Trend Micro Deep Discovery Analyzer (TM DDAN) extends the value of existing security investments from Trend Micro (TM) and third parties (using a web services API) by providing custom sandboxing and advanced analysis. It also provides expanded sandboxing capabilities to other Trend Micro products. Suspicious objects can be sent to the Analyzer sandbox for advanced analysis using multiple detection methods. If a threat is discovered, security solutions can be updated automatically.
This document provides information about the DDAN connector, which facilitates automated interactions with a DDAN server using FortiSOAR™ playbooks. Add the DDAN connector as a step in FortiSOAR™ playbooks to perform automated operations such as submitting a sample to DDAN and retrieving the report or the OpenIOC for a submitted file. OpenIOC (Open Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise.
Connector SDK Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with DDAN Versions: 5.0 and later
The following enhancements have been made to the Maxmind Connector in version 1.0.1:
- Masked the text entered in the Password field on the Configuration page.
- Added a link to the online help.
- Added a new configuration parameter named Verify SSL.
For the procedure to install a connector, click here.
Required packages: pycurl==7.19.5.1 and pywinrm==0.2.2.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the TM DDAN connector and click Configure to configure the following parameters:

| Parameter | Description |
|---|---|
| DDAN Host | URL of the Trend Micro DDAN server from which the connector gets notifications. |
| API Key | API key used to access the Trend Micro DDAN server. |
| Verify SSL | Specifies whether the server's SSL certificate is verified. By default, this option is set to True. |
Annotations have been added to the functions. Functions can be accessed by their annotations from FortiSOAR™ release 4.10.0 onwards.

| Function | Description | Annotation and Category |
|---|---|---|
| Submit Sample to Trend Micro DDAN | Submits a sample file to the DDAN server for analysis. | submit_sample, Investigation |
| Get Sample Report Using SHA1 | Retrieves the analysis report of a submitted sample, identified by its SHA1. | get_report, Investigation |
| Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 | Retrieves the OpenIOC of a submitted sample, identified by its SHA1. | get_ioc, Investigation |
Input parameters for the Submit Sample to Trend Micro DDAN operation:

| Parameter | Description |
|---|---|
| Filename | Name of the file that you want to submit to DDAN for analysis. |
| File IRI | The IRI of the file that you want to submit to DDAN for analysis. In a playbook, this defaults to the {{vars.file_iri}} value. |

The output JSON contains the submission status, i.e. whether the file was successfully submitted to DDAN or not.
The following image displays a sample output:
Input parameters for the Get Sample Report Using SHA1 operation:

| Parameter | Description |
|---|---|
| SHA1 | SHA1 of the file whose report you want to retrieve from DDAN. |
| Report in JSON Format | If you select this check box, the output of this operation is provided in JSON format. If this check box is not selected, the output of this operation is provided in XML format. |

The output of this operation is either a customized JSON output formatted for easy reference, or a JSON output containing the report in XML format, depending on the option you specified in the Report in JSON Format parameter. Based on the information in the report, you can decide whether the sample is suspicious or not.
The following image displays a sample output:
Input parameters for the Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 operation:

| Parameter | Description |
|---|---|
| SHA1 | SHA1 of the file whose OpenIOC you want to retrieve from DDAN. |

The output is a JSON output containing the report in XML format. The report contains the indicator information on the basis of which you can decide whether the sample is suspicious or not.
The following image displays a sample output:
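Added example (not part of the connector or of Trend Micro's code): a small parser that walks an OpenIOC report such as the one the Get OpenIOC operation returns, lists its indicator items, and evaluates the AND/OR indicator tree against attributes observed on a host. It assumes the report follows the Mandiant OpenIOC 1.0 schema; the XML below is a constructed sample, not real DDAN output.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 schema namespace (assumed)
# Constructed sample report in OpenIOC format, not real DDAN output.
SAMPLE_OPENIOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <definition><Indicator operator="OR">
    <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Sha1sum"/>
      <Content type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</Content></IndicatorItem>
    <Indicator operator="AND">
      <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileName"/>
        <Content type="string">invoice</Content></IndicatorItem>
      <IndicatorItem condition="is"><Context document="Network" search="Network/DNS"/>
        <Content type="string">example.invalid</Content></IndicatorItem>
    </Indicator>
  </Indicator></definition>
</ioc>"""

def _parse_item(item):
    # (search path, condition, value) for one IndicatorItem element.
    search = item.find("ioc:Context", NS).get("search")
    value = (item.find("ioc:Content", NS).text or "").strip()
    return search, item.get("condition", "is"), value

def extract_indicators(xml_text):
    """List every IndicatorItem in the report as (search, condition, value)."""
    root = ET.fromstring(xml_text)
    return [_parse_item(i) for i in root.iterfind(".//ioc:IndicatorItem", NS)]

def _item_matches(item, observed):
    # observed maps a Context search path to the values seen on the host;
    # OpenIOC 'is' is an exact match, 'contains' a substring match (case-insensitive here).
    search, cond, value = _parse_item(item)
    return any((cond == "is" and seen.lower() == value.lower()) or
               (cond == "contains" and value.lower() in seen.lower())
               for seen in observed.get(search, []))

def _eval(node, observed):
    # Recursively apply the Indicator's AND/OR operator to its children.
    results = []
    for child in node:
        if child.tag.endswith("}Indicator"):
            results.append(_eval(child, observed))
        elif child.tag.endswith("}IndicatorItem"):
            results.append(_item_matches(child, observed))
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def ioc_matches(xml_text, observed):
    """True when the observed host attributes satisfy the report's indicator logic tree."""
    return _eval(ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS), observed)
```

In a playbook, the XML string taken from the operation's JSON output would be passed in place of SAMPLE_OPENIOC.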
The Sample-Trend Micro DDAN-1.0.1 playbook collection comes bundled with the TM DDAN connector. This collection contains playbooks with steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the TM DDAN connector.
Note: If you plan to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.