About the connector
Infocyte automates the process of threat hunting, allowing you to dig deep into forensics and eliminate threats quickly.
This document provides information about the Infocyte connector, which facilitates automated interactions, with your Infocyte server using FortiSOAR™ playbooks. Add the Infocyte connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of hosts that are added in Infocyte, triggering a scan on a host, and retrieving scan details from Infocyte.
Version information
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
Release Notes for version 1.1.0
Following enhancements have been made to the Infocyte connector in version 1.1.0:
- Updated the connector configuration parameters to remove the username and password fields and replaced these fields with the API Key parameter.
Note: The configuration parameters for the Infocyte connector in version 1.1.0 is different from the earlier versions, therefore, in this case, the connector configurations of the previous version are unavailable and you will require to reconfigure this connector. For configuring Infocyte 1.1.0, you will require the API key to connect to the Infocyte server.
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-infocyte
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of Infocyte server to which you will connect and perform automated operations and credentials (API Key) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Infocyte connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
URL of the Infocyte server to which you will connect and perform the automated operations. |
| API Key |
API Key of the Infocyte server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Get Scans Of Target |
Get scans associated with a specific target from Infocyte, based on the target ID you have specified. |
get_scans_of_target
Investigation |
| Get Hosts Artifacts |
Retrieves details of all artifacts or a specific artifact associated with hosts, based on the open query you have specified from Infocyte. |
get_hosts_artifacts
Investigation |
| Get Host Addresses |
Retrieves addresses of all the hosts, or specific hosts based on the host ID and other input parameters you have specified from Infocyte. |
get_host_address
Investigation |
| Get Target Group Details |
Retrieves details of all target groups, or specific target groups, based on the target group ID and other input parameters you have specified from Infocyte. |
get_target_group
Investigation |
| Run Scan |
Triggers a scan on a host on Infocyte based on the target ID, and optionally the host address ID and other input parameters that you have specified. |
run_scan
Investigation |
| Get Scans |
Retrieves details of all scans, or specific scans based on the input parameters that you have specified from Infocyte. |
get_scans
Investigation |
| Get Scan Status By User Task ID |
Retrieves the status of all scans, or specific scans based on the user task ID that you have specified from Infocyte. |
get_scan_status_by_user_taskid
Investigation |
| Get Processes |
Retrieves basic information, such as threat, score, etc for all processes, or specific processes based on the target ID and other input parameters that you have specified from Infocyte. |
get_processes
Investigation |
| Get Process Details |
Retrieves all details for all processes, or specific processes based on the process ID and other input parameters that you have specified from Infocyte. |
get_processes_details
Investigation |
| Get Accounts |
Retrieves details of all accounts, or specific accounts based on the target ID and other input parameters that you have specified from Infocyte. |
get_accounts
Investigation |
| Get Modules |
Retrieves basic information, such as threat, score, etc for all modules, or specific module based on the target ID and other input parameters that you have specified from Infocyte. |
get_modules
Investigation |
| Get Module Details |
Retrieves all details for all modules, or specific module based on the module ID that you have specified from Infocyte. |
get_modules_details
Investigation |
| Get Drivers |
Retrieves basic information, such as threat, score, etc for all drivers, or specific driver based on the target ID and other input parameters that you have specified from Infocyte. |
get_drivers
Investigation |
| Get Driver Details |
Retrieves details of all drivers, or specific drivers based on the driver ID that you have specified from Infocyte. |
get_drivers_details
Investigation |
| Get Artifacts |
Retrieves basic information, such as threat, score, etc for all artifacts, or specific artifact based on the target ID and other input parameters that you have specified from Infocyte. |
get_artifacts
Investigation |
| Get Artifact Details |
Retrieves details of all artifacts, or specific artifacts based on the artifact ID that you have specified from Infocyte. |
get_artifacts_details
Investigation |
operation: Get Scans Of Target
Input parameters
| Parameter |
Description |
| Target ID |
ID of the target whose associated scans details you want to retrieve from Infocyte. |
Output
The output contains the following populated JSON schema:
[
{
"startedOn": "",
"autostartCount": "",
"moduleCount": "",
"accountCount": "",
"targetDeleted": "",
"completedOn": "",
"memoryCount": "",
"id": "",
"totalHostCount": "",
"name": "",
"applicationCount": "",
"hookCount": "",
"targetId": "",
"scriptCount": "",
"processCount": "",
"artifactCount": "",
"connectionCount": "",
"updatedOn": "",
"hostCount": "",
"targetName": "",
"driverCount": ""
}
]
operation: Get Hosts Artifacts
Input parameters
| Parameter |
Description |
| Open Query |
(Optional) A generalized query that you can enter in this field to get artifacts details for hosts on Infocyte.
