Fortinet black logo

Fortinet FortiRecon ACI

Fortinet FortiRecon ACI v1.0.1

1.0.1
Copy Link
Copy Doc ID 6b16f604-cc88-11ed-8e6d-fa163e15d75b:542

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise. The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of the dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets.

This document provides information about the Fortinet FortiRecon ACI connector, which facilitates automated interactions, with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon ACI.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 7.3.2.2150

Fortinet FortiRecon ACI Version Tested on: 23.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

The following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 1.0.1:

  • Fixed a bug where Get IOCs action was failing to get consolidated IOCs for multiple report IDs.
  • Fixed an issue with the "Authentication Mechanism" of the connector that caused the 'Health Check' of the connector to display as "Available" even when an invalid Organization ID was specified in the configuration. Due to this, whenever users tried to perform actions using the connector, they would fail since a valid organization ID is required for all actions.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet FortiRecon ACI server to which you will connect and perform automated operations and the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiRecon ACI server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiRecon ACI connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to which you will connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID for which you will fetch the records using the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the given organization ID and other input parameters you have specified. get_iocs
Investigation
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards
Investigation
Get Widgets Retrieves a list of all widgets or specific widgets for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_widgets
Investigation
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds
Investigation
Get Reports Retrieves a list of all reports or specific reports for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI.
The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data.
get_reports
Investigation
Get Reports With IOCs Retrieves details, including IOCs, for a specific report for the given organization ID and the report ID you have specified from Fortinet FortiRecon ACI.
The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports.
get_reports_with_iocs
Investigation
Get Stealers Log Retrieves a list of all stealer log infections or specific stealer log infections for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_stealers_log
Investigation

operation: Get IOCs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all IOCs published in ACI reporting for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Report ID Specify a comma-separated list of report IDs from which you want to fetch the IOCs.
IOC Type Specify a comma-separated string or single string of the type of IOCs you want to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
},
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Leaked Cards

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all leaked cards found for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Type Specify the type of leaked card you want to retrieve from Fortinet FortiRecon ACI.
Bin Specify the bin associated with the leaked card you want to retrieve from Fortinet FortiRecon ACI. For example, 123456,654321
Start Date Specify the date from when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"bank_name": "",
"base_name": "",
"bg_code": "",
"bin": "",
"brand_name": "",
"category": "",
"city": "",
"country": "",
"expiry": "",
"holder_name": "",
"index_ts": "",
"org_id": "",
"price": "",
"shop_name": "",
"state": "",
"type": "",
"unique_id": "",
"zip": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Widgets

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all widgets for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get OSINT Feeds

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all OSINT Feeds for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Widget ID Specify the Widget ID using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"content_snippet": "",
"is_latest": "",
"link": "",
"publish_date": "",
"tags": [
"",
""
],
"title": "",
"widget_id": "",
"widget_name": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all reports for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Relevance Rating Specify a comma-separated string or single string of the relevance ratings of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low
Tags Specify a comma-separated string or single string of the tags associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime
Adversary Specify a comma-separated string or single string of the adversary associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34
Source Category Specify a comma-separated string or single string of the source category associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet
Report Type Specify a comma-separated string or single string of the type of reports you want to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert
Industry Specify a comma-separated string or single string of the industry associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology
Geography Specify a comma-separated string or single string of the geography of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia
Keyword Specify the keyword using which you want to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports you want to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports you want to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [
"",
""
],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, you want to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:
{
"adversary": [
""
],
"category": "",
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"ioc": [],
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"tags": [
"",
""
],
"tlp": "",
"type": ""
}

operation: Get Stealers Log

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all stealer log infections for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Stealer Name Specify a comma-separated string or single string of the names of the stealers associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Redline,Redline1
Domain Specify a comma-separated string or single string of the domains associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, domain1.com,domain2.com
Country Specify a comma-separated string or single string of the countries associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, India,Dubai
State Specify a comma-separated string or single string of the states associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Haryana,Telangana
ISP Specify a comma-separated string or single string of the ISPs associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Hutchison Max Telecom Limited
Marketplace Specify a comma-separated string or single string of the marketplaces associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, russian-market,russian-market2
Keyword Specify the keyword using which you want to filter the steal log infections retrieved from Fortinet FortiRecon ACI.
Start Date Specify the date from when you want to retrieve steal log infections from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve steal log infections from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"affiliated_domains": "",
"country": "",
"discovery_date": "",
"isp": "",
"last_updated": "",
"marketplace": "",
"org_id": "",
"price": "",
"sites": "",
"state": "",
"stealer_name": "",
"vendor": ""
}
],
"page": "",
"size": "",
"total": ""
}

Included playbooks

The Sample - Fortinet Fortirecon ACI - 1.0.1 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

  • Get IOCs
  • Get Leaked Cards
  • Get OSINT Feeds
  • Get Reports
  • Get Reports With IOCs
  • Get Stealers Log
  • Get Widgets

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise. The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of the dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets.

