domain | Hunt a domain in the ThreatCrowd system. | hunt_domain Investigation |
Input parameters for the Hunt IP operation:
Parameter | Description |
---|---|
IP Address | The IP address to hunt in the ThreatCrowd system. |
The output contains the following populated JSON schema:
{
"hashes": "",
"references": "",
"votes": "",
"permalink": "",
"resolutions": "",
"response_code": ""
}
Input parameters for the Hunt MD5 operation:
Parameter | Description |
---|---|
MD5 | The MD5 hash to hunt in the ThreatCrowd system. |
The output contains the following populated JSON schema:
{
"domains": "",
"sha1": "",
"references": "",
"scans": "",
"permalink": "",
"response_code": "",
"ips": "",
"md5": ""
}
Input parameters for the Hunt Email Address operation:
Parameter | Description |
---|---|
Email Address | The email address to hunt in the ThreatCrowd system. |
The output contains the following populated JSON schema:
{
"references": "",
"emails": "",
"response_code": "",
"domains": "",
"permalink": ""
}
Input parameters for the Hunt Domain operation:
Parameter | Description |
---|---|
Domain | The domain to hunt in the ThreatCrowd system. |
The output contains the following populated JSON schema:
{
"hashes": "",
"resolutions": "",
"response_code": "",
"votes": "",
"permalink": "",
"references": "",
"subdomains": "",
"emails": ""
}
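As an added example (not part of the connector or this document), the following Python shows two pieces of playbook-side logic around the four hunt operations: choosing the annotation (hunt_ip, hunt_file, hunt_email, hunt_domain) from the indicator's format, and flattening a hunt result that follows the output schemas above into pivot indicators, treating any response_code other than "1" as "no data". The sample result is constructed; the meaning of response_code and the shape of the resolutions entries are assumptions, since the page only lists the keys.

```python
import ipaddress
import re

_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(indicator: str) -> str:
    """Return the connector annotation to call for an indicator, or raise."""
    value = indicator.strip()
    try:
        ipaddress.ip_address(value)      # accepts IPv4 and IPv6
        return "hunt_ip"
    except ValueError:
        pass
    if _MD5.match(value):
        return "hunt_file"               # Hunt MD5 is annotated hunt_file
    if _EMAIL.match(value):
        return "hunt_email"
    if _DOMAIN.match(value):
        return "hunt_domain"
    raise ValueError(f"unsupported indicator: {indicator!r}")


def pivots(result: dict) -> list:
    """Flatten a hunt result (keys from the output schemas) into (kind, value)
    pairs a playbook can loop over. Assumption: response_code "1" means
    ThreatCrowd returned data; any other value yields no pivots."""
    if str(result.get("response_code")) != "1":
        return []
    out = []
    for entry in result.get("resolutions") or []:   # assumed entry shape
        for key, kind in (("ip_address", "ip"), ("domain", "domain")):
            if entry.get(key):
                out.append((kind, entry[key]))
    for key, kind in (("subdomains", "domain"), ("emails", "email"),
                      ("hashes", "md5"), ("domains", "domain"), ("ips", "ip")):
        out.extend((kind, v) for v in result.get(key) or [])
    return out


# Constructed sample in the shape of the Hunt Domain output schema (not real data).
SAMPLE_DOMAIN_RESULT = {
    "response_code": "1", "votes": 0, "permalink": "https://example.invalid/p",
    "references": [], "hashes": ["d41d8cd98f00b204e9800998ecf8427e"],
    "resolutions": [{"last_resolved": "2020-01-01", "ip_address": "203.0.113.5"}],
    "subdomains": ["mail.example.com"], "emails": ["abuse@example.com"],
}
```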
The Sample - ThreatCrowd - 1.0.0 playbook collection comes bundled with the ThreatCrowd connector. These playbooks contain steps you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatCrowd connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.