For example, {"where" : {"hostname":"AD"}} |
Output
The output contains the following populated JSON schema:
[
{
"hostname": "",
"hostId": "",
"signed": "",
"path": "",
"avTotal": "",
"hasAvScan": "",
"staticAnalysis": "",
"notMalicious": "",
"hostScanId": "",
"synapse": "",
"whitelist": "",
"flagName": "",
"managed": "",
"flagColor": "",
"localWhitelist": "",
"compromised": "",
"threatWeight": "",
"localBlacklist": "",
"scannedOn": "",
"blacklist": "",
"modifiedOn": "",
"artifactType": "",
"suspicious": "",
"threatScore": "",
"avPositives": "",
"unknown": "",
"id": "",
"flagWeight": "",
"name": "",
"artifactId": "",
"scanId": "",
"hitCount": "",
"threatName": "",
"malicious": "",
"dynamicAnalysis": "",
"flagId": "",
"failed": "",
"fileRepId": ""
}
]
operation: Get Host Addresses
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
The 'id' field in the output is the address ID.
| Parameter |
Description |
| Filter By |
Filter hosts that are retrieved from Infocyte, based on the entity that you select in this field.
You can choose from the following options: Hostname, IP Address, or TargetID. |
| Filter Value |
Value of the filter based on which you want to filter hosts from Infocyte.
The filter value that you specify will be based on the Filter By option you have chosen. |
| Offset |
Index of the first item based on which the list of hosts are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of host records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of hosts on Infocyte.
For example, {"where": {"hostname":"AD"}}} |
Output
The output contains the following populated JSON schema:
[
{
"port135": "",
"lastScannedOn": "",
"port5986": "",
"port22": "",
"accessWmi": "",
"accessSsh": "",
"osLinux": "",
"username": "",
"latency": "",
"agentId": "",
"accessible": "",
"lastScanDate": "",
"os": "",
"taskId": "",
"hostname": "",
"accessSmb": "",
"accessPs": "",
"port445": "",
"osOther": "",
"id": "",
"osOSX": "",
"ip": "",
"deleted": "",
"targetId": "",
"port139": "",
"accessRst": "",
"queryId": "",
"osWindows": "",
"ipstring": "",
"lastAccessedOn": "",
"failed": "",
"failureReason": "",
"accessAgent": ""
}
]
operation: Get Target Group Details
Input parameters
| Parameter |
Description |
| Target Group ID |
ID of the target group whose details you want to retrieve from Infocyte. |
| Offset |
Index of the first item based on which the list of target groups are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of target groups to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of target groups from Infocyte.
For example, {"where" : {"id" : "e42e963178fb46dbfac23c197dd0116149d4e81b"}} |
Output
The output contains the following populated JSON schema:
[
{
"deleted": "",
"totalAddressCount": "",
"lastScannedOn": "",
"id": "",
"reachableAddressCount": "",
"name": "",
"accessibleAddressCount": ""
}
]
operation: Run Scan
Input parameters
| Parameter |
Description |
| Target ID |
ID of the target on which you want to run the scan on Infocyte. |
| Host Address ID |
ID of the host on which you want to run the scan on Infocyte. |
| Collect Drivers |
Select this option to collect driver information.
By default, this option is unchecked. |
| Collect Memory |
Select this option to collect memory information.
By default, this option is unchecked. |
| Collect Artifacts |
Select this option to collect artifacts information.
By default, this option is unchecked. |
| Collect Autostarts |
Select this option to collect autostarts information.
By default, this option is unchecked. |
| Collect Hooks |
Select this option to collect hooks information.
By default, this option is unchecked. |
| Collect Network Connections |
Select this option to collect network connections information.
By default, this option is unchecked. |
| Collect Applications |
Select this option to collect applications information.
By default, this option is unchecked. |
| Delete survey after execution |
Select this option to delete the survey after the scan is executed.
