Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

ThreatCrowd is a system for finding and researching artifacts relating to cyber threats. 

This document provides information about the ThreatCrowd connector, which facilitates automated interactions with ThreatCrowd using FortiSOAR™ playbooks. Add the ThreatCrowd connector as a step in FortiSOAR™ playbooks and perform automated operations, such as hunting for an IP address, an email ID, an MD5 hash, or a domain in the ThreatCrowd system.

Version information

Connector Version: 1.0.0

Authored By: Fortinet.

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-threatcrowd

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • You must have the URL of ThreatCrowd server to which you will connect and perform automated operations and credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™  instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the connectors page, select the ThreatCrowd connector and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the ThreatCrowd server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onward:

Function Description Annotation and Category
Hunt IP Hunt IP address in ThreatCrowd system. hunt_ip
Investigation
Hunt MD5 Hunt MD5 hash in ThreatCrowd system. hunt_file
Investigation
Hunt Email Address Hunt email address in ThreatCrowd system. hunt_email
Investigation
Hunt Domain Hunt domain in ThreatCrowd system. hunt_domain
Investigation

operation: Hunt IP

Input parameters

Parameter Description
IP Address Provide the IP address to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "hashes": "",
     "references": "",
     "votes": "",
     "permalink": "",
     "resolutions": "",
     "response_code": ""
}

operation: Hunt MD5

Input parameters

Parameter Description
MD5 Provide the MD5 hash to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "domains": "",
     "sha1": "",
     "references": "",
     "scans": "",
     "permalink": "",
     "response_code": "",
     "ips": "",
     "md5": ""
}

operation: Hunt Email Address

Input parameters

Parameter Description
Email Address Provide the email address to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "references": "",
     "emails": "",
     "response_code": "",
     "domains": "",
     "permalink": ""
}

operation: Hunt Domain

Input parameters

Parameter Description
Domain Provide the domain to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "hashes": "",
     "resolutions": "",
     "response_code": "",
     "votes": "",
     "permalink": "",
     "references": "",
     "subdomains": "",
     "emails": ""
}

Included playbooks

The Sample - ThreatCrowd - 1.0.0 playbook collection comes bundled with the ThreatCrowd connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatCrowd connector.

  • Hunt Domain
  • Hunt Email Address
  • Hunt IP
  • Hunt MD5

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

ThreatCrowd is a system for finding and researching artifacts relating to cyber threats. 

This document provides information about the ThreatCrowd connector, which facilitates automated interactions with ThreatCrowd using FortiSOAR™ playbooks. Add the ThreatCrowd connector as a step in FortiSOAR™ playbooks and perform automated operations, such as hunting for an IP address, an email ID, an MD5 hash, or a domain in the ThreatCrowd system.

Version information

Connector Version: 1.0.0

Authored By: Fortinet.

Certified: No

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-threatcrowd

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the connectors page, select the ThreatCrowd connector and click Configure to configure the following parameters:

Parameter Description
Server URL URL of the ThreatCrowd server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onward:

Function Description Annotation and Category
Hunt IP Hunt IP address in ThreatCrowd system. hunt_ip
Investigation
Hunt MD5 Hunt MD5 hash in ThreatCrowd system. hunt_file
Investigation
Hunt Email Address Hunt email address in ThreatCrowd system. hunt_email
Investigation
Hunt Domain Hunt domain in ThreatCrowd system. hunt_domain
Investigation

operation: Hunt IP

Input parameters

Parameter Description
IP Address Provide the IP address to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "hashes": "",
     "references": "",
     "votes": "",
     "permalink": "",
     "resolutions": "",
     "response_code": ""
}

operation: Hunt MD5

Input parameters

Parameter Description
MD5 Provide the MD5 hash to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "domains": "",
     "sha1": "",
     "references": "",
     "scans": "",
     "permalink": "",
     "response_code": "",
     "ips": "",
     "md5": ""
}

operation: Hunt Email Address

Input parameters

Parameter Description
Email Address Provide the email address to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "references": "",
     "emails": "",
     "response_code": "",
     "domains": "",
     "permalink": ""
}

operation: Hunt Domain

Input parameters

Parameter Description
Domain Provide the domain to hunt in ThreatCrowd system.

Output

The output contains the following populated JSON schema:
{
     "hashes": "",
     "resolutions": "",
     "response_code": "",
     "votes": "",
     "permalink": "",
     "references": "",
     "subdomains": "",
     "emails": ""
}

Included playbooks

The Sample - ThreatCrowd - 1.0.0 playbook collection comes bundled with the ThreatCrowd connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ThreatCrowd connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.