FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon EASM Connector, which facilitates automated interactions, with a Fortinet FortiRecon EASM server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon EASM Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon EASM.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 7.3.2.2150
Fortinet FortiRecon EASM Version Tested on: Version: v23.1
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiRecon EASM Connector in version 1.0.1:
Get Domains,Get Subdomains and Get IPs actions were failing to retrieve 'Domains', 'Subdomains', and 'IPs' respectively for multiple ports.Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-easm
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon EASM connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Hostname or IP address of the FortiOS endpoint server to which you will connect and perform the automated operations. |
| API Key | Specify the API key to access the Rest APIs. |
| Organization ID | The organization ID on which FortiRecon operations are to be performed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Leaked Credentials | Retrieves a list of leaked credentials related to the organization ID based on the keyword to search, breach ID, and date-time range you have specified. | get_leaked_credentials Investigation |
| Get Scan Statistics | Retrieves statistics related to the EASM scan related to the organization ID specified in the configuration parameters. The response includes a count of the total, online, and newly discovered assets for the current and previous scans. | get_scan_statistics Investigation |
| Get Issues Discovered | Retrieves a list of security issues related to assets discovered in the most recent EASM scan based on the filter criteria like issue status, severity, and country codes (US, IN) you have specified. |
get_issues_discovered Investigation |
| Get Issue By ID | Retrieves the details about a specific security issue based on the unique issue ID you have specified. | get_issue_by_id Investigation |
| Get Issue Summary | Retrieves the statistics related to security issues discovered in the most recent EASM scan. The response includes a count of the total discovered issues, along with the severity-wise count. | get_issue_summary Investigation |
| Get Archived Issues | Retrieves a list of security issues that have been marked as either Risk Accepted or False Positive based on the asset you have specified. | get_archived_issues Investigation |
| Get Archived Assets | Retrieves a list of assets that have been marked as either Risk Accepted or False Positive. | get_archived_assets Investigation |
| Get Asset ASNs | Retrieves a list of Autonomous System Numbers (ASNs) discovered in the latest EASM scan based on the asset you have specified. | get_asset_asns Investigation |
| Get ASNs by Asset ID | Retrieves the details about a specific Autonomous System Number(ASN) based on the asset ID you have specified. | get_asns_by_asset_id Investigation |
| Get Domains | Retrieves a list of domains discovered in the latest EASM scan based on the filter criteria like ports, technologies, and assets you have specified. | get_domains Investigation |
| Get Domain by Asset ID | Retrieves domain details based on the asset ID you have specified. | get_domain_by_asset_id Investigation |
| Get IPs | Retrieves a list of IP addresses discovered in the latest EASM scan based on the filter criteria like ports, country codes, and assets you have specified. | get_ips Investigation |
| Get IP by Asset ID | Retrieves IP address details based on the asset ID you have specified. | get_domain_by_asset_id Investigation |
| Get Prefixes | Retrieves a list of IP prefixes discovered in the latest EASM scan based on the filter criteria like ASN and assets you have specified. | get_prefixes Investigation |
| Get Prefixes by Asset ID | Retrieves the details about a specific IP prefix based on the asset ID you have specified. | get_prefixes_by_asset_id Investigation |
| Get Subdomains | Retrieves a list of subdomains discovered in the latest EASM scan based on the filter criteria like ports, technologies, and assets you have specified. | get_subdomains Investigation |