By default, this option is unchecked. |
| Delete log after execution |
Select this option to delete the logs after the scan is executed.
By default, this option is unchecked. |
Output
The output contains the following populated JSON schema:
[
{
"userTaskId": ""
}
]
operation: Get Scans
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Offset |
Index of the first item based on which the details of scans are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of scan records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of scans from Infocyte.
For example,{"where": {"scanId":"306eb731-215b-1f1f-6c07-257d632d5687"}}} |
Output
The output contains the following populated JSON schema:
[
{
"ip": "",
"remediated": "",
"remediatedByUserId": "",
"boxId": "",
"id": "",
"completedOn": "",
"compromised": "",
"addressId": "",
"failed": "",
"scanId": "",
"remediatedOn": "",
"hostId": ""
}
]
operation: Get Scan Status By User Task ID
Input parameters
| Parameter |
Description |
| User Task ID |
(Optional) ID of the user task whose scan status you want to retrieve from Infocyte. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"jobId": "",
"createdOn": "",
"progress": "",
"endedOn": "",
"message": "",
"type": "",
"userId": "",
"id": "",
"itemCount": "",
"archived": "",
"stats": "",
"data": {
"scanName": "",
"scanId": "",
"updatedOn": ""
},
"name": "",
"startedOn": "",
"relatedId": ""
}
operation: Get Processes
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Target ID |
ID of the target whose basic process information you want to retrieve from Infocyte. |
| Duration |
Duration for which you want to retrieve basic process information from Infocyte.
You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days.
|
| Scan ID On Target |
ID of the scan on target whose basic process information you want to retrieve from Infocyte. |
| Verified Good |
Select this option to collect verified good processes.
By default, this option is unchecked. |
| Probably Good |
Select this option to collect probably good processes.
By default, this option is unchecked. |
| Probably Bad |
Select this option to collect probably bad processes.
By default, this option is unchecked. |
| Verified Bad |
Select this option to collect verified bad processes.
By default, this option is unchecked. |
| Good |
Select this option to collect good processes.
By default, this option is unchecked. |
| Low Risk |
Select this option to collect low risk processes.
By default, this option is unchecked. |
| Bad |
Select this option to collect bad processes.
By default, this option is unchecked. |
| Suspicious |
Select this option to collect suspicious processes.
By default, this option is unchecked. |
| Unknown |
Select this option to collect unknown processes.
By default, this option is unchecked. |
| Whitelist |
Select this option to collect whitelist processes.
By default, this option is unchecked. |
| Blacklist |
Select this option to collect blacklist processes.
By default, this option is unchecked. |
| Process Score |
Score operator based on which you want to collect processes from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Score Value |
Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect processes from Infocyte. |
| Count |
Count operator based on which you want to collect processes from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Count Value |
Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect processes from Infocyte. |
| Signed |
Select this option to collect signed processes.
By default, this option is unchecked. |
| Not Signed |
Select this option to collect not signed processes.
By default, this option is unchecked. |
| Package Manager |
Select this option to collect package managed processes.
By default, this option is unchecked. |
| No Package Manager |
Select this option to collect not package managed processes.
By default, this option is unchecked. |
| Antivirus Data |
Select this option to collect antivirus data for processes.
By default, this option is unchecked. |
| No Antivirus Data |
Select this option to collect no antivirus data for processes.
By default, this option is unchecked. |
| Static Analysis |
Select this option to collect static analysis data for processes.
By default, this option is unchecked. |
| No Static Analysis |
Select this option to collect no static analysis data for processes.
By default, this option is unchecked. |
| Sandbox Analysis |
Select this option to collect sandbox analysis data for processes.
By default, this option is unchecked. |
| No Sandbox Analysis |
Select this option to collect no sandbox analysis data for processes.
By default, this option is unchecked. |
| Exclude Failures |
Select this option to exclude failures for processes.
By default, this option is unchecked. |
| Sort Order |
Orders the search results retrieved from Infocyte.
You can choose either Ascending or Descending. |
| Sort By |
Sorts the search results retrieved from Infocyte based on the filter criterion you have specified.
You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
| Offset |
Offset, i.e., the index of the first item, based on which the basic information for processes are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of process records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of processes from Infocyte.
