About the connector
BrightCloud Threat Intelligence Services provide security vendors and others with collective threat intelligence that is always up to date, highly accurate, contextual, and actionable.
This document provides information about the BrightCloud Threat Intelligence connector, which facilitates automated interactions with BrightCloud Threat Intelligence using FortiSOAR™ playbooks. Add the BrightCloud Threat Intelligence connector as a step in CyOPs™ playbooks and perform automated operations, such as retrieving reputation for URLs, IP addresses, or files from BrightCloud Threat Intelligence.
Version information
Connector Version: 1.0.0
Authored By: Fortinet.
Certified: No
Installing the connector
All connectors provided by CyOPs™ are delivered using a CyOPs™ repository. Therefore, you must set up your CyOPs™ repository and use the yum command to install connectors:
yum install cyops-connector-brightcloud-threat-intelligence
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of BrightCloud Threat Intelligence server to which you will connect and perform automated operations.
- You must also have the OEM ID and Device ID.
- To access the CyOPs™ UI, ensure that port 443 is open through the firewall for the CyOPs™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In CyOPs™, on the connectors page, select the BrightCloud Threat Intelligence connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
Server address of BrightCloud Threat Intelligence. |
| OEM ID |
Specify the identifier of OEM. |
| Device ID |
Specify the identifier of Device. |
| UID |
Specify Unique identifier |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from CyOPs™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Check URL Reputation |
Retrieves the reputation details of given URL. |
url_reputation
Investigation |
| Check IP Address Reputation |
Retrieves the reputation details of an IP address. |
ip_reputation
Investigation |
| Check File Reputation |
Retrieves the reputation details of a file. |
file_reputation
Investigation |
operation: Check URL Reputation
Input parameters
| Parameter |
Description |
| URL |
Specify the URL of which reputation need to be fetched from BrightCloud. Multiple entries are comma separated.
For example, example1.com, example2.com |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getrepinfo": {
"threathistory": "",
"reputation": "",
"popularity": "",
"country": "",
"age": ""
}
},
"url": ""
}
],
"type": "",
"status": ""
}
operation: Check IP Address Reputation
Input parameters
| Parameter |
Description |
| IP Address |
Specify the IP addresses whose reputation needs to be fetched. Multiple IPs are comma separated.
For example, 127.0.0.1, 127.0.0.2. |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"ip": "",
"queries": {
"getinfo": {
"ipint": "",
"ip_status": "",
"reputation": ""
}
}
}
],
"type": "",
"status": ""
}
operation: Check File Reputation
Input parameters
| Parameter |
Description |
| Filehash |
Specify the Filehashes whose reputation needs to be fetched. Multiple filehashes are comma separated. |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"queries": {
"getinfo": {
"detdate": "",
"det": "",
"malwaregroup": "",
"filesize": "",
"md5": "",
"fseen": "",
"pccount": ""
}
},
"md5": ""
}
],
"type": "",
"status": ""
}
Included playbooks
The Sample - Brightcloud Threat-Intelligence - 1.0.0 playbook collection comes bundled with the BrightCloud Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the BrightCloud Threat Intelligence connector.
- Check File Reputation
- Check IP Address Reputation
- Check URL Reputation
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