| Get Subdomain by Asset ID | Retrieves subdomain details based on the asset ID you have specified. | get_prefixes_by_asset_id Investigation |
| Get Asset Statistics | Retrieves the statistics related to assets discovered in the most recent EASM scan. The response includes a count of the total discovered and online assets. | get_asset_statistics Investigation |
| Get Breaches | Retrieves a list of credential breaches related to the organization ID based on the keyword to search and other details you have specified. | get_breaches Investigation |
| Get Breaches by ID | Retrieves the details about a specific credential breach based on the breach ID you have specified. | get_breaches_by_id Investigation |
| Generate Report | Initiates the report generation for the latest EASM scan. | generate_report Investigation |
| Get Report | Checks the status of the generated EASM report based on the report ID you have specified. The response contains the s3 URL of the report to download if generated. | get_report Investigation |
| Parameter | Description |
|---|---|
| Keyword | Specify the text to search in the email address and breach name. For example:user@example.com. The response filters out results and fetches credentials exposed for user@example.com. |
| Breach ID | Specify the breach ID to filter the leaked credentials received. |
| Has Password | Specify whether to filter the leaked credential list based on whether the credentials contain passwords. |
| Start Date | Specify the start date to filter the credential leak discovery date. The default is the last 6 months. |
| End Date | Specify the end date to filter the credential leak discovery date. The default is the current day's date. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"breach_id": "",
"email_addr": "",
"domain": "",
"breach_name": "",
"breach_date": "",
"added_on": "",
"has_password": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"current_scan": {
"completed_ts": "",
"assets": {
"total": "",
"live": "",
"newly_discovered": {
"domain": "",
"sub_domain": "",
"ip_address": "",
"ip_block": "",
"asn": ""
}
}
}
}
| Parameter | Description |
|---|---|
| Status | Select the status, to filter the results, from the following available options:
|
| Severity | Select the severity, to filter the results, from the following available options:
|
| Countries | Specify the country code, to filter the results, from the discovered issues. Specify the countries as comma-separated values to get all those results that have any of the specified countries. For example: IN,US |
| Bucket ID | Specify the bucket IDs, to filter the results, from the following available options:
|
| Issue Name Identifier | Specify the issue name identifiers, to filter the results, as comma-separated values. For example: ip_blacklist,cve_2019_1234 |
| Asset | Specify the asset, to filter the results. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"issue_name": "",
"asset": "",
"severity": "",
"port": "",
"bucket": "",
"status": "",
"user_name": "",
"issue_name_identifier": "",
"bucket_id": "",
"data": [
{
"port": "",
"issue_result": "",
"additional_detail": {
"is_expired": "",
"is_invalid": "",
"is_self_signed": "",
"about_to_expire": "",
"cert_fingerprint_sha256": [],
"days_left": "",
"weak_ciphers": [],
"ssl_issues": [
{
"issue_type": "",
"port": "",
"info": ""
},
{
"issue_type": "",
"port": "",
"info": ""
}
]
}
}
]
}
]
}
| Parameter | Description |
|---|---|
| Issue ID | Specify the issue ID to get details about that specific security issue. |
The output contains the following populated JSON schema:
{
"id": "",
"issue_name": "",
"asset": "",
"severity": "",
"port": "",
"bucket": "",
"status": "",
"user_name": "",
"issue_name_identifier": "",
"bucket_id": "",
"data": [
{
"port": "",
"issue_result": "",
"additional_detail": {
"is_expired": "",
"is_invalid": "",
"is_self_signed": "",
"about_to_expire": "",
"cert_fingerprint_sha256": [],
"days_left": "",
"weak_ciphers": [],
"ssl_issues": [
{
"issue_type": "",
"port": "",
"info": ""
},
{
"issue_type": "",
"port": "",
"info": ""
}
]
}
}
]
}
None.
