About the connector
Trend Micro Deep Discovery Analyzer (TM DDAN) extends the value of existing security investments from Trend Micro (TM) and third-parties (using a web services API) by providing custom sandboxing and advanced analysis. It also provides expanded sandboxing capabilities to other Trend Micro products. Suspicious objects can be sent to the Analyzer sandbox for advanced analysis using multiple detection methods. If a threat is discovered, security solutions can be updated automatically.
This document provides information about the DDAN connector, which facilitates automated interactions, with a DDAN server using FortiSOAR™ playbooks. Add the DDAN connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a sample to DDAN, retrieving reports or an OpenIOC for a submitted file. OpenIOC (Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise.
Version information
Connector SDK Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with DDAN Versions: 5.0 and later
Release Notes for version 1.0.1
Following enhancements have been made to the Maxmind Connector in version 1.0.1:
-
Masked the text entered in the Password field on the Configuration page.
-
Added a link to the online help.
-
Added a new configuration parameter named Verify SSL.
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL and credentials of the DDAN server on which you will perform the automated operations.
- You must have the API key for the DDAN server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
- You must install the following python modules:
pycurl==7.19.5.1 and pywinrm==0.2.2.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™ , on the Connectors page, select the TM DDAN connector and click Configure to configure the following parameters:
| Parameter |
Description |
| DDAN Host |
URL for the Trend Micro DDAN server from where the connector gets notifications. |
| API Key |
API key to access the Trend Micro DDAN server. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
Added annotations to functions. Functions can be accessed by their annotations from FortiSOAR™ release 4.10.0 onwards.
| Function |
Description |
Annotation and Category |
| Submit Sample to Trend Micro DDAN |
Submits a sample file to the DDAN server for analysis. |
submit_sample
Investigation |
| Get Sample Report Using SHA1 |
Requests for retrieving the report of a submitted SHA1. |
get_report
Investigation |
| Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 |
Requests for retrieving the OpenIOC for a submitted SHA1. |
get_ioc
Investigation |
operation: Submit Sample to Trend Micro DDAN
Input parameters
| Parameter |
Description |
| Filename |
Name of the file that you want to submit to DDAN for analysis. |
| File IRI |
The IRI of the file that you want to submit to DDAN for analysis.
In a playbook, this defaults to the {{vars.file_iri}} value. |
Output
The JSON contains the status of the file submitted to DDAN, whether the file is successfully submitted to DDAN or not.
Following image displays a sample output:
operation: Get Sample Report Using SHA1
Input parameters
| Parameter |
Description |
| SHA1 |
SHA1 of the file whose report you want to retrieve from DDAN. |
| Report in JSON Format |
If you select this check box then the output of this operation is provided in the JSON format.
If this check box is not selected then the output of this operation is provided in the XML format. |
Output
The output of this operation is either a customized JSON output that is formatted for easy reference or a JSON output containing a report in XML format, depending on what option you have specified in the Report in JSON Format parameter. Based on the information present in the report, you can decide whether the information is suspicious or not.
Following image displays a sample output:
operation: Get OpenIOC By SHA1 Of Submitted Sample Using SHA1
Input parameters
| Parameter |
Description |
| SHA1 |
SHA1 of the file whose OpenIOC you want to retrieve from DDAN. |
Output
A JSON output containing a report in XML format. The report contains the indicator information based on which you can decide whether the information is suspicious or not.
Following image displays a sample output:
Included playbooks
The Sample-Trend Micro DDAN-1.0.1 playbook collection comes bundled with the TM DDAN connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the TM DDAN connector.
- Submit Sample
- Get Report & OpenIOC
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