For example, {"where" : {"id" : "013a30d953c16d2313956b76503532a542e1b8ac"}}
Following is an example of a complex open query
{"where":{"and":[{"and":[{"signed":true},{"hasAvScan":false}]},{"hitCount":{"gte":5}},{"boxId":"f0a14878-2012-4b8f-bf1c-f6922034686a"}]},"order":["threatWeight desc","id"],"limit":25,"skip":0} |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Process Details
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Process ID |
ID of the process whose details you want to retrieve from Infocyte. |
| Pagination Limit |
Maximum number of process records to be retrieved from Infocyte by this operation. |
| Offset |
Offset, i.e., the index of the first item, based on which the details for the processes are retrieved from Infocyte.
By default, this is set to 0. |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Accounts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Target ID |
ID of the target whose accounts details you want to retrieve from Infocyte. |
| Duration |
Duration for which you want to retrieve account details from Infocyte.
You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days.
|
| Scan ID On Target |
ID of the scan on the target whose account information you want to retrieve from Infocyte. |
| Admin |
Select this option to collect admin privilege accounts.
By default, this option is unchecked. |
| User |
Select this option to collect user privilege accounts.
By default, this option is unchecked. |
| Guest |
Select this option to collect guest privilege accounts.
By default, this option is unchecked. |
| Sort Order |
Orders the search results retrieved from Infocyte.
You can choose either Ascending or Descending. |
| Sort By |
Sorts the search results retrieved from Infocyte based on the filter criterion you have specified.
You can choose from the following options: Name, Domain, Privileges, Hit Count, Logon Count, or Compromised. |
| Offset |
Offset, i.e., the index of the first item, based on which the details of accounts are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of account records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of accounts from Infocyte.
For example, {"where" : {"id" : "0033240e-0612-40f0-8f5a-0bb891c53624"}} |
Output
The output contains the following populated JSON schema:
[
{
"boxId": "",
"flagWeight": "",
"domain": "",
"remediatedBy": "",
"hitCount": "",
"remediatedByUserId": "",
"flagName": "",
"name": "",
"logonCount": "",
"remediatedOn": "",
"flagId": "",
"uid": "",
"id": "",
"compromised": "",
"priv": "",
"accountId": "",
"flagColor": "",
"remediated": ""
}
]
operation: Get Modules
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Target ID |
ID of the target whose module basic information you want to retrieve from Infocyte. |
| Duration |
Duration for which you want to retrieve basic module information details from Infocyte.
You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days.
|
| Scan ID On Target |
ID of the scan on the target whose basic module information you want to retrieve from Infocyte. |
| Verified Good |
Select this option to collect verified good modules.
By default, this option is unchecked. |
| Probably Good |
Select this option to collect probably good modules.
By default, this option is unchecked. |
| Probably Bad |
Select this option to collect probably bad modules.
By default, this option is unchecked. |
| Verified Bad |
Select this option to collect verified bad modules.
By default, this option is unchecked. |
| Good |
Select this option to collect good modules.
By default, this option is unchecked. |
| Low Risk |
Select this option to collect low risk modules.
By default, this option is unchecked. |
| Bad |
Select this option to collect bad modules.
By default, this option is unchecked. |
| Suspicious |
Select this option to collect suspicious modules.
By default, this option is unchecked. |
| Unknown |
Select this option to collect unknown modules.
By default, this option is unchecked. |
| Whitelist |
Select this option to collect whitelist modules.
By default, this option is unchecked. |
| Blacklist |
Select this option to collect blacklist modules.
By default, this option is unchecked. |
| Module Score |
Score operator based on which you want to collect modules from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Score Value |
Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect modules from Infocyte. |
| Count |
Count operator based on which you want to collect modules from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Count Value |
Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect modules from Infocyte. |
| Signed |
Select this option to collect signed modules.
By default, this option is unchecked. |
| Not Signed |
Select this option to collect not signed modules. By default, this option is unchecked. |
| Package Manager |
Select this option to collect package managed modules. By default, this option is unchecked. |
| No Package Manager |
Select this option to collect not package managed modules.
By default, this option is unchecked. |
| Antivirus Data |
Select this option to collect antivirus data for modules.
By default, this option is unchecked. |
| No Antivirus Data |
Select this option to collect no antivirus data for modules.
By default, this option is unchecked. |
| Static Analysis |
Select this option to collect static analysis data for modules.
By default, this option is unchecked. |
| No Static Analysis |
Select this option to collect no static analysis data for modules.