The output contains the following populated JSON schema:
{
"total": "",
"critical": "",
"high": "",
"low": "",
"medium": ""
}
| Parameter | Description |
|---|---|
| Status | Select the status, to filter the results from archived issues, from the following available options:
|
| Asset | Specify the asset, to filter the results, from the archived issues. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"issue_name": "",
"port": "",
"status": "",
"user_name": ""
}
]
}
| Parameter | Description |
|---|---|
| User Action | Select the user action based on which to filter the fetched archived assets. This value can be selected as False Positive or left blank. |
| Asset | Specify the asset, to filter the results, from the archived assets. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"issue_name": "",
"port": "",
"status": "",
"user_name": ""
}
]
}
| Parameter | Description |
|---|---|
| Asset | Specify the asset, to filter the results, from the retrieved ASNs. For example: AS0000 |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"company_name": "",
"id": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the ASN details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"id": "",
"asset": "",
"assets_linked_count": "",
"company_name": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
]
}
| Parameter | Description |
|---|---|
| Ports | Specify the ports, to filter the results, from retrieved domains. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Technologies | Specify the ports, to filter the results, from retrieved domains. Specify a comma-separated string or a single string. e.g MySQL,Bootstrap |
| Asset | Specify the asset, to filter the results, from the retrieved domains. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"ports": [],
"ssl_cert_org": "",
"ip_address": "",
"technologies": [],
"confidence": "",
"domain_expiry": "",
"nameserver": [],
"original_ip": []
}
]
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the domain details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"id": "",
"asset": "",
"ports": [],
"ssl_cert_org": "",
"ip_address": "",
"technologies": [],
"confidence": "",
"domain_expiry": "",
"nameserver": [],
"original_ip": [],
"issue_count": "",
"discovery_path": [
{
"module": "",
"from": "",
"from_type": "",
"type": ""
}
],
"assets_linked_count": "",
"assets_linked": []
}
| Parameter | Description |
|---|---|
| Ports | Specify the ports, to filter the results, from retrieved IP addresses. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Countries | Specify the country code, to filter the results, from the discovered issues. Specify the countries as comma-separated values to get all those results that have any of the specified countries. For example: IN,US |
| Asset | Specify the asset, to filter the results, from the retrieved IP addresses. |
| IP Prefix | Specify an IP address prefix, to filter the results, from retrieved IP addresses. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"id": "",
"ip_prefix": "",
"ports": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the IP address details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"asset": "",
"assets_linked_count": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
],
"id": "",
"ip_prefix": "",
"issue_count": "",
"ports": []
}
| Parameter | Description |
|---|---|
| Asset | Specify the asset, to filter the results, from the retrieved IP address prefix. |
| ASN | Specify the ASN, to filter the results, from retrieved IP address prefixes. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asn_number": "",
"asset": "",
"company_name": "",
"id": "",
"ip_count": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the IP address details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"asset": "",
"assets_linked_count": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
],
"id": "",
"ip_prefix": "",
"issue_count": "",
"ports": []
}
| Parameter | Description |
|---|---|
| Ports | >Specify the ports, to filter the results, from retrieved subdomains. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Technologies | Specify the ports, to filter the results, from retrieved subdomains. Specify a comma-separated string or a single string. e.g MySQL,Bootstrap |
| Asset | Specify the asset, to filter the results, from the retrieved subdomains. |
| Domain | Specify a domain, to filter the results, from the retrieved subdomains. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"domain_name": "",
"id": "",
"ip_address": "",
"ports": [],
"technologies": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the subdomain details. |
The output contains the following populated JSON schema:
{
"id": "",
"domain_name": "",
"asset": "",
"ports": [],
"ip_address": "",
"technologies": [],
"issue_count": 0,
"discovery_path": [
{
"module": "",
"from": "",
"from_type": "",
"type": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"asn_count": "",
"ip_prefix_count": "",
"live_domain_count": "",
"live_ip_address_count": "",
"live_sub_domain_count": "",
"org_name": "",
"total_domain_count": "",
"total_ip_address_count": "",
"total_sub_domain_count": ""
}
| Parameter | Description |
|---|---|
| Keyword | Specify the text to search in breach name, details, and list of compromised data. For example:testorg. The response filters out results and fetches credentials exposed for user@example.com. |
| Has Password | Specify whether to filter the leaked credential list based on whether the credentials contain passwords. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Breach ID | Specify the breach ID to retrieve the breach details. |
The output contains the following populated JSON schema:
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
None.
