FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise. The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of the dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets.
This document provides information about the Fortinet FortiRecon ACI connector, which facilitates automated interactions with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon ACI.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 7.3.2.2150
Fortinet FortiRecon ACI Version Tested on: 23.1
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 1.0.1:
Fixed the Get IOCs action, which was failing to get consolidated IOCs for multiple report IDs.
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-aci
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiRecon ACI connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL or IP address of the FortiRecon server to which you will connect and perform the automated operations. |
API Key | Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs. |
Organization ID | Specify the organization ID for which you will fetch the records using the Fortinet FortiRecon ACI connector. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get IOCs | Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the given organization ID and other input parameters you have specified. | get_iocs Investigation |
Get Leaked Cards | Retrieves a list of all leaked cards or specific leaked cards found for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. | get_leaked_cards Investigation |
Get Widgets | Retrieves a list of all widgets or specific widgets for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. | get_widgets Investigation |
Get OSINT Feeds | Retrieves a list of all OSINT feeds or specific OSINT feeds for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. | get_osint_feeds Investigation |
Get Reports | Retrieves a list of all reports or specific reports for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data. | get_reports Investigation |
Get Reports With IOCs | Retrieves details, including IOCs, for a specific report for the given organization ID and the report ID you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports. | get_reports_with_iocs Investigation |
Get Stealers Log | Retrieves a list of all stealer log infections or specific stealer log infections for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. | get_stealers_log Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all IOCs published in ACI reporting for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Report ID | Specify a comma-separated list of report IDs from which you want to fetch the IOCs. |
IOC Type | Specify a comma-separated string or single string of the type of IOCs you want to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION |
Start Date | Specify the date from when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD). |
End Date | Specify the date until when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD). |
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
},
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
}
],
"page": "",
"size": "",
"total": ""
}
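As an added example (not code from the connector or from Fortinet), the following Python mirrors the Get IOCs contract from the playbook side: it enforces the documented input rules (Size between 1 and 500, default Start Date of Now - 6 months, comma-separated Report ID and IOC Type values), walks the hits/page/size/total envelope that every list operation on this page returns, and consolidates IOCs across several report IDs, the case the 1.0.1 fix addresses. The FortiRecon HTTP endpoint and headers are not documented here, so the transport is an injectable `fetch_page` callable and `fake_fetch_page` with constructed sample hits stands in for the server.

```python
"""Client-side helpers that mirror the Get IOCs operation described above.

Added example, not code from the connector or from Fortinet. The HTTP call is
abstracted behind a `fetch_page` callable because the real endpoint path and
headers are not documented here; `fake_fetch_page` below is a constructed stand-in.
"""
from __future__ import annotations

import calendar
from datetime import date
from typing import Callable, Dict, Iterator, List, Set, Tuple

MAX_PAGE_SIZE = 500      # documented limit: greater than 0, at most 500
DEFAULT_PAGE_SIZE = 10   # documented default

# One page in the documented envelope:
# {"hits": [{"ioc", "ioc_type", "report_id", "report_title"}, ...], "page", "size", "total"}
FetchPage = Callable[[Dict[str, object]], Dict[str, object]]


def _months_ago(d: date, months: int) -> date:
    """Calendar-aware 'Now - N months', clamped to the last valid day of that month."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def _csv(value: str) -> List[str]:
    """Normalise a 'comma-separated string or single string' input into a clean list."""
    return [part.strip() for part in value.split(",") if part.strip()]


def build_ioc_params(report_id: str = "", ioc_type: str = "", start_date: str = "",
                     end_date: str = "", page: int = 1, size: int = DEFAULT_PAGE_SIZE,
                     today: date | None = None) -> Dict[str, object]:
    """Validate Get IOCs inputs against the rules in the parameter table."""
    if not 0 < size <= MAX_PAGE_SIZE:
        raise ValueError(f"size must be between 1 and {MAX_PAGE_SIZE}, got {size}")
    if page < 1:
        raise ValueError("page numbers start at 1")
    today = today or date.today()
    start = start_date or _months_ago(today, 6).isoformat()   # default: Now - 6 months
    end = end_date or today.isoformat()                        # default: current date
    # fromisoformat rejects anything that is not YYYY-MM-DD, so this also validates format
    if date.fromisoformat(start) > date.fromisoformat(end):
        raise ValueError("start_date must not be later than end_date")
    params: Dict[str, object] = {"page": page, "size": size,
                                 "start_date": start, "end_date": end}
    if _csv(report_id):
        params["report_id"] = _csv(report_id)
    if _csv(ioc_type):
        params["ioc_type"] = _csv(ioc_type)
    return params


def iter_iocs(fetch_page: FetchPage, **filters) -> Iterator[Dict[str, str]]:
    """Yield every hit of a query by walking the page/size/total envelope."""
    page = 1
    while True:
        params = build_ioc_params(page=page, **filters)
        result = fetch_page(params)
        hits = list(result.get("hits", []))
        yield from hits
        if not hits or page * int(params["size"]) >= int(result.get("total", 0)):
            return
        page += 1


def consolidate_iocs(fetch_page: FetchPage, report_ids: str,
                     **filters) -> Dict[Tuple[str, str], Set[str]]:
    """Merge IOCs from several reports into one table keyed by (ioc, ioc_type).

    The value is the set of report IDs an indicator appeared in, so an analyst
    sees which reports corroborate it instead of receiving duplicate rows.
    """
    merged: Dict[Tuple[str, str], Set[str]] = {}
    for hit in iter_iocs(fetch_page, report_id=report_ids, **filters):
        merged.setdefault((hit["ioc"], hit["ioc_type"]), set()).add(hit["report_id"])
    return merged


# ---- constructed stand-in for the FortiRecon ACI service (not real data) ----
SAMPLE_HITS: List[Dict[str, str]] = [
    {"ioc": "198.51.100.23", "ioc_type": "IP-REPUTATION", "report_id": "R-1001", "report_title": "Constructed report A"},
    {"ioc": "198.51.100.23", "ioc_type": "IP-REPUTATION", "report_id": "R-1002", "report_title": "Constructed report B"},
    {"ioc": "CVE-PLACEHOLDER-1", "ioc_type": "cve", "report_id": "R-1002", "report_title": "Constructed report B"},
    {"ioc": "phish.example.net", "ioc_type": "domain", "report_id": "R-1003", "report_title": "Constructed report C"},
    {"ioc": "203.0.113.7", "ioc_type": "IP-REPUTATION", "report_id": "R-1001", "report_title": "Constructed report A"},
]


def fake_fetch_page(params: Dict[str, object]) -> Dict[str, object]:
    """Apply the report_id / ioc_type filters and paginate like the documented envelope."""
    rows = SAMPLE_HITS
    if "report_id" in params:
        rows = [h for h in rows if h["report_id"] in params["report_id"]]
    if "ioc_type" in params:
        rows = [h for h in rows if h["ioc_type"] in params["ioc_type"]]
    page, size = int(params["page"]), int(params["size"])
    start = (page - 1) * size
    return {"hits": rows[start:start + size], "page": page, "size": size, "total": len(rows)}


if __name__ == "__main__":
    table = consolidate_iocs(fake_fetch_page, "R-1001, R-1002", size=2)
    for (ioc, ioc_type), reports in sorted(table.items()):
        print(f"{ioc_type:14} {ioc:20} seen in {sorted(reports)}")
```

In a playbook, the same consolidation step lets a single enrichment or blocklist update be built from the Report ID list instead of one call per report.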
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all leaked cards found for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Type | Specify the type of leaked card you want to retrieve from Fortinet FortiRecon ACI. |
Bin | Specify the bin associated with the leaked card you want to retrieve from Fortinet FortiRecon ACI. For example, 123456,654321 |
Start Date | Specify the date from when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD). |
End Date | Specify the date until when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD). |
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"bank_name": "",
"base_name": "",
"bg_code": "",
"bin": "",
"brand_name": "",
"category": "",
"city": "",
"country": "",
"expiry": "",
"holder_name": "",
"index_ts": "",
"org_id": "",
"price": "",
"shop_name": "",
"state": "",
"type": "",
"unique_id": "",
"zip": ""
}
],
"page": "",
"size": "",
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all widgets for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all OSINT Feeds for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Widget ID | Specify the Widget ID using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI. |
Keyword | Specify the keyword using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI. |
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"content_snippet": "",
"is_latest": "",
"link": "",
"publish_date": "",
"tags": [
"",
""
],
"title": "",
"widget_id": "",
"widget_name": ""
}
],
"page": "",
"size": "",
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all reports for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Relevance Rating | Specify a comma-separated string or single string of the relevance ratings of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low |
Tags | Specify a comma-separated string or single string of the tags associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime |
Adversary | Specify a comma-separated string or single string of the adversary associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34 |
Source Category | Specify a comma-separated string or single string of the source category associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet |
Report Type | Specify a comma-separated string or single string of the type of reports you want to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert |
Industry | Specify a comma-separated string or single string of the industry associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology |
Geography | Specify a comma-separated string or single string of the geography of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia |
Keyword | Specify the keyword using which you want to filter the reports retrieved from Fortinet FortiRecon ACI. |
Source Reliability | Specify the source reliability of the reports you want to retrieve from Fortinet FortiRecon ACI. |
Information Reliability | Specify the information reliability of the reports you want to retrieve from Fortinet FortiRecon ACI. |
Start Date | Specify the date from when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD). |
End Date | Specify the date until when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD). |
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [
"",
""
],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}
Parameter | Description |
---|---|
ID | Specify the ID of the report whose details, including IOCs, you want to retrieve from Fortinet FortiRecon ACI. |
The output contains the following populated JSON schema:
{
"adversary": [
""
],
"category": "",
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"ioc": [],
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"tags": [
"",
""
],
"tlp": "",
"type": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all stealer log infections for the given organization ID are fetched from Fortinet FortiRecon ACI.
Parameter | Description |
---|---|
Stealer Name | Specify a comma-separated string or single string of the names of the stealers associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Redline,Redline1 |
Domain | Specify a comma-separated string or single string of the domains associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, domain1.com,domain2.com |
Country | Specify a comma-separated string or single string of the countries associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, India,Dubai |
State | Specify a comma-separated string or single string of the states associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Haryana,Telangana |
ISP | Specify a comma-separated string or single string of the ISPs associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Hutchison Max Telecom Limited |
Marketplace | Specify a comma-separated string or single string of the marketplaces associated with the stealer log infections you want to retrieve from Fortinet FortiRecon ACI. For example, russian-market,russian-market2 |
Keyword | Specify the keyword using which you want to filter the stealer log infections retrieved from Fortinet FortiRecon ACI. |
Start Date | Specify the date from when you want to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD). |
End Date | Specify the date until when you want to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD). |
Page | Specify the page number from which to retrieve results. |
Size | Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"affiliated_domains": "",
"country": "",
"discovery_date": "",
"isp": "",
"last_updated": "",
"marketplace": "",
"org_id": "",
"price": "",
"sites": "",
"state": "",
"stealer_name": "",
"vendor": ""
}
],
"page": "",
"size": "",
"total": ""
}
The Sample - Fortinet Fortirecon ACI - 1.0.1 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.