By default, this option is unchecked. |
| Sandbox Analysis |
Select this option to collect sandbox analysis data for modules.
By default, this option is unchecked. |
| No Sandbox Analysis |
Select this option to collect no sandbox analysis data for modules.
By default, this option is unchecked. |
| Exclude Failures |
Select this option to exclude failures for modules.
By default, this option is unchecked. |
| Sort Order |
Orders the search results retrieved from Infocyte.
You can choose either Ascending or Descending. |
| Sort By |
Sorts the search results retrieved from Infocyte based on the filter criterion you have specified.
You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight.
|
| Offset |
Offset, i.e., the index of the first item, based on which the basic information for modules are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of module records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of modules from Infocyte.
For example, {"where" : {"id" : "1443b55832f5499cd5989bc69115674371d877f7"}} |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Module Details
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Module ID |
ID of the module whose details you want to retrieve from Infocyte. |
| Offset |
Offset, i.e., the index of the first item, based on which the details for modules are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of module records to be retrieved from Infocyte by this operation. |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Drivers
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Target ID |
ID of the target whose driver basic information you want to retrieve from Infocyte. |
| Duration |
Duration for which you want to retrieve driver basic information from Infocyte.
You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days.
|
| Scan ID On Target |
ID of the scan on the target whose driver basic information you want to retrieve from Infocyte. |
| Verified Good |
Select this option to collect verified good drivers.
By default, this option is unchecked. |
| Probably Good |
Select this option to collect probably good drivers.
By default, this option is unchecked. |
| Probably Bad |
Select this option to collect probably bad drivers.
By default, this option is unchecked. |
| Verified Bad |
Select this option to collect verified bad drivers.
By default, this option is unchecked. |
| Good |
Select this option to collect good drivers.
By default, this option is unchecked. |
| Low Risk |
Select this option to collect low risk drivers.
By default, this option is unchecked. |
| Bad |
Select this option to collect bad drivers.
By default, this option is unchecked. |
| Suspicious |
Select this option to collect suspicious drivers.
By default, this option is unchecked. |
| Unknown |
Select this option to collect unknown drivers.
By default, this option is unchecked. |
| Whitelist |
Select this option to collect whitelist drivers.
By default, this option is unchecked. |
| Blacklist |
Select this option to collect blacklist drivers.
By default, this option is unchecked. |
| Driver Score |
Score operator based on which you want to collect divers from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Score Value |
Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect drivers from Infocyte. |
| Count |
Count operator based on which you want to collect drivers from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Count Value |
Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect drivers from Infocyte. |
| Signed |
Select this option to collect signed drivers.
By default, this option is unchecked. |
| Not Signed |
Select this option to collect not signed drivers.
By default, this option is unchecked. |
| Package Manager |
Select this option to collect package managed drivers.
By default, this option is unchecked. |
| No Package Manager |
Select this option to collect not package managed drivers.
By default, this option is unchecked. |
| Antivirus Data |
Select this option to collect antivirus data for drivers.
By default, this option is unchecked. |
| No Antivirus Data |
Select this option to collect no antivirus data for drivers.
By default, this option is unchecked. |
| Static Analysis |
Select this option to collect static analysis data for drivers.
By default, this option is unchecked. |
| No Static Analysis |
Select this option to collect no static analysis data for drivers.
By default, this option is unchecked. |
| Sandbox Analysis |
Select this option to collect sandbox analysis data for drivers.
By default, this option is unchecked. |
| No Sandbox Analysis |
Select this option to collect no sandbox analysis data for drivers.
By default, this option is unchecked. |
| Exclude Failures |
Select this option to exclude failures for drivers.
By default, this option is unchecked. |
| Sort Order |
Orders the search results retrieved from Infocyte.
You can choose either Ascending or Descending. |
| Sort By |
Sorts the search results retrieved from Infocyte based on the filter criterion you have specified.
You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight.
|
| Offset |
Offset, i.e., the index of the first item, based on which the basic information for drivers are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of driver records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of drivers from Infocyte.
For example, {"where" : {"id" : "019b92c309e1e700e94e6d9bf7710d6f868db650"}} |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Driver Details
Input parameters
| Parameter |
Description |
| Driver ID |
ID of the driver whose details you want to retrieve from Infocyte. |
| Offset |
Offset, i.e., the index of the first item, based on which the details for drivers are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of driver records to be retrieved from Infocyte by this operation. |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Artifacts
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Target ID |
ID of the target whose basic artifact information you want to retrieve from Infocyte. |
| Duration |
Duration for which you want to retrieve basic artifact information from Infocyte.