The output contains the following populated JSON schema:
{
"report_id": ""
}
| Parameter | Description |
|---|---|
| Report ID | Specify the report ID to retrieve the report details. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
The Sample - Fortinet FortiRecon EASM - 1.0.1 playbook collection comes bundled with the Fortinet FortiRecon EASM connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon EASM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon EASM Connector, which facilitates automated interactions, with a Fortinet FortiRecon EASM server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon EASM Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon EASM.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 7.3.2.2150
Fortinet FortiRecon EASM Version Tested on: Version: v23.1
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiRecon EASM Connector in version 1.0.1:
Get Domains,Get Subdomains and Get IPs actions were failing to retrieve 'Domains', 'Subdomains', and 'IPs' respectively for multiple ports.Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortirecon-easm
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon EASM connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Hostname or IP address of the FortiOS endpoint server to which you will connect and perform the automated operations. |
| API Key | Specify the API key to access the Rest APIs. |
| Organization ID | The organization ID on which FortiRecon operations are to be performed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Leaked Credentials | Retrieves a list of leaked credentials related to the organization ID based on the keyword to search, breach ID, and date-time range you have specified. | get_leaked_credentials Investigation |
| Get Scan Statistics | Retrieves statistics related to the EASM scan related to the organization ID specified in the configuration parameters. The response includes a count of the total, online, and newly discovered assets for the current and previous scans. | get_scan_statistics Investigation |
| Get Issues Discovered | Retrieves a list of security issues related to assets discovered in the most recent EASM scan based on the filter criteria like issue status, severity, and country codes (US, IN) you have specified. |
get_issues_discovered Investigation |
| Get Issue By ID | Retrieves the details about a specific security issue based on the unique issue ID you have specified. | get_issue_by_id Investigation |
| Get Issue Summary | Retrieves the statistics related to security issues discovered in the most recent EASM scan. The response includes a count of the total discovered issues, along with the severity-wise count. | get_issue_summary Investigation |
| Get Archived Issues | Retrieves a list of security issues that have been marked as either Risk Accepted or False Positive based on the asset you have specified. | get_archived_issues Investigation |
| Get Archived Assets | Retrieves a list of assets that have been marked as either Risk Accepted or False Positive. | get_archived_assets Investigation |
| Get Asset ASNs | Retrieves a list of Autonomous System Numbers (ASNs) discovered in the latest EASM scan based on the asset you have specified. | get_asset_asns Investigation |
| Get ASNs by Asset ID | Retrieves the details about a specific Autonomous System Number(ASN) based on the asset ID you have specified. | get_asns_by_asset_id Investigation |
| Get Domains | Retrieves a list of domains discovered in the latest EASM scan based on the filter criteria like ports, technologies, and assets you have specified. | get_domains Investigation |
| Get Domain by Asset ID | Retrieves domain details based on the asset ID you have specified. | get_domain_by_asset_id Investigation |
| Get IPs | Retrieves a list of IP addresses discovered in the latest EASM scan based on the filter criteria like ports, country codes, and assets you have specified. | get_ips Investigation |
| Get IP by Asset ID | Retrieves IP address details based on the asset ID you have specified. | get_domain_by_asset_id Investigation |
| Get Prefixes | Retrieves a list of IP prefixes discovered in the latest EASM scan based on the filter criteria like ASN and assets you have specified. | get_prefixes Investigation |
| Get Prefixes by Asset ID | Retrieves the details about a specific IP prefix based on the asset ID you have specified. | get_prefixes_by_asset_id Investigation |
| Get Subdomains | Retrieves a list of subdomains discovered in the latest EASM scan based on the filter criteria like ports, technologies, and assets you have specified. | get_subdomains Investigation |
| Get Subdomain by Asset ID | Retrieves subdomain details based on the asset ID you have specified. | get_prefixes_by_asset_id Investigation |
| Get Asset Statistics | Retrieves the statistics related to assets discovered in the most recent EASM scan. The response includes a count of the total discovered and online assets. | get_asset_statistics Investigation |
| Get Breaches | Retrieves a list of credential breaches related to the organization ID based on the keyword to search and other details you have specified. | get_breaches Investigation |
