Webroot BrightCloud Threat Intelligence

1.0.0

About the connector

BrightCloud Threat Intelligence Services provide security vendors and others with collective threat intelligence that is always up to date, highly accurate, contextual, and actionable.

This document provides information about the BrightCloud Threat Intelligence connector, which facilitates automated interactions with BrightCloud Threat Intelligence using FortiSOAR™ playbooks. Add the BrightCloud Threat Intelligence connector as a step in CyOPs™ playbooks and perform automated operations, such as retrieving reputation for URLs, IP addresses, or files from BrightCloud Threat Intelligence.

Version information

Connector Version: 1.0.0

Authored By: Fortinet.

Certified: No

Installing the connector

All connectors provided by CyOPs™ are delivered using a CyOPs™ repository. Therefore, you must set up your CyOPs™ repository and use the yum command to install connectors:

yum install cyops-connector-brightcloud-threat-intelligence

For the detailed procedure to install a connector, refer to the connector installation procedure in the FortiSOAR™ documentation.

Prerequisites to configuring the connector

  • You must have the URL of the BrightCloud Threat Intelligence server to which you will connect and perform automated operations.
  • You must also have the OEM ID and Device ID.
  • To access the CyOPs™ UI, ensure that port 443 is open through the firewall for the CyOPs™ instance.

Configuring the connector

For the procedure to configure a connector, refer to the connector configuration procedure in the FortiSOAR™ documentation.

Configuration parameters

In CyOPs™, on the connectors page, select the BrightCloud Threat Intelligence connector and click Configure to configure the following parameters:

Parameter  | Description
Server URL | Server address of BrightCloud Threat Intelligence.
OEM ID     | Specify the OEM identifier.
Device ID  | Specify the Device identifier.
UID        | Specify the unique identifier.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from CyOPs™ release 4.10.0 and onwards:

Function                    | Description                                        | Annotation      | Category
Check URL Reputation        | Retrieves the reputation details of a given URL.   | url_reputation  | Investigation
Check IP Address Reputation | Retrieves the reputation details of an IP address.  | ip_reputation   | Investigation
Check File Reputation       | Retrieves the reputation details of a file.        | file_reputation | Investigation

operation: Check URL Reputation

Input parameters

Parameter | Description
URL       | Specify the URL whose reputation needs to be fetched from BrightCloud. Multiple entries are comma separated, for example: example1.com, example2.com

Output

The output contains the following populated JSON schema:
{
     "results": [
         {
             "queries": {
                 "getrepinfo": {
                     "threathistory": "",
                     "reputation": "",
                     "popularity": "",
                     "country": "",
                     "age": ""
                 }
             },
             "url": ""
         }
     ],
     "type": "",
     "status": ""
}

operation: Check IP Address Reputation

Input parameters

Parameter  | Description
IP Address | Specify the IP addresses whose reputation needs to be fetched. Multiple IPs are comma separated, for example: 127.0.0.1, 127.0.0.2

Output

The output contains the following populated JSON schema:
{
     "results": [
         {
             "ip": "",
             "queries": {
                 "getinfo": {
                     "ipint": "",
                     "ip_status": "",
                     "reputation": ""
                 }
             }
         }
     ],
     "type": "",
     "status": ""
}

operation: Check File Reputation

Input parameters

Parameter | Description
Filehash  | Specify the file hashes whose reputation needs to be fetched. Multiple file hashes are comma separated.

Output

The output contains the following populated JSON schema:
{
     "results": [
         {
             "queries": {
                 "getinfo": {
                     "detdate": "",
                     "det": "",
                     "malwaregroup": "",
                     "filesize": "",
                     "md5": "",
                     "fseen": "",
                     "pccount": ""
                 }
             },
             "md5": ""
         }
     ],
     "type": "",
     "status": ""
}
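An added example, not part of the connector or this document: Python helpers that split the comma-separated inputs of the three operations the way the parameter tables describe, set aside entries that cannot be looked up, and flatten the three output schemas above into one indicator-keyed dict. The 32-hex-character check assumes MD5 hashes, inferred from the md5 field in the file-reputation schema; the sample response values are constructed.

```python
import ipaddress
import json
import re

# 32 hex characters: MD5 is assumed from the 'md5' field in the file-reputation output.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def split_entries(raw):
    """Split comma-separated connector input such as 'example1.com, example2.com'."""
    return [e.strip() for e in raw.split(",") if e.strip()]

def validate_ips(raw):
    """Separate well-formed IP addresses from entries BrightCloud cannot look up."""
    valid, rejected = [], []
    for entry in split_entries(raw):
        try:
            ipaddress.ip_address(entry)
            valid.append(entry)
        except ValueError:
            rejected.append(entry)
    return valid, rejected

def validate_hashes(raw):
    """Keep only 32-hex-character hashes, lower-cased so results match on the md5 key."""
    entries = split_entries(raw)
    valid = [e.lower() for e in entries if MD5_RE.match(e)]
    rejected = [e for e in entries if not MD5_RE.match(e)]
    return valid, rejected

def flatten_results(response):
    """Reduce any of the three output schemas to (status, {indicator: fields}).
    URL results nest fields under queries.getrepinfo, IP and file results under
    queries.getinfo; the indicator key is url, ip or md5 respectively."""
    data = json.loads(response) if isinstance(response, str) else response
    flat = {}
    for item in data.get("results", []):
        indicator = item.get("url") or item.get("ip") or item.get("md5")
        queries = item.get("queries", {})
        flat[indicator] = dict(queries.get("getrepinfo") or queries.get("getinfo") or {})
    return data.get("status"), flat

# Constructed sample in the shape of the Check URL Reputation output; values are made up.
SAMPLE_URL_RESPONSE = json.dumps({
    "results": [{"queries": {"getrepinfo": {"threathistory": "0", "reputation": "85",
                                            "popularity": "3", "country": "US", "age": "3650"}},
                 "url": "example1.com"}],
    "type": "url", "status": "Success"})
```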

Included playbooks

The Sample - Brightcloud Threat-Intelligence - 1.0.0 playbook collection comes bundled with the BrightCloud Threat Intelligence connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the BrightCloud Threat Intelligence connector.

  • Check File Reputation
  • Check IP Address Reputation
  • Check URL Reputation

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
