BrightCloud Threat Intelligence Services provide security vendors and others with collective threat intelligence that is always up to date, highly accurate, contextual, and actionable.
This document provides information about the BrightCloud Threat Intelligence connector, which facilitates automated interactions with BrightCloud Threat Intelligence using FortiSOAR™ playbooks. Add the BrightCloud Threat Intelligence connector as a step in CyOPs™ playbooks and perform automated operations, such as retrieving reputation for URLs, IP addresses, or files from BrightCloud Threat Intelligence.
Connector Version: 1.0.0
Authored By: Fortinet.
Certified: No
All connectors provided by CyOPs™ are delivered using a CyOPs™ repository. Therefore, you must set up your CyOPs™ repository and use the yum command to install connectors:
yum install cyops-connector-brightcloud-threat-intelligence
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In CyOPs™, on the connectors page, select the BrightCloud Threat Intelligence connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | Server address of BrightCloud Threat Intelligence. |
OEM ID | Specify the identifier of OEM. |
Device ID | Specify the identifier of Device. |
UID | Specify Unique identifier |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from CyOPs™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Check URL Reputation | Retrieves the reputation details of given URL. | url_reputation Investigation |
Check IP Address Reputation | Retrieves the reputation details of an IP address. | ip_reputation Investigation |
Check File Reputation | Retrieves the reputation details of a file. | file_reputation Investigation |
Parameter | Description |
---|---|
URL | Specify the URL of which reputation need to be fetched from BrightCloud. Multiple entries are comma separated. For example, example1.com, example2.com |
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getrepinfo": {
"threathistory": "",
"reputation": "",
"popularity": "",
"country": "",
"age": ""
}
},
"url": ""
}
],
"type": "",
"status": ""
}
Parameter | Description |
---|---|
IP Address | Specify the IP addresses whose reputation needs to be fetched. Multiple IPs are comma separated. For example, 127.0.0.1, 127.0.0.2. |
The output contains the following populated JSON schema:
{
"results": [
{
"ip": "",
"queries": {
"getinfo": {
"ipint": "",
"ip_status": "",
"reputation": ""
}
}
}
],
"type": "",
"status": ""
}
Parameter | Description |
---|---|
Filehash | Specify the Filehashes whose reputation needs to be fetched. Multiple filehashes are comma separated. |
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getinfo": {
"detdate": "",
"det": "",
"malwaregroup": "",
"filesize": "",
"md5": "",
"fseen": "",
"pccount": ""
}
},
"md5": ""
}
],
"type": "",
"status": ""
}
The Sample - Brightcloud Threat-Intelligence - 1.0.0
playbook collection comes bundled with the BrightCloud Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the BrightCloud Threat Intelligence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
BrightCloud Threat Intelligence Services provide security vendors and others with collective threat intelligence that is always up to date, highly accurate, contextual, and actionable.
This document provides information about the BrightCloud Threat Intelligence connector, which facilitates automated interactions with BrightCloud Threat Intelligence using FortiSOAR™ playbooks. Add the BrightCloud Threat Intelligence connector as a step in CyOPs™ playbooks and perform automated operations, such as retrieving reputation for URLs, IP addresses, or files from BrightCloud Threat Intelligence.
Connector Version: 1.0.0
Authored By: Fortinet.
Certified: No
All connectors provided by CyOPs™ are delivered using a CyOPs™ repository. Therefore, you must set up your CyOPs™ repository and use the yum command to install connectors:
yum install cyops-connector-brightcloud-threat-intelligence
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In CyOPs™, on the connectors page, select the BrightCloud Threat Intelligence connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | Server address of BrightCloud Threat Intelligence. |
OEM ID | Specify the identifier of OEM. |
Device ID | Specify the identifier of Device. |
UID | Specify Unique identifier |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from CyOPs™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Check URL Reputation | Retrieves the reputation details of given URL. | url_reputation Investigation |
Check IP Address Reputation | Retrieves the reputation details of an IP address. | ip_reputation Investigation |
Check File Reputation | Retrieves the reputation details of a file. | file_reputation Investigation |
Parameter | Description |
---|---|
URL | Specify the URL of which reputation need to be fetched from BrightCloud. Multiple entries are comma separated. For example, example1.com, example2.com |
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getrepinfo": {
"threathistory": "",
"reputation": "",
"popularity": "",
"country": "",
"age": ""
}
},
"url": ""
}
],
"type": "",
"status": ""
}
Parameter | Description |
---|---|
IP Address | Specify the IP addresses whose reputation needs to be fetched. Multiple IPs are comma separated. For example, 127.0.0.1, 127.0.0.2. |
The output contains the following populated JSON schema:
{
"results": [
{
"ip": "",
"queries": {
"getinfo": {
"ipint": "",
"ip_status": "",
"reputation": ""
}
}
}
],
"type": "",
"status": ""
}
Parameter | Description |
---|---|
Filehash | Specify the Filehashes whose reputation needs to be fetched. Multiple filehashes are comma separated. |
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getinfo": {
"detdate": "",
"det": "",
"malwaregroup": "",
"filesize": "",
"md5": "",
"fseen": "",
"pccount": ""
}
},
"md5": ""
}
],
"type": "",
"status": ""
}
The Sample - Brightcloud Threat-Intelligence - 1.0.0
playbook collection comes bundled with the BrightCloud Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the BrightCloud Threat Intelligence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.