| Get Breaches by ID | Retrieves the details about a specific credential breach based on the breach ID you have specified. | get_breaches_by_id Investigation |
| Generate Report | Initiates the report generation for the latest EASM scan. | generate_report Investigation |
| Get Report | Checks the status of the generated EASM report based on the report ID you have specified. The response contains the s3 URL of the report to download if generated. | get_report Investigation |
| Parameter | Description |
|---|---|
| Keyword | Specify the text to search in the email address and breach name. For example:user@example.com. The response filters out results and fetches credentials exposed for user@example.com. |
| Breach ID | Specify the breach ID to filter the leaked credentials received. |
| Has Password | Specify whether to filter the leaked credential list based on whether the credentials contain passwords. |
| Start Date | Specify the start date to filter the credential leak discovery date. The default is the last 6 months. |
| End Date | Specify the end date to filter the credential leak discovery date. The default is the current day's date. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"breach_id": "",
"email_addr": "",
"domain": "",
"breach_name": "",
"breach_date": "",
"added_on": "",
"has_password": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"current_scan": {
"completed_ts": "",
"assets": {
"total": "",
"live": "",
"newly_discovered": {
"domain": "",
"sub_domain": "",
"ip_address": "",
"ip_block": "",
"asn": ""
}
}
}
}
| Parameter | Description |
|---|---|
| Status | Select the status, to filter the results, from the following available options:
|
| Severity | Select the severity, to filter the results, from the following available options:
|
| Countries | Specify the country code, to filter the results, from the discovered issues. Specify the countries as comma-separated values to get all those results that have any of the specified countries. For example: IN,US |
| Bucket ID | Specify the bucket IDs, to filter the results, from the following available options:
|
| Issue Name Identifier | Specify the issue name identifiers, to filter the results, as comma-separated values. For example: ip_blacklist,cve_2019_1234 |
| Asset | Specify the asset, to filter the results. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"issue_name": "",
"asset": "",
"severity": "",
"port": "",
"bucket": "",
"status": "",
"user_name": "",
"issue_name_identifier": "",
"bucket_id": "",
"data": [
{
"port": "",
"issue_result": "",
"additional_detail": {
"is_expired": "",
"is_invalid": "",
"is_self_signed": "",
"about_to_expire": "",
"cert_fingerprint_sha256": [],
"days_left": "",
"weak_ciphers": [],
"ssl_issues": [
{
"issue_type": "",
"port": "",
"info": ""
},
{
"issue_type": "",
"port": "",
"info": ""
}
]
}
}
]
}
]
}
| Parameter | Description |
|---|---|
| Issue ID | Specify the issue ID to get details about that specific security issue. |
The output contains the following populated JSON schema:
{
"id": "",
"issue_name": "",
"asset": "",
"severity": "",
"port": "",
"bucket": "",
"status": "",
"user_name": "",
"issue_name_identifier": "",
"bucket_id": "",
"data": [
{
"port": "",
"issue_result": "",
"additional_detail": {
"is_expired": "",
"is_invalid": "",
"is_self_signed": "",
"about_to_expire": "",
"cert_fingerprint_sha256": [],
"days_left": "",
"weak_ciphers": [],
"ssl_issues": [
{
"issue_type": "",
"port": "",
"info": ""
},
{
"issue_type": "",
"port": "",
"info": ""
}
]
}
}
]
}
None.
The output contains the following populated JSON schema:
{
"total": "",
"critical": "",
"high": "",
"low": "",
"medium": ""
}
| Parameter | Description |
|---|---|
| Status | Select the status, to filter the results from archived issues, from the following available options:
|
| Asset | Specify the asset, to filter the results, from the archived issues. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"issue_name": "",
"port": "",
"status": "",
"user_name": ""
}
]
}
| Parameter | Description |
|---|---|
| User Action | Select the user action based on which to filter the fetched archived assets. This value can be selected as False Positive or left blank. |
| Asset | Specify the asset, to filter the results, from the archived assets. For example: test.example.com |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"issue_name": "",
"port": "",
"status": "",
"user_name": ""
}
]
}
| Parameter | Description |
|---|---|
| Asset | Specify the asset, to filter the results, from the retrieved ASNs. For example: AS0000 |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"company_name": "",
"id": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the ASN details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"id": "",
"asset": "",
"assets_linked_count": "",
"company_name": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
]
}
| Parameter | Description |
|---|---|
| Ports | Specify the ports, to filter the results, from retrieved domains. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Technologies | Specify the ports, to filter the results, from retrieved domains. Specify a comma-separated string or a single string. e.g MySQL,Bootstrap |
| Asset | Specify the asset, to filter the results, from the retrieved domains. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"total": "",
