FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. It provides threat intelligence that protects Fortinet customers from malicious cyberattacks.
This document provides information about the FortiGuard Threat Intelligence connector, which facilitates automated interactions with FortiGuard Threat Intelligence using FortiSOAR™ playbooks. Add the FortiGuard Threat Intelligence connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about a threat indicator, a static list of threat types and names, or an encyclopedia entry, from FortiGuard Threat Intelligence.
Important: Version 2.0.0 of the FortiGuard Threat Intelligence connector is supported only on FortiSOAR™ version 6.4.4-3164.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 6.4.4-3164
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the FortiGuard Threat Intelligence connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortiguard-threat-intelligence
For the procedure to configure a connector, click here.
Important: If you get an error such as "The version of cryptography does not match the loaded shared object. This can happen if you have multiple copies of cryptography installed in your Python path. Please try creating a new virtual environment to resolve this issue. Loaded python version: 2.7, shared object version: b'3.4.7'" while configuring your connector, you need to remove the stale Python bytecode cache (pycache) and restart the uwsgi service:
1. Go to the /opt/cyops-integrations/integrations/connectors/fortinet-fortiguard-threat-intelligence_2_0_0 directory and remove the cache using the rm -rf __pycache__ command.
2. Restart the uwsgi service using the systemctl restart uwsgi command.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server Name | URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Leave this enabled in production: with verification disabled the connector accepts any certificate, so an attacker in the network path could serve forged threat intelligence to your playbooks. |
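The troubleshooting procedure above (remove the pycache, then restart uwsgi) can be scripted so it is repeatable and verifiable. The following is an added example written for this page, not code shipped with the connector or with FortiSOAR™. It assumes the connector directory named in the procedure and a systemd-managed uwsgi service; it also walks sub-packages, since every package directory keeps its own __pycache__, and confirms the service is active after the restart. Run it as root.

```python
"""Clear stale Python bytecode caches under a FortiSOAR connector directory.

Added example for this page; it automates the pycache/uwsgi procedure and
is not part of the connector. The service restart runs only when the file
is executed as a script, so the functions can be reused safely.
"""
import os
import shutil
import subprocess
from typing import List

# Directory named in the troubleshooting procedure (assumed to exist on the host).
CONNECTOR_DIR = (
    "/opt/cyops-integrations/integrations/connectors/"
    "fortinet-fortiguard-threat-intelligence_2_0_0"
)


def find_pycache_dirs(root: str) -> List[str]:
    """Return every __pycache__ directory under root, including sub-packages."""
    found: List[str] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name == "__pycache__":
                found.append(os.path.join(dirpath, name))
    return found


def remove_pycache(root: str) -> List[str]:
    """Delete all __pycache__ directories under root and return the paths removed.

    Refuses a non-existent root so a mistyped path cannot silently succeed,
    and touches only __pycache__ directories, never connector source files.
    """
    if not os.path.isdir(root):
        raise FileNotFoundError(f"connector directory not found: {root}")
    removed: List[str] = []
    for path in find_pycache_dirs(root):
        shutil.rmtree(path)
        removed.append(path)
    return removed


def restart_uwsgi() -> bool:
    """Restart uwsgi via systemctl and report whether it is active afterwards."""
    subprocess.run(["systemctl", "restart", "uwsgi"], check=True)
    status = subprocess.run(
        ["systemctl", "is-active", "uwsgi"], capture_output=True, text=True
    )
    return status.stdout.strip() == "active"


if __name__ == "__main__":
    for cache_dir in remove_pycache(CONNECTOR_DIR):
        print(f"removed {cache_dir}")
    print("uwsgi active after restart:", restart_uwsgi())
```

If remove_pycache returns an empty list, the cache was already clean and the cryptography mismatch has another cause (for example a second copy of the package elsewhere on the Python path), so check the uwsgi log rather than repeating the restart.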
The following automated operations can be included in playbooks; from version 4.10.0 onwards you can also use the annotations to access these operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Threat Intel Search | Retrieves information about a threat from FortiGuard Threat Intelligence based on the indicator you have specified. | threat_intel_search Investigation |
| Get Threat Categories | Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. | get_threat_categories Investigation |
| Get Encyclopedia Lookup | Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. | get_encyclopedia_lookup Investigation |
Input parameters for the Threat Intel Search operation:
| Parameter | Description |
|---|---|
| Indicator | Indicator (for example an IP address, domain, URL, or file hash) of the threat whose information you want to retrieve from the FortiGuard Threat Intelligence server. |
The output contains the following populated JSON schema:
{
"reference_url": "",
"ioc_cate": "",
"confidence": "",
"wf_cate": "",
"spam_cates": [],
"ioc_tags": [],
"av_cate": ""
}
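A playbook step usually has to turn the Threat Intel Search output above into a decision. The following is an added example written for this page, not code from the connector: it reads a result in the shape of the schema (reference_url, ioc_cate, confidence, wf_cate, spam_cates, ioc_tags, av_cate) and produces a verdict a playbook can branch on. Unpopulated fields arrive as empty strings, so the confidence is parsed defensively. The category names, the confidence threshold, and the verdict labels are assumptions for illustration; adjust them to the values your FortiGuard results actually carry. The sample results are constructed, not real FortiGuard data.

```python
"""Triage one Threat Intel Search result into a playbook-friendly verdict.

Added example for this page, not connector code. Thresholds and category
strings below are assumptions; the schema fields are the ones documented.
"""
from typing import Any, Dict, List

# Assumption: confidence is reported as a number on a 0-100 scale.
HIGH_CONFIDENCE = 70
# Assumption: these category values mean "nothing known"; unpopulated
# fields arrive as "" and must be treated the same way.
BENIGN_CATEGORIES = {"", "unknown", "benign"}


def _as_int(value: Any, default: int = 0) -> int:
    """Parse the confidence field; '' or junk falls back to default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def triage(result: Dict[str, Any]) -> Dict[str, Any]:
    """Summarize a Threat Intel Search result.

    Rules (assumed, for illustration):
      - an av_cate or ioc_cate outside BENIGN_CATEGORIES marks the indicator
        'malicious' at confidence >= HIGH_CONFIDENCE, else 'suspicious';
      - spam categories alone yield 'suspicious';
      - otherwise the indicator is 'clean'.
    """
    reasons: List[str] = []
    confidence = _as_int(result.get("confidence"))
    av = (result.get("av_cate") or "").strip().lower()
    ioc = (result.get("ioc_cate") or "").strip().lower()
    spam = [c for c in (result.get("spam_cates") or []) if c]
    tags = [t for t in (result.get("ioc_tags") or []) if t]

    if av not in BENIGN_CATEGORIES:
        reasons.append(f"antivirus category: {av}")
    if ioc not in BENIGN_CATEGORIES:
        reasons.append(f"IOC category: {ioc}")
    if spam:
        reasons.append("spam categories: " + ", ".join(spam))

    category_hit = av not in BENIGN_CATEGORIES or ioc not in BENIGN_CATEGORIES
    if category_hit:
        verdict = "malicious" if confidence >= HIGH_CONFIDENCE else "suspicious"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "confidence": confidence,
        "reasons": reasons,
        "tags": tags,
        "web_filter_category": result.get("wf_cate") or "",
        "reference_url": result.get("reference_url") or "",
    }


# Constructed sample results in the shape of the documented schema.
SAMPLE_MALICIOUS = {
    "reference_url": "https://example.invalid/lookup",
    "ioc_cate": "Malware",
    "confidence": "90",
    "wf_cate": "Malicious Websites",
    "spam_cates": [],
    "ioc_tags": ["c2"],
    "av_cate": "Trojan",
}
# Every field unpopulated, as the schema shows for an unknown indicator.
SAMPLE_EMPTY = {
    key: ([] if key in ("spam_cates", "ioc_tags") else "")
    for key in SAMPLE_MALICIOUS
}

if __name__ == "__main__":
    print(triage(SAMPLE_MALICIOUS))
    print(triage(SAMPLE_EMPTY))
```

The returned reasons list is what you would write to the alert or indicator comment so an analyst can see why the playbook chose the verdict rather than only the label.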
Input parameters for the Get Threat Categories operation:
| Parameter | Description |
|---|---|
| Title | Title of the threat whose associated threat types and names you want to retrieve from the FortiGuard Threat Intelligence server. |
The output contains the following populated JSON schema:
{
"ctype": "",
"title": "",
"description": ""
}
Input parameters for the Get Encyclopedia Lookup operation:
| Parameter | Description |
|---|---|
| Source | Source of the lookup whose information you want to retrieve from the FortiGuard Threat Intelligence server: Viruses, Intrusion Prevention, Botnet, Endpoint Vulnerabilities, Mobile, Application, or Internet Services. The shape of the output depends on the source you select. |
| ID | ID of the encyclopedia entry whose information you want to retrieve from the FortiGuard Threat Intelligence server. |
If you selected 'Viruses' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Discovered": "",
"Created": "",
"Updated": ""
}
If you selected 'Intrusion Prevention' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"isActive": "",
"Risk": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"DefaultAction": "",
"BehaviorList": [],
"os_list": [],
"app_list": [],
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Released": "",
"Created": "",
"Updated": ""
}
If you selected 'Botnet' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"Platform": "",
"Created": "",
"Updated": ""
}
If you selected 'Endpoint Vulnerabilities' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Risk": "",
"Summary": "",
"Analysis": "",
"Products": [],
"SecurityRefs": [
{
"reftype": "",
"refid": "",
"url": ""
}
],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Created": "",
"Updated": ""
}
If you selected 'Mobile' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Discovered": "",
"Created": "",
"Updated": ""
}
If you selected 'Application' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Category": "",
"Risk": "",
"RiskID": "",
"Popularity": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"DefaultAction": "",
"BehaviorList": [],
"AppPort": "",
"References": [],
"DeepAppCtrl": "",
"Vendor": "",
"Deprecated": "",
"Language": "",
"Technology": [],
"os_list": [],
"app_list": [],
"Released": "",
"Created": "",
"Updated": "",
"RequireApp": []
}
If you selected 'Internet Services' as the Source, the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Analysis": ""
}
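The seven Get Encyclopedia Lookup schemas above share Type, ID and Name but differ elsewhere: Botnet and Internet Services carry no DetectionAvailability, Endpoint Vulnerabilities returns SecurityRefs as objects (reftype, refid, url) where the other sources list plain values, Risk exists only for Intrusion Prevention, Endpoint Vulnerabilities and Application, and Summary is absent from Viruses and Mobile. A playbook that writes the result to an indicator or alert needs one shape regardless of source. The following is an added example for this page, not connector code: it flattens any of the documented schemas into a single record. It assumes Aliases is a comma-separated string and that a DetectionAvailability status of "n/a" means no signature; both are assumptions. The sample entries are constructed, not real FortiGuard encyclopedia records.

```python
"""Normalize Get Encyclopedia Lookup output across the Source-specific schemas.

Added example for this page, not connector code. Field names are the ones
documented above; the Aliases format and status values are assumptions.
"""
from typing import Any, Dict, List


def _refs(raw: Any) -> List[Dict[str, str]]:
    """Coerce SecurityRefs (plain values or reftype/refid/url objects) to dicts."""
    out: List[Dict[str, str]] = []
    for item in raw or []:
        if isinstance(item, dict):
            out.append({k: str(item.get(k, "")) for k in ("reftype", "refid", "url")})
        elif item:
            out.append({"reftype": "", "refid": str(item), "url": ""})
    return out


def _detected_by(raw: Any) -> List[str]:
    """Products with a populated DetectionAvailability status other than n/a."""
    products: List[str] = []
    for entry in raw or []:
        product = str(entry.get("product", "")).strip()
        status = str(entry.get("status", "")).strip().lower()
        if product and status and status not in ("n/a", "no", "unavailable"):
            products.append(product)
    return products


def _aliases(raw: Any) -> List[str]:
    """Assumption: Aliases is a comma-separated string (a list is accepted too)."""
    items = raw if isinstance(raw, list) else str(raw or "").split(",")
    return [str(a).strip() for a in items if str(a).strip()]


def normalize(source: str, entry: Dict[str, Any]) -> Dict[str, Any]:
    """Return a source-independent summary of one encyclopedia entry."""
    record = {
        "source": source,
        "type": entry.get("Type", ""),
        "id": str(entry.get("ID", "")),
        "name": entry.get("Name", ""),
        "risk": entry.get("Risk", ""),  # "" for sources without Risk
        # Viruses/Mobile have no Summary; fall back to Analysis.
        "summary": entry.get("Summary") or entry.get("Analysis") or "",
        "aliases": _aliases(entry.get("Aliases")),
        "references": _refs(entry.get("SecurityRefs")),
        "detected_by": _detected_by(entry.get("DetectionAvailability")),
        "last_updated": entry.get("Updated", ""),
    }
    if source == "Application":
        record["category"] = entry.get("Category", "")
        record["default_action"] = entry.get("DefaultAction", "")
    return record


# Constructed samples shaped like the documented schemas (not real entries).
SAMPLE_VIRUS = {
    "Type": "virus", "ID": "1", "Name": "Example.Trojan",
    "Aliases": "Example.A, Example.B", "Symptoms": "", "Analysis": "Drops a payload.",
    "Action": "", "SecurityRefs": ["EXAMPLE-REF-1"],
    "DetectionAvailability": [
        {"product": "FortiGate", "sigdb": "AV", "status": "available"},
        {"product": "FortiClient", "sigdb": "AV", "status": "n/a"},
    ],
    "Discovered": "", "Created": "", "Updated": "2020-01-01",
}
SAMPLE_ENDPOINT_VULN = {
    "Type": "vulnerability", "ID": "2", "Name": "Example Client Overflow",
    "Risk": "high", "Summary": "Buffer overflow in example client.", "Analysis": "",
    "Products": ["Example Client 1.0"],
    "SecurityRefs": [{"reftype": "advisory", "refid": "EXAMPLE-REF-2",
                      "url": "https://example.invalid/advisory"}],
    "DetectionAvailability": [{"product": "FortiClient", "sigdb": "Vuln", "status": "available"}],
    "Created": "", "Updated": "",
}
SAMPLE_BOTNET = {
    "Type": "botnet", "ID": "3", "Name": "ExampleBot", "Aliases": "", "Summary": "",
    "Symptoms": "", "Analysis": "C2 beaconing.", "Action": "", "Platform": "Windows",
    "Created": "", "Updated": "",
}

if __name__ == "__main__":
    for src, sample in (("Viruses", SAMPLE_VIRUS),
                        ("Endpoint Vulnerabilities", SAMPLE_ENDPOINT_VULN),
                        ("Botnet", SAMPLE_BOTNET)):
        print(normalize(src, sample))
```

Because the Source parameter selects the schema, pass the same value you gave the connector step into normalize so the Application-only fields are only read when they can exist.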
The Sample - Fortinet FortiGuard Threat Intelligence - 2.0.0 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps that exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.