apivoid provides several threat intelligence services ranging from IP, URL, and Domain reputation to domain age and website screenshots.
This document provides information about the apivoid connector, which facilitates automated interactions with apivoid using FortiSOAR™ playbooks. Add the apivoid connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving the reputation for specified email ID, IP addresses, domain names, etc, taking high-quality screenshots of the specified website, or retrieving the domain registration date and domain age, in days, for the specified domain.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 7.2.1-1021
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the apivoid Connector in version 1.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-apivoid
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the apivoid connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | IP address or FQDN of the apivoid cloud platform. |
| API Key | API key that is configured for your account from apivoid.com for using the apivoid APIs. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get ThreatLog Domain Reputation | Queries the ThreatLog.com database of malicious domains based on the domain name specified, and if a matching domain is found, then the operation retrieves its reputation from ThreatLog.com. | threatlog Investigation |
| Get Domain Reputation | Checks if the specified domain name is blacklisted by trusted sources and retrieves its reputation from apivoid. | domainbl Investigation |
| Get IP Reputation | Checks and retrieves the reputation and geolocation of the specified IPv4 address from apivoid. | iprep Investigation |
| Get URL Screenshot | Allows you to take high-quality screenshots of any specified web page or URL. | screenshot Investigation |
| Get URL Reputation | Identifies potentially unsafe and phishing URLs and retrieves the reputation of the specified URL from apivoid. | urlrep Investigation |
| Get Domain Age | Retrieves the domain registration date and domain age, in days, from apivoid based on the domain name you have specified. | domainage Investigation |
| Get Domain Trustworthiness | Retrieves important details about the specified domain from apivoid to check whether the specified domain is legit. | sitetrust Investigation |
| Get Domain Parked Status | Retrieves the parked status information, i,e, parked, for sale, or Inactive, for the specified domain from apivoid. | parkeddomain Investigation |
| Get URL Status | Retrieves the URL status information, i,e, online or offline (down or not accessible), for the specified URL from apivoid. | urlstatus Investigation |
| Get Email Reputation | Retrieves the reputation for the specified email ID from apivoid, and provides information about the email , i.e., whether the email is disposable, suspicious/risky, has a valid format, etc. | emailverify Investigation |
| Get DNS Propagation | Checks if the DNS records of the specified domain have been propagated globally. | dnspropagation Investigation |
| Get URL HTML | Captures the HTML page source after JavaScript has been executed for a specified URL. | urltohtml Investigation |
| Get SSL Info | Retrieves information about the SSL certificate, i.e., whether the certificate is valid, expired, or blacklisted from apivoid, for the specified website. | sslinfo Investigation |
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain that you want to query for in the ThreatLog.com database and whose reputation you want to retrieve from ThreatLog.com. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain that you want to check for blacklisting by trusted sources and whose reputation you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| IP Address | IP address whose geolocation and reputation you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL for which you want to capture the screenshot. |
The output contains the following populated JSON schema:
{
"data": {
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
},
"status": "",
"_status": "",
"message": "",
"operation": "",
"request_id": ""
}
| Parameter | Description |
|---|---|
| URL | URL for which you want to retrieve reputation information from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain name whose registration date and domain age, in days, you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose trustworthiness (check whether or not it is legit) information you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose parked status information, i.e., parked, for sale, or inactive, you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL whose status information, i.e., online or offline (down or not accessible) you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Email Address | Email ID whose reputation information you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose DNS records propagation you want to check in apivoid. |
| Record Type | Type of DNS records you want to check for in apivoid. You can choose from the following options: A, AAAA, NS, MX, TXT, SRV, PTR, SOA, CNAME, SPF, or CAA. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL whose HTML page source you want to capture. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Website whose SSL information, i.e., whether the SSL certificate is valid, expired, or blacklisted, needs to be validated and retrieved from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
The Sample - apivoid - 1.0.1 playbook collection comes bundled with the apivoid connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the apivoid connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Sample - API Void - 1.0.1 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for various indicator types. The indicator can be of any of the following types: IP address, domain, URL, or Email address. The pluggable enrichment playbooks are in the format: '<indicator type> > API Void > Enrichment' format. For example, 'URL > API Void > Enrichment'.
The 'Configuration' step in all the pluggable enrichment playbooks contains variables that have default values for calculating the 'Verdict' for various indicator types.
