Fortinet Document Library

Version:


Table of Contents

TrendMicro DDAN

1.0.1
Copy Link

About the connector

Trend Micro Deep Discovery Analyzer (TM DDAN) extends the value of existing security investments from Trend Micro (TM) and third-parties (using a web services API) by providing custom sandboxing and advanced analysis. It also provides expanded sandboxing capabilities to other Trend Micro products. Suspicious objects can be sent to the Analyzer sandbox for advanced analysis using multiple detection methods. If a threat is discovered, security solutions can be updated automatically.

This document provides information about the DDAN connector, which facilitates automated interactions, with a DDAN server using FortiSOAR™ playbooks. Add the DDAN connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a sample to DDAN, retrieving reports or an OpenIOC for a submitted file. OpenIOC (Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise.

 

Version information

Connector SDK Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with DDAN Versions: 5.0 and later

 

Release Notes for version 1.0.1

Following enhancements have been made to the Maxmind Connector in version 1.0.1:

  • Masked the text entered in the Password field on the Configuration page.

  • Added a link to the online help.

  • Added a new configuration parameter named Verify SSL.

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL and credentials of the DDAN server on which you will perform the automated operations.
  • You must have the API key for the DDAN server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
  • You must install the following python modules: pycurl==7.19.5.1 and pywinrm==0.2.2.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the TM DDAN connector and click Configure to configure the following parameters:

 

Parameter Description
DDAN Host URL for the Trend Micro DDAN server from where the connector gets notifications.
API Key API key to access the Trend Micro DDAN server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

 

Actions supported by the connector

Added annotations to functions. Functions can be accessed by their annotations from FortiSOAR™ release 4.10.0 onwards.

 

Function Description Annotation and Category
Submit Sample to Trend Micro DDAN Submits a sample file to the DDAN server for analysis. submit_sample
Investigation
Get Sample Report Using SHA1 Requests for retrieving the report of a submitted SHA1. get_report
Investigation
Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 Requests for retrieving the OpenIOC for a submitted SHA1. get_ioc
Investigation

 

operation: Submit Sample to Trend Micro DDAN

Input parameters

 

Parameter Description
Filename Name of the file that you want to submit to DDAN for analysis.
File IRI The IRI of the file that you want to submit to DDAN for analysis.
In a playbook, this defaults to the {{vars.file_iri}} value.

 

Output

The JSON contains the status of the file submitted to DDAN, whether the file is successfully submitted to DDAN or not.

Following image displays a sample output:

 

Sample output of the Submit Sample to Trend Micro DDAN operation

 

operation: Get Sample Report Using SHA1

Input parameters

 

Parameter Description
SHA1 SHA1 of the file whose report you want to retrieve from DDAN.
Report in JSON Format If you select this check box then the output of this operation is provided in the JSON format.
If this check box is not selected then the output of this operation is provided in the XML format.

 

Output

The output of this operation is either a customized JSON output that is formatted for easy reference or a JSON output containing a report in XML format, depending on what option you have specified in the Report in JSON Format parameter. Based on the information present in the report, you can decide whether the information is suspicious or not.

Following image displays a sample output:

 

Sample output of the Get Sample Report Using SHA1 operation

 

operation: Get OpenIOC By SHA1 Of Submitted Sample Using SHA1

Input parameters

 

Parameter Description
SHA1 SHA1 of the file whose OpenIOC you want to retrieve from DDAN.

 

Output

A JSON output containing a report in XML format. The report contains the indicator information based on which you can decide whether the information is suspicious or not.

Following image displays a sample output:

 

Sample output of the Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 operation

 

Included playbooks

The Sample-Trend Micro DDAN-1.0.1 playbook collection comes bundled with the TM DDAN connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the TM DDAN connector.

  • Submit Sample
  • Get Report & OpenIOC

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

 

About the connector

Trend Micro Deep Discovery Analyzer (TM DDAN) extends the value of existing security investments from Trend Micro (TM) and third-parties (using a web services API) by providing custom sandboxing and advanced analysis. It also provides expanded sandboxing capabilities to other Trend Micro products. Suspicious objects can be sent to the Analyzer sandbox for advanced analysis using multiple detection methods. If a threat is discovered, security solutions can be updated automatically.

This document provides information about the DDAN connector, which facilitates automated interactions, with a DDAN server using FortiSOAR™ playbooks. Add the DDAN connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting a sample to DDAN, retrieving reports or an OpenIOC for a submitted file. OpenIOC (Indicators of Compromise) enables you to identify a known threat, an attacker's methodology, or any other evidence of compromise.

 

Version information

Connector SDK Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with DDAN Versions: 5.0 and later

 

Release Notes for version 1.0.1

Following enhancements have been made to the Maxmind Connector in version 1.0.1:

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the TM DDAN connector and click Configure to configure the following parameters:

 

Parameter Description
DDAN Host URL for the Trend Micro DDAN server from where the connector gets notifications.
API Key API key to access the Trend Micro DDAN server.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

 

 

Actions supported by the connector

Added annotations to functions. Functions can be accessed by their annotations from FortiSOAR™ release 4.10.0 onwards.

 

Function Description Annotation and Category
Submit Sample to Trend Micro DDAN Submits a sample file to the DDAN server for analysis. submit_sample
Investigation
Get Sample Report Using SHA1 Requests for retrieving the report of a submitted SHA1. get_report
Investigation
Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 Requests for retrieving the OpenIOC for a submitted SHA1. get_ioc
Investigation

 

operation: Submit Sample to Trend Micro DDAN

Input parameters

 

Parameter Description
Filename Name of the file that you want to submit to DDAN for analysis.
File IRI The IRI of the file that you want to submit to DDAN for analysis.
In a playbook, this defaults to the {{vars.file_iri}} value.

 

Output

The JSON contains the status of the file submitted to DDAN, whether the file is successfully submitted to DDAN or not.

Following image displays a sample output:

 

Sample output of the Submit Sample to Trend Micro DDAN operation

 

operation: Get Sample Report Using SHA1

Input parameters

 

Parameter Description
SHA1 SHA1 of the file whose report you want to retrieve from DDAN.
Report in JSON Format If you select this check box then the output of this operation is provided in the JSON format.
If this check box is not selected then the output of this operation is provided in the XML format.

 

Output

The output of this operation is either a customized JSON output that is formatted for easy reference or a JSON output containing a report in XML format, depending on what option you have specified in the Report in JSON Format parameter. Based on the information present in the report, you can decide whether the information is suspicious or not.

Following image displays a sample output:

 

Sample output of the Get Sample Report Using SHA1 operation

 

operation: Get OpenIOC By SHA1 Of Submitted Sample Using SHA1

Input parameters

 

Parameter Description
SHA1 SHA1 of the file whose OpenIOC you want to retrieve from DDAN.

 

Output

A JSON output containing a report in XML format. The report contains the indicator information based on which you can decide whether the information is suspicious or not.

Following image displays a sample output:

 

Sample output of the Get OpenIOC By SHA1 Of Submitted Sample Using SHA1 operation

 

Included playbooks

The Sample-Trend Micro DDAN-1.0.1 playbook collection comes bundled with the TM DDAN connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the TM DDAN connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.