Infocyte automates the process of threat hunting, allowing you to dig deep into forensics and eliminate threats quickly.
This document provides information about the Infocyte connector, which facilitates automated interactions with your Infocyte server using FortiSOAR™ playbooks. Add the Infocyte connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of hosts that are added in Infocyte, triggering a scan on a host, and retrieving scan details from Infocyte.
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Infocyte connector in version 1.1.0:
Note: The configuration parameters for the Infocyte connector in version 1.1.0 are different from those of the earlier versions; therefore, the connector configurations of the previous version are unavailable and you must reconfigure this connector. To configure Infocyte 1.1.0, you require the API key to connect to the Infocyte server.
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-infocyte
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Infocyte connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Infocyte server to which you will connect and perform the automated operations. |
API Key | API Key of the Infocyte server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Scans Of Target | Get scans associated with a specific target from Infocyte, based on the target ID you have specified. | get_scans_of_target Investigation |
Get Hosts Artifacts | Retrieves details of all artifacts or a specific artifact associated with hosts, based on the open query you have specified from Infocyte. | get_hosts_artifacts Investigation |
Get Host Addresses | Retrieves addresses of all the hosts, or specific hosts based on the host ID and other input parameters you have specified from Infocyte. | get_host_address Investigation |
Get Target Group Details | Retrieves details of all target groups, or specific target groups, based on the target group ID and other input parameters you have specified from Infocyte. | get_target_group Investigation |
Run Scan | Triggers a scan on a host on Infocyte based on the target ID, and optionally the host address ID and other input parameters that you have specified. | run_scan Investigation |
Get Scans | Retrieves details of all scans, or specific scans based on the input parameters that you have specified from Infocyte. | get_scans Investigation |
Get Scan Status By User Task ID | Retrieves the status of all scans, or specific scans based on the user task ID that you have specified from Infocyte. | get_scan_status_by_user_taskid Investigation |
Get Processes | Retrieves basic information, such as threat, score, etc., for all processes, or for specific processes based on the target ID and other input parameters that you have specified from Infocyte. | get_processes Investigation |
Get Process Details | Retrieves all details for all processes, or specific processes based on the process ID and other input parameters that you have specified from Infocyte. | get_processes_details Investigation |
Get Accounts | Retrieves details of all accounts, or specific accounts based on the target ID and other input parameters that you have specified from Infocyte. | get_accounts Investigation |
Get Modules | Retrieves basic information, such as threat, score, etc., for all modules, or for specific modules based on the target ID and other input parameters that you have specified from Infocyte. | get_modules Investigation |
Get Module Details | Retrieves all details for all modules, or specific modules based on the module ID that you have specified from Infocyte. | get_modules_details Investigation |
Get Drivers | Retrieves basic information, such as threat, score, etc., for all drivers, or for specific drivers based on the target ID and other input parameters that you have specified from Infocyte. | get_drivers Investigation |
Get Driver Details | Retrieves details of all drivers, or specific drivers based on the driver ID that you have specified from Infocyte. | get_drivers_details Investigation |
Get Artifacts | Retrieves basic information, such as threat, score, etc., for all artifacts, or for specific artifacts based on the target ID and other input parameters that you have specified from Infocyte. | get_artifacts Investigation |
Get Artifact Details | Retrieves details of all artifacts, or specific artifacts based on the artifact ID that you have specified from Infocyte. | get_artifacts_details Investigation |
Parameter | Description |
---|---|
Target ID | ID of the target whose associated scans details you want to retrieve from Infocyte. |
The output contains the following populated JSON schema:
[
{
"startedOn": "",
"autostartCount": "",
"moduleCount": "",
"accountCount": "",
"targetDeleted": "",
"completedOn": "",
"memoryCount": "",
"id": "",
"totalHostCount": "",
"name": "",
"applicationCount": "",
"hookCount": "",
"targetId": "",
"scriptCount": "",
"processCount": "",
"artifactCount": "",
"connectionCount": "",
"updatedOn": "",
"hostCount": "",
"targetName": "",
"driverCount": ""
}
]
Parameter | Description |
---|---|
Open Query | (Optional) A generalized query that you can enter in this field to get artifacts details for hosts on Infocyte. For example, {"where" : {"hostname":"AD"}} |
The output contains the following populated JSON schema:
[
{
"hostname": "",
"hostId": "",
"signed": "",
"path": "",
"avTotal": "",
"hasAvScan": "",
"staticAnalysis": "",
"notMalicious": "",
"hostScanId": "",
"synapse": "",
"whitelist": "",
"flagName": "",
"managed": "",
"flagColor": "",
"localWhitelist": "",
"compromised": "",
"threatWeight": "",
"localBlacklist": "",
"scannedOn": "",
"blacklist": "",
"modifiedOn": "",
"artifactType": "",
"suspicious": "",
"threatScore": "",
"avPositives": "",
"unknown": "",
"id": "",
"flagWeight": "",
"name": "",
"artifactId": "",
"scanId": "",
"hitCount": "",
"threatName": "",
"malicious": "",
"dynamicAnalysis": "",
"flagId": "",
"failed": "",
"fileRepId": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
The 'id' field in the output is the address ID.
Parameter | Description |
---|---|
Filter By | Filter hosts that are retrieved from Infocyte, based on the entity that you select in this field. You can choose from the following options: Hostname, IP Address, or TargetID. |
Filter Value | Value of the filter based on which you want to filter hosts from Infocyte. The filter value that you specify will be based on the Filter By option you have chosen. |
Offset | Index of the first item from which the list of hosts is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of host records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of hosts on Infocyte. For example, {"where": {"hostname":"AD"}} |
The output contains the following populated JSON schema:
[
{
"port135": "",
"lastScannedOn": "",
"port5986": "",
"port22": "",
"accessWmi": "",
"accessSsh": "",
"osLinux": "",
"username": "",
"latency": "",
"agentId": "",
"accessible": "",
"lastScanDate": "",
"os": "",
"taskId": "",
"hostname": "",
"accessSmb": "",
"accessPs": "",
"port445": "",
"osOther": "",
"id": "",
"osOSX": "",
"ip": "",
"deleted": "",
"targetId": "",
"port139": "",
"accessRst": "",
"queryId": "",
"osWindows": "",
"ipstring": "",
"lastAccessedOn": "",
"failed": "",
"failureReason": "",
"accessAgent": ""
}
]
Parameter | Description |
---|---|
Target Group ID | ID of the target group whose details you want to retrieve from Infocyte. |
Offset | Index of the first item from which the list of target groups is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of target groups to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of target groups from Infocyte. For example, {"where" : {"id" : "e42e963178fb46dbfac23c197dd0116149d4e81b"}} |
The output contains the following populated JSON schema:
[
{
"deleted": "",
"totalAddressCount": "",
"lastScannedOn": "",
"id": "",
"reachableAddressCount": "",
"name": "",
"accessibleAddressCount": ""
}
]
Parameter | Description |
---|---|
Target ID | ID of the target on which you want to run the scan on Infocyte. |
Host Address ID | ID of the host on which you want to run the scan on Infocyte. |
Collect Drivers | Select this option to collect driver information. By default, this option is unchecked. |
Collect Memory | Select this option to collect memory information. By default, this option is unchecked. |
Collect Artifacts | Select this option to collect artifacts information. By default, this option is unchecked. |
Collect Autostarts | Select this option to collect autostarts information. By default, this option is unchecked. |
Collect Hooks | Select this option to collect hooks information. By default, this option is unchecked. |
Collect Network Connections | Select this option to collect network connections information. By default, this option is unchecked. |
Collect Applications | Select this option to collect applications information. By default, this option is unchecked. |
Delete survey after execution | Select this option to delete the survey after the scan is executed. By default, this option is unchecked. |
Delete log after execution | Select this option to delete the logs after the scan is executed. By default, this option is unchecked. |
The output contains the following populated JSON schema:
[
{
"userTaskId": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Offset | Index of the first item based on which the details of scans are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of scan records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of scans from Infocyte. For example, {"where": {"scanId":"306eb731-215b-1f1f-6c07-257d632d5687"}} |
The output contains the following populated JSON schema:
[
{
"ip": "",
"remediated": "",
"remediatedByUserId": "",
"boxId": "",
"id": "",
"completedOn": "",
"compromised": "",
"addressId": "",
"failed": "",
"scanId": "",
"remediatedOn": "",
"hostId": ""
}
]
Parameter | Description |
---|---|
User Task ID | (Optional) ID of the user task whose scan status you want to retrieve from Infocyte. |
The output contains the following populated JSON schema:
{
"status": "",
"jobId": "",
"createdOn": "",
"progress": "",
"endedOn": "",
"message": "",
"type": "",
"userId": "",
"id": "",
"itemCount": "",
"archived": "",
"stats": "",
"data": {
"scanName": "",
"scanId": "",
"updatedOn": ""
},
"name": "",
"startedOn": "",
"relatedId": ""
}
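The Run Scan operation only returns a userTaskId; the scan itself runs asynchronously, and Get Scan Status By User Task ID is how a playbook learns whether it has finished. The following is an added example, not code from the connector or from Fortinet, showing how to chain the two operations with a bounded poll so that a task that never completes cannot stall the playbook indefinitely. The two operations are passed in as callables, and a constructed in-memory stand-in plays the server; the terminal status values ("completed", "failed", "cancelled") and the "running" value are assumptions for this example, not documented Infocyte values, and must be checked against the status strings your server actually returns.

```python
import time
from typing import Any, Callable, Dict, Tuple

# Assumed terminal values of the "status" field; confirm against your server.
TERMINAL_STATES = {"completed", "failed", "cancelled"}


def wait_for_scan(run_scan: Callable[[], Dict[str, Any]],
                  get_status: Callable[[str], Dict[str, Any]],
                  poll_interval: float = 0.0,
                  max_polls: int = 30) -> Dict[str, Any]:
    """Trigger a scan, then poll its user task until it reaches a terminal state.

    run_scan   returns the Run Scan output, i.e. {"userTaskId": "..."}.
    get_status returns the Get Scan Status By User Task ID output for that task.
    The poll count is bounded so a task that never finishes raises instead of
    hanging the playbook step.
    """
    task = run_scan()
    task_id = task.get("userTaskId")
    if not task_id:
        raise RuntimeError("Run Scan returned no userTaskId")
    last: Dict[str, Any] = {}
    for _ in range(max_polls):
        last = get_status(task_id)
        if last.get("status") in TERMINAL_STATES:
            return last
        time.sleep(poll_interval)
    raise TimeoutError(
        f"task {task_id} still {last.get('status')!r} after {max_polls} polls")


def make_fake_server(finish_after: int, final_status: str = "completed"
                     ) -> Tuple[Callable[[], Dict[str, Any]], Callable[[str], Dict[str, Any]]]:
    """Constructed stand-in for the two connector operations (not a real Infocyte API).

    The task reports "running" until it has been polled finish_after times,
    then reports final_status with progress 100.
    """
    state = {"polls": 0}

    def run_scan() -> Dict[str, Any]:
        return {"userTaskId": "task-0001"}  # constructed sample task ID

    def get_status(task_id: str) -> Dict[str, Any]:
        state["polls"] += 1
        done = state["polls"] >= finish_after
        # Field names follow the page's scan-status schema; values are constructed.
        return {
            "id": task_id,
            "type": "scan",
            "status": final_status if done else "running",
            "progress": 100 if done else int(100 * state["polls"] / finish_after),
            "message": "",
            "data": {"scanName": "example", "scanId": "scan-0001", "updatedOn": ""},
        }

    return run_scan, get_status


if __name__ == "__main__":
    run, status = make_fake_server(finish_after=3)
    print(wait_for_scan(run, status))
```

In a real playbook the two callables would wrap the connector's Run Scan and Get Scan Status By User Task ID steps, and poll_interval would be set to something sensible for the scan sizes involved; a failed or cancelled terminal state is returned to the caller rather than hidden, so the playbook can branch on it.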
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose basic process information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic process information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on target whose basic process information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good processes. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good processes. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad processes. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad processes. By default, this option is unchecked. |
Good | Select this option to collect good processes. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk processes. By default, this option is unchecked. |
Bad | Select this option to collect bad processes. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious processes. By default, this option is unchecked. |
Unknown | Select this option to collect unknown processes. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist processes. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist processes. By default, this option is unchecked. |
Process Score | Score operator based on which you want to collect processes from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect processes from Infocyte. |
Count | Count operator based on which you want to collect processes from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect processes from Infocyte. |
Signed | Select this option to collect signed processes. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed processes. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed processes. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed processes. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for processes. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for processes. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for processes. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for processes. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for processes. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for processes. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for processes. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item, based on which the basic information for processes is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of process records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of processes from Infocyte. For example, {"where" : {"id" : "013a30d953c16d2313956b76503532a542e1b8ac"}} The following is an example of a complex open query: {"where":{"and":[{"and":[{"signed":true},{"hasAvScan":false}]},{"hitCount":{"gte":5}},{"boxId":"f0a14878-2012-4b8f-bf1c-f6922034686a"}]},"order":["threatWeight desc","id"],"limit":25,"skip":0} |
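The Open Query field accepts a JSON filter object; the complex example above shows the shape (a "where" clause with nested "and" lists and comparison operators such as "gte", plus "order", "limit" and "skip"). Because the field is free text, a playbook that assembles it by string concatenation can produce unbalanced braces or let a hostname or ID from an earlier step rewrite the query. The following is an added example, not part of the connector or its documentation, that builds the query from typed conditions with json.dumps and validates a hand-written query before it is sent. The set of accepted top-level keys is taken from the page's examples; the operator list beyond "gte", and the mapping of the Offset and Pagination Limit parameters onto "skip" and "limit", are this example's assumptions.

```python
import json
from typing import Any, Dict, List, Optional

# Top-level keys that appear in this page's open-query examples. Rejecting any
# other key is this example's own policy, not a rule documented by the connector.
ALLOWED_TOP_LEVEL = {"where", "order", "limit", "skip"}

# "gte" appears in the page's complex example; the others are assumed
# LoopBack-style operators and may not all be accepted by a given server.
ALLOWED_OPERATORS = {"gt", "gte", "lt", "lte", "neq", "inq", "nin", "like", "between"}


def build_open_query(conditions: List[Dict[str, Any]],
                     order: Optional[List[str]] = None,
                     offset: int = 0,
                     limit: Optional[int] = None) -> str:
    """Serialise filter conditions into the JSON text the Open Query field expects.

    Each condition is one {field: value} or {field: {operator: value}} dict.
    Several conditions are combined under an explicit "and", as in the page's
    complex example, so precedence is never left to the server. Offset and
    Pagination Limit are mapped onto the query's "skip" and "limit" keys.
    """
    if not conditions:
        raise ValueError("at least one condition is required")
    for cond in conditions:
        if len(cond) != 1:
            raise ValueError(f"each condition must name exactly one field: {cond}")
        (field, value), = cond.items()
        if isinstance(value, dict):
            bad = set(value) - ALLOWED_OPERATORS
            if bad:
                raise ValueError(f"unsupported operator(s) {sorted(bad)} on {field!r}")
    where = conditions[0] if len(conditions) == 1 else {"and": list(conditions)}
    query: Dict[str, Any] = {"where": where}
    if order:
        query["order"] = list(order)
    if limit is not None:
        if limit <= 0:
            raise ValueError("limit must be a positive integer")
        query["limit"] = limit
    if offset:
        if offset < 0:
            raise ValueError("offset must not be negative")
        query["skip"] = offset
    # json.dumps guarantees balanced braces and proper quoting; values that came
    # from user input are emitted as data, never spliced into the query text.
    return json.dumps(query, separators=(",", ":"))


def validate_open_query(text: str) -> Dict[str, Any]:
    """Parse a hand-written Open Query and reject malformed or unexpected input."""
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"open query is not valid JSON: {exc.msg} at offset {exc.pos}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("open query must be a JSON object")
    unknown = set(parsed) - ALLOWED_TOP_LEVEL
    if unknown:
        raise ValueError(f"unexpected top-level key(s): {sorted(unknown)}")
    if "where" in parsed and not isinstance(parsed["where"], dict):
        raise ValueError('"where" must be a JSON object')
    for key in ("limit", "skip"):
        val = parsed.get(key)
        if val is not None and (isinstance(val, bool) or not isinstance(val, int) or val < 0):
            raise ValueError(f'"{key}" must be a non-negative integer')
    return parsed


if __name__ == "__main__":
    # Constructed sample: the page's complex example rebuilt from typed conditions,
    # with a placeholder box ID in place of a real one.
    text = build_open_query(
        [{"signed": True}, {"hasAvScan": False}, {"hitCount": {"gte": 5}},
         {"boxId": "00000000-0000-0000-0000-000000000000"}],
        order=["threatWeight desc", "id"], offset=0, limit=25)
    print(text)
    print(validate_open_query(text))
```

A query with a stray or missing brace, the kind of slip that is easy to make when typing the field by hand, is reported by validate_open_query instead of being sent to the server and failing there; the builder produces a flat "and" of all conditions rather than the nested "and" in the page's example, which filters the same records.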
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Process ID | ID of the process whose details you want to retrieve from Infocyte. |
Pagination Limit | Maximum number of process records to be retrieved from Infocyte by this operation. |
Offset | Offset, i.e., the index of the first item, based on which the details for the processes are retrieved from Infocyte. By default, this is set to 0. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose accounts details you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve account details from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose account information you want to retrieve from Infocyte. |
Admin | Select this option to collect admin privilege accounts. By default, this option is unchecked. |
User | Select this option to collect user privilege accounts. By default, this option is unchecked. |
Guest | Select this option to collect guest privilege accounts. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Name, Domain, Privileges, Hit Count, Logon Count, or Compromised. |
Offset | Offset, i.e., the index of the first item, based on which the details of accounts are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of account records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of accounts from Infocyte. For example, {"where" : {"id" : "0033240e-0612-40f0-8f5a-0bb891c53624"}} |
The output contains the following populated JSON schema:
[
{
"boxId": "",
"flagWeight": "",
"domain": "",
"remediatedBy": "",
"hitCount": "",
"remediatedByUserId": "",
"flagName": "",
"name": "",
"logonCount": "",
"remediatedOn": "",
"flagId": "",
"uid": "",
"id": "",
"compromised": "",
"priv": "",
"accountId": "",
"flagColor": "",
"remediated": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose module basic information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic module information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose basic module information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good modules. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good modules. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad modules. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad modules. By default, this option is unchecked. |
Good | Select this option to collect good modules. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk modules. By default, this option is unchecked. |
Bad | Select this option to collect bad modules. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious modules. By default, this option is unchecked. |
Unknown | Select this option to collect unknown modules. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist modules. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist modules. By default, this option is unchecked. |
Module Score | Score operator based on which you want to collect modules from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect modules from Infocyte. |
Count | Count operator based on which you want to collect modules from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect modules from Infocyte. |
Signed | Select this option to collect signed modules. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed modules. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed modules. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed modules. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for modules. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for modules. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for modules. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for modules. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for modules. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for modules. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for modules. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item, based on which the basic information for modules is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of module records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of modules from Infocyte. For example, {"where" : {"id" : "1443b55832f5499cd5989bc69115674371d877f7"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Module ID | ID of the module whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item, based on which the details for modules are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of module records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose driver basic information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic driver information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose driver basic information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good drivers. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good drivers. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad drivers. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad drivers. By default, this option is unchecked. |
Good | Select this option to collect good drivers. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk drivers. By default, this option is unchecked. |
Bad | Select this option to collect bad drivers. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious drivers. By default, this option is unchecked. |
Unknown | Select this option to collect unknown drivers. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist drivers. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist drivers. By default, this option is unchecked. |
Driver Score | Score operator based on which you want to collect drivers from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect drivers from Infocyte. |
Count | Count operator based on which you want to collect drivers from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect drivers from Infocyte. |
Signed | Select this option to collect signed drivers. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed drivers. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed drivers. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed drivers. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for drivers. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for drivers. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for drivers. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for drivers. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for drivers. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for drivers. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for drivers. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item, based on which the basic information for drivers is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of driver records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of drivers from Infocyte. For example, {"where" : {"id" : "019b92c309e1e700e94e6d9bf7710d6f868db650"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Parameter | Description |
---|---|
Driver ID | ID of the driver whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item, based on which the details for drivers are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of driver records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose basic artifact information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic artifact information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose basic artifact information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good artifacts. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good artifacts. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad artifacts. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad artifacts. By default, this option is unchecked. |
Good | Select this option to collect good artifacts. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk artifacts. By default, this option is unchecked. |
Bad | Select this option to collect bad artifacts. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious artifacts. By default, this option is unchecked. |
Unknown | Select this option to collect unknown artifacts. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist artifacts. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist artifacts. By default, this option is unchecked. |
Artifact Score | Score operator based on which you want to collect artifacts from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect artifacts from Infocyte. |
Count | Count operator based on which you want to collect artifacts from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect artifacts from Infocyte. |
Signed | Select this option to collect signed artifacts. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed artifacts. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed artifacts. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed artifacts. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for artifacts. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for artifacts. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for artifacts. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for artifacts. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for artifacts. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for artifacts. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for artifacts. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item, based on which the basic information of the artifacts is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of artifact records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of artifacts from Infocyte. For example, {"where" : {"id" : "000c5fa0548fe249b5e1f37d496ea6078aaf6301"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
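The fields above are what a playbook step receives once Get Artifacts returns. As an added example (not connector code from Fortinet or Infocyte), the Python below sorts such records into buckets for analyst review: it ranks escalations by threatWeight and threatScore, derives an AV detection ratio that tolerates avTotal being 0 or the file never having been scanned, and keeps failed collections apart so their verdict fields are not trusted. The sample records, the 20% AV threshold, and the assumption that the live API returns booleans and numbers (the schema placeholder shows empty strings) are all constructed or assumed.

```python
from typing import Any, Dict, List, Optional

AV_RATIO_THRESHOLD = 0.2  # assumed tuning value, not taken from the connector documentation

# Constructed sample records shaped like the Get Artifacts output schema.
SAMPLE_ARTIFACTS: List[Dict[str, Any]] = [
    {"id": "a1", "name": "svc.exe", "threatWeight": 85, "threatScore": 7, "malicious": True,
     "suspicious": False, "compromised": True, "unknown": False, "failed": False,
     "hasAvScan": True, "avPositives": 30, "avTotal": 60, "blacklist": False},
    {"id": "a2", "name": "broken.dll", "threatWeight": 0, "threatScore": 0, "malicious": False,
     "suspicious": False, "compromised": False, "unknown": True, "failed": True,
     "hasAvScan": False, "avPositives": 0, "avTotal": 0, "blacklist": False},
    {"id": "a3", "name": "tool.exe", "threatWeight": 40, "threatScore": 4, "malicious": False,
     "suspicious": True, "compromised": False, "unknown": False, "failed": False,
     "hasAvScan": False, "avPositives": 0, "avTotal": 0, "blacklist": False},
    {"id": "a4", "name": "notepad.exe", "threatWeight": 1, "threatScore": 0, "malicious": False,
     "suspicious": False, "compromised": False, "unknown": False, "failed": False,
     "hasAvScan": True, "avPositives": 0, "avTotal": 58, "blacklist": False},
    {"id": "a5", "name": "upd.exe", "threatWeight": 70, "threatScore": 5, "malicious": False,
     "suspicious": False, "compromised": False, "unknown": False, "failed": False,
     "hasAvScan": True, "avPositives": 15, "avTotal": 50, "blacklist": False},
    {"id": "a6", "name": "helper.bin", "threatWeight": 10, "threatScore": 1, "malicious": False,
     "suspicious": False, "compromised": False, "unknown": True, "failed": False,
     "hasAvScan": False, "avPositives": 0, "avTotal": 0, "blacklist": False},
]


def av_detection_ratio(rec: Dict[str, Any]) -> Optional[float]:
    """Fraction of AV engines that flagged the file, or None when there is no usable scan."""
    total = rec.get("avTotal") or 0
    if not rec.get("hasAvScan") or total <= 0:
        return None  # "never scanned" must not look like "scanned and clean"
    return (rec.get("avPositives") or 0) / total


def escalation_reasons(rec: Dict[str, Any]) -> List[str]:
    """Collect the verdict fields that justify putting a record in front of an analyst."""
    reasons = [flag for flag in ("malicious", "suspicious", "compromised") if rec.get(flag)]
    if rec.get("blacklist") or rec.get("localBlacklist"):
        reasons.append("blacklisted")
    ratio = av_detection_ratio(rec)
    if ratio is not None and ratio >= AV_RATIO_THRESHOLD:
        reasons.append(f"av {ratio:.0%}")
    return reasons


def triage(records: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Bucket records into failed, escalate (ranked), needs_enrichment and clear."""
    out: Dict[str, List[Dict[str, Any]]] = {"failed": [], "escalate": [], "needs_enrichment": [], "clear": []}
    for rec in records:
        entry = {"id": rec.get("id"), "name": rec.get("name")}
        if rec.get("failed"):
            out["failed"].append(entry)  # collection failed, so the verdict fields are not meaningful
            continue
        reasons = escalation_reasons(rec)
        if reasons:
            out["escalate"].append({**entry, "reasons": reasons,
                                    "threatWeight": rec.get("threatWeight") or 0,
                                    "threatScore": rec.get("threatScore") or 0})
        elif rec.get("unknown") and av_detection_ratio(rec) is None:
            out["needs_enrichment"].append(entry)  # no verdict and no AV data: candidate for analysis
        else:
            out["clear"].append(entry)
    out["escalate"].sort(key=lambda e: (e["threatWeight"], e["threatScore"]), reverse=True)
    return out


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_ARTIFACTS).items():
        print(bucket, [e["id"] for e in entries])
```

In a playbook this would sit in a step after Get Artifacts, with the escalate bucket feeding an alert or a Get Artifact Details call for hashes, and the needs_enrichment bucket feeding whatever sandbox or reputation step the environment has.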
Parameter | Description |
---|---|
Artifact ID | ID of the artifact whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item, based on which the details of the artifacts are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of artifact records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
The Sample - Infocyte - 1.1.0 playbook collection comes bundled with the Infocyte connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Infocyte connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Function | Description | Annotation and Category |
---|---|---|
Get Scans Of Target | Retrieves scans associated with a specific target from Infocyte, based on the target ID you have specified. | get_scans_of_target Investigation |
Get Hosts Artifacts | Retrieves details of all artifacts or a specific artifact associated with hosts, based on the open query you have specified from Infocyte. | get_hosts_artifacts Investigation |
Get Host Addresses | Retrieves addresses of all the hosts, or specific hosts based on the host ID and other input parameters you have specified from Infocyte. | get_host_address Investigation |
Get Target Group Details | Retrieves details of all target groups, or specific target groups, based on the target group ID and other input parameters you have specified from Infocyte. | get_target_group Investigation |
Run Scan | Triggers a scan on a host on Infocyte based on the target ID, and optionally the host address ID and other input parameters that you have specified. | run_scan Investigation |
Get Scans | Retrieves details of all scans, or specific scans based on the input parameters that you have specified from Infocyte. | get_scans Investigation |
Get Scan Status By User Task ID | Retrieves the status of all scans, or specific scans based on the user task ID that you have specified from Infocyte. | get_scan_status_by_user_taskid Investigation |
Get Processes | Retrieves basic information, such as threat score, etc., for all processes, or specific processes based on the target ID and other input parameters that you have specified from Infocyte. | get_processes Investigation |
Get Process Details | Retrieves all details for all processes, or specific processes based on the process ID and other input parameters that you have specified from Infocyte. | get_processes_details Investigation |
Get Accounts | Retrieves details of all accounts, or specific accounts based on the target ID and other input parameters that you have specified from Infocyte. | get_accounts Investigation |
Get Modules | Retrieves basic information, such as threat score, etc., for all modules, or a specific module based on the target ID and other input parameters that you have specified from Infocyte. | get_modules Investigation |
Get Module Details | Retrieves all details for all modules, or a specific module based on the module ID that you have specified from Infocyte. | get_modules_details Investigation |
Get Drivers | Retrieves basic information, such as threat score, etc., for all drivers, or a specific driver based on the target ID and other input parameters that you have specified from Infocyte. | get_drivers Investigation |
Get Driver Details | Retrieves details of all drivers, or specific drivers based on the driver ID that you have specified from Infocyte. | get_drivers_details Investigation |
Get Artifacts | Retrieves basic information, such as threat score, etc., for all artifacts, or a specific artifact based on the target ID and other input parameters that you have specified from Infocyte. | get_artifacts Investigation |
Get Artifact Details | Retrieves details of all artifacts, or specific artifacts based on the artifact ID that you have specified from Infocyte. | get_artifacts_details Investigation |
Parameter | Description |
---|---|
Target ID | ID of the target whose associated scans details you want to retrieve from Infocyte. |
The output contains the following populated JSON schema:
[
{
"startedOn": "",
"autostartCount": "",
"moduleCount": "",
"accountCount": "",
"targetDeleted": "",
"completedOn": "",
"memoryCount": "",
"id": "",
"totalHostCount": "",
"name": "",
"applicationCount": "",
"hookCount": "",
"targetId": "",
"scriptCount": "",
"processCount": "",
"artifactCount": "",
"connectionCount": "",
"updatedOn": "",
"hostCount": "",
"targetName": "",
"driverCount": ""
}
]
Parameter | Description |
---|---|
Open Query | (Optional) A generalized query that you can enter in this field to get artifacts details for hosts on Infocyte. For example, {"where" : {"hostname":"AD"}} |
The output contains the following populated JSON schema:
[
{
"hostname": "",
"hostId": "",
"signed": "",
"path": "",
"avTotal": "",
"hasAvScan": "",
"staticAnalysis": "",
"notMalicious": "",
"hostScanId": "",
"synapse": "",
"whitelist": "",
"flagName": "",
"managed": "",
"flagColor": "",
"localWhitelist": "",
"compromised": "",
"threatWeight": "",
"localBlacklist": "",
"scannedOn": "",
"blacklist": "",
"modifiedOn": "",
"artifactType": "",
"suspicious": "",
"threatScore": "",
"avPositives": "",
"unknown": "",
"id": "",
"flagWeight": "",
"name": "",
"artifactId": "",
"scanId": "",
"hitCount": "",
"threatName": "",
"malicious": "",
"dynamicAnalysis": "",
"flagId": "",
"failed": "",
"fileRepId": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
The 'id' field in the output is the address ID.
Parameter | Description |
---|---|
Filter By | Filter hosts that are retrieved from Infocyte, based on the entity that you select in this field. You can choose from the following options: Hostname, IP Address, or TargetID. |
Filter Value | Value of the filter based on which you want to filter hosts from Infocyte. The filter value that you specify will be based on the Filter By option you have chosen. |
Offset | Index of the first item based on which the list of hosts are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of host records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of hosts on Infocyte. For example, {"where": {"hostname":"AD"}} |
The output contains the following populated JSON schema:
[
{
"port135": "",
"lastScannedOn": "",
"port5986": "",
"port22": "",
"accessWmi": "",
"accessSsh": "",
"osLinux": "",
"username": "",
"latency": "",
"agentId": "",
"accessible": "",
"lastScanDate": "",
"os": "",
"taskId": "",
"hostname": "",
"accessSmb": "",
"accessPs": "",
"port445": "",
"osOther": "",
"id": "",
"osOSX": "",
"ip": "",
"deleted": "",
"targetId": "",
"port139": "",
"accessRst": "",
"queryId": "",
"osWindows": "",
"ipstring": "",
"lastAccessedOn": "",
"failed": "",
"failureReason": "",
"accessAgent": ""
}
]
Parameter | Description |
---|---|
Target Group ID | ID of the target group whose details you want to retrieve from Infocyte. |
Offset | Index of the first item based on which the list of target groups are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of target groups to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of target groups from Infocyte. For example, {"where" : {"id" : "e42e963178fb46dbfac23c197dd0116149d4e81b"}} |
The output contains the following populated JSON schema:
[
{
"deleted": "",
"totalAddressCount": "",
"lastScannedOn": "",
"id": "",
"reachableAddressCount": "",
"name": "",
"accessibleAddressCount": ""
}
]
Parameter | Description |
---|---|
Target ID | ID of the target on which you want to run the scan on Infocyte. |
Host Address ID | ID of the host on which you want to run the scan on Infocyte. |
Collect Drivers | Select this option to collect driver information. By default, this option is unchecked. |
Collect Memory | Select this option to collect memory information. By default, this option is unchecked. |
Collect Artifacts | Select this option to collect artifacts information. By default, this option is unchecked. |
Collect Autostarts | Select this option to collect autostarts information. By default, this option is unchecked. |
Collect Hooks | Select this option to collect hooks information. By default, this option is unchecked. |
Collect Network Connections | Select this option to collect network connections information. By default, this option is unchecked. |
Collect Applications | Select this option to collect applications information. By default, this option is unchecked. |
Delete survey after execution | Select this option to delete the survey after the scan is executed. By default, this option is unchecked. |
Delete log after execution | Select this option to delete the logs after the scan is executed. By default, this option is unchecked. |
The output contains the following populated JSON schema:
[
{
"userTaskId": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Offset | Index of the first item based on which the details of scans are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of scan records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of scans from Infocyte. For example, {"where": {"scanId":"306eb731-215b-1f1f-6c07-257d632d5687"}} |
The output contains the following populated JSON schema:
[
{
"ip": "",
"remediated": "",
"remediatedByUserId": "",
"boxId": "",
"id": "",
"completedOn": "",
"compromised": "",
"addressId": "",
"failed": "",
"scanId": "",
"remediatedOn": "",
"hostId": ""
}
]
Parameter | Description |
---|---|
User Task ID | (Optional) ID of the user task whose scan status you want to retrieve from Infocyte. |
The output contains the following populated JSON schema:
{
"status": "",
"jobId": "",
"createdOn": "",
"progress": "",
"endedOn": "",
"message": "",
"type": "",
"userId": "",
"id": "",
"itemCount": "",
"archived": "",
"stats": "",
"data": {
"scanName": "",
"scanId": "",
"updatedOn": ""
},
"name": "",
"startedOn": "",
"relatedId": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose basic process information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic process information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose basic process information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good processes. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good processes. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad processes. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad processes. By default, this option is unchecked. |
Good | Select this option to collect good processes. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk processes. By default, this option is unchecked. |
Bad | Select this option to collect bad processes. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious processes. By default, this option is unchecked. |
Unknown | Select this option to collect unknown processes. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist processes. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist processes. By default, this option is unchecked. |
Process Score | Score operator based on which you want to collect processes from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect processes from Infocyte. |
Count | Count operator based on which you want to collect processes from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect processes from Infocyte. |
Signed | Select this option to collect signed processes. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed processes. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed processes. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed processes. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for processes. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for processes. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for processes. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for processes. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for processes. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for processes. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for processes. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item, based on which the basic information for processes is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of process records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of processes from Infocyte. For example, {"where" : {"id" : "013a30d953c16d2313956b76503532a542e1b8ac"}}. The following is an example of a more complex open query that combines conditions, ordering and pagination: {"where":{"and":[{"and":[{"signed":true},{"hasAvScan":false}]},{"hitCount":{"gte":5}},{"boxId":"f0a14878-2012-4b8f-bf1c-f6922034686a"}]},"order":["threatWeight desc","id"],"limit":25,"skip":0} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
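The open query examples in this document share one shape: a where clause, an optional order list, and limit/skip for paging, which is the same thing the Sort By, Sort Order, Offset and Pagination Limit fields express separately. The Python below is an added example (not connector code from Fortinet or Infocyte) showing how a playbook could assemble that structure from the table's operator labels and then walk a large result set page by page without looping forever if a server ignores limit. Only the gte operator key appears in the document; gt, lt, lte and between, the field names behind the Sort By labels, and the in-memory stand-in for the Infocyte server are assumptions to verify against your own instance.

```python
import json
from typing import Any, Callable, Dict, Iterator, List, Optional

# Operator keys: "gte" appears in the complex query example in this document; the rest are
# ASSUMED to follow the same LoopBack-style filter syntax and should be checked against your server.
OPERATORS = {"Equals": None, "Greater than": "gt", "Greater or Equal": "gte",
             "Less Than": "lt", "Less or Equal": "lte", "Between": "between"}

# ASSUMED mapping from the Sort By labels in the parameter table to output field names.
SORT_FIELDS = {"Path": "path", "Hit Count": "hitCount",
               "Threat Score": "threatScore", "Threat Weight": "threatWeight"}


def compare(field: str, operator: str, value: Any) -> Dict[str, Any]:
    """Build one where-clause term from a Score/Count style operator label and value."""
    key = OPERATORS[operator]  # an unknown label raises KeyError on purpose
    if key is None:
        return {field: value}
    if key == "between":
        if not isinstance(value, (list, tuple)) or len(value) != 2:
            raise ValueError("Between needs a [low, high] pair")
        return {field: {"between": list(value)}}
    return {field: {key: value}}


def build_open_query(terms: List[Dict[str, Any]], sort_by: Optional[str] = None,
                     sort_order: str = "Descending", limit: int = 25, skip: int = 0) -> Dict[str, Any]:
    """Assemble where/order/limit/skip the way the complex example above is laid out."""
    if not terms:
        where: Dict[str, Any] = {}
    elif len(terms) == 1:
        where = terms[0]
    else:
        where = {"and": list(terms)}
    query: Dict[str, Any] = {"where": where}
    if sort_by:
        direction = "desc" if sort_order == "Descending" else "asc"
        query["order"] = [f"{SORT_FIELDS[sort_by]} {direction}", "id"]  # id as a stable tie-break
    query["limit"] = int(limit)
    query["skip"] = int(skip)
    return query


def paginate(fetch: Callable[[Dict[str, Any]], List[Dict[str, Any]]], base_query: Dict[str, Any],
             page_size: int, max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every matching record by re-issuing the query with an advancing skip."""
    skip = 0
    for _ in range(max_pages):  # hard cap so a server that ignores limit cannot loop forever
        page = fetch({**base_query, "limit": page_size, "skip": skip})
        if len(page) > page_size:
            raise RuntimeError("server returned more rows than requested; limit not honoured")
        yield from page
        if len(page) < page_size:
            return  # short page means this was the last one
        skip += page_size
    raise RuntimeError("pagination cap reached")


# Constructed in-memory stand-in for the Infocyte server (sample data, not real output).
SAMPLE_PROCESSES = [
    {"id": "p01", "hitCount": 12, "threatWeight": 90, "signed": True, "hasAvScan": False},
    {"id": "p02", "hitCount": 3, "threatWeight": 40, "signed": True, "hasAvScan": False},
    {"id": "p03", "hitCount": 7, "threatWeight": 75, "signed": False, "hasAvScan": False},
    {"id": "p04", "hitCount": 9, "threatWeight": 10, "signed": True, "hasAvScan": True},
    {"id": "p05", "hitCount": 5, "threatWeight": 60, "signed": True, "hasAvScan": False},
    {"id": "p06", "hitCount": 1, "threatWeight": 5, "signed": True, "hasAvScan": False},
    {"id": "p07", "hitCount": 20, "threatWeight": 99, "signed": True, "hasAvScan": False},
]


def _matches(rec: Dict[str, Any], where: Dict[str, Any]) -> bool:
    """Evaluate equality, nested "and", and the comparison operators against one record."""
    for field, cond in where.items():
        if field == "and":
            if not all(_matches(rec, c) for c in cond):
                return False
        elif isinstance(cond, dict):
            v = rec.get(field)
            if v is None:
                return False
            for op, arg in cond.items():
                if op == "between":
                    ok = arg[0] <= v <= arg[1]
                else:
                    ok = {"gt": v > arg, "gte": v >= arg, "lt": v < arg, "lte": v <= arg}[op]
                if not ok:
                    return False
        elif rec.get(field) != cond:
            return False
    return True


def fake_fetch(query: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Apply where, order, skip and limit to the sample data the way a server would."""
    rows = [r for r in SAMPLE_PROCESSES if _matches(r, query.get("where", {}))]
    for term in reversed(query.get("order", [])):  # stable sort: apply the last key first
        field, _, direction = term.partition(" ")
        rows.sort(key=lambda r: r[field], reverse=(direction == "desc"))
    skip, limit = query.get("skip", 0), query.get("limit", len(rows))
    return rows[skip:skip + limit]


if __name__ == "__main__":
    q = build_open_query([compare("hitCount", "Greater or Equal", 5)], sort_by="Threat Weight")
    print(json.dumps(q))  # the string to paste into the Open Query field
    print([r["id"] for r in paginate(fake_fetch, q, page_size=2)])
```

Keeping the ordering explicit (and tie-breaking on id) matters for paging: without a deterministic order, two successive requests with different skip values can overlap or skip records.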
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Process ID | ID of the process whose details you want to retrieve from Infocyte. |
Pagination Limit | Maximum number of process records to be retrieved from Infocyte by this operation. |
Offset | Offset, i.e., the index of the first item, based on which the details for the processes are retrieved from Infocyte. By default, this is set to 0. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose accounts details you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve account details from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose account information you want to retrieve from Infocyte. |
Admin | Select this option to collect admin privilege accounts. By default, this option is unchecked. |
User | Select this option to collect user privilege accounts. By default, this option is unchecked. |
Guest | Select this option to collect guest privilege accounts. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Name, Domain, Privileges, Hit Count, Logon Count, or Compromised. |
Offset | Offset, i.e., the index of the first item, based on which the details of accounts are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of account records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of accounts from Infocyte. For example, {"where" : {"id" : "0033240e-0612-40f0-8f5a-0bb891c53624"}} |
The output contains the following populated JSON schema:
[
{
"boxId": "",
"flagWeight": "",
"domain": "",
"remediatedBy": "",
"hitCount": "",
"remediatedByUserId": "",
"flagName": "",
"name": "",
"logonCount": "",
"remediatedOn": "",
"flagId": "",
"uid": "",
"id": "",
"compromised": "",
"priv": "",
"accountId": "",
"flagColor": "",
"remediated": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose basic module information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic module information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose basic module information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good modules. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good modules. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad modules. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad modules. By default, this option is unchecked. |
Good | Select this option to collect good modules. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk modules. By default, this option is unchecked. |
Bad | Select this option to collect bad modules. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious modules. By default, this option is unchecked. |
Unknown | Select this option to collect unknown modules. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist modules. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist modules. By default, this option is unchecked. |
Module Score | Score operator based on which you want to collect modules from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect modules from Infocyte. |
Count | Count operator based on which you want to collect modules from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect modules from Infocyte. |
Signed | Select this option to collect signed modules. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed modules. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed modules. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed modules. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for modules. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for modules. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for modules. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for modules. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for modules. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for modules. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for modules. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item from which the basic information for modules is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of module records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of modules from Infocyte. For example, {"where" : {"id" : "1443b55832f5499cd5989bc69115674371d877f7"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Module ID | ID of the module whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item from which the details for modules are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of module records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose driver basic information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve driver basic information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose driver basic information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good drivers. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good drivers. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad drivers. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad drivers. By default, this option is unchecked. |
Good | Select this option to collect good drivers. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk drivers. By default, this option is unchecked. |
Bad | Select this option to collect bad drivers. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious drivers. By default, this option is unchecked. |
Unknown | Select this option to collect unknown drivers. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist drivers. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist drivers. By default, this option is unchecked. |
Driver Score | Score operator based on which you want to collect drivers from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect drivers from Infocyte. |
Count | Count operator based on which you want to collect drivers from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect drivers from Infocyte. |
Signed | Select this option to collect signed drivers. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed drivers. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed drivers. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed drivers. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for drivers. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for drivers. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for drivers. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for drivers. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for drivers. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for drivers. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for drivers. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item from which the basic information for drivers is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of driver records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of drivers from Infocyte. For example, {"where" : {"id" : "019b92c309e1e700e94e6d9bf7710d6f868db650"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Parameter | Description |
---|---|
Driver ID | ID of the driver whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item from which the details for drivers are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of driver records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Target ID | ID of the target whose basic artifact information you want to retrieve from Infocyte. |
Duration | Duration for which you want to retrieve basic artifact information from Infocyte. You can choose from the following options: Last 7 days, Last 30 days, or Last 90 days. |
Scan ID On Target | ID of the scan on the target whose basic artifact information you want to retrieve from Infocyte. |
Verified Good | Select this option to collect verified good artifacts. By default, this option is unchecked. |
Probably Good | Select this option to collect probably good artifacts. By default, this option is unchecked. |
Probably Bad | Select this option to collect probably bad artifacts. By default, this option is unchecked. |
Verified Bad | Select this option to collect verified bad artifacts. By default, this option is unchecked. |
Good | Select this option to collect good artifacts. By default, this option is unchecked. |
Low Risk | Select this option to collect low risk artifacts. By default, this option is unchecked. |
Bad | Select this option to collect bad artifacts. By default, this option is unchecked. |
Suspicious | Select this option to collect suspicious artifacts. By default, this option is unchecked. |
Unknown | Select this option to collect unknown artifacts. By default, this option is unchecked. |
Whitelist | Select this option to collect whitelist artifacts. By default, this option is unchecked. |
Blacklist | Select this option to collect blacklist artifacts. By default, this option is unchecked. |
Artifact Score | Score operator based on which you want to collect artifacts from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Score Value | Value for the score (considering what you have chosen from the Score drop-down list) based on which you want to collect artifacts from Infocyte. |
Count | Count operator based on which you want to collect artifacts from Infocyte. You can choose from the following options: Between, Equals, Greater than, Greater or Equal, Less Than, Less or Equal. |
Count Value | Value for the count (considering what you have chosen from the Count drop-down list) based on which you want to collect artifacts from Infocyte. |
Signed | Select this option to collect signed artifacts. By default, this option is unchecked. |
Not Signed | Select this option to collect not signed artifacts. By default, this option is unchecked. |
Package Manager | Select this option to collect package managed artifacts. By default, this option is unchecked. |
No Package Manager | Select this option to collect not package managed artifacts. By default, this option is unchecked. |
Antivirus Data | Select this option to collect antivirus data for artifacts. By default, this option is unchecked. |
No Antivirus Data | Select this option to collect no antivirus data for artifacts. By default, this option is unchecked. |
Static Analysis | Select this option to collect static analysis data for artifacts. By default, this option is unchecked. |
No Static Analysis | Select this option to collect no static analysis data for artifacts. By default, this option is unchecked. |
Sandbox Analysis | Select this option to collect sandbox analysis data for artifacts. By default, this option is unchecked. |
No Sandbox Analysis | Select this option to collect no sandbox analysis data for artifacts. By default, this option is unchecked. |
Exclude Failures | Select this option to exclude failures for artifacts. By default, this option is unchecked. |
Sort Order | Orders the search results retrieved from Infocyte. You can choose either Ascending or Descending. |
Sort By | Sorts the search results retrieved from Infocyte based on the filter criterion you have specified. You can choose from the following options: Path, Hit Count, Threat Score, or Threat Weight. |
Offset | Offset, i.e., the index of the first item from which the basic information of the artifacts is retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of artifact records to be retrieved from Infocyte by this operation. |
Open Query | A generalized query that you can enter in this field to get details of artifacts from Infocyte. For example, {"where" : {"id" : "000c5fa0548fe249b5e1f37d496ea6078aaf6301"}} |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"flagColor": "",
"whitelist": "",
"name": "",
"path": "",
"id": "",
"hasAvScan": "",
"signed": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"compromised": "",
"avPositives": "",
"notMalicious": "",
"size": "",
"flagId": "",
"fileRepId": "",
"unknown": "",
"threatName": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
Parameter | Description |
---|---|
Artifact ID | ID of the artifact whose details you want to retrieve from Infocyte. |
Offset | Offset, i.e., the index of the first item from which the details of the artifacts are retrieved from Infocyte. By default, this is set to 0. |
Pagination Limit | Maximum number of artifact records to be retrieved from Infocyte by this operation. |
The output contains the following populated JSON schema:
[
{
"flagWeight": "",
"localBlacklist": "",
"hitCount": "",
"threatScore": "",
"localWhitelist": "",
"compromised": "",
"fileRepId": "",
"whitelist": "",
"name": "",
"timestampSubject": "",
"flagColor": "",
"avPositives": "",
"sha256": "",
"id": "",
"hasAvScan": "",
"signed": "",
"serialNumber": "",
"blacklist": "",
"suspicious": "",
"boxId": "",
"dynamicAnalysis": "",
"staticAnalysis": "",
"managed": "",
"subjectName": "",
"timestampIssuer": "",
"md5": "",
"path": "",
"issuerName": "",
"sha1": "",
"ssdeep": "",
"notMalicious": "",
"size": "",
"flagId": "",
"unknown": "",
"threatName": "",
"signatureType": "",
"synapse": "",
"malicious": "",
"threatWeight": "",
"avTotal": "",
"flagName": "",
"failed": ""
}
]
The Sample - Infocyte - 1.1.0 playbook collection comes bundled with the Infocyte connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Infocyte connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.