Fortinet Document Library


Symantec DeepSight Intelligence

1.0.1

About the connector

Symantec DeepSight™ Intelligence is a cloud-hosted cyber threat intelligence platform that provides both Adversary Intelligence and Technical Intelligence. The intelligence is drawn from Symantec's portfolio of security products and from its adversary intelligence operations, which include security research and analysis teams positioned across the globe. DeepSight Intelligence data is enriched, verified, and analyzed to provide attribution and to connect seemingly disparate indicators into campaigns with known actors and motivations behind them. The finished intelligence product is made available through a web portal, data feeds, and RESTful APIs.

This document describes the Symantec DeepSight Intelligence connector, which automates interactions with a DeepSight server from FortiSOAR™ playbooks. Add the Symantec DeepSight Intelligence connector as a step in a FortiSOAR™ playbook to perform automated operations such as retrieving the reputation of specified domains, IP addresses, file hashes, and URLs.

 

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 4.10.3-161

Symantec DeepSight Intelligence Version Tested on: v1

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

The following changes have been made to the Symantec DeepSight Intelligence Connector in version 1.0.1:

  • Updated the output schemas for the operations.

  • Updated the playbook names.

Installing the connector

All connectors provided by FortiSOAR™ are delivered through a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install the connector:

yum install cyops-connector-symantec-deepsight-intelligence

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the DeepSight server to which you will connect and perform the automated operations.
  • You must have the API Key used to access the DeepSight REST API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Symantec DeepSight Intelligence connector and click Configure to set the following parameters:

 

Parameter    Description
Server URL   IP address or hostname of the Symantec DeepSight Intelligence server. The hostname deepsightapi.symantec.com is added by default.
API Key      API key configured for your account for using the DeepSight REST API.
Verify SSL   Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. Keep it enabled: the API key is sent with every request, so disabling certificate verification lets anyone who can intercept the connection present their own certificate and capture the key.

 

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations listed below to access these operations:

 

Function                Description                                                                                                        Annotation and Category
Get Domain Reputation   Retrieves details such as schema version, whois server details, and whitelisting status of the specified domain.     domain_reputation (Investigation)
Get File Reputation     Retrieves details such as reputation, schema version, and SHA256 of the specified file hash.                          file_reputation (Investigation)
Get IP Reputation       Retrieves details such as schema version, reputation values, and whitelisting status of the specified IP address.     ip_reputation (Investigation)
Get URL Reputation      Retrieves details such as schema version, whois server details, and whitelisting status of the specified URL.         url_reputation (Investigation)

 

operation: Get Domain Reputation

Input parameters

 

Parameter Description
Domain Name of the domain for which you want to retrieve reputation information.

 

Output

The JSON output contains details such as schema version, whois server details, and whitelisting status of the specified domain name.

The following image displays a sample output:
 

Sample output of the Get Domain Reputation operation

 

operation: Get File Reputation

Input parameters

 

Parameter Description
Filehash Filehash for which you want to retrieve reputation information. MD5 and SHA256 are the supported filehash formats.

 

Output

The JSON output contains details such as schema version, reputation, and SHA256 of the specified file hash.

The following image displays a sample output:
 

Sample output of the Get File Reputation operation

 

operation: Get IP Reputation

Input parameters

 

Parameter Description
IP Address IP address for which you want to retrieve reputation information.

 

Output

The JSON output contains details such as schema version, reputation values, and whitelisting status of the specified IP address.

The following image displays a sample output:
 

Sample output of the Get IP Reputation operation

 

operation: Get URL Reputation

Input parameters

 

Parameter Description
URL URL for which you want to retrieve reputation information.

 

Output

The JSON output contains details such as schema version, whois server details, and whitelisting status of the specified URL.

The following image displays a sample output:
 

Sample output of the Get URL Reputation operation

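The action table and the four operation sections above define what the connector accepts: a domain name, an IP address, a URL, or a file hash that must be MD5 or SHA256. A playbook that enriches a mixed list of indicators has to route each one to the matching operation and reject inputs the connector does not support before making a call. The following Python example is added here to show that routing together with the three configuration parameters (Server URL, API Key, Verify SSL); it is not the connector's own code and not DeepSight's API. The request path layout, the `X-DeepSight-ApiKey` header name, and the response field names are assumptions, and `fake_transport` is a constructed stand-in so the example runs offline.

```python
"""Indicator routing for the four DeepSight reputation operations.

Added example, not the FortiSOAR connector's code. Endpoint paths, the
API-key header name and response fields are assumptions about the
DeepSight REST API; check them against the API documentation for your account.
"""
import ipaddress
import json
import re
import ssl
import urllib.parse
import urllib.request
import warnings

# Annotation names exactly as listed in the connector's action table.
DOMAIN_REPUTATION = "domain_reputation"
FILE_REPUTATION = "file_reputation"
IP_REPUTATION = "ip_reputation"
URL_REPUTATION = "url_reputation"

# The connector documents MD5 and SHA256 as the only supported hash formats,
# so a 40-hex SHA1 is rejected here instead of being sent and failing remotely.
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)([a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$")


def classify_indicator(value):
    """Map a raw indicator to (operation annotation, normalized value).

    Raises ValueError for anything none of the four operations accepts.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty indicator")
    if _MD5.match(value) or _SHA256.match(value):
        return FILE_REPUTATION, value.lower()
    try:
        return IP_REPUTATION, str(ipaddress.ip_address(value))  # IPv4 or IPv6
    except ValueError:
        pass
    parsed = urllib.parse.urlsplit(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return URL_REPUTATION, value
    host = value.rstrip(".")  # tolerate a trailing root dot
    if _DOMAIN.match(host):
        return DOMAIN_REPUTATION, host.lower()
    raise ValueError("unsupported indicator: %r" % value)


class DeepSightClient:
    """Minimal client mirroring the connector's three configuration parameters."""

    # Assumed per-operation endpoint layout (not taken from this page).
    _PATHS = {
        DOMAIN_REPUTATION: "/v1/domains/{}",
        FILE_REPUTATION: "/v1/files/{}",
        IP_REPUTATION: "/v1/ips/{}",
        URL_REPUTATION: "/v1/urls/{}",
    }

    def __init__(self, server_url, api_key, verify_ssl=True, transport=None):
        if not api_key:
            raise ValueError("API key is required")
        # Accept a bare hostname (the connector default is
        # deepsightapi.symantec.com) or a full URL; always speak HTTPS.
        if "://" not in server_url:
            server_url = "https://" + server_url
        self.base_url = server_url.rstrip("/")
        self.api_key = api_key
        self.verify_ssl = verify_ssl
        self.transport = transport or self._urllib_transport

    def ssl_context(self):
        ctx = ssl.create_default_context()
        if not self.verify_ssl:
            # Verify SSL = False: the API key rides on every request, so an
            # on-path attacker presenting any certificate can read it.
            warnings.warn("TLS verification disabled; API key exposed to interception")
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        return ctx

    def build_request(self, indicator):
        operation, normalized = classify_indicator(indicator)
        path = self._PATHS[operation].format(urllib.parse.quote(normalized, safe=""))
        headers = {"X-DeepSight-ApiKey": self.api_key,  # assumed header name
                   "Accept": "application/json"}
        return operation, self.base_url + path, headers

    def lookup(self, indicator):
        operation, url, headers = self.build_request(indicator)
        result = json.loads(self.transport(url, headers))
        result["_operation"] = operation
        return result

    def _urllib_transport(self, url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=self.ssl_context(), timeout=30) as resp:
            return resp.read().decode("utf-8")


def fake_transport(url, headers):
    """Constructed offline stand-in; field names are illustrative only."""
    assert "X-DeepSight-ApiKey" in headers
    if "/v1/ips/" in url:
        return json.dumps({"whitelisted": False, "reputation": 8})
    return json.dumps({"whitelisted": True})


def enrich(indicators, client):
    """Look up every supported indicator; return results and the rejected inputs."""
    hits, skipped = {}, []
    for ioc in indicators:
        try:
            hits[ioc] = client.lookup(ioc)
        except ValueError:
            skipped.append(ioc)
    return hits, skipped


if __name__ == "__main__":
    client = DeepSightClient("deepsightapi.symantec.com", "REPLACE_ME", transport=fake_transport)
    print(enrich(["203.0.113.7", "Example.COM.", "not an ioc"], client))
```

Swap `fake_transport` for the default urllib transport to query the real service; the path and header assumptions are the only parts that then need to be confirmed against the DeepSight API documentation.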
 

Included playbooks

The Sample-Symantec DeepSight Intelligence-1.0.1 playbook collection comes bundled with the Symantec DeepSight Intelligence connector. This collection contains playbooks that show how to perform each supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Symantec DeepSight Intelligence connector.

  • DS: Get Domain Reputation
  • DS: Get File Reputation
  • DS: Get IP Reputation
  • DS: Get URL Reputation

Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or removed.