This document provides information about the Fortinet FortiRecon ACI connector, which facilitates automated interactions, with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon ACI.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 7.3.2.2150

Fortinet FortiRecon ACI Version Tested on: 23.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

The following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 1.0.1:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiRecon ACI connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to which you will connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID for which you will fetch the records using the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the given organization ID and other input parameters you have specified. get_iocs
Investigation
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards
Investigation
Get Widgets Retrieves a list of all widgets or specific widgets for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_widgets
Investigation
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds
Investigation
Get Reports Retrieves a list of all reports or specific reports for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI.
The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data.
get_reports
Investigation
Get Reports With IOCs Retrieves details, including IOCs, for a specific report for the given organization ID and the report ID you have specified from Fortinet FortiRecon ACI.
The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports.
get_reports_with_iocs
Investigation
Get Stealers Log Retrieves a list of all stealer log infections or specific stealer log infections for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_stealers_log
Investigation

operation: Get IOCs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all IOCs published in ACI reporting for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Report ID Specify a comma-separated list of report IDs from which you want to fetch the IOCs.
IOC Type Specify a comma-separated string or single string of the type of IOCs you want to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
},
{
"ioc": "",
"ioc_type": "",
"report_id": "",
"report_title": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Leaked Cards

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all leaked cards found for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Type Specify the type of leaked card you want to retrieve from Fortinet FortiRecon ACI.
Bin Specify the bin associated with the leaked card you want to retrieve from Fortinet FortiRecon ACI. For example, 123456,654321
Start Date Specify the date from when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"bank_name": "",
"base_name": "",
"bg_code": "",
"bin": "",
"brand_name": "",
"category": "",
"city": "",
"country": "",
"expiry": "",
"holder_name": "",
"index_ts": "",
"org_id": "",
"price": "",
"shop_name": "",
"state": "",
"type": "",
"unique_id": "",
"zip": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Widgets

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all widgets for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
},
{
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get OSINT Feeds

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all OSINT Feeds for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Widget ID Specify the Widget ID using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword using which you want to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"content_snippet": "",
"is_latest": "",
"link": "",
"publish_date": "",
"tags": [
"",
""
],
"title": "",
"widget_id": "",
"widget_name": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all reports for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Relevance Rating Specify a comma-separated string or single string of the relevance ratings of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low
Tags Specify a comma-separated string or single string of the tags associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime
Adversary Specify a comma-separated string or single string of the adversary associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34
Source Category Specify a comma-separated string or single string of the source category associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet
Report Type Specify a comma-separated string or single string of the type of reports you want to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert
Industry Specify a comma-separated string or single string of the industry associated with the reports you want to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology
Geography Specify a comma-separated string or single string of the geography of the reports you want to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia
Keyword Specify the keyword using which you want to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports you want to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports you want to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"adversary": [
""
],
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"report_type": "",
"source_category": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"threat": [
"",
""
],
"tlp": ""
}
],
"page": "",
"size": "",
"total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, you want to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:
{
"adversary": [
""
],
"category": "",
"customer_tag": "",
"geography": [
""
],
"industry_tags": [
""
],
"information_date": "",
"information_reliability": "",
"ioc": [],
"motivation": "",
"publish_date": "",
"relevance_rating": "",
"report_id": "",
"report_title": "",
"source_name": "",
"source_reliability": "",
"status": "",
"summary": "",
"tags": [
"",
""
],
"tlp": "",
"type": ""
}

operation: Get Stealers Log

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., all stealer log infections for the given organization ID are fetched from Fortinet FortiRecon ACI.

Parameter Description
Stealer Name Specify a comma-separated string or single string of the names of the stealers associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Redline,Redline1
Domain Specify a comma-separated string or single string of the domains associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, domain1.com,domain2.com
Country Specify a comma-separated string or single string of the countries associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, India,Dubai
State Specify a comma-separated string or single string of the states associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Haryana,Telangana
ISP Specify a comma-separated string or single string of the ISPs associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, Hutchison Max Telecom Limited
Marketplace Specify a comma-separated string or single string of the marketplaces associated with the steal log infections you want to retrieve from Fortinet FortiRecon ACI. For example, russian-market,russian-market2
Keyword Specify the keyword using which you want to filter the steal log infections retrieved from Fortinet FortiRecon ACI.
Start Date Specify the date from when you want to retrieve steal log infections from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date until when you want to retrieve steal log infections from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of results, per page, that you want to include in the response of this operation. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:
{
"hits": [
{
"affiliated_domains": "",
"country": "",
"discovery_date": "",
"isp": "",
"last_updated": "",
"marketplace": "",
"org_id": "",
"price": "",
"sites": "",
"state": "",
"stealer_name": "",
"vendor": ""
}
],
"page": "",
"size": "",
"total": ""
}

Included playbooks

The Sample - Fortinet Fortirecon ACI - 1.0.1 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next