Symantec DeepSight™ Intelligence is a cloud-hosted cyber threat intelligence platform that provides an edge against cyber threats. DeepSight provides you access to both Adversary Intelligence and Technical Intelligence. The intelligence is drawn from Symantec’s broad portfolio of security products, as well as its adversary intelligence operations, which include security research and analysis teams positioned across the globe. DeepSight Intelligence data is enriched, verified, and analyzed to provide attribution and to connect seemingly disparate indicators into campaigns with known actors and motivations behind them. The finished intelligence product is actionable and is made available using a web portal, data feeds, or restful APIs.
This document provides information about the Symantec DeepSight Intelligence connector, which facilitates automated interactions with a DeepSight server using FortiSOAR™ playbooks. Add the Symantec DeepSight Intelligence connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting the reputation of specified domains, IP addresses, files, and URLs.
Connector Version: 1.0.1
FortiSOAR™ Version Tested on: 4.10.3-161
Symantec DeepSight Intelligence Version Tested on: v1
Authored By: Fortinet
Certified: Yes
The following changes have been made to the Symantec DeepSight Intelligence Connector in version 1.0.0:
Updated the output schemas for the operations.
Updated the playbook names.
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-symantec-deepsight-intelligence
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Symantec DeepSight Intelligence connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | IP address or hostname of the Symantec DeepSight Intelligence server. The hostname deepsightapi.symantec.com is added by default. |
API Key | API key configured for your account for using the DeepSight REST API. |
Verify SSL | Specifies whether the SSL certificate presented by the server is verified. By default, this option is set to True. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Domain Reputation | Retrieves details such as schema version, whois server details, and whitelisting status of the specified domain. | domain_reputation / Investigation |
Get File Reputation | Retrieves details such as reputation, schema version, and SHA256 of the specified file hash. | file_reputation / Investigation |
Get IP Reputation | Retrieves details such as schema version, reputation values, and whitelisting status of the specified IP address. | ip_reputation / Investigation |
Get URL Reputation | Retrieves details such as schema version, whois server details, and whitelisting status of the specified URL. | url_reputation / Investigation |
Operation: Get Domain Reputation
Parameter | Description |
---|---|
Domain | Name of the domain for which you want to retrieve reputation information. |
The JSON output contains details such as schema version, whois server details, and whitelisting status of the specified domain name.
The following image displays a sample output:
Operation: Get File Reputation
Parameter | Description |
---|---|
Filehash | File hash for which you want to retrieve reputation information. MD5 and SHA256 are the supported file hash formats. |
The JSON output contains details such as schema version, reputation, and SHA256 of the specified file hash.
The following image displays a sample output:
Operation: Get IP Reputation
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve reputation information. |
The JSON output contains details such as schema version, reputation values, and whitelisting status of the specified IP address.
The following image displays a sample output:
Operation: Get URL Reputation
Parameter | Description |
---|---|
URL | URL for which you want to retrieve reputation information. |
The JSON output contains details such as schema version, whois server details, and whitelisting status of the specified URL.
The following image displays a sample output:
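As an added example that is not part of the connector or this document, the following Python helper routes a raw indicator to the annotation of the matching connector operation, rejecting hash formats the Get File Reputation operation does not accept (the page lists MD5 and SHA256 only). The annotation names come from the operations table above; the function name, regexes and sample values are our own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Annotations exposed by the connector, taken from the operations table above.
ANNOTATIONS = {
    "domain": "domain_reputation",
    "filehash": "file_reputation",
    "ip": "ip_reputation",
    "url": "url_reputation",
}
# Hash length in hex characters -> algorithm. Only MD5 and SHA256 are
# accepted by Get File Reputation, so SHA1 (40 chars) is deliberately absent.
HASH_LENGTHS = {32: "MD5", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)


def classify_indicator(value):
    # Returns (indicator_type, annotation); raises ValueError for input no
    # connector operation accepts, so a playbook can branch to an error path.
    value = value.strip()
    if not value:
        raise ValueError("empty indicator")
    # IP address first: ipaddress handles both IPv4 and IPv6 literals.
    try:
        ipaddress.ip_address(value)
        return "ip", ANNOTATIONS["ip"]
    except ValueError:
        pass
    # File hash: a pure hex string of a supported length.
    if HEX_RE.match(value):
        if len(value) in HASH_LENGTHS:
            return "filehash", ANNOTATIONS["filehash"]
        raise ValueError(f"unsupported hash length {len(value)}; use MD5 or SHA256")
    # URL: must carry an http(s) scheme and a host part.
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url", ANNOTATIONS["url"]
    # Bare hostname goes to Get Domain Reputation.
    if DOMAIN_RE.match(value):
        return "domain", ANNOTATIONS["domain"]
    raise ValueError(f"unrecognised indicator: {value!r}")
```

A playbook step can call this once and switch on the returned annotation, so a SHA1 value never reaches the connector and surfaces as an explicit error instead.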
The Sample-Symantec DeepSight Intelligence-1.0.1 playbook collection comes bundled with the Symantec DeepSight Intelligence connector. This collection contains playbooks whose steps let you perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DeepSight Intelligence connector.
Note: If you plan to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.