"page": "",
"size": "",
"hits": [
{
"id": "",
"asset": "",
"ports": [],
"ssl_cert_org": "",
"ip_address": "",
"technologies": [],
"confidence": "",
"domain_expiry": "",
"nameserver": [],
"original_ip": []
}
]
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the domain details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"id": "",
"asset": "",
"ports": [],
"ssl_cert_org": "",
"ip_address": "",
"technologies": [],
"confidence": "",
"domain_expiry": "",
"nameserver": [],
"original_ip": [],
"issue_count": "",
"discovery_path": [
{
"module": "",
"from": "",
"from_type": "",
"type": ""
}
],
"assets_linked_count": "",
"assets_linked": []
}
| Parameter | Description |
|---|---|
| Ports | Specify the ports, to filter the results, from retrieved IP addresses. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Countries | Specify the country code, to filter the results, from the discovered issues. Specify the countries as comma-separated values to get all those results that have any of the specified countries. For example: IN,US |
| Asset | Specify the asset, to filter the results, from the retrieved IP addresses. |
| IP Prefix | Specify an IP address prefix, to filter the results, from retrieved IP addresses. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"id": "",
"ip_prefix": "",
"ports": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the IP address details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"asset": "",
"assets_linked_count": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
],
"id": "",
"ip_prefix": "",
"issue_count": "",
"ports": []
}
| Parameter | Description |
|---|---|
| Asset | Specify the asset, to filter the results, from the retrieved IP address prefix. |
| ASN | Specify the ASN, to filter the results, from retrieved IP address prefixes. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asn_number": "",
"asset": "",
"company_name": "",
"id": "",
"ip_count": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the IP address details. |
| Linked Assets | Select to retrieve the linked assets. By default, it is unchecked and set to False. |
The output contains the following populated JSON schema:
{
"asset": "",
"assets_linked_count": "",
"discovery_path": [
{
"from": "",
"from_type": "",
"module": "",
"type": ""
}
],
"id": "",
"ip_prefix": "",
"issue_count": "",
"ports": []
}
| Parameter | Description |
|---|---|
| Ports | >Specify the ports, to filter the results, from retrieved subdomains. Specify the ports as comma-separated values to get only those results that have all of the specified ports. For example 8080,443. |
| Technologies | Specify the ports, to filter the results, from retrieved subdomains. Specify a comma-separated string or a single string. e.g MySQL,Bootstrap |
| Asset | Specify the asset, to filter the results, from the retrieved subdomains. |
| Domain | Specify a domain, to filter the results, from the retrieved subdomains. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"asset": "",
"domain_name": "",
"id": "",
"ip_address": "",
"ports": [],
"technologies": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Asset ID | Specify the asset ID to retrieve the subdomain details. |
The output contains the following populated JSON schema:
{
"id": "",
"domain_name": "",
"asset": "",
"ports": [],
"ip_address": "",
"technologies": [],
"issue_count": 0,
"discovery_path": [
{
"module": "",
"from": "",
"from_type": "",
"type": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"asn_count": "",
"ip_prefix_count": "",
"live_domain_count": "",
"live_ip_address_count": "",
"live_sub_domain_count": "",
"org_name": "",
"total_domain_count": "",
"total_ip_address_count": "",
"total_sub_domain_count": ""
}
| Parameter | Description |
|---|---|
| Keyword | Specify the text to search in breach name, details, and list of compromised data. For example:testorg. The response filters out results and fetches credentials exposed for user@example.com. |
| Has Password | Specify whether to filter the leaked credential list based on whether the credentials contain passwords. |
| Page | Specify the page number from which you want to retrieve records. |
| Size | Specify the maximum number of records that this operation should return for the specified page. By default, this operation retrieves 10 records. You must set a value greater than 0 and less than or equal to 500. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Breach ID | Specify the breach ID to retrieve the breach details. |
The output contains the following populated JSON schema:
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
None.
The output contains the following populated JSON schema:
{
"report_id": ""
}
| Parameter | Description |
|---|---|
| Report ID | Specify the report ID to retrieve the report details. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_on": "",
"affected_domains": "",
"compromised_accounts": "",
"compromised_data": "",
"date": "",
"details": "",
"has_password": "",
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
The Sample - Fortinet FortiRecon EASM - 1.0.1 playbook collection comes bundled with the Fortinet FortiRecon EASM connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon EASM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.