You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days.
|
| Scan ID On Target |
ID of the scan on the target whose basic artifact information you want to retrieve from Infocyte. |
| Verified Good |
Select this option to collect verified good artifacts.
By default, this option is unchecked. |
| Probably Good |
Select this option to collect probably good artifacts.
By default, this option is unchecked. |
| Probably Bad |
Select this option to collect probably bad artifacts.
By default, this option is unchecked. |
| Verified Bad |
Select this option to collect verified bad artifacts.
By default, this option is unchecked. |
| Good |
Select this option to collect good artifacts.
By default, this option is unchecked. |
| Low Risk |
Select this option to collect low risk artifacts.
By default, this option is unchecked. |
| Bad |
Select this option to collect bad artifacts.
By default, this option is unchecked. |
| Suspicious |
Select this option to collect suspicious artifacts.
By default, this option is unchecked. |
| Unknown |
Select this option to collect unknown artifacts.
By default, this option is unchecked. |
| Whitelist |
Select this option to collect whitelist artifacts.
By default, this option is unchecked. |
| Blacklist |
Select this option to collect blacklist artifacts.
By default, this option is unchecked. |
| Artifact Score |
Score operator based on which you want to collect artifacts from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Score Value |
Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect artifacts from Infocyte.
|
| Count |
Count operator based on which you want to collect artifacts from Infocyte.
You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal.
|
| Count Value |
Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect artifacts from Infocyte. |
| Signed |
Select this option to collect signed artifacts.
By default, this option is unchecked. |
| Not Signed |
Select this option to collect not signed artifacts.
By default, this option is unchecked. |
| Package Manager |
Select this option to collect package managed artifacts.
By default, this option is unchecked. |
| No Package Manager |
Select this option to collect not package managed artifacts.
By default, this option is unchecked. |
| Antivirus Data |
Select this option to collect antivirus data for artifacts.
By default, this option is unchecked. |
| No Antivirus Data |
Select this option to collect no antivirus data for artifacts.
By default, this option is unchecked. |
| Static Analysis |
Select this option to collect static analysis data for artifacts.
By default, this option is unchecked. |
| No Static Analysis |
Select this option to collect no static analysis data for artifacts.
By default, this option is unchecked. |
| Sandbox Analysis |
Select this option to collect sandbox analysis data for artifacts.
By default, this option is unchecked. |
| No Sandbox Analysis |
Select this option to collect no sandbox analysis data for artifacts.
By default, this option is unchecked. |
| Exclude Failures |
Select this option to exclude failures for artifacts.
By default, this option is unchecked. |
| Sort Order |
Orders the search results retrieved from Infocyte.
You can choose either Ascending or Descending. |
| Sort By |
Sorts the search results retrieved from Infocyte based on the filter criterion you have specified.
You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight.
|
| Offset |
Offset, i.e., the index of the first item, based on which the basic information of the artifacts are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of artifact records to be retrieved from Infocyte by this operation. |
| Open Query |
A generalized query that you can enter in this field to get details of artifacts from Infocyte.
For example, {"where" : {"id" : "000c5fa0548fe249b5e1f37d496ea6078aaf6301"}} |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
operation: Get Artifact Details
Input parameters
| Parameter |
Description |
| Artifact ID |
ID of the artifact whose details you want to retrieve from Infocyte. |
| Offset |
Offset, i.e., the index of the first item, based on which the details of the artifacts are retrieved from Infocyte.
By default, this is set to 0. |
| Pagination Limit |
Maximum number of artifact records to be retrieved from Infocyte by this operation. |
Output
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Included playbooks
The Sample - Infocyte - 1.1.0 playbook collection comes bundled with the Infocyte connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Infocyte connector.
- Get Accounts
- Get Artifact Details
- Get Artifacts
- Get Driver Details
- Get Drivers
- Get Host Addresses
- Get Host Artifacts
- Get Module Details
- Get Modules
- Get Process Details
- Get Processes
- Get Scans
- Get Scans Of Target
- Get Scan Status By User Task ID
- Get Target Group Details
- Run Scan
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
