
Fortinet FortiRecon ACI

Fortinet FortiRecon ACI v1.1.0

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise. The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets. This connector automates operations related to ACI.

This document provides information about the Fortinet FortiRecon ACI Connector, which facilitates automated interactions with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI Connector as a step in FortiSOAR™ playbooks to perform automated operations with Fortinet FortiRecon ACI.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.4.0-3024

Fortinet FortiRecon ACI Version Tested on:

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 1.1.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet FortiRecon ACI server to connect to, an API key for that server, and the organization ID whose records you want to retrieve.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiRecon ACI server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon ACI connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID whose records are fetched using the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. Leave it enabled: with verification disabled, the connector accepts any certificate, so a host on the network path could impersonate the FortiRecon server and read the API key sent with every request.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the given organization ID and other input parameters you have specified. get_iocs (Investigation)
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards (Investigation)
Get Widgets Retrieves a list of all widgets or specific widgets for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. The widget IDs returned here are the values accepted by the Widget ID filter of Get OSINT Feeds. get_widgets (Investigation)
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds (Investigation)
Get Reports Retrieves a list of all reports or specific reports for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data; use Get Reports With IOCs to fetch them for a specific report. get_reports (Investigation)
Get Reports With IOCs Retrieves details, including IOCs, for a single report identified by the organization ID and the report ID you specify, from Fortinet FortiRecon ACI. The returned data contains that report's title, summary, report URL, IOCs, tags, and related metadata. get_reports_with_iocs (Investigation)
Get Stealers Log Retrieves a list of all stealer log infections or specific stealer log infections for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_stealers_log (Investigation)

operation: Get IOCs

Input parameters

Parameter Description
Report ID Specify a comma-separated list of report IDs from which to fetch the IOCs.
IOC Type Specify a comma-separated string or single string of the type of IOCs to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve the results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        },
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
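The page, size and total fields above are what a playbook needs to walk the full result set, and the ioc/ioc_type pairs are what end up in threat feeds. The following Python is an added example, not connector or FortiRecon code: it pages through get_iocs results while respecting the documented 500-record cap on Size, validates each value against its declared type (CVE identifiers and IP addresses; other types pass through), and deduplicates IOCs that several reports share. The fetch function, its 1-based page numbering, the sample hits, and the "domain" type label are assumptions made for the example; the page itself only names cve and IP-REPUTATION.

```python
"""Drain every page of a FortiRecon ACI 'Get IOCs' result and normalise the hits.

Added example, not connector or FortiRecon code. `fetch_page` is a stand-in
for the get_iocs action and serves constructed sample data in the documented
shape ({"hits": [...], "page": ..., "size": ..., "total": ...}).
Assumptions: page numbers are 1-based, and ioc_type labels follow the page's
"cve,IP-REPUTATION" example; neither is stated by the connector documentation.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MAX_PAGE_SIZE = 500  # documented upper bound for the Size parameter

# Constructed sample data: six hits across two reports, one IP repeated in both
# reports, one IP that is not a valid address, one CVE written in lowercase.
SAMPLE_IOCS: List[Dict] = [
    {"ioc": "CVE-2024-0001", "ioc_type": "cve", "report_id": "R-1", "report_title": "Flash Alert A"},
    {"ioc": "203.0.113.7", "ioc_type": "IP-REPUTATION", "report_id": "R-1", "report_title": "Flash Alert A"},
    {"ioc": "203.0.113.7", "ioc_type": "IP-REPUTATION", "report_id": "R-2", "report_title": "Flash Report B"},
    {"ioc": "999.1.1.1", "ioc_type": "IP-REPUTATION", "report_id": "R-2", "report_title": "Flash Report B"},
    {"ioc": "cve-2023-12345", "ioc_type": "cve", "report_id": "R-2", "report_title": "Flash Report B"},
    {"ioc": "login.evil.invalid", "ioc_type": "domain", "report_id": "R-2", "report_title": "Flash Report B"},
]


def fetch_page(page: int, size: int) -> Dict:
    """Stand-in for the get_iocs action: one page of SAMPLE_IOCS (hypothetical, 1-based)."""
    if not 0 < size <= MAX_PAGE_SIZE:
        raise ValueError("Size must be greater than 0 and at most 500")
    start = (page - 1) * size
    return {"hits": SAMPLE_IOCS[start:start + size], "page": page,
            "size": size, "total": len(SAMPLE_IOCS)}


def iter_all_hits(fetch: Callable[[int, int], Dict], size: int = MAX_PAGE_SIZE) -> Iterator[Dict]:
    """Yield hits from every page until `total` is reached or a page comes back empty."""
    page, seen = 1, 0
    while True:
        resp = fetch(page, size)
        hits = resp.get("hits") or []
        if not hits:
            return  # defensive stop: never loop forever on an empty page
        yield from hits
        seen += len(hits)
        if seen >= int(resp.get("total") or 0):  # schema shows total as a string; int() covers both
            return
        page += 1


_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalise(hit: Dict) -> Optional[Tuple[str, str]]:
    """Map a hit to a (kind, value) key, or None when the value fails its type's syntax.

    A malformed IOC that reaches a threat feed is at best a false positive and at
    worst a block on a legitimate host, so validate before ingesting.
    """
    kind = str(hit.get("ioc_type", "")).strip().lower()
    value = str(hit.get("ioc", "")).strip()
    if kind == "cve":
        value = value.upper()
        return ("cve", value) if _CVE_RE.match(value) else None
    if kind == "ip-reputation":
        try:
            return ("ip", str(ipaddress.ip_address(value)))
        except ValueError:
            return None
    return (kind, value) if kind and value else None  # other types pass through unvalidated


def collect_indicators(fetch: Callable[[int, int], Dict], size: int = MAX_PAGE_SIZE):
    """Return ({(kind, value): [report ids]}, [rejected hits]) across all pages."""
    indicators: Dict[Tuple[str, str], set] = {}
    rejected: List[Dict] = []
    for hit in iter_all_hits(fetch, size):
        key = normalise(hit)
        if key is None:
            rejected.append(hit)
            continue
        indicators.setdefault(key, set()).add(hit["report_id"])
    return {k: sorted(v) for k, v in indicators.items()}, rejected


if __name__ == "__main__":
    found, bad = collect_indicators(fetch_page, size=2)  # tiny page size to exercise paging
    for (kind, value), reports in sorted(found.items()):
        print(f"{kind:7} {value:20} reports={','.join(reports)}")
    print("rejected:", [h["ioc"] for h in bad])
```

In a playbook the fetch callable would be the connector's get_iocs step with Page and Size wired to the loop; the rejected list is worth logging rather than silently dropping, since a run of rejections usually means the ioc_type mapping has changed upstream.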

operation: Get Leaked Cards

Input parameters

Parameter Description
Type Specify the type of leaked card to retrieve from Fortinet FortiRecon ACI.
BIN Specify a comma-separated list of BINs (Bank Identification Numbers, the leading digits of the card number) to match the leaked cards retrieved from Fortinet FortiRecon ACI. For example, 123456,654321.
Start Date Specify the date from when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "bank_name": "",
            "base_name": "",
            "bg_code": "",
            "bin": "",
            "brand_name": "",
            "category": "",
            "city": "",
            "country": "",
            "expiry": "",
            "holder_name": "",
            "index_ts": "",
            "org_id": "",
            "price": "",
            "shop_name": "",
            "state": "",
            "type": "",
            "unique_id": "",
            "zip": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Widgets

Input parameters

Parameter Description
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get OSINT Feeds

Input parameters

Parameter Description
Widget ID Specify the Widget ID using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "content_snippet": "",
            "is_latest": "",
            "link": "",
            "publish_date": "",
            "tags": [
                "",
                ""
            ],
            "title": "",
            "widget_id": "",
            "widget_name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports

Input parameters

Parameter Description
Relevance Rating Specify a comma-separated string or single string of the relevance ratings of the reports to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low.
Tags Specify a comma-separated string or single string of the tags associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime.
Adversary Specify a comma-separated string or single string of the adversaries associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34.
Source Category Specify a comma-separated string or single string of the source category associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet.
Report Type Specify a comma-separated string or single string of the type of reports to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert.
Industry Specify a comma-separated string or single string of the industry associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology.
Geography Specify a comma-separated string or single string of the geography of the reports to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia.
Keyword Specify the keyword using which to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "adversary": [
                ""
            ],
            "geography": [
                ""
            ],
            "industry_tags": [
                ""
            ],
            "information_date": "",
            "information_reliability": "",
            "motivation": "",
            "publish_date": "",
            "relevance_rating": "",
            "report_id": "",
            "report_title": "",
            "report_type": "",
            "source_category": "",
            "source_name": "",
            "source_reliability": "",
            "status": "",
            "summary": "",
            "threat": [
                "",
                ""
            ],
            "tlp": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:

{
    "adversary": [
        ""
    ],
    "category": "",
    "customer_tag": "",
    "geography": [
        ""
    ],
    "industry_tags": [
        ""
    ],
    "information_date": "",
    "information_reliability": "",
    "ioc": [],
    "motivation": "",
    "publish_date": "",
    "relevance_rating": "",
    "report_id": "",
    "report_title": "",
    "source_name": "",
    "source_reliability": "",
    "status": "",
    "summary": "",
    "tags": [
        "",
        ""
    ],
    "tlp": "",
    "type": ""
}

operation: Get Stealers Log

Input parameters

Parameter Description
Stealer Name Specify a comma-separated string or single string of the names of the stealers associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, Redline,Redline1.
Domain Specify a comma-separated string or single string of the domains associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, domain1.com,domain2.com.
Country Specify a comma-separated string or single string of the countries associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, India,Dubai.
State Specify a comma-separated string or single string of the states associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, California,Texas.
ISP Specify a comma-separated string or single string of the ISPs associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, Hutchison Max Telecom Limited.
Marketplace Specify a comma-separated string or single string of the marketplaces associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, russian-market,russian-market2.
Keyword Specify the keyword using which to filter the stealer log infections retrieved from Fortinet FortiRecon ACI.
Start Date Specify the date from when to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "affiliated_domains": "",
            "country": "",
            "discovery_date": "",
            "isp": "",
            "last_updated": "",
            "marketplace": "",
            "org_id": "",
            "price": "",
            "sites": "",
            "state": "",
            "stealer_name": "",
            "vendor": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
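Stealer log hits are most useful once matched against the domains you actually own: a credential captured for a single sign-on host of yours is an account-takeover risk, while one for an unrelated site is noise. The following Python is an added example, not connector or FortiRecon code: it reduces affiliated_domains and sites to hostnames, matches them against a monitored domain set with a label-boundary check (so notexample.com does not match example.com), flags recent discoveries, and orders matches newest first. The page does not state the format of affiliated_domains, sites or discovery_date; the example assumes comma-separated hostnames or URLs and ISO 8601 dates, and its sample hits are constructed.

```python
"""Triage FortiRecon ACI 'Get Stealers Log' hits against the domains you own.

Added example, not connector or FortiRecon code. Records follow the documented
output schema; the assumptions that `affiliated_domains` and `sites` arrive as
comma-separated strings (hostnames or URLs) and that `discovery_date` is ISO 8601
are the example's own, since the page does not state those formats.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

MONITORED = {"example.com", "corp.example.net"}  # domains whose credentials you care about
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample hits; schema fields not needed for triage are left empty.
SAMPLE_HITS: List[Dict] = [
    {"affiliated_domains": "mail.example.com,notexample.com", "country": "India", "discovery_date": "2024-05-20",
     "isp": "", "last_updated": "2024-05-21", "marketplace": "russian-market", "org_id": "1", "price": "10",
     "sites": "https://sso.example.com/login,https://other.invalid/", "state": "", "stealer_name": "Redline", "vendor": ""},
    {"affiliated_domains": "unrelated.test", "country": "", "discovery_date": "2024-05-19", "isp": "",
     "last_updated": "", "marketplace": "russian-market", "org_id": "1", "price": "", "sites": "https://shop.invalid/",
     "state": "Texas", "stealer_name": "Redline1", "vendor": ""},
    {"affiliated_domains": "corp.example.net", "country": "", "discovery_date": "2024-01-02", "isp": "",
     "last_updated": "", "marketplace": "", "org_id": "1", "price": "", "sites": "", "state": "California",
     "stealer_name": "Redline", "vendor": ""},
    {"affiliated_domains": "", "country": "", "discovery_date": "", "isp": "", "last_updated": "", "marketplace": "",
     "org_id": "1", "price": "", "sites": "https://portal.corp.example.net/", "state": "", "stealer_name": "", "vendor": ""},
]


def hostnames(value) -> List[str]:
    """Split a comma-separated field into normalised hostnames; URLs are reduced to their host."""
    items = value if isinstance(value, (list, tuple)) else str(value or "").split(",")
    out = []
    for item in items:
        item = str(item).strip()
        if "://" in item:
            item = urlsplit(item).hostname or ""
        item = item.lower().rstrip(".")
        if item:
            out.append(item)
    return out


def is_owned(host: str, monitored: Iterable[str] = MONITORED) -> bool:
    """True when host is a monitored domain or a subdomain of one (label-boundary aware)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)


def parse_date(value) -> Optional[datetime]:
    """Parse an ISO 8601 date or datetime (assumed format); None when absent or unparseable."""
    if not value:
        return None
    text = str(value).strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat accepts 'Z' only on newer Pythons
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def triage(hits: Iterable[Dict], monitored: Iterable[str] = MONITORED,
           now: Optional[datetime] = None, fresh_days: int = 30) -> List[Dict]:
    """Keep hits that touch a monitored domain; newest discovery first, undated last."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for hit in hits:
        hosts = hostnames(hit.get("affiliated_domains")) + hostnames(hit.get("sites"))
        matched = sorted({h for h in hosts if is_owned(h, monitored)})
        if not matched:
            continue
        discovered = parse_date(hit.get("discovery_date"))
        fresh = discovered is not None and now - discovered <= timedelta(days=fresh_days)
        kept.append({**hit, "matched": matched, "fresh": fresh,
                     "_ts": discovered.timestamp() if discovered else float("-inf")})
    kept.sort(key=lambda r: r["_ts"], reverse=True)
    for record in kept:
        del record["_ts"]
    return kept


if __name__ == "__main__":
    for record in triage(SAMPLE_HITS, now=SAMPLE_NOW):
        print(record["discovery_date"] or "undated", record["stealer_name"] or "?",
              "fresh" if record["fresh"] else "stale", ",".join(record["matched"]))
```

The "fresh" flag is what drives the response: a fresh match on a single sign-on host warrants a forced password reset and session revocation for the affected users, while stale matches are mainly evidence for how long the infection has been on the market. The Domain input parameter of Get Stealers Log narrows the query server-side; the local check is still worth keeping, because it catches subdomains and URLs in sites that a plain domain filter may not.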

Included playbooks

The Sample - Fortinet FortiRecon ACI - 1.1.0 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

  • FortiRecon ACI Report > Fetch
  • FortiSOAR Threat Feeds Using FortiRecon ACI Report > Create
  • Get FortiRecon ACI Report IOC
  • On Create > Map Adversary to MITRE Groups/Techniques/Software
  • On Update > Map Adversary to MITRE Groups/Techniques/Software
  • Map Adversary to MITRE Groups/Techniques/Software
  • Get IOCs
  • Get Leaked Cards
  • Get OSINT Feeds
  • Get Reports
  • Get Reports With IOCs
  • Get Stealers Log
  • Get Widgets

NOTE: The Threat Intel Report module of the Threat Intel Management Solution Pack fetches reports containing indicators whose source category is Technical Intelligence.

Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling reports from Fortinet FortiRecon ACI. Currently, reports in Fortinet FortiRecon ACI are mapped to Threat Intel Management in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiRecon ACI reports to Threat Intel Management in FortiSOAR™.

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiRecon ACI into FortiSOAR™. It also lets you pull some sample data from FortiRecon ACI using which you can define the mapping of data between FortiRecon ACI Reports and FortiSOAR™. The Data Ingestion Wizard generally maps the common fields for you; you usually only need to map any custom fields that have been added to the FortiRecon ACI reports.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiRecon ACI connector's Configurations page.
    Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between FortiRecon ACI reports and FortiSOAR™ Threat Intel Management. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configuration required to fetch reports from FortiRecon ACI: in Pull Reports Created in Past X Hours, specify how far back the fetch should look. The fetched data is used to create a mapping between the FortiRecon ACI reports and FortiSOAR™ Threat Intel Management.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of a FortiRecon ACI report to the fields of Threat Intel Management present in FortiSOAR™.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiRecon ACI, so that the content gets pulled from the FortiRecon ACI integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, to pull data from FortiRecon ACI every 5 minutes, click Every X Minute and in the minute box enter */5. Reports will then be pulled from FortiRecon ACI every 5 minutes according to that schedule.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Previous
Next

Fortinet FortiRecon ACI v1.1.0

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view to the risks posed to your enterprise.The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets. This connector facilitates the automated operations related to ACI

This document provides information about the Fortinet FortiRecon ACI Connector, which facilitates automated interactions, with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon ACI.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.4.0-3024

Fortinet FortiRecon ACI Version Tested on:

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 1.1.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon ACI connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID for fetch the records using the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the given organization ID and other input parameters you have specified. get_iocs
Investigation
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards
Investigation
Get Widgets Retrieves a list of all widgets or specific widgets for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_widgets
Investigation
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds
Investigation
Get Reports Retrieves a list of all reports or specific reports for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data. get_reports
Investigation
Get Reports With IOCs Retrieves details, including IOCs, for a specific report for the given organization ID and the report ID you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports. get_reports_with_iocs
Investigation
Get Stealers Log Retrieves a list of all stealer log infections or specific stealer log infections for the given organization ID and other input parameters you have specified from Fortinet FortiRecon ACI. get_stealers_log
Investigation

operation: Get IOCs

Input parameters

Parameter Description
Report ID Specify a comma-separated list of report IDs from which to fetch the IOCs.
IOC Type Specify a comma-separated string or single string of the type of IOCs to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve the results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        },
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Leaked Cards

Input parameters

Parameter Description
Type Specify the type of leaked card to retrieve from Fortinet FortiRecon ACI.
Bin Specify the bin associated with the leaked card to retrieve from Fortinet FortiRecon ACI. For example, 123456,654321
Start Date Specify the date from when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "bank_name": "",
            "base_name": "",
            "bg_code": "",
            "bin": "",
            "brand_name": "",
            "category": "",
            "city": "",
            "country": "",
            "expiry": "",
            "holder_name": "",
            "index_ts": "",
            "org_id": "",
            "price": "",
            "shop_name": "",
            "state": "",
            "type": "",
            "unique_id": "",
            "zip": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Widgets

Input parameters

Parameter Description
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get OSINT Feeds

Input parameters

Parameter Description
Widget ID Specify the Widget ID using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "content_snippet": "",
            "is_latest": "",
            "link": "",
            "publish_date": "",
            "tags": [
                "",
                ""
            ],
            "title": "",
            "widget_id": "",
            "widget_name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports

Input parameters

Parameter Description
Relevance Rating Specify a comma-separated string or single string of the relevance ratings of the reports to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low.
Tags Specify a comma-separated string or single string of the tags associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime.
Adversary Specify a comma-separated string or single string of the adversary associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34.
Source Category Specify a comma-separated string or single string of the source category associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet.
Report Type Specify a comma-separated string or single string of the type of reports to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert.
Industry Specify a comma-separated string or single string of the industry associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology.
Geography Specify a comma-separated string or single string of the geography of the reports to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia.
Keyword Specify the keyword using which to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "adversary": [
                ""
            ],
            "geography": [
                ""
            ],
            "industry_tags": [
                ""
            ],
            "information_date": "",
            "information_reliability": "",
            "motivation": "",
            "publish_date": "",
            "relevance_rating": "",
            "report_id": "",
            "report_title": "",
            "report_type": "",
            "source_category": "",
            "source_name": "",
            "source_reliability": "",
            "status": "",
            "summary": "",
            "threat": [
                "",
                ""
            ],
            "tlp": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:

{
    "adversary": [
        ""
    ],
    "category": "",
    "customer_tag": "",
    "geography": [
        ""
    ],
    "industry_tags": [
        ""
    ],
    "information_date": "",
    "information_reliability": "",
    "ioc": [],
    "motivation": "",
    "publish_date": "",
    "relevance_rating": "",
    "report_id": "",
    "report_title": "",
    "source_name": "",
    "source_reliability": "",
    "status": "",
    "summary": "",
    "tags": [
        "",
        ""
    ],
    "tlp": "",
    "type": ""
}
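The two report operations above are meant to be chained: Get Reports returns a paginated listing (hits, page, size, total), and Get Reports With IOCs is then called per report_id. The following added example, which is not part of the connector's own code, walks every page of a listing, enforces the documented Size bound (greater than 0 and at most 500), and collects the IDs of reports whose source_category is Technical Intelligence, the category the Threat Intel Report module fetches indicators for. The fetch_reports_page function and the sample pages are constructed stand-ins for the connector action.

```python
"""Page through Get Reports output and select the reports to pass on to
Get Reports With IOCs. Offline example: fetch_reports_page is a
hypothetical stand-in for the connector action, fed by constructed data."""

MAX_PAGE_SIZE = 500  # Size parameter: must be > 0 and <= 500

# Constructed sample responses in the Get Reports output shape (two pages,
# three records in total, page size 2).
_SAMPLE_PAGES = {
    1: {"hits": [
            {"report_id": "R-1", "source_category": "Technical Intelligence",
             "tlp": "AMBER", "threat": ["Malware"]},
            {"report_id": "R-2", "source_category": "Dark Web",
             "tlp": "RED", "threat": ["Ransomware"]},
        ], "page": 1, "size": 2, "total": 3},
    2: {"hits": [
            {"report_id": "R-3", "source_category": "Technical Intelligence",
             "tlp": "GREEN", "threat": []},
        ], "page": 2, "size": 2, "total": 3},
}


def fetch_reports_page(page: int, size: int) -> dict:
    """Hypothetical stand-in for the Get Reports action (constructed data)."""
    if not 0 < size <= MAX_PAGE_SIZE:
        raise ValueError(f"Size must be in 1..{MAX_PAGE_SIZE}, got {size}")
    return _SAMPLE_PAGES.get(page, {"hits": [], "page": page, "size": size, "total": 3})


def iter_reports(size: int = 10):
    """Yield every hit, following page/size/total until all records are seen."""
    page, seen = 1, 0
    while True:
        resp = fetch_reports_page(page, size)
        hits = resp["hits"]
        if not hits:          # defensive stop if total overstates the records
            return
        yield from hits
        seen += len(hits)
        if seen >= int(resp["total"]):
            return
        page += 1


def technical_intel_report_ids(size: int = 10) -> list:
    """IDs of reports whose source_category is Technical Intelligence; each
    ID is what Get Reports With IOCs expects as its ID parameter."""
    return [h["report_id"] for h in iter_reports(size)
            if h.get("source_category") == "Technical Intelligence"]
```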

operation: Get Stealers Log

Input parameters

Parameter Description
Stealer Name Specify a stealer name, or a comma-separated list of stealer names, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, Redline,Redline1.
Domain Specify a domain, or a comma-separated list of domains, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, domain1.com,domain2.com.
Country Specify a country, or a comma-separated list of countries, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, India,Dubai.
State Specify a state, or a comma-separated list of states, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, California,Texas.
ISP Specify an ISP, or a comma-separated list of ISPs, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, Hutchison Max Telecom Limited.
Marketplace Specify a marketplace, or a comma-separated list of marketplaces, associated with the stealer log infections to retrieve from Fortinet FortiRecon ACI. For example, russian-market,russian-market2.
Keyword Specify the keyword by which to filter the stealer log infections retrieved from Fortinet FortiRecon ACI.
Start Date Specify the date from which to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date up to which to retrieve stealer log infections from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page Specify the page number from which to retrieve results.
Size Specify the maximum number of records that this operation should return for the specified page. By default, it retrieves 10 records. The specified value must be greater than 0 and less than or equal to 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "affiliated_domains": "",
            "country": "",
            "discovery_date": "",
            "isp": "",
            "last_updated": "",
            "marketplace": "",
            "org_id": "",
            "price": "",
            "sites": "",
            "state": "",
            "stealer_name": "",
            "vendor": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Included playbooks

The Sample - Fortinet FortiRecon ACI - 1.1.0 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

NOTE: The Threat Intel Report module of the Threat Intel Management Solution Pack fetches reports containing indicators whose source category is Technical Intelligence.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling reports from Fortinet FortiRecon ACI. Currently, reports in Fortinet FortiRecon ACI are mapped to Threat Intel Management in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiRecon ACI reports to Threat Intel Management in FortiSOAR™.

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiRecon ACI into FortiSOAR™. It also lets you pull some sample data from FortiRecon ACI, which you use to define the mapping between FortiRecon ACI reports and FortiSOAR™. The Data Ingestion Wizard generally maps the common fields for you; you usually need to map only the custom fields that have been added to the FortiRecon ACI reports.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiRecon ACI connector's Configurations page. Click Let's Start by fetching some data to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between FortiRecon ACI reports and FortiSOAR™ Threat Intel Management. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch reports from FortiRecon ACI. In Pull Reports Created in Past X Hours, specify how far back reports are fetched from FortiRecon ACI. The fetched data is used to create a mapping between the FortiRecon ACI reports and FortiSOAR™ Threat Intel Management.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of FortiRecon ACI reports to the fields of Threat Intel Management in FortiSOAR™.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify how often FortiSOAR™ polls FortiRecon ACI so that content is pulled from the FortiRecon ACI integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, to pull data from FortiRecon ACI every 5 minutes, click Every X Minute and enter */5 in the minute box. With this configuration, data, i.e., indicators, is pulled from FortiRecon ACI every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