The following table lists the variable names and their default values:
| Variable Name | Default value (risk_score) |
|---|---|
good_score |
0 |
suspicious_score |
89-1 |
malicious_score |
100-90 |
NOTE: The range of default values must be in the <Upper Bound>-<Lower Bound> format, For example, 89-1 |
|
Based on the above default values, the API Void integration API response returns the verdict, cti_score, and enrichment_summary (all the other variables are common, which is listed in the Common Variable Table).
verdict, cti_score, and enrichment_summary variables for indicator type IP, Domain, and URL| Variable Name | Description | Return Value |
|---|---|---|
verdict for IP address, Domain, and URL |
This connector returns a high-reliability value called 'verdict'. Use this verdict to find the reputation of the various types of indicators. |
If the |
cti_score for IP address, Domain, and URL |
The verdict value returned by the integration API. |
|
enrichment_summary for IP Address |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record:  |
enrichment_summary for Domain |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record:  |
enrichment_summary for URL |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record:  |
The following table lists the variable names and their default values:
| Variable Name | Default value (score) |
|---|---|
good_score |
0 |
suspicious_score |
69-1 |
malicious_score |
100-70 |
NOTE: The range of default values must be in the <Upper Bound>-<Lower Bound> format, For example, 89-1 |
|
Based on the above default values, the API Void integration API response returns the verdict, cti_score, and enrichment_summary (all the other variables are common, which is listed in the Common Variable Table).
verdict, cti_score, and enrichment_summary variables for indicator type Email Address| Variable Name | Description | Return Value |
|---|---|---|
verdict for Email address |
This connector returns a high-reliability value called 'verdict'. Use this verdict to find the reputation of the various types of indicators. |
If the |
cti_score |
The verdict value returned by the integration API. |
|
enrichment_summary |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
This table lists the variables, returned by the API Void integration response API, common to all indicators.
| Variable Name | Description | Return Value |
|---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | API Void |
source_data |
The source_data response returned by the integration API. | A JSON response object containing the source data of the threat intelligence integration. |
field_mapping |
The mapping of the FortiSOAR 'indicator' module fields with the API Void response fields. | A JSON response object containing the field mapping of the threat intelligence integration. |
You can change the default values of the 'Verdict' parameter to suit your requirements as follows:
<indicator type> > API Void > Enrichment' format. For example, URL > API Void > Enrichment.good_scoresuspicious_scoremalicious_score0 to 10.apivoid provides several threat intelligence services ranging from IP, URL, and Domain reputation to domain age and website screenshots.
This document provides information about the apivoid connector, which facilitates automated interactions with apivoid using FortiSOAR™ playbooks. Add the apivoid connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving the reputation for specified email ID, IP addresses, domain names, etc, taking high-quality screenshots of the specified website, or retrieving the domain registration date and domain age, in days, for the specified domain.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 7.2.1-1021
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the apivoid Connector in version 1.0.1:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-apivoid
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the apivoid connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | IP address or FQDN of the apivoid cloud platform. |
| API Key | API key that is configured for your account from apivoid.com for using the apivoid APIs. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get ThreatLog Domain Reputation | Queries the ThreatLog.com database of malicious domains based on the domain name specified, and if a matching domain is found, then the operation retrieves its reputation from ThreatLog.com. | threatlog Investigation |
| Get Domain Reputation | Checks if the specified domain name is blacklisted by trusted sources and retrieves its reputation from apivoid. | domainbl Investigation |
| Get IP Reputation | Checks and retrieves the reputation and geolocation of the specified IPv4 address from apivoid. | iprep Investigation |
| Get URL Screenshot | Allows you to take high-quality screenshots of any specified web page or URL. | screenshot Investigation |
| Get URL Reputation | Identifies potentially unsafe and phishing URLs and retrieves the reputation of the specified URL from apivoid. | urlrep Investigation |
| Get Domain Age | Retrieves the domain registration date and domain age, in days, from apivoid based on the domain name you have specified. | domainage Investigation |
| Get Domain Trustworthiness | Retrieves important details about the specified domain from apivoid to check whether the specified domain is legit. | sitetrust Investigation |
| Get Domain Parked Status | Retrieves the parked status information, i,e, parked, for sale, or Inactive, for the specified domain from apivoid. | parkeddomain Investigation |
| Get URL Status | Retrieves the URL status information, i,e, online or offline (down or not accessible), for the specified URL from apivoid. | urlstatus Investigation |
| Get Email Reputation | Retrieves the reputation for the specified email ID from apivoid, and provides information about the email , i.e., whether the email is disposable, suspicious/risky, has a valid format, etc. | emailverify Investigation |
| Get DNS Propagation | Checks if the DNS records of the specified domain have been propagated globally. | dnspropagation Investigation |
| Get URL HTML | Captures the HTML page source after JavaScript has been executed for a specified URL. | urltohtml Investigation |
| Get SSL Info | Retrieves information about the SSL certificate, i.e., whether the certificate is valid, expired, or blacklisted from apivoid, for the specified website. | sslinfo Investigation |
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain that you want to query for in the ThreatLog.com database and whose reputation you want to retrieve from ThreatLog.com. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain that you want to check for blacklisting by trusted sources and whose reputation you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| IP Address | IP address whose geolocation and reputation you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL for which you want to capture the screenshot. |
The output contains the following populated JSON schema:
{
"data": {
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
},
"status": "",
"_status": "",
"message": "",
"operation": "",
"request_id": ""
}
| Parameter | Description |
|---|---|
| URL | URL for which you want to retrieve reputation information from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain name whose registration date and domain age, in days, you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose trustworthiness (check whether or not it is legit) information you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose parked status information, i.e., parked, for sale, or inactive, you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL whose status information, i.e., online or offline (down or not accessible) you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Email Address | Email ID whose reputation information you want to retrieve from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Name of the domain whose DNS records propagation you want to check in apivoid. |
| Record Type | Type of DNS records you want to check for in apivoid. You can choose from the following options: A, AAAA, NS, MX, TXT, SRV, PTR, SOA, CNAME, SPF, or CAA. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| URL | URL whose HTML page source you want to capture. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
| Parameter | Description |
|---|---|
| Domain Name | Website whose SSL information, i.e., whether the SSL certificate is valid, expired, or blacklisted, needs to be validated and retrieved from apivoid. |
The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}
The Sample - apivoid - 1.0.1 playbook collection comes bundled with the apivoid connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the apivoid connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Sample - API Void - 1.0.1 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for various indicator types. The indicator can be of any of the following types: IP address, domain, URL, or Email address. The pluggable enrichment playbooks are in the format: '<indicator type> > API Void > Enrichment' format. For example, 'URL > API Void > Enrichment'.
The 'Configuration' step in all the pluggable enrichment playbooks contains variables that have default values for calculating the 'Verdict' for various indicator types.
The following table lists the variable names and their default values:
| Variable Name | Default value (risk_score) |
|---|---|
good_score |
0 |
suspicious_score |
89-1 |
malicious_score |
100-90 |
NOTE: The range of default values must be in the <Upper Bound>-<Lower Bound> format, For example, 89-1 |
|
Based on the above default values, the API Void integration API response returns the verdict, cti_score, and enrichment_summary (all the other variables are common, which is listed in the Common Variable Table).
verdict, cti_score, and enrichment_summary variables for indicator type IP, Domain, and URL| Variable Name | Description | Return Value |
|---|---|---|
verdict for IP address, Domain, and URL |
This connector returns a high-reliability value called 'verdict'. Use this verdict to find the reputation of the various types of indicators. |
If the |
cti_score for IP address, Domain, and URL |
The verdict value returned by the integration API. |
|
enrichment_summary for IP Address |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
enrichment_summary for Domain |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
enrichment_summary for URL |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
The following table lists the variable names and their default values:
| Variable Name | Default value (score) |
|---|---|
good_score |
0 |
suspicious_score |
69-1 |
malicious_score |
100-70 |
NOTE: The range of default values must be in the <Upper Bound>-<Lower Bound> format, For example, 89-1 |
|
Based on the above default values, the API Void integration API response returns the verdict, cti_score, and enrichment_summary (all the other variables are common, which is listed in the Common Variable Table).
verdict, cti_score, and enrichment_summary variables for indicator type Email Address| Variable Name | Description | Return Value |
|---|---|---|
verdict for Email address |
This connector returns a high-reliability value called 'verdict'. Use this verdict to find the reputation of the various types of indicators. |
If the |
cti_score |
The verdict value returned by the integration API. |
|
enrichment_summary |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
This table lists the variables, returned by the API Void integration response API, common to all indicators.
| Variable Name | Description | Return Value |
|---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | API Void |
source_data |
The source_data response returned by the integration API. | A JSON response object containing the source data of the threat intelligence integration. |
field_mapping |
The mapping of the FortiSOAR 'indicator' module fields with the API Void response fields. | A JSON response object containing the field mapping of the threat intelligence integration. |
You can change the default values of the 'Verdict' parameter to suit your requirements as follows:
<indicator type> > API Void > Enrichment' format. For example, URL > API Void > Enrichment.good_scoresuspicious_scoremalicious_score0 to 10.