Fortinet FortiRecon ACI

Fortinet FortiRecon ACI v2.0.0

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view of the risks posed to your enterprise. The Adversary Centric Intelligence (ACI) module leverages FortiGuard Threat Analysts to provide comprehensive coverage of dark web, open source, and technical threat intelligence, including threat actor insights. This information enables administrators to proactively assess risks, respond faster to incidents, better understand their attackers, and protect assets. This connector automates operations related to ACI.

This document provides information about the Fortinet FortiRecon ACI Connector, which facilitates automated interactions with a Fortinet FortiRecon ACI server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon ACI Connector as a step in FortiSOAR™ playbooks to perform automated operations with Fortinet FortiRecon ACI.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 7.6.1-5275

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Fortinet FortiRecon ACI Connector in version 2.0.0:

  • Added the following new actions and their corresponding playbooks:
    • Get ICL Saved Searches
    • Get ICL Saved Searches By ID
    • Get Leaked Stealers Infections
    • Get Potential Ransomware Victims
    • Get Ransomware Group Information
    • Get Ransomware Intelligence Orgs Watchlist To Monitor
    • Get Ransomware Intelligence Stats
    • Get Ransomware Threat Campaign
    • Get Ransomware Vendors Added For Ransomware Intelligence Monitoring
    • Get Ransomware Vendors Matched
    • Get Ransomware Victim Details By ID
    • Get Ransomware Victims
    • Get Stealers Infections Leaked Count
    • Get Stealers Infections On Sale
    • Get Stealers Infections On Sale Count
    • Get The Matched Organizations For Ransomware Intelligence Monitoring
    • Get The Technical Indicators For The Given Ransomware Group
    • Get Vendor Details By ID
    • Get Vendor Exposures By Vendor ID
    • Get Vendor Watchlist
    • Get Vulnerability Intelligence CVEs
    • Get Vulnerability Intelligence CVEs By ID
    • Get Vulnerability Intelligence Stats For CVE ID
    • Get Vulnerability Intelligence hits By CVE ID
    • Get Vulnerability Intelligence vulnerable products
    • Get Vulnerability Intelligence vulnerable vendors
    • Update Stealers Leaked Status
    • Update Stealers On Sale Marketplaces Status
  • The action Get Stealers Log is now deprecated and hence removed.
  • Added a new parameter Get All Records in the action Get IOCs.
  • The following playbooks have been added:
    • FortiSOAR Threat Intel Feeds Using Threat Intel Report > Create
    • Get FortiRecon ACI Threat Intel Report IOC
    • FortiRecon ACI Threat Intel Report > Fetch
  • The following playbooks are now removed:
    • Get Stealers Log
    • Get FortiRecon ACI Report IOC
    • FortiRecon ACI Report > Fetch
    • FortiSOAR Threat Feeds Using FortiRecon ACI Report > Create
  • Updated the data ingestion parameters.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

  • You must have the URL of the Fortinet FortiRecon ACI server and the credentials (API key and organization ID) required to access it in order to perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiRecon ACI server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon ACI connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID whose records are fetched by the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate of the server is to be verified.
By default, this option is set as True. Leave it enabled: with verification disabled, the API key is sent to whichever host answers for the configured URL.

Actions supported by the connector

The following automated operations can be included in playbooks; you can also use the annotations to access these operations:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the organization ID specified in the configuration parameters and other input parameters you have specified. get_iocs
Investigation
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards
Investigation
Get Widgets Retrieves a list of all widgets or specific widgets for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_widgets
Investigation
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds
Investigation
Get Reports Retrieves a list of all reports or specific reports for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data. get_reports
Investigation
Get Reports With IOCs Retrieves details, including IOCs, for a specific report for the organization ID specified in the configuration parameters and the report ID you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports. get_reports_with_iocs
Investigation
Get ICL Saved Searches Retrieves a list of intelligence collection lookup (ICL) searches saved for the organization ID specified in the configuration parameters based on the search keyword, query type, and other filter criteria that you have specified. get_icl_saved_searches
Investigation
Get ICL Saved Searches By ID Retrieves a list of intelligence collection lookup (ICL) searches saved for the organization ID specified in the configuration parameters based on the search ID, time period, and other filter criteria that you have specified. get_icl_saved_searches_by_id
Investigation
Get Stealers Infections Leaked Count Retrieves a count of systems for the organization ID specified in the configuration parameters that have been infected with credential stealers or malware programs designed to capture sensitive data, such as usernames, passwords, and other credentials from compromised machines; filtered by affiliated domain or stealer. get_stealers_infections_leaked_count
Investigation
Get Leaked Stealers Infections Retrieves a list of systems for the organization ID specified in the configuration parameters that have been infected with credential stealers or malware programs designed to capture sensitive data, such as usernames, passwords, and other credentials from compromised machines; based on the search keyword, stealer name, and other filter criteria that you have specified. get_leaked_stealers_infections
Investigation
Get Vendor Exposures By Vendor ID Retrieves detailed intelligence about security exposures or vulnerabilities tied to a particular vendor (a third-party supplier, software provider, or hardware manufacturer) for the organization ID specified in the configuration parameters, based on the exposure type and vendor ID that you have specified. get_vendor_exposures_by_id
Investigation
Get Vendor Watchlist Retrieves the vendors on the watchlist, that is, vendors in your supply chain or external partnerships whose potential security risks and exposures are monitored for the organization ID specified in the configuration parameters, based on the domain, name, and other filter criteria that you have specified. get_vendor_watchlist
Investigation
Get Vendor Details By ID Retrieves a vendor's details for the organization ID specified in the configuration parameters based on the vendor ID that you have specified. get_vendor_details_by_id
Investigation
Get Vulnerability Intelligence CVEs Retrieves a list of Vulnerability Intelligence CVEs for the organization ID specified in the configuration parameters based on the source type, FortiRecon severity, and other filter criteria that you have specified. get_vulnerability_intelligence_cves
Investigation
Get Vulnerability Intelligence CVEs By ID Retrieves a list of Vulnerability Intelligence CVEs for the organization ID specified in the configuration parameters based on the vulnerability ID that you have specified. get_vulnerability_intelligence_cves_by_id
Investigation
Get Vulnerability Intelligence vulnerable products Retrieves a list of vulnerability intelligence on vulnerable products for the organization ID specified in the configuration parameters based on the input source type, sorting criteria and other filter criteria that you have specified. get_vulnerability_intelligence_vulnerable_products
Investigation
Get Vulnerability Intelligence vulnerable vendors Retrieves a list of vulnerability intelligence on vulnerable vendors for the organization ID specified in the configuration parameters based on the input source type, sorting criteria and other filter criteria that you have specified. get_vulnerability_intelligence_vulnerable_vendors
Investigation
Get Vulnerability Intelligence hits By CVE ID Retrieves vulnerability intelligence found in the various data sources for a given CVE ID based on the selected source, CVE ID, and other filter criteria that you have specified. get_vulnerability_intelligence_hits_by_cve_id
Investigation
Get Vulnerability Intelligence Stats For CVE ID Retrieves vulnerability intelligence statistics for a given CVE ID based on the selected source, CVE ID, and other filter criteria that you have specified. get_vulnerability_intelligence_stats_for_cve_id
Investigation
Get Stealers Infections On Sale Count Retrieves the count of compromised systems affiliated with the organization ID specified in the configuration parameters that are currently being offered for sale on darknet marketplaces. get_stealers_infections_on_sale_count
Investigation
Get Stealers Infections On Sale Retrieves information on compromised systems affiliated with the organization ID specified in the configuration parameters that are currently being offered for sale on darknet marketplaces, based on searched keyword, stealer name and other filter criteria that you have specified. get_stealers_infections_on_sale
Investigation
Get Ransomware Victims Retrieves a list of ransomware victims affiliated with the organization ID specified in the configuration parameters based on the searched keyword, ransomware name, and other filter criteria that you have specified. get_ransomware_victims
Investigation
Get Ransomware Victim Details By ID Retrieves details of a ransomware victim based on the ID that you have specified. get_ransomware_victims_details_by_id
Investigation
Get Ransomware Vendors Added For Ransomware Intelligence Monitoring Retrieves vendors being monitored for potential ransomware threats based on the pagination parameters that you have specified. get_ransomware_intel_vendors_watchlist
Investigation
Get Ransomware Vendors Matched Retrieves a list of vendors for the organization ID specified in the configuration parameters and who have been affected by ransomware activity based on the pagination parameters that you have specified. get_ransomware_intel_vendors_watchlist_matched
Investigation
Get Ransomware Intelligence Stats Retrieves statistics of a ransomware activity for the organization ID specified in the configuration parameters based on the statistics type, time range type, and other filter criteria that you have specified. get_ransomware_intelligence_statistics
Investigation
Get Ransomware Threat Campaign Retrieves ransomware threat campaigns for the organization ID specified in the configuration parameters based on the pagination parameters that you have specified. get_ransomware_threat_campaigns
Investigation
Get Potential Ransomware Victims Retrieves potential ransomware victim targets for the organization ID specified in the configuration parameters based on the threat actor name, country, and other filter criteria that you have specified. get_ransomware_potential_victims
Investigation
Get Ransomware Intelligence Orgs Watchlist To Monitor Retrieves the organizations added for ransomware intelligence monitoring within the organization ID specified in the configuration parameters, based on the pagination parameters that you have specified. get_ransomware_intel_org_watchlist
Investigation
Get The Matched Organizations For Ransomware Intelligence Monitoring Retrieves a list of organizations for the organization ID specified in the configuration parameters and who have been affected by ransomware activity based on the pagination parameters that you have specified. get_ransomware_intel_org_watchlist_matched
Investigation
Get The Technical Indicators For The Given Ransomware Group Retrieves technical indicators, such as IP addresses, file hashes, and malware signatures, associated with a particular ransomware group based on the ransomware group name and other filter criteria that you have specified. get_technical_indicators_for_given_ransomware_group
Investigation
Get Ransomware Group Information Retrieves detailed intelligence on a specific ransomware group, including their known tactics, techniques, procedures (TTPs), targeted industries, history of attacks, and associated malware based on the ransomware group name that you have specified. get_ransomware_group_info
Investigation
Update Stealers Leaked Status Updates the status (for example, ACTIVE or RESOLVED) of a leaked stealer-infection record, that is, an infection whose captured data has been leaked or exposed, typically in underground forums or marketplaces, based on the stealers leaked record ID. update_stealers_leaked_status
Investigation
Update Stealers On Sale (Marketplaces) Status Updates the status of a stealer-infection record whose data is currently being sold or traded on underground marketplaces, based on the stealers record ID. update_stealers_on_sale_status
Investigation

operation: Get IOCs

Input parameters

Parameter Description
Report ID Specify a comma-separated list of report IDs from which to fetch the IOCs.
IOC Type Specify a comma-separated string or single string of the type of IOCs to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
Get All Records (Optional) Select to retrieve all records. Selecting this parameter ignores the values of the Page and Size parameters. By default, this is selected, i.e., set to true.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        },
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
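The list-style actions above all return the same page envelope (hits, page, size, total), and Get All Records simply walks every page for you. The following added example, which is not connector code and not part of the original page, shows how to do that walk yourself against any fetch callable and then turn the raw Get IOCs hits into deduplicated indicator records, the kind of normalization the "FortiSOAR Threat Intel Feeds Using Threat Intel Report > Create" playbook needs. It assumes only the documented response shape and the documented Size maximum of 500; the fetch_page callable and the sample hits are constructed stand-ins for the real API call.

```python
"""Page through a FortiRecon ACI list response and normalize the returned IOCs.

Added example (not connector code). It depends only on the documented response
shape {hits, page, size, total} and the documented Size limit of 500; the HTTP
call itself is abstracted behind a fetch_page(page, size) callable.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

PAGE_SIZE_MAX = 500  # documented maximum for the Size parameter
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def iter_hits(fetch_page: Callable[[int, int], dict],
              size: int = PAGE_SIZE_MAX) -> Iterator[dict]:
    """Yield every hit across all pages, the way 'Get All Records' does.

    Stops when the number of hits seen reaches 'total' or a page comes back
    empty, so a stale 'total' cannot cause an endless loop.
    """
    size = max(1, min(int(size), PAGE_SIZE_MAX))
    page, seen = 1, 0
    while True:
        resp = fetch_page(page, size)
        hits = resp.get("hits") or []
        total = int(resp.get("total") or 0)
        for hit in hits:
            yield hit
        seen += len(hits)
        if not hits or seen >= total:
            return
        page += 1


def normalize_ioc(hit: dict) -> Optional[dict]:
    """Validate one IOC hit and return a cleaned indicator, or None if unusable.

    ioc_type is compared case-insensitively because the page shows both 'cve'
    and 'IP-REPUTATION'. Only CVE and IP types are syntax-checked here; other
    types are passed through with whitespace stripped.
    """
    value = str(hit.get("ioc", "")).strip()
    ioc_type = str(hit.get("ioc_type", "")).strip().lower()
    if not value or not ioc_type:
        return None
    if ioc_type == "cve":
        if not CVE_RE.match(value):
            return None
        value = value.upper()
    elif ioc_type.startswith("ip"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        value = addr.compressed
        ioc_type = "ipv4" if addr.version == 4 else "ipv6"
    return {"value": value, "type": ioc_type,
            "reports": [hit.get("report_id", "")],
            "titles": [hit.get("report_title", "")]}


def collect_iocs(fetch_page: Callable[[int, int], dict],
                 size: int = PAGE_SIZE_MAX) -> Tuple[List[dict], List[dict]]:
    """Return (deduplicated indicators, rejected raw hits).

    The same IOC published in several reports becomes one indicator whose
    'reports' list holds every report_id, which is what a feed record needs.
    """
    merged: Dict[Tuple[str, str], dict] = {}
    rejected: List[dict] = []
    for hit in iter_hits(fetch_page, size):
        ind = normalize_ioc(hit)
        if ind is None:
            rejected.append(hit)
            continue
        key = (ind["type"], ind["value"])
        if key in merged:
            merged[key]["reports"].extend(ind["reports"])
            merged[key]["titles"].extend(ind["titles"])
        else:
            merged[key] = ind
    return list(merged.values()), rejected


# Constructed sample hits in the documented Get IOCs shape (not real FortiRecon data).
SAMPLE_HITS = [
    {"ioc": "CVE-2024-0001", "ioc_type": "cve", "report_id": "R-1", "report_title": "t1"},
    {"ioc": "198.51.100.7", "ioc_type": "IP-REPUTATION", "report_id": "R-1", "report_title": "t1"},
    {"ioc": "198.51.100.7", "ioc_type": "IP-REPUTATION", "report_id": "R-2", "report_title": "t2"},
    {"ioc": "not-an-ip", "ioc_type": "IP-REPUTATION", "report_id": "R-2", "report_title": "t2"},
    {"ioc": "cve-2023-12345", "ioc_type": "CVE", "report_id": "R-3", "report_title": "t3"},
]


def sample_fetch_page(page: int, size: int) -> dict:
    """Stand-in for the connector call; slices SAMPLE_HITS like a paged API."""
    start = (page - 1) * size
    return {"hits": SAMPLE_HITS[start:start + size], "page": page,
            "size": size, "total": len(SAMPLE_HITS)}


if __name__ == "__main__":
    indicators, bad = collect_iocs(sample_fetch_page, size=2)  # size=2 forces 3 pages
    for ind in indicators:
        print(ind["type"], ind["value"], ind["reports"])
    print("rejected:", len(bad))
```

Running the sample with size=2 exercises three pages and yields three indicators: the repeated IP is merged with both report IDs, the lowercase CVE is canonicalised, and the malformed IP is reported as rejected rather than silently fed into a threat feed.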

operation: Get Leaked Cards

Input parameters

Parameter Description
Type Specify the type of leaked card to retrieve from Fortinet FortiRecon ACI.
Bin Specify the BIN (bank identification number) of the leaked cards to retrieve from Fortinet FortiRecon ACI. Multiple BINs can be specified as a comma-separated list. For example, 123456,654321
Start Date Specify the date from when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "bank_name": "",
            "base_name": "",
            "bg_code": "",
            "bin": "",
            "brand_name": "",
            "category": "",
            "city": "",
            "country": "",
            "expiry": "",
            "holder_name": "",
            "index_ts": "",
            "org_id": "",
            "price": "",
            "shop_name": "",
            "state": "",
            "type": "",
            "unique_id": "",
            "zip": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Widgets

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get OSINT Feeds

Input parameters

Parameter Description
Widget ID Specify the Widget ID using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword using which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "content_snippet": "",
            "is_latest": "",
            "link": "",
            "publish_date": "",
            "tags": [
                "",
                ""
            ],
            "title": "",
            "widget_id": "",
            "widget_name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports

Input parameters

Parameter Description
Relevance Rating Specify a comma-separated string or single string of the relevance ratings of the reports to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low.
Tags Specify a comma-separated string or single string of the tags associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime.
Adversary Specify a comma-separated string or single string of the adversary associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34.
Source Category Specify a comma-separated string or single string of the source category associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet.
Report Type Specify a comma-separated string or single string of the type of reports to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert.
Industry Specify a comma-separated string or single string of the industry associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology.
Geography Specify a comma-separated string or single string of the geography of the reports to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia.
Keyword Specify the keyword using which to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "adversary": [
                ""
            ],
            "geography": [
                ""
            ],
            "industry_tags": [
                ""
            ],
            "information_date": "",
            "information_reliability": "",
            "motivation": "",
            "publish_date": "",
            "relevance_rating": "",
            "report_id": "",
            "report_title": "",
            "report_type": "",
            "source_category": "",
            "source_name": "",
            "source_reliability": "",
            "status": "",
            "summary": "",
            "threat": [
                "",
                ""
            ],
            "tlp": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:

{
    "adversary": [
        ""
    ],
    "category": "",
    "customer_tag": "",
    "geography": [
        ""
    ],
    "industry_tags": [
        ""
    ],
    "information_date": "",
    "information_reliability": "",
    "ioc": [],
    "motivation": "",
    "publish_date": "",
    "relevance_rating": "",
    "report_id": "",
    "report_title": "",
    "source_name": "",
    "source_reliability": "",
    "status": "",
    "summary": "",
    "tags": [
        "",
        ""
    ],
    "tlp": "",
    "type": ""
}

operation: Get ICL Saved Searches

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to filter the retrieved results by searching the sources and query fields of the saved searches.
Alert (Optional) Select True to return ICL saved searches that trigger alerts. Select False to return searches that do not trigger alerts.
Query Type (Optional) Select a query type to filter retrieved results. You can select from the following options:
  • System
  • User
Start Date (Optional) Select the start date of the range in which a saved search was added.

NOTE: Selecting a start date is mandatory if an end date is selected.

End Date (Optional) Select the end date of the range in which a saved search was added. Default is the current date.

Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
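The date rules differ between actions: Get IOCs and Get Reports default Start Date to "Now - 6 months", while here there is no Start Date default and a Start Date becomes mandatory as soon as an End Date is selected. The following added example, not part of the original page or the connector, builds the two values for either kind of action and rejects the combinations the page says are invalid. The parameter names start_date/end_date, the injectable today string, and the month-stepping approximation of "Now - 6 months" are this example's own assumptions.

```python
"""Build validated Start Date / End Date values for a FortiRecon ACI action.

Added example (not connector code). It encodes the rules stated on this page:
dates are YYYY-MM-DD, End Date defaults to the current date, and Start Date
either has a documented default (e.g. 'Now - 6 months' for Get IOCs) or is
mandatory whenever an End Date is given (Get ICL Saved Searches). 'today' is
injectable so the behaviour is reproducible.
"""
import calendar
from datetime import date, datetime
from typing import Dict, Optional

DATE_FMT = "%Y-%m-%d"


def parse_ymd(value: str, name: str) -> date:
    """Strictly parse YYYY-MM-DD; anything else is an input error, not a silent default."""
    try:
        return datetime.strptime(value, DATE_FMT).date()
    except (TypeError, ValueError):
        raise ValueError(f"{name} must be YYYY-MM-DD, got {value!r}")


def months_before(day: date, months: int) -> date:
    """'Now - N months' with the day-of-month clamped to the target month's length."""
    year, month = day.year, day.month - months
    while month <= 0:
        year -= 1
        month += 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def build_date_range(start: Optional[str], end: Optional[str],
                     today: Optional[str] = None,
                     default_months: Optional[int] = 6) -> Dict[str, str]:
    """Return {'start_date', 'end_date'} ready for the action's inputs.

    default_months=None models actions with no Start Date default: Start Date
    is then required if End Date is set, and neither given means no date
    filter at all (empty dict).
    """
    now = parse_ymd(today, "today") if today else date.today()
    if start is None and end is None and default_months is None:
        return {}
    if start is None and default_months is None:
        raise ValueError("Start Date is mandatory when an End Date is selected")
    start_d = parse_ymd(start, "Start Date") if start else months_before(now, default_months)
    end_d = parse_ymd(end, "End Date") if end else now
    if start_d > end_d:
        raise ValueError(f"Start Date {start_d} is after End Date {end_d}")
    return {"start_date": start_d.strftime(DATE_FMT), "end_date": end_d.strftime(DATE_FMT)}


def date_range_error(start: Optional[str], end: Optional[str],
                     today: Optional[str] = None,
                     default_months: Optional[int] = 6) -> Optional[str]:
    """Same checks, but return the message instead of raising (handy in a playbook step)."""
    try:
        build_date_range(start, end, today, default_months)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_date_range(None, None, today="2025-03-31"))           # Get IOCs-style default
    print(date_range_error(None, "2025-01-01", today="2025-03-31",
                           default_months=None))                      # ICL rule violated
```

Validating the range before calling the action matters because the server-side behaviour for a missing Start Date with an End Date present is an error, not an implicit default; checking it in the playbook gives a readable failure instead of a rejected API call.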

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "alert": "",
            "id": "",
            "query": "",
            "query_title": "",
            "query_type": "",
            "sources": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get ICL Saved Searches By ID

Input parameters

Parameter Description
Get ICL Saved Searches Result Based On Select the source platform whose results to fetch for the saved search. You can choose from the following options:
  • Archived Forums
  • Defacements
  • Forums
  • Leak Docs
  • Osint Feeds
  • Pastes
  • Ransomware
  • Telegram
ID Specify the saved search ID to fetch its details.
Start Date (Optional) Select the start date of the range in which a saved search was added. Default is the last 12 months.

NOTE: Selecting a start date is mandatory if an end date is selected.

End Date (Optional) Select the end date of the range in which a saved search was added. Default is the current date.

Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get ICL Saved Searches Result Based On as Archived Forums:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "source_site": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Defacements:

{
    "hits": [
        {
            "author_name": "",
            "defaced_domain": "",
            "mirror_link": "",
            "published_ts": "",
            "source_site": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Forums:

{
    "hits": [
        {
            "author_name": "",
            "content": "",
            "published_ts": "",
            "source_site": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Leak Docs:

{
    "hits": [
        {
            "information_source": "",
            "published_ts": "",
            "title": "",
            "victim_company": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Osint Feeds:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "source_url": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Pastes:

{
    "hits": [
        {
            "author_name": "",
            "content": "",
            "published_ts": "",
            "source_url": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Ransomware:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "ransomware_name": "",
            "title": "",
            "victim_company": "",
            "victim_country": "",
            "victim_domains": "",
            "victim_sectors": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Telegram:

{
    "hits": [
        {
            "author_id": "",
            "author_name": "",
            "channel": "",
            "message": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Stealers Infections Leaked Count

Input parameters

Parameter Description
Based On Select the criteria based on which to fetch the count of systems infected with stealer malware and whose data might have been leaked in underground forums or marketplaces. You can choose from the following options:
  • Affiliated Domain: Select to filter the count based on the domain or a set of domains associated with the stealer infections. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
  • Status: Select to filter the count based on the current status of the infections, such as whether they are still active, leaked, or resolved.
  • Stealer: Select to filter the count based on the specific type of stealer malware involved. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Based On as Affiliated Domain:

{
    "count_by_affiliated_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Status:

{
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Stealer:

{
    "count_by_stealer": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Leaked Stealers Infections

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search for in the username and stealer name fields of systems that have been infected by credential stealers.
Stealer Name (Optional) Specify the stealer name to search by. Multiple stealer names can be specified as comma-separated OR values. For example: Vidar,Redline,Racoon,AZORult,risepro.
Affiliated Domain (Optional) Specify the affiliated domain to search by. Multiple affiliated domains can be specified as comma-separated OR values. For example: domain1.com,domain2.com.
Status (Optional) Select the current state of the stealer infection or the data leak event. You can choose from the following options:
  • ACTIVE: Select to retrieve results where the infection or the data leak is still ongoing and has not been contained.
  • RESOLVED: Select to retrieve results where the infection or the data leak has been contained or mitigated, and the risk from that specific incident has been addressed.
User Type (Optional) Select the type of user to filter on, that is, the affected users whose credentials or other sensitive information were compromised by stealer malware. You can choose from the following options:
  • EMPLOYEE
  • USER
Start Date (Optional) Select the start date of the timeframe during which the data leak by the stealer infection was reported.

NOTE: Selecting a start date is mandatory if an End Date is selected.

End Date (Optional) Select the end date of the timeframe during which the data leak by the stealer infection was reported. Default is the current date.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "country": "",
            "country_code": "",
            "id": "",
            "infection_ts": "",
            "ip": "",
            "status": "",
            "stealer_name": "",
            "url": "",
            "username": "",
            "user_type": "",
            "affiliated_domain": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
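An added example, in Python because that is the language FortiSOAR connectors are written in, and not code from the connector or from Fortinet: it builds the parameters of the operation above while enforcing the documented constraints (Size up to 500, Start Date mandatory when an End Date is selected, comma-separated OR values) and then triages the returned hits per affiliated domain, separating EMPLOYEE from USER victims and collecting the record IDs that are still ACTIVE. The snake_case parameter keys, the SAMPLE_HITS records and the domains and IDs in them are this example's own assumptions.

```python
"""Added example, not code from the FortiRecon ACI connector: validate the inputs
of 'Get Leaked Stealers Infections' and triage its hits. Field names follow the
schema documented above; the request keys are assumed (snake_case), and the
sample hits below are constructed placeholders, not real FortiRecon data."""
from collections import defaultdict
from datetime import date

SIZE_MAX = 500                          # documented maximum for Size
STATUS_VALUES = {"ACTIVE", "RESOLVED"}
USER_TYPES = {"EMPLOYEE", "USER"}


def _csv(values):
    """Multi-valued filters are passed as comma-separated OR values."""
    return ",".join(v.strip() for v in values if v and v.strip())


def build_leaked_stealers_params(keyword=None, stealer_names=(), affiliated_domains=(),
                                 status=None, user_type=None, start_date=None,
                                 end_date=None, page=1, size=10):
    """Return the operation's parameters as a dict after enforcing the rules the
    documentation states: Page >= 1, Size in 1..500, Status and User Type are
    enums, and an End Date is only allowed together with a Start Date."""
    if page < 1:
        raise ValueError("Page must be >= 1")
    if not 1 <= size <= SIZE_MAX:
        raise ValueError(f"Size must be between 1 and {SIZE_MAX}")
    if status is not None and status not in STATUS_VALUES:
        raise ValueError(f"Status must be one of {sorted(STATUS_VALUES)}")
    if user_type is not None and user_type not in USER_TYPES:
        raise ValueError(f"User Type must be one of {sorted(USER_TYPES)}")
    if end_date is not None and start_date is None:
        raise ValueError("Start Date is mandatory when an End Date is selected")
    if start_date is not None and end_date is not None and start_date > end_date:
        raise ValueError("Start Date must not be after End Date")

    params = {"page": page, "size": size}
    if keyword:
        params["keyword"] = keyword
    if stealer_names:
        params["stealer_name"] = _csv(stealer_names)
    if affiliated_domains:
        params["affiliated_domain"] = _csv(affiliated_domains)
    if status:
        params["status"] = status
    if user_type:
        params["user_type"] = user_type
    if start_date is not None:
        params["start_date"] = start_date.isoformat()
        # End Date defaults to the current date when omitted (documented default).
        params["end_date"] = (end_date or date.today()).isoformat()
    return params


def triage_leaked_infections(hits):
    """Summarise ACTIVE hits per affiliated domain: EMPLOYEE and USER victim
    counts, the stealer families seen, and the record IDs still open (these are
    the candidates for 'Update Stealers Leaked Status' once credentials are reset)."""
    summary = defaultdict(lambda: {"EMPLOYEE": 0, "USER": 0, "stealers": set(), "open_ids": []})
    for hit in hits:
        if hit.get("status") != "ACTIVE":
            continue                    # RESOLVED records need no further action
        domain = hit.get("affiliated_domain") or "(unaffiliated)"
        utype = hit.get("user_type") if hit.get("user_type") in USER_TYPES else "USER"
        entry = summary[domain]
        entry[utype] += 1
        entry["stealers"].add(hit.get("stealer_name") or "unknown")
        entry["open_ids"].append(hit["id"])
    # JSON-friendly and deterministic output (sorted domains, lists instead of sets).
    return {d: {"EMPLOYEE": e["EMPLOYEE"], "USER": e["USER"],
                "stealers": sorted(e["stealers"]), "open_ids": sorted(e["open_ids"])}
            for d, e in sorted(summary.items())}


def employee_ids_to_escalate(hits):
    """Open infections of EMPLOYEE accounts threaten corporate access most directly."""
    return sorted(h["id"] for h in hits
                  if h.get("status") == "ACTIVE" and h.get("user_type") == "EMPLOYEE")


# Constructed sample hits in the documented output shape (placeholder values).
SAMPLE_HITS = [
    {"id": "s-1", "status": "ACTIVE", "user_type": "EMPLOYEE", "stealer_name": "Vidar",
     "affiliated_domain": "example.com", "username": "a.user@example.com"},
    {"id": "s-2", "status": "ACTIVE", "user_type": "USER", "stealer_name": "Redline",
     "affiliated_domain": "example.com", "username": "customer1"},
    {"id": "s-3", "status": "RESOLVED", "user_type": "EMPLOYEE", "stealer_name": "Vidar",
     "affiliated_domain": "example.com", "username": "b.user@example.com"},
    {"id": "s-4", "status": "ACTIVE", "user_type": "EMPLOYEE", "stealer_name": "risepro",
     "affiliated_domain": "shop.example.net", "username": "c.user@shop.example.net"},
]

if __name__ == "__main__":
    print(build_leaked_stealers_params(stealer_names=["Vidar", "Redline"], status="ACTIVE",
                                       start_date=date(2024, 1, 1)))
    print(triage_leaked_infections(SAMPLE_HITS))
    print(employee_ids_to_escalate(SAMPLE_HITS))
```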

operation: Get Vendor Exposures By Vendor ID

Input parameters

Parameter Description
Get Exposures For Select the exposure type to fetch for the specified vendor. You can choose from the following options:
  • Attack Surface Exposure
  • Darknet Exposure
  • Incidents
ID Specify the vendor ID to fetch its details related to the selected exposure type.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get Exposures For as Attack Surface Exposure:

{
    "asset_distribution": [
        {
            "country": "",
            "severity": {},
            "total_assets": ""
        }
    ],
    "commonly_targeted_services": [
        {
            "count": "",
            "port_number": ""
        }
    ],
    "issues_by_severity": {
        "high": "",
        "low": "",
        "medium": ""
    },
    "risk_level": "",
    "security_issues": [
        {
            "asset_count": "",
            "issue_bucket": "",
            "issue_count": {
                "high": "",
                "low": "",
                "medium": ""
            },
            "sub_issues": [
                {
                    "asset_count": "",
                    "issue_name": ""
                }
            ]
        }
    ]
}

Output schema when you choose Get Exposures For as Darknet Exposure:

{
    "botnet_infections": {
        "compromised_employee": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "compromised_user": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "stealer_marketplace": [
            {
                "count": "",
                "duration": ""
            }
        ]
    },
    "credential_breaches": {
        "credex": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "credex_indexed": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "credex_names": [
            {
                "count": "",
                "name": ""
            }
        ]
    },
    "darknet_mentions": {
        "count": ""
    },
    "dataleak_mentions": {
        "count": ""
    },
    "risk_level": ""
}

Output schema when you choose Get Exposures For as Incidents:

{
    "fortirecon_reportings": {
        "count": "",
        "hits": [
            {
                "actor": "",
                "affected_domain": "",
                "timestamp": ""
            }
        ]
    },
    "ransomware_incidents": {
        "count": "",
        "hits": [
            {
                "affected_domain": "",
                "ransomware_name": "",
                "timestamp": ""
            }
        ]
    },
    "risk_level": ""
}

operation: Get Vendor Watchlist

Input parameters

Parameter Description
Filter By Domain (Optional) Specify a domain to filter the retrieved vendors added for monitoring by the specified domain.
Filter By Name (Optional) Specify a name to filter the retrieved vendors added for monitoring by the specified name.
Approval Status (Optional) Select the approval status of the vendor. You can choose from the following options:
  • Pending
  • Approved
  • Rejected
Status (Optional) Select the monitoring status of the vendor. You can choose from the following options:
  • Pending
  • Started
  • Failed
  • Completed
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "vendor_id": "",
            "name": "",
            "domain": "",
            "website": "",
            "logo": "",
            "risk_level": "",
            "status": "",
            "approval_status": "",
            "last_refreshed_on": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vendor Details By ID

Input parameters

Parameter Description
ID Specify the vendor ID to fetch its details, such as Alexa rank, approval status, and country.

Output

The output contains the following populated JSON schema:

{
    "vendor_id": "",
    "alexa_rank": "",
    "approval_status": "",
    "continent": "",
    "country": "",
    "desc": "",
    "domain": "",
    "employee_count": "",
    "logo": "",
    "name": "",
    "revenue": "",
    "primary_industry": [],
    "status": "",
    "website": ""
}

operation: Get Vulnerability Intelligence CVEs

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Fortirecon Severity (Optional) Select the severity based on which you want to filter the result. You can choose from the following options:
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
NVD Severity (Optional) Select the severity based on which you want to filter the result. You can choose from the following options:
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
CVE Year (Optional) Specify the year when the CVE was reported to filter the results by the specified CVE year. Multiple CVE years can be specified as comma-separated OR values. For example: 2018,2019.
Addition (Optional) Select the source through which the CVE was added, to filter the results when the value selected for the Input Source Type parameter is CLIENT. You can choose from the following options:
  • EASM
  • IASM
  • MANUAL
Vulnerability Exploitation (Optional) Select the vulnerability exploitation type to filter the retrieved results. You can choose from the following options:
  • APT_GROUP
  • RANSOMWARE
  • UNKNOWN
Vendors (Optional) Specify the vendor based on which to filter the retrieved results. Multiple vendors can be specified as comma-separated OR values. For example: debian,canonical,nodejs,openssl.
Products (Optional) Specify the products based on which to filter the retrieved results. Multiple products can be specified as comma-separated OR values. For example: debian,canonical,nodejs,openssl.
Tag IDs (Optional) Specify the tag IDs based on which to filter the retrieved results. Multiple tag IDs can be specified as comma-separated OR values. For example: 65dd1123aa1d5e9ab668ac56,56dd1768aa1d5o9ab668ac56.
Keyword (Optional) Specify the keyword based on which to filter the retrieved results. Specified keyword is used to perform partial search in the CVE ID field. For example: CVE-2018.
Elevated (Optional) Select to fetch the CVEs (Common Vulnerabilities and Exposures) associated with a higher level of impact or severity.
Sort By Recon Score (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Recon Score Descending Order
  • Sort by Recon Score Ascending Order
Data Sources (Optional) Specify the data sources based on which to filter the retrieved results. Multiple data sources can be specified as comma-separated OR values. You can choose more than one from the following options:
  • ACI Reporting
  • Darknet Chatter
  • Working Exploits
  • POC Exploits
  • Security Blogs
  • Hacktivist Chatter
  • Social Media
  • FortiGuard Outbreak Alert
Start Date (Optional) Select the start date of the timeframe during which the vulnerability intelligence CVE was added.
End Date (Optional) Select the end date of the timeframe during which the vulnerability intelligence CVE was added.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "cve_id": "",
            "is_active": "",
            "nvd_score": "",
            "status": "",
            "nvd_severity": "",
            "recon_score": "",
            "recon_severity": "",
            "year": "",
            "tags": "",
            "description": "",
            "products": [],
            "vendors": [],
            "iasm_affected_hosts": [],
            "easm_affected_hosts": [],
            "last_refreshed_ts": "",
            "created_ts": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
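An added example, not code from the connector or from Fortinet, that prioritises the hits returned by the operation above for remediation: CVEs with affected hosts from EASM (internet-facing) come first, then IASM-affected ones, then active CVEs, ranked by FortiRecon's recon severity and score before the NVD score, and a second function flags CVEs whose recon score runs well above their NVD score. The ordering policy, the score handling and the SAMPLE_CVE_HITS records (with placeholder CVE IDs) are this example's own assumptions; the field names are those of the output schema.

```python
"""Added example, not code from the FortiRecon ACI connector: order the hits of
'Get Vulnerability Intelligence CVEs' for remediation. The priority policy is an
assumption of this example; the sample hits use placeholder CVE IDs."""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def _score(value):
    """The schema shows scores as strings; accept numbers, numeric strings or
    empty strings and treat anything unparsable as 0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def _is_true(value):
    """is_active may arrive as a bool or as the string 'true'/'false'."""
    return value is True or str(value).strip().lower() == "true"


def priority_key(hit):
    """Sort key (higher sorts first): EASM-exposed hosts, then IASM-affected
    hosts, then active CVEs, then recon severity, recon score and NVD score."""
    easm = len(hit.get("easm_affected_hosts") or [])
    iasm = len(hit.get("iasm_affected_hosts") or [])
    severity = str(hit.get("recon_severity") or "").upper()
    return (
        easm > 0,
        iasm > 0,
        _is_true(hit.get("is_active")),
        SEVERITY_RANK.get(severity, 0),
        _score(hit.get("recon_score")),
        _score(hit.get("nvd_score")),
    )


def prioritise_cves(hits):
    """Return CVE IDs in the order a remediation queue should work them."""
    return [h["cve_id"] for h in sorted(hits, key=priority_key, reverse=True)]


def recon_above_nvd(hits, min_gap=3.0):
    """CVEs whose recon score exceeds the NVD score by at least min_gap: threat
    intelligence rates them hotter than CVSS alone suggests, so a patch policy
    driven only by NVD severity would under-prioritise them."""
    return [h["cve_id"] for h in hits
            if _score(h.get("recon_score")) - _score(h.get("nvd_score")) >= min_gap]


# Constructed sample hits in the documented output shape (placeholder CVE IDs).
SAMPLE_CVE_HITS = [
    {"cve_id": "CVE-0000-0001", "is_active": "true", "nvd_score": "5.3",
     "recon_score": "9.1", "recon_severity": "CRITICAL",
     "easm_affected_hosts": [], "iasm_affected_hosts": ["host-a"]},
    {"cve_id": "CVE-0000-0002", "is_active": "false", "nvd_score": "9.8",
     "recon_score": "4.0", "recon_severity": "MEDIUM",
     "easm_affected_hosts": ["web-1"], "iasm_affected_hosts": []},
    {"cve_id": "CVE-0000-0003", "is_active": "true", "nvd_score": "7.5",
     "recon_score": "", "recon_severity": "",
     "easm_affected_hosts": [], "iasm_affected_hosts": []},
    {"cve_id": "CVE-0000-0004", "is_active": "true", "nvd_score": "9.8",
     "recon_score": "9.8", "recon_severity": "CRITICAL",
     "easm_affected_hosts": ["web-2"], "iasm_affected_hosts": ["host-b"]},
]

if __name__ == "__main__":
    print(prioritise_cves(SAMPLE_CVE_HITS))
    print(recon_above_nvd(SAMPLE_CVE_HITS))
```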

operation: Get Vulnerability Intelligence CVEs By ID

Input parameters

Parameter Description
ID Specify the CVE ID to fetch its details.

Output

The output contains the following populated JSON schema:

{
    "cve_id": "",
    "is_active": "",
    "status": "",
    "nvd_score": "",
    "nvd_severity": "",
    "recon_score": "",
    "recon_severity": "",
    "year": "",
    "vendors": [],
    "tags": [],
    "products": [],
    "description": "",
    "easm_affected_hosts": [],
    "iasm_affected_hosts": [],
    "last_refreshed_ts": "",
    "published_ts": "",
    "created_ts": "",
    "lookup_priority": "",
    "nvd_metadata": ""
}

operation: Get Vulnerability Intelligence vulnerable products

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Sort By Product Count (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Product Count Descending Order
  • Sort by Product Count Ascending Order
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "product": "",
            "count": "",
            "recon_severity": {
                "low": "",
                "medium": "",
                "critical": ""
            },
            "nvd_severity": {
                "medium": "",
                "high": "",
                "critical": "",
                "low": ""
            }
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence vulnerable vendors

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Sort By Vendor Count (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Vendor Count Descending Order
  • Sort by Vendor Count Ascending Order
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "vendor": "",
            "count": "",
            "recon_severity": {
                "low": "",
                "medium": "",
                "critical": ""
            },
            "nvd_severity": {
                "medium": "",
                "high": "",
                "critical": "",
                "low": ""
            }
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence hits By CVE ID

Input parameters

Parameter Description
Get the CVE hits for a given CVE ID Based On Select on what basis you want to filter the vulnerability intelligence hits. You can choose from the following options:
  • ACI Reporting
  • Darknet Chatter
  • Working Exploits
  • POC Exploits
  • Security Blogs
  • Hacktivist Chatter
  • Social Media
CVE ID Specify the CVE ID to filter the vulnerability intelligence hits.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get the CVE hits for a given CVE ID Based On as ACI Reporting:

{
    "hits": [
        {
            "report_id": "",
            "report_title": "",
            "summary": "",
            "publish_date": "",
            "relevance_rating": "",
            "_id": "",
            "adversary": "",
            "source_category": "",
            "motivation": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Darknet Chatter:

{
    "hits": [
        {
            "published_ts": "",
            "is_topic": "",
            "source_site": "",
            "title": "",
            "thread_id": "",
            "thread_url": "",
            "content": "",
            "author_name": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Working Exploits:

{
    "hits": [
        {
            "url": "",
            "published_ts": "",
            "repo_source": "",
            "author_name": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as POC Exploits:

{
    "hits": [
        {
            "html_url": "",
            "owner_username": "",
            "repo_name": "",
            "description": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Security Blogs:

{
    "hits": [
        {
            "title": "",
            "description": "",
            "link": "",
            "author": "",
            "published_date": "",
            "is_trusted": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Hacktivist Chatter:

{
    "hits": [
        {
            "channel": "",
            "message": "",
            "message_type": "",
            "image_url": "",
            "author_id": "",
            "author_name": "",
            "published_ts": "",
            "message_link": "",
            "sender_url": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Social Media:

{
    "hits": [
        {
            "_id": "",
            "author_id": "",
            "author_name": "",
            "source_url": "",
            "content": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence Stats For CVE ID

Input parameters

Parameter Description
Get stats for the given CVE ID Based On Select on what basis you want to filter the vulnerability intelligence statistics. You can choose from the following options:
  • Data Source Distribution
  • Data Source Trend
  • Score Trend
CVE ID Specify the CVE ID to filter the vulnerability intelligence statistics.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get stats for the given CVE ID Based On as Data Source Distribution:

{
    "hits": [
        {
            "count": "",
            "label": ""
        }
    ]
}

Output schema when you choose Get stats for the given CVE ID Based On as Data Source Trend:

{
    "hits": [
        {
            "data": {
                "ACI Reporting": "",
                "Darknet Chatter": "",
                "FortiGuard Outbreak Alert": "",
                "Hacktivist Chatter": "",
                "POC Exploit": "",
                "Security Blogs": "",
                "Social Media": "",
                "Working Exploit": ""
            },
            "date": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get stats for the given CVE ID Based On as Score Trend:

{
    "hits": [
        {
            "date": "",
            "epss_score": "",
            "recon_score": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Stealers Infections On Sale Count

Input parameters

Parameter Description
Based On Select the criteria based on which to fetch the count of systems infected with stealer malware whose data is on sale in underground forums or marketplaces. You can choose from the following options:
  • Matched Domain: Select to filter the count based on the domain or a set of domains associated with the stealer infections. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
  • Stealer: Select to filter the count based on the specific type of stealer malware involved. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Based On as Matched Domain:

{
    "count_by_matched_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Stealer:

{
    "count_by_stealer": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Stealers Infections On Sale

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search the username, stealer name, sites, country, ISP, and state fields of systems that have been infected by credential stealers.
Stealer Name (Optional) Specify a keyword to filter the results by the specified stealer name. Multiple stealer names can be specified as comma-separated OR values. For example: Vidar,Redline,Racoon,AZORult,risepro.
Marketplace Name (Optional) Specify a marketplace name to filter the results by the specified marketplace name. Multiple marketplace names can be specified as comma-separated OR values. For example: 2easy,genesis,russian market.
ISP Name (Optional) Specify an ISP name to filter the results by the specified ISP. Multiple ISPs can be specified as comma-separated OR values. For example: Amazon.com,IRANET TELECOM.
Country Name (Optional) Specify a country name to filter the results by the specified country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
State Name (Optional) Specify a state name to filter the results by the specified state. Multiple states can be specified as comma-separated OR values. For example: Indiana,Texas.
Matched Domain (Optional) Specify a keyword to search by the specified matched domain. Multiple matched domains can be specified as comma-separated OR values. For example: domain1.com,domain2.com.
Status (Optional) Select the status of the stolen credentials that are on sale. You can choose from the following options:
  • ACTIVE
  • RESOLVED
Start Date (Optional) Select the start date of the timeframe during which the leaked credentials appearing on a marketplace were reported.

NOTE: Selecting a start date is mandatory if an End Date is selected.

End Date (Optional) Select the end date of the timeframe during which the leaked credentials appearing on a marketplace were reported. Default is the current date.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "marketplace": "",
            "isp": "",
            "sites": [],
            "stealer_name": "",
            "country": "",
            "country_code": "",
            "state": "",
            "matched_domains": [],
            "price": "",
            "currency": "",
            "vendor": "",
            "status": "",
            "discovery_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Victims

Input parameters

Parameter Description
Search By Keyword (Optional) Specify the keyword based on which to filter the retrieved results. The specified keyword is used to search the title, ransomware name, and description fields.
Filter By Ransomware Name (Optional) Specify a ransomware name based on which to filter the ransomware victims.
Country (Optional) Specify a country name to filter the results by the specified country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
Sectors (Optional) Specify a sector name to filter the results by the specified sector. Multiple sectors can be specified as comma-separated OR values. For example: Business Services,Accounting Services.
Start Date (Optional) Select the start date of the timeframe during which to retrieve ransomware victims.
End Date (Optional) Select the end date of the timeframe during which to retrieve ransomware victims.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "title": "",
            "name": "",
            "domains": [],
            "revenue": "",
            "post_text": "",
            "sectors": [],
            "country": "",
            "continent": "",
            "ransomware_name": "",
            "description": "",
            "added_ts": "",
            "updated_ts": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Victim Details By ID

Input parameters

Parameter Description
ID Specify the ransomware victim ID to fetch its details.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "post_title": "",
    "post_text": "",
    "ransomware_name": "",
    "victim_domains": [],
    "victim_company": "",
    "victim_country": "",
    "victim_continent": "",
    "victim_sectors": [],
    "victim_description": "",
    "victim_parent_org": "",
    "victim_revenue_in_usd": [],
    "posted_ts": "",
    "updated_ts": "",
    "collection_ts": ""
}

operation: Get Ransomware Vendors Added For Ransomware Intelligence Monitoring

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "domain": "",
            "vendor_name": "",
            "added_ts": "",
            "updated_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Vendors Matched

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "domains": [],
            "name": "",
            "type": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Intelligence Stats

Input parameters

Parameter Description
Get Ransomware Intelligence Stats For Select the type of stats you want to fetch for ransomware intelligence. You can choose from the following options:
  • Top Ransomware Victims By Sector
  • Top Ransomware Victims By Revenue
  • Top Ransomware Victims By Country
  • Top Ransomware Groups
  • Ransomware Victims Over Time
  • Latest Active Ransomware Groups
Time Range Type (Optional) Select the time range for which to get the ransomware intelligence stats. You can choose from the following options:
  • All Time
  • Last 90 Days
  • Last 30 Days
  • Last 15 Days
  • Last 7 Days
  • Current Month
  • Previous Month
Start Date (Optional) Select the start date of the timeframe during which to retrieve intelligence stats.
End Date (Optional) Select the end date of the timeframe during which to retrieve intelligence stats.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Sector:

{
    "items": [
        {
            "items": [
                {
                    "count": "",
                    "country": ""
                }
            ]
        }
    ],
    "sectors": "Manufacturing"
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Revenue:

{
    "items": [
        {
            "data": [
                {
                    "name": "",
                    "ransomware_name": "",
                    "revenue": "",
                    "revenue_in_number": ""
                }
            ],
            "display_id": "",
            "label": ""
        }
    ]
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Country:

{
    "items": [
        {
            "country": "",
            "items": [
                {
                    "count": "",
                    "sectors": ""
                }
            ]
        }
    ]
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Groups:

{
    "date_range": "",
    "items": [
        {
            "count": "",
            "group": ""
        }
    ],
    "total": ""
}

Output schema when you choose Get Ransomware Intelligence Stats For as Ransomware Victims Over Time:

{
    "items": [
        {
            "count": "",
            "date": ""
        }
    ],
    "total": ""
}

Output schema when you choose Get Ransomware Intelligence Stats For as Latest Active Ransomware Groups:

{
    "items": [
        {
            "count": "",
            "group": "",
            "last_added": ""
        }
    ],
    "total": ""
}

operation: Get Ransomware Threat Campaign

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "actors": "",
            "id": "",
            "ransomware_name": "",
            "report_date": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Potential Ransomware Victims

Input parameters

Parameter Description
Filter By Actor Name (Optional) Specify an actor name to filter the results by the specified actor. Multiple actors can be specified as comma-separated OR values. For example: abc,pqr.
Country (Optional) Specify a country name to filter the results by the specified country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
Sectors (Optional) Specify a sector name to filter the results by the specified sector. Multiple sectors can be specified as comma-separated OR values. For example: Business Services,Accounting Services.
Start Date (Optional) Select the start date of the timeframe during which to retrieve potential ransomware victims.
End Date (Optional) Select the end date of the timeframe during which to retrieve potential ransomware victims.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "actor": "",
            "collection_date": "",
            "country": "",
            "description": "",
            "domains": [],
            "id": "",
            "name": "",
            "report_id": "",
            "revenue": "",
            "sectors": [],
            "source": "",
            "updated_date": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Intelligence Orgs Watchlist To Monitor

Input parameters

Parameter Description
Added Type (Optional) Select the input source type to filter the results. You can choose from the following options:
  • ALL
  • EASM
  • MANUAL
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "domain": "",
            "org_name": "",
            "type": "",
            "added_ts": "",
            "updated_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get The Matched Organizations For Ransomware Intelligence Monitoring

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "domains": [],
            "name": "",
            "type": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get The Technical Indicators For The Given Ransomware Group

Input parameters

Parameter Description
Ransomware Group Name Specify the ransomware group name to fetch its technical indicators.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Group Information

Input parameters

Parameter Description
Ransomware Group Name Specify the ransomware Group Name to fetch its information.

Output

The output contains the following populated JSON schema:

{
    "first_seen": "",
    "total_victims": "",
    "victim_countries": [
        {
            "count": "",
            "country": ""
        }
    ],
    "victim_sectors": [
        {
            "count": "",
            "sector": ""
        }
    ]
}

operation: Update Stealers Leaked Status

Input parameters

Parameter Description
Stealers Leaked Record ID Specify the ID of the stealers leaked record whose status you want to update.
Status Specify the status to set on the stealers leaked record. You can choose from:
  • ACTIVE
  • RESOLVED

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

operation: Update Stealers On Sale(Marketplaces) Status

Input parameters

Parameter Description
Stealers On Sale(Marketplaces) Record ID Specify the ID of the stealers on sale (marketplaces) record whose status you want to update.
Status Specify the status to set on the stealers on sale (marketplaces) record. You can choose from:
  • ACTIVE
  • RESOLVED

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

Included playbooks

The Sample - Fortinet FortiRecon ACI - 2.0.0 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

  • FortiRecon ACI Threat Intel Report > Fetch
  • FortiSOAR Threat Intel Feeds Using Threat Intel Report > Create
  • Get FortiRecon ACI Threat Intel Report IOC
  • Get ICL Saved Searches
  • Get ICL Saved Searches By ID
  • Get IOCs
  • Get Leaked Cards
  • Get Leaked Stealers Infections
  • Get OSINT Feeds
  • Get Potential Ransomware Victims
  • Get Ransomware Group Information
  • Get Ransomware Intelligence Orgs Watchlist To Monitor
  • Get Ransomware Intelligence Stats
  • Get Ransomware Threat Campaign
  • Get Ransomware Vendors Added For Ransomware Intelligence Monitoring
  • Get Ransomware Vendors Matched
  • Get Ransomware Victim Details By ID
  • Get Ransomware Victims
  • Get Reports
  • Get Reports With IOCs
  • Get Stealers Infections Leaked Count
  • Get Stealers Infections On Sale
  • Get Stealers Infections On Sale Count
  • Get The Matched Organizations For Ransomware Intelligence Monitoring
  • Get The Technical Indicators For The Given Ransomware Group
  • Get Vendor Details By ID
  • Get Vendor Exposures By Vendor ID
  • Get Vendor Watchlist
  • Get Vulnerability Intelligence CVEs
  • Get Vulnerability Intelligence CVEs By ID
  • Get Vulnerability Intelligence Stats For CVE ID
  • Get Vulnerability Intelligence hits By CVE ID
  • Get Vulnerability Intelligence vulnerable products
  • Get Vulnerability Intelligence vulnerable vendors
  • Get Widgets
  • Map Adversary to MITRE Groups/Techniques/Softwares
  • On Create > Map Adversary to MITRE Groups/Techniques/Softwares
  • On Update > Map Adversary to MITRE Groups/Techniques/Softwares
  • Update Stealers Leaked Status
  • Update Stealers On Sale Marketplaces Status

NOTE: In the Threat Intel Management Solution Pack's Threat Intel Report module, the connector fetches reports containing indicators whose source category is Technical Intelligence.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling reports from Fortinet FortiRecon ACI. Currently, reports in Fortinet FortiRecon ACI are mapped to Threat Intel Management in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiRecon ACI reports to Threat Intel Management in FortiSOAR™.

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiRecon ACI into FortiSOAR™. It also lets you pull some sample data from FortiRecon ACI, which you use to define the mapping of data between FortiRecon ACI reports and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users typically only need to map any custom fields that have been added to the FortiRecon ACI reports.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiRecon ACI connector's Configurations page.
    Click Let's Start by fetching some data to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between FortiRecon ACI reports and FortiSOAR™ Threat Intel Management. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch reports from FortiRecon ACI. You can specify Pull Reports Created in Past X Hours to limit which reports are fetched from FortiRecon ACI. The fetched data is used to create a mapping between the FortiRecon ACI reports and FortiSOAR™ Threat Intel Management.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of FortiRecon ACI reports to the fields of Threat Intel Management present in FortiSOAR™.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiRecon ACI, so that the content gets pulled from the FortiRecon ACI integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiRecon ACI every 5 minutes, click Every X Minute and in the minute box enter */5. This means that, based on the configuration you have set up, data, i.e., indicators, will be pulled from FortiRecon ACI every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.


Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-aci

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon ACI connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL or IP address of the FortiRecon server to connect and perform the automated operations.
API Key Specify the API key configured for your account for using the Fortinet FortiRecon ACI APIs.
Organization ID Specify the organization ID used to fetch records with the Fortinet FortiRecon ACI connector.
Verify SSL Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get IOCs Retrieves a list of all IOCs or specific IOCs published in ACI reporting for the organization ID specified in the configuration parameters and other input parameters you have specified. get_iocs
Investigation
Get Leaked Cards Retrieves a list of all leaked cards or specific leaked cards found for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_leaked_cards
Investigation
Get Widgets Retrieves a list of all widgets or specific widgets for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_widgets
Investigation
Get OSINT Feeds Retrieves a list of all OSINT feeds or specific OSINT feeds for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. get_osint_feeds
Investigation
Get Reports Retrieves a list of all reports or specific reports for the organization ID specified in the configuration parameters and other input parameters you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, and the metadata related to the reports. Note that IOCs are not included in the returned data. get_reports
Investigation
Get Reports With IOCs Retrieves details, including IOCs, for a specific report for the organization ID specified in the configuration parameters and the report ID you have specified from Fortinet FortiRecon ACI. The data returned by this operation contains a list of all the filtered reports with title, summary, report URL, IOCs, and the metadata related to the reports. get_reports_with_iocs
Investigation
Get ICL Saved Searches Retrieves a list of intelligence collection lookup (ICL) searches saved for the organization ID specified in the configuration parameters based on the search keyword, query type, and other filter criteria that you have specified. get_icl_saved_searches
Investigation
Get ICL Saved Searches By ID Retrieves a list of intelligence collection lookup (ICL) searches saved for the organization ID specified in the configuration parameters based on the search ID, time period, and other filter criteria that you have specified. get_icl_saved_searches_by_id
Investigation
Get Stealers Infections Leaked Count Retrieves a count of systems for the organization ID specified in the configuration parameters that have been infected with credential stealers, that is, malware programs designed to capture sensitive data such as usernames, passwords, and other credentials from compromised machines; the count is filtered by affiliated domain or stealer. get_stealers_infections_leaked_count
Investigation
Get Leaked Stealers Infections Retrieves a list of systems for the organization ID specified in the configuration parameters that have been infected with credential stealers, that is, malware programs designed to capture sensitive data such as usernames, passwords, and other credentials from compromised machines; the list is filtered by the search keyword, stealer name, and other filter criteria that you have specified. get_leaked_stealers_infections
Investigation
Get Vendor Exposures By Vendor ID Retrieves detailed intelligence about security exposures or vulnerabilities tied to a particular vendor (a third-party supplier, software provider, or hardware manufacturer) for the organization ID specified in the configuration parameters, based on the required information type and vendor ID that you have specified. get_vendor_exposures_by_id
Investigation
Get Vendor Watchlist Retrieves potential security risks and exposures associated with specific vendors that are part of the organization's supply chain or external partnerships, for the organization ID specified in the configuration parameters, based on the domain, name, and other filter criteria that you have specified. get_vendor_watchlist
Investigation
Get Vendor Details By ID Retrieves a vendor's details for the organization ID specified in the configuration parameters based on the vendor ID that you have specified. get_vendor_details_by_id
Investigation
Get Vulnerability Intelligence CVEs Retrieves a list of Vulnerability Intelligence CVEs for the organization ID specified in the configuration parameters based on the source type, FortiRecon severity, and other filter criteria that you have specified. get_vulnerability_intelligence_cves
Investigation
Get Vulnerability Intelligence CVEs By ID Retrieves a list of Vulnerability Intelligence CVEs for the organization ID specified in the configuration parameters based on the vulnerability ID that you have specified. get_vulnerability_intelligence_cves_by_id
Investigation
Get Vulnerability Intelligence vulnerable products Retrieves a list of vulnerability intelligence on vulnerable products for the organization ID specified in the configuration parameters based on the input source type, sorting criteria and other filter criteria that you have specified. get_vulnerability_intelligence_vulnerable_products
Investigation
Get Vulnerability Intelligence vulnerable vendors Retrieves a list of vulnerability intelligence on vulnerable vendors for the organization ID specified in the configuration parameters based on the input source type, sorting criteria and other filter criteria that you have specified. get_vulnerability_intelligence_vulnerable_vendors
Investigation
Get Vulnerability Intelligence hits By CVE ID Retrieves vulnerability intelligence found in the various data sources for a given CVE ID based on the selected source, CVE ID, and other filter criteria that you have specified. get_vulnerability_intelligence_hits_by_cve_id
Investigation
Get Vulnerability Intelligence Stats For CVE ID Retrieves vulnerability intelligence statistics for a given CVE ID based on the selected source, CVE ID, and other filter criteria that you have specified. get_vulnerability_intelligence_stats_for_cve_id
Investigation
Get Stealers Infections On Sale Count Retrieves the count of compromised systems affiliated with the organization ID specified in the configuration parameters that are currently being offered for sale on darknet marketplaces. get_stealers_infections_on_sale_count
Investigation
Get Stealers Infections On Sale Retrieves information on compromised systems affiliated with the organization ID specified in the configuration parameters that are currently being offered for sale on darknet marketplaces, based on searched keyword, stealer name and other filter criteria that you have specified. get_stealers_infections_on_sale
Investigation
Get Ransomware Victims Retrieves a list of ransomware victims affiliated with the organization ID specified in the configuration parameters based on the searched keyword, ransomware name, and other filter criteria that you have specified. get_ransomware_victims
Investigation
Get Ransomware Victim Details By ID Retrieves details of a ransomware victim based on the ID that you have specified. get_ransomware_victims_details_by_id
Investigation
Get Ransomware Vendors Added For Ransomware Intelligence Monitoring Retrieves vendors being monitored for potential ransomware threats based on the pagination parameters that you have specified. get_ransomware_intel_vendors_watchlist
Investigation
Get Ransomware Vendors Matched Retrieves a list of vendors for the organization ID specified in the configuration parameters that have been affected by ransomware activity, based on the pagination parameters that you have specified. get_ransomware_intel_vendors_watchlist_matched
Investigation
Get Ransomware Intelligence Stats Retrieves statistics of ransomware activity for the organization ID specified in the configuration parameters based on the statistics type, time range type, and other filter criteria that you have specified. get_ransomware_intelligence_statistics
Investigation
Get Ransomware Threat Campaign Retrieves ransomware threat campaigns for the organization ID specified in the configuration parameters based on the pagination parameters that you have specified. get_ransomware_threat_campaigns
Investigation
Get Potential Ransomware Victims Retrieves potential ransomware victim targets for the organization ID specified in the configuration parameters based on the threat actor name, country, and other filter criteria that you have specified. get_ransomware_potential_victims
Investigation
Get Ransomware Intelligence Orgs Watchlist To Monitor Retrieves the organizations added for ransomware intelligence monitoring under the organization ID specified in the configuration parameters, based on the pagination parameters that you have specified. get_ransomware_intel_org_watchlist
Investigation
Get The Matched Organizations For Ransomware Intelligence Monitoring Retrieves a list of organizations for the organization ID specified in the configuration parameters that have been affected by ransomware activity, based on the pagination parameters that you have specified. get_ransomware_intel_org_watchlist_matched
Investigation
Get The Technical Indicators For The Given Ransomware Group Retrieves the technical indicators, such as IP addresses, file hashes, and malware signatures, associated with a particular ransomware group, based on the ransomware group name and other filter criteria that you have specified. get_technical_indicators_for_given_ransomware_group
Investigation
Get Ransomware Group Information Retrieves detailed intelligence on a specific ransomware group, including their known tactics, techniques, procedures (TTPs), targeted industries, history of attacks, and associated malware based on the ransomware group name that you have specified. get_ransomware_group_info
Investigation
Update Stealers Leaked Status Updates the status of a stealers leaked record, i.e., a record of stealer-harvested data that has been leaked or exposed, typically in underground forums or marketplaces, based on the stealers leaked record ID. update_stealers_leaked_status
Investigation
Update Stealers On Sale(Marketplaces) Status Updates the status of a stealers on sale (marketplaces) record, i.e., a record of stealer-harvested data that is currently being sold or traded on underground marketplaces, based on the stealers record ID. update_stealers_on_sale_status
Investigation

operation: Get IOCs

Input parameters

Parameter Description
Report ID Specify a comma-separated list of report IDs from which to fetch the IOCs.
IOC Type Specify one or more IOC types (comma-separated) to retrieve from Fortinet FortiRecon ACI. For example, cve,IP-REPUTATION
Start Date Specify the date from when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve IOCs from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
Get All Records (Optional) Select to retrieve all records. Selecting this parameter ignores values in parameters Page and Size. By default, this is selected, i.e. set to true.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        },
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
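The Page, Size and Get All Records parameters above describe the pagination contract that every list-returning action on this page shares: a response of the form {"hits": [...], "page", "size", "total"}, Page defaulting to 1, Size defaulting to 10 and capped at 500. The following Python is an added example, not connector code or a FortiRecon API: it assumes only that response shape plus a hypothetical caller-supplied fetch_page(page, size) callable that runs the action for one page, and it shows how a playbook-side helper can walk every page safely (clamping Size, stopping on a short or empty page) and de-duplicate the returned Get IOCs records by ioc_type before they are turned into threat intel indicators. The sample records are constructed, including the placeholder CVE id.

```python
"""Walk paginated FortiRecon ACI action output and de-duplicate IOCs.

Added example, not connector or FortiRecon code. It assumes only the
documented response shape {"hits": [...], "page": ..., "size": ..., "total": ...}
and the documented limits (Page defaults to 1, Size defaults to 10 and is
capped at 500). `fetch_page` is a hypothetical caller-supplied callable that
runs the action for one page; it stands in for the real playbook step.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterator, List, Set

MAX_PAGE_SIZE = 500     # documented maximum for the Size parameter
DEFAULT_PAGE_SIZE = 10  # documented default for the Size parameter

# fetch_page(page, size) -> one page in the documented {"hits", "page", "size", "total"} shape
PageFetcher = Callable[[int, int], Dict]


def iter_all_hits(fetch_page: PageFetcher, size: int = MAX_PAGE_SIZE) -> Iterator[Dict]:
    """Yield every record across all pages (the 'Get All Records' behaviour).

    Starts at page 1, clamps the requested size to the documented maximum,
    and stops when the number of records seen reaches 'total', when a page
    comes back short, or when a page is empty (guards against a 'total'
    that disagrees with the data actually returned, e.g. an empty string).
    """
    if size < 1:
        raise ValueError("size must be at least 1")
    size = min(size, MAX_PAGE_SIZE)
    page, seen = 1, 0
    while True:
        resp = fetch_page(page, size)
        hits = resp.get("hits") or []
        if not hits:
            return
        for hit in hits:
            yield hit
        seen += len(hits)
        total = int(resp.get("total") or 0)
        if seen >= total or len(hits) < size:
            return
        page += 1


def collect_iocs(fetch_page: PageFetcher) -> Dict[str, List[str]]:
    """Group IOC values from Get IOCs output by ioc_type, de-duplicated.

    The same indicator is commonly published in several reports; a threat
    intel feed wants it once, so the (report_id, report_title) context is
    dropped here and only distinct values per type are kept.
    """
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for hit in iter_all_hits(fetch_page):
        value = (hit.get("ioc") or "").strip()
        if not value:
            continue  # skip malformed records rather than creating empty indicators
        grouped[str(hit.get("ioc_type", "unknown")).lower()].add(value)
    return {ioc_type: sorted(values) for ioc_type, values in grouped.items()}


def make_fake_fetcher(records: List[Dict]) -> PageFetcher:
    """Build an offline fetch_page over an in-memory list (test double)."""
    def fetch_page(page: int, size: int) -> Dict:
        start = (page - 1) * size
        return {"hits": records[start:start + size], "page": page,
                "size": size, "total": len(records)}
    return fetch_page


# Constructed sample output of Get IOCs: one indicator appears in two reports.
SAMPLE_HITS = [
    {"ioc": "203.0.113.10", "ioc_type": "IP-REPUTATION", "report_id": "R-1", "report_title": "Sample report 1"},
    {"ioc": "CVE-0000-0001", "ioc_type": "cve", "report_id": "R-1", "report_title": "Sample report 1"},  # placeholder id
    {"ioc": "203.0.113.10", "ioc_type": "IP-REPUTATION", "report_id": "R-2", "report_title": "Sample report 2"},
]

if __name__ == "__main__":
    print(collect_iocs(make_fake_fetcher(SAMPLE_HITS)))
```

In a real playbook the fetch_page callable would wrap the connector action with the Page and Size inputs; everything else stays the same for any of the paginated actions on this page, since they all return the same hits/page/size/total envelope.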

operation: Get Leaked Cards

Input parameters

Parameter Description
Type Specify the type of leaked card to retrieve from Fortinet FortiRecon ACI.
Bin Specify one or more BINs (bank identification numbers) associated with the leaked cards to retrieve from Fortinet FortiRecon ACI. For example, 123456,654321
Start Date Specify the date from when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve leaked cards from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "bank_name": "",
            "base_name": "",
            "bg_code": "",
            "bin": "",
            "brand_name": "",
            "category": "",
            "city": "",
            "country": "",
            "expiry": "",
            "holder_name": "",
            "index_ts": "",
            "org_id": "",
            "price": "",
            "shop_name": "",
            "state": "",
            "type": "",
            "unique_id": "",
            "zip": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Widgets

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        },
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get OSINT Feeds

Input parameters

Parameter Description
Widget ID Specify the widget ID by which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Keyword Specify the keyword by which to filter the OSINT feeds retrieved from Fortinet FortiRecon ACI.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "content_snippet": "",
            "is_latest": "",
            "link": "",
            "publish_date": "",
            "tags": [
                "",
                ""
            ],
            "title": "",
            "widget_id": "",
            "widget_name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports

Input parameters

Parameter Description
Relevance Rating Specify one or more relevance ratings (comma-separated) of the reports to retrieve from Fortinet FortiRecon ACI. For example, Medium,High,Low.
Tags Specify one or more tags (comma-separated) associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Data Breach,Cyber Crime.
Adversary Specify one or more adversaries (comma-separated) associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, Databases,APT 34.
Source Category Specify one or more source categories (comma-separated) associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, OSINT,Darknet.
Report Type Specify one or more report types (comma-separated) to retrieve from Fortinet FortiRecon ACI. For example, Flash Report,Flash Alert.
Industry Specify one or more industries (comma-separated) associated with the reports to retrieve from Fortinet FortiRecon ACI. For example, All Sectors,Technology.
Geography Specify one or more geographies (comma-separated) of the reports to retrieve from Fortinet FortiRecon ACI. For example, Western Europe,South East Asia.
Keyword Specify the keyword by which to filter the reports retrieved from Fortinet FortiRecon ACI.
Source Reliability Specify the source reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Information Reliability Specify the information reliability of the reports to retrieve from Fortinet FortiRecon ACI.
Start Date Specify the date from when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Now - 6 months (YYYY-MM-DD).
End Date Specify the date till when to retrieve reports from Fortinet FortiRecon ACI. By default, this is set to Current Date (YYYY-MM-DD).
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "adversary": [
                ""
            ],
            "geography": [
                ""
            ],
            "industry_tags": [
                ""
            ],
            "information_date": "",
            "information_reliability": "",
            "motivation": "",
            "publish_date": "",
            "relevance_rating": "",
            "report_id": "",
            "report_title": "",
            "report_type": "",
            "source_category": "",
            "source_name": "",
            "source_reliability": "",
            "status": "",
            "summary": "",
            "threat": [
                "",
                ""
            ],
            "tlp": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Reports With IOCs

Input parameters

Parameter Description
ID Specify the ID of the report whose details, including IOCs, to retrieve from Fortinet FortiRecon ACI.

Output

The output contains the following populated JSON schema:

{
    "adversary": [
        ""
    ],
    "category": "",
    "customer_tag": "",
    "geography": [
        ""
    ],
    "industry_tags": [
        ""
    ],
    "information_date": "",
    "information_reliability": "",
    "ioc": [],
    "motivation": "",
    "publish_date": "",
    "relevance_rating": "",
    "report_id": "",
    "report_title": "",
    "source_name": "",
    "source_reliability": "",
    "status": "",
    "summary": "",
    "tags": [
        "",
        ""
    ],
    "tlp": "",
    "type": ""
}

operation: Get ICL Saved Searches

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to filter the retrieved results by searching the sources and query fields of the saved searches.
Alert (Optional) Select True to return ICL saved searches that trigger alerts. Select False to return searches that do not trigger alerts.
Query Type (Optional) Select a query type to filter retrieved results. You can select from the following options:
  • System
  • User
Start Date (Optional) Select the start date of the range when a saved search was added.

NOTE: Selecting a start date is mandatory if an end date is selected.

End Date (Optional) Select the end date of the range when a saved search was added. Default is current date.

NOTE: Selecting an end date is mandatory if a start date is selected.

Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "alert": "",
            "id": "",
            "query": "",
            "query_title": "",
            "query_type": "",
            "sources": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get ICL Saved Searches By ID

Input parameters

Parameter Description
Get ICL Saved Searches Result Based On Select the criterion or platform based on which to fetch the ICL saved searches result. You can choose from the following options:
  • Archived Forums
  • Defacements
  • Forums
  • Leak Docs
  • Osint Feeds
  • Pastes
  • Ransomware
  • Telegram
ID Specify the saved search ID to fetch its details.
Start Date (Optional) Select the start date of the range when a saved search was added. Default is last 12 months.

NOTE: Selecting a start date is mandatory if an end date is selected.

End Date (Optional) Select the end date of the range when a saved search was added. Default is current date.

NOTE: Selecting an end date is mandatory if a start date is selected.

Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get ICL Saved Searches Result Based On as Archived Forums:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "source_site": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Defacements:

{
    "hits": [
        {
            "author_name": "",
            "defaced_domain": "",
            "mirror_link": "",
            "published_ts": "",
            "source_site": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Forums:

{
    "hits": [
        {
            "author_name": "",
            "content": "",
            "published_ts": "",
            "source_site": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Leak Docs:

{
    "hits": [
        {
            "information_source": "",
            "published_ts": "",
            "title": "",
            "victim_company": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Osint Feeds:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "source_url": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Pastes:

{
    "hits": [
        {
            "author_name": "",
            "content": "",
            "published_ts": "",
            "source_url": "",
            "title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Ransomware:

{
    "hits": [
        {
            "content": "",
            "published_ts": "",
            "ransomware_name": "",
            "title": "",
            "victim_company": "",
            "victim_country": "",
            "victim_domains": "",
            "victim_sectors": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get ICL Saved Searches Result Based On as Telegram:

{
    "hits": [
        {
            "author_id": "",
            "author_name": "",
            "channel": "",
            "message": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Stealers Infections Leaked Count

Input parameters

Parameter Description
Based On Select the criteria based on which to fetch the count of systems infected with stealer malware whose data might have been leaked in underground forums or marketplaces. You can choose from the following options:
  • Affiliated Domain: Select to filter the count based on the domain or a set of domains associated with the stealer infections. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
  • Status: Select to filter the count based on the current status of the infections, such as whether they are still active, leaked, or resolved.
  • Stealer: Select to filter the count based on the specific type of stealer malware involved. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Based On as Affiliated Domain:

{
    "count_by_affiliated_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Status:

{
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Stealer:

{
    "count_by_stealer": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Leaked Stealers Infections

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search the username and stealer name fields of systems that have been infected by credential stealers.
Stealer Name (Optional) Specify a stealer name to filter the results by that stealer. Multiple stealer names can be specified as comma-separated OR values. For example: Vidar,Redline,Racoon,AZORult,risepro.
Affiliated Domain (Optional) Specify an affiliated domain to filter the results by that domain. Multiple affiliated domains can be specified as comma-separated OR values. For example: domain1.com,domain2.com.
Status (Optional) Select the current state of the stealer infection or the data leak event. You can choose from the following options:
  • ACTIVE: Select to retrieve results where the infection or the data leak is still ongoing and has not been contained.
  • RESOLVED: Select to retrieve results where the infection or the data leak has been contained or mitigated, and the risk from that specific incident has been addressed.
User Type (Optional) Select the type of affected user, that is, users whose credentials or other sensitive information were compromised by stealer malware. You can choose from the following options:
  • EMPLOYEE
  • USER
Start Date (Optional) Select the start date of the timeframe during which the data leak by the stealer infection was reported.

NOTE: Selecting a start date is mandatory if an End Date is selected.

End Date (Optional) Select the end date of the timeframe during which the data leak by the stealer infection was reported. Default is the current date.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "country": "",
            "country_code": "",
            "id": "",
            "infection_ts": "",
            "ip": "",
            "status": "",
            "stealer_name": "",
            "url": "",
            "username": "",
            "user_type": "",
            "affiliated_domain": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
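Consuming the paginated result above from a playbook step, as an added example that is not the connector's own code: it relies only on the documented hits/page/size/total fields and the 500-record Size limit, uses constructed sample hits, and ranks ACTIVE infections by affiliated domain with EMPLOYEE accounts first so the riskiest exposures surface for response.

```python
"""Triage helper for 'Get Leaked Stealers Infections' results.

Added example, not part of the Fortinet FortiRecon ACI connector. It assumes
the operation returns the schema documented above: a dict with "hits",
"page", "size" and "total", each hit carrying "status", "user_type",
"affiliated_domain", "stealer_name", "username" and "infection_ts".
"""
from collections import defaultdict

MAX_PAGE_SIZE = 500  # maximum value of the Size parameter, per the docs

# Constructed sample response (not real FortiRecon data); "total" says 1203
# records exist, of which this page (Size 500) holds the first few.
SAMPLE_RESULT = {
    "hits": [
        {"id": "1", "status": "ACTIVE", "user_type": "EMPLOYEE", "affiliated_domain": "example.com",
         "stealer_name": "Vidar", "username": "alice", "infection_ts": "2024-05-02T10:15:00Z"},
        {"id": "2", "status": "ACTIVE", "user_type": "USER", "affiliated_domain": "example.com",
         "stealer_name": "Redline", "username": "bob", "infection_ts": "2024-05-03T08:00:00Z"},
        {"id": "3", "status": "RESOLVED", "user_type": "EMPLOYEE", "affiliated_domain": "example.com",
         "stealer_name": "Vidar", "username": "carol", "infection_ts": "2024-04-20T12:30:00Z"},
        {"id": "4", "status": "ACTIVE", "user_type": "EMPLOYEE", "affiliated_domain": "partner.example",
         "stealer_name": "AZORult", "username": "dave", "infection_ts": "2024-05-04T09:45:00Z"},
        {"id": "5", "status": "ACTIVE", "user_type": "EMPLOYEE", "affiliated_domain": "partner.example",
         "stealer_name": "Vidar", "username": "erin", "infection_ts": "2024-05-05T16:20:00Z"},
    ],
    "page": 1,
    "size": 500,
    "total": 1203,
}


def validate_timeframe(start_date, end_date):
    """Enforce the documented rule: Start Date is mandatory if an End Date is selected."""
    if end_date and not start_date:
        raise ValueError("Start Date is mandatory when an End Date is selected")
    return True


def pages_remaining(page, size, total):
    """Number of further pages to request after `page`, derived from the
    page/size/total fields returned with every paginated result."""
    size, page, total = int(size), int(page), int(total)
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"Size must be between 1 and {MAX_PAGE_SIZE}")
    last_page = max(1, -(-total // size))  # ceiling division
    return max(0, last_page - page)


def triage_leaked_infections(hits):
    """Group ACTIVE infections by affiliated domain and rank domains by the
    number of compromised EMPLOYEE accounts, then USER accounts.

    RESOLVED hits are skipped: the connector marks those as already contained.
    """
    by_domain = defaultdict(lambda: {"employee": 0, "user": 0, "stealers": set(), "usernames": []})
    for hit in hits:
        if hit.get("status") != "ACTIVE":
            continue
        bucket = by_domain[hit.get("affiliated_domain", "")]
        if hit.get("user_type") == "EMPLOYEE":
            bucket["employee"] += 1
        else:
            bucket["user"] += 1
        bucket["stealers"].add(hit.get("stealer_name", ""))
        bucket["usernames"].append(hit.get("username", ""))

    ranked = sorted(by_domain.items(),
                    key=lambda kv: (kv[1]["employee"], kv[1]["user"]), reverse=True)
    return [
        {
            "affiliated_domain": domain,
            "active_employee": b["employee"],
            "active_user": b["user"],
            "stealers": sorted(b["stealers"]),
            "usernames": b["usernames"],
        }
        for domain, b in ranked
    ]


if __name__ == "__main__":
    validate_timeframe("2024-04-01", "2024-05-31")
    print("pages still to fetch:",
          pages_remaining(SAMPLE_RESULT["page"], SAMPLE_RESULT["size"], SAMPLE_RESULT["total"]))
    for row in triage_leaked_infections(SAMPLE_RESULT["hits"]):
        print(row)
```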

operation: Get Vendor Exposures By Vendor ID

Input parameters

Parameter Description
Get Exposures For Select the exposure type to fetch for the specified vendor. You can choose from the following options:
  • Attack Surface Exposure
  • Darknet Exposure
  • Incidents
ID Specify the vendor ID to fetch its details related to the selected exposure type.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get Exposures For as Attack Surface Exposure:

{
    "asset_distribution": [
        {
            "country": "",
            "severity": {},
            "total_assets": ""
        }
    ],
    "commonly_targeted_services": [
        {
            "count": "",
            "port_number": ""
        }
    ],
    "issues_by_severity": {
        "high": "",
        "low": "",
        "medium": ""
    },
    "risk_level": "",
    "security_issues": [
        {
            "asset_count": "",
            "issue_bucket": "",
            "issue_count": {
                "high": "",
                "low": "",
                "medium": ""
            },
            "sub_issues": [
                {
                    "asset_count": "",
                    "issue_name": ""
                }
            ]
        }
    ]
}

Output schema when you choose Get Exposures For as Darknet Exposure:

{
    "botnet_infections": {
        "compromised_employee": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "compromised_user": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "stealer_marketplace": [
            {
                "count": "",
                "duration": ""
            }
        ]
    },
    "credential_breaches": {
        "credex": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "credex_indexed": [
            {
                "count": "",
                "duration": ""
            }
        ],
        "credex_names": [
            {
                "count": "",
                "name": ""
            }
        ]
    },
    "darknet_mentions": {
        "count": ""
    },
    "dataleak_mentions": {
        "count": ""
    },
    "risk_level": ""
}

Output schema when you choose Get Exposures For as Incidents:

{
    "fortirecon_reportings": {
        "count": "",
        "hits": [
            {
                "actor": "",
                "affected_domain": "",
                "timestamp": ""
            }
        ]
    },
    "ransomware_incidents": {
        "count": "",
        "hits": [
            {
                "affected_domain": "",
                "ransomware_name": "",
                "timestamp": ""
            }
        ]
    },
    "risk_level": ""
}

operation: Get Vendor Watchlist

Input parameters

Parameter Description
Filter By Domain (Optional) Specify a domain to filter the retrieved vendors added for monitoring by the specified domain.
Filter By Name (Optional) Specify a name to filter the retrieved vendors added for monitoring by the specified name.
Approval Status (Optional) Select the approval status of the vendor. You can choose from the following options:
  • Pending
  • Approved
  • Rejected
Status (Optional) Select the monitoring status of the vendor. You can choose from the following options:
  • Pending
  • Started
  • Failed
  • Completed
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "vendor_id": "",
            "name": "",
            "domain": "",
            "website": "",
            "logo": "",
            "risk_level": "",
            "status": "",
            "approval_status": "",
            "last_refreshed_on": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vendor Details By ID

Input parameters

Parameter Description
ID Specify the vendor ID to fetch its details, such as Alexa rank, approval status, and country.

Output

The output contains the following populated JSON schema:

{
    "vendor_id": "",
    "alexa_rank": "",
    "approval_status": "",
    "continent": "",
    "country": "",
    "desc": "",
    "domain": "",
    "employee_count": "",
    "logo": "",
    "name": "",
    "revenue": "",
    "primary_industry": [],
    "status": "",
    "website": ""
}

operation: Get Vulnerability Intelligence CVEs

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Fortirecon Severity (Optional) Select the severity based on which you want to filter the result. You can choose from the following options:
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
NVD Severity (Optional) Select the severity based on which you want to filter the result. You can choose from the following options:
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
CVE Year (Optional) Specify the year when the CVE was reported to filter the results by the specified CVE year. Multiple CVE years can be specified as comma-separated OR values. For example: 2018,2019.
Addition (Optional) Select the source through which the CVE was added, to filter the results when the value selected for the Input Source Type parameter is CLIENT. You can choose from the following options:
  • EASM
  • IASM
  • MANUAL
Vulnerability Exploitation (Optional) Select the vulnerability exploitation type to filter the retrieved results. You can choose from the following options:
  • APT_GROUP
  • RANSOMWARE
  • UNKNOWN
Vendors (Optional) Specify the vendor based on which to filter the retrieved results. Multiple vendors can be specified as comma-separated OR values. For example: debian,canonical,nodejs,openssl.
Products (Optional) Specify the products based on which to filter the retrieved results. Multiple products can be specified as comma-separated OR values. For example: debian,canonical,nodejs,openssl.
Tag IDs (Optional) Specify the tag IDs based on which to filter the retrieved results. Multiple tag IDs can be specified as comma-separated OR values. For example: 65dd1123aa1d5e9ab668ac56,56dd1768aa1d5o9ab668ac56.
Keyword (Optional) Specify the keyword based on which to filter the retrieved results. The specified keyword is used to perform a partial search on the CVE ID field. For example: CVE-2018.
Elevated (Optional) Select to fetch the CVEs (Common Vulnerabilities and Exposures) associated with a higher level of impact or severity.
Sort By Recon Score (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Recon Score Descending Order
  • Sort by Recon Score Ascending Order
Data Sources (Optional) Specify the data sources based on which to filter the retrieved results. Multiple data sources can be specified as comma-separated OR values. You can choose more than one from the following options:
  • ACI Reporting
  • Darknet Chatter
  • Working Exploits
  • POC Exploits
  • Security Blogs
  • Hacktivist Chatter
  • Social Media
  • FortiGuard Outbreak Alert
Start Date (Optional) Select the start date of the timeframe during which the vulnerability intelligence CVE was added.
End Date (Optional) Select the end date of the timeframe during which the vulnerability intelligence CVE was added.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "cve_id": "",
            "is_active": "",
            "nvd_score": "",
            "status": "",
            "nvd_severity": "",
            "recon_score": "",
            "recon_severity": "",
            "year": "",
            "tags": "",
            "description": "",
            "products": [],
            "vendors": [],
            "iasm_affected_hosts": [],
            "easm_affected_hosts": [],
            "last_refreshed_ts": "",
            "created_ts": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence CVEs By ID

Input parameters

Parameter Description
ID Specify the CVE ID to fetch its details.

Output

The output contains the following populated JSON schema:

{
    "cve_id": "",
    "is_active": "",
    "status": "",
    "nvd_score": "",
    "nvd_severity": "",
    "recon_score": "",
    "recon_severity": "",
    "year": "",
    "vendors": [],
    "tags": [],
    "products": [],
    "description": "",
    "easm_affected_hosts": [],
    "iasm_affected_hosts": [],
    "last_refreshed_ts": "",
    "published_ts": "",
    "created_ts": "",
    "lookup_priority": "",
    "nvd_metadata": ""
}

operation: Get Vulnerability Intelligence vulnerable products

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Sort By Product Count (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Product Count Descending Order
  • Sort by Product Count Ascending Order
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "product": "",
            "count": "",
            "recon_severity": {
                "low": "",
                "medium": "",
                "critical": ""
            },
            "nvd_severity": {
                "medium": "",
                "high": "",
                "critical": "",
                "low": ""
            }
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence vulnerable vendors

Input parameters

Parameter Description
Input Source Type Select the input source type based on which to filter the retrieved results. You can choose from the following options:
  • CLIENT
  • ACI
Sort By Vendor Count (Optional) Select the order by which to sort the results. You can choose from the following options:
  • Sort by Vendor Count Descending Order
  • Sort by Vendor Count Ascending Order
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "vendor": "",
            "count": "",
            "recon_severity": {
                "low": "",
                "medium": "",
                "critical": ""
            },
            "nvd_severity": {
                "medium": "",
                "high": "",
                "critical": "",
                "low": ""
            }
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence hits By CVE ID

Input parameters

Parameter Description
Get the CVE hits for a given CVE ID Based On Select on what basis you want to filter the vulnerability intelligence hits. You can choose from the following options:
  • ACI Reporting
  • Darknet Chatter
  • Working Exploits
  • POC Exploits
  • Security Blogs
  • Hacktivist Chatter
  • Social Media
CVE ID Specify the CVE ID to filter the vulnerability intelligence hits.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get the CVE hits for a given CVE ID Based On as ACI Reporting:

{
    "hits": [
        {
            "report_id": "",
            "report_title": "",
            "summary": "",
            "publish_date": "",
            "relevance_rating": "",
            "_id": "",
            "adversary": "",
            "source_category": "",
            "motivation": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Darknet Chatter:

{
    "hits": [
        {
            "published_ts": "",
            "is_topic": "",
            "source_site": "",
            "title": "",
            "thread_id": "",
            "thread_url": "",
            "content": "",
            "author_name": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Working Exploits:

{
    "hits": [
        {
            "url": "",
            "published_ts": "",
            "repo_source": "",
            "author_name": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as POC Exploits:

{
    "hits": [
        {
            "html_url": "",
            "owner_username": "",
            "repo_name": "",
            "description": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Security Blogs:

{
    "hits": [
        {
            "title": "",
            "description": "",
            "link": "",
            "author": "",
            "published_date": "",
            "is_trusted": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Hacktivist Chatter:

{
    "hits": [
        {
            "channel": "",
            "message": "",
            "message_type": "",
            "image_url": "",
            "author_id": "",
            "author_name": "",
            "published_ts": "",
            "message_link": "",
            "sender_url": "",
            "_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get the CVE hits for a given CVE ID Based On as Social Media:

{
    "hits": [
        {
            "_id": "",
            "author_id": "",
            "author_name": "",
            "source_url": "",
            "content": "",
            "published_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Vulnerability Intelligence Stats For CVE ID

Input parameters

Parameter Description
Get stats for the given CVE ID Based On Select on what basis you want to filter the vulnerability intelligence statistics. You can choose from the following options:
  • Data Source Distribution
  • Data Source Trend
  • Score Trend
CVE ID Specify the CVE ID to filter the vulnerability intelligence statistics.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get stats for the given CVE ID Based On as Data Source Distribution:

{
    "hits": [
        {
            "count": "",
            "label": ""
        }
    ]
}

Output schema when you choose Get stats for the given CVE ID Based On as Data Source Trend:

{
    "hits": [
        {
            "data": {
                "ACI Reporting": "",
                "Darknet Chatter": "",
                "FortiGuard Outbreak Alert": "",
                "Hacktivist Chatter": "",
                "POC Exploit": "",
                "Security Blogs": "",
                "Social Media": "",
                "Working Exploit": ""
            },
            "date": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Output schema when you choose Get stats for the given CVE ID Based On as Score Trend:

{
    "hits": [
        {
            "date": "",
            "epss_score": "",
            "recon_score": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Stealers Infections On Sale Count

Input parameters

Parameter Description
Based On Select the criteria based on which to fetch the count of systems infected with stealer malware whose data is on sale in underground forums or marketplaces. You can choose from the following options:
  • Matched Domain: Select to filter the count based on the domain or a set of domains associated with the stealer infections. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.
  • Stealer: Select to filter the count based on the specific type of stealer malware involved. Once selected, specify the following parameters:
    • Page: Specify a page number to retrieve information from that page. Defaults to 1.
    • Size: Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

Output schema when you choose Based On as Matched Domain:

{
    "count_by_matched_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

Output schema when you choose Based On as Stealer:

{
    "count_by_stealer": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Stealers Infections On Sale

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search the username, stealer name, sites, country, ISP, and state fields of systems that have been infected by credential stealers.
Stealer Name (Optional) Specify a stealer name to filter the results by that stealer. Multiple stealer names can be specified as comma-separated OR values. For example: Vidar,Redline,Racoon,AZORult,risepro.
Marketplace Name (Optional) Specify a marketplace name to filter the results by that marketplace. Multiple marketplace names can be specified as comma-separated OR values. For example: 2easy,genesis,russian market.
ISP Name (Optional) Specify an ISP name to filter the results by that ISP. Multiple ISPs can be specified as comma-separated OR values. For example: Amazon.com,IRANET TELECOM.
Country Name (Optional) Specify a country name to filter the results by that country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
State Name (Optional) Specify a state name to filter the results by that state. Multiple states can be specified as comma-separated OR values. For example: Indiana,Texas.
Matched Domain (Optional) Specify a matched domain to filter the results by that domain. Multiple matched domains can be specified as comma-separated OR values. For example: domain1.com,domain2.com.
Status (Optional) Select the status of the stolen credentials that are on sale. You can choose from the following options:
  • ACTIVE
  • RESOLVED
Start Date (Optional) Select the start date of the timeframe during which the leaked credentials appearing on a marketplace were reported.

NOTE: Selecting a start date is mandatory if an End Date is selected.

End Date (Optional) Select the end date of the timeframe during which the leaked credentials appearing on a marketplace were reported. Default is the current date.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "marketplace": "",
            "isp": "",
            "sites": [],
            "stealer_name": "",
            "country": "",
            "country_code": "",
            "state": "",
            "matched_domains": [],
            "price": "",
            "currency": "",
            "vendor": "",
            "status": "",
            "discovery_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Victims

Input parameters

Parameter Description
Search By Keyword (Optional) Specify the keyword based on which to filter the retrieved results. The specified keyword is used to search the title, ransomware name, and description fields.
Filter By Ransomware Name (Optional) Specify a ransomware name based on which to filter the ransomware victims.
Country (Optional) Specify a country name to filter the results by the specified country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
Sectors (Optional) Specify a sector name to filter the results by the specified sector. Multiple sectors can be specified as comma-separated OR values. For example: Business Services,Accounting Services.
Start Date (Optional) Select the start date of the timeframe during which to retrieve ransomware victims.
End Date (Optional) Select the end date of the timeframe during which to retrieve ransomware victims.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "title": "",
            "name": "",
            "domains": [],
            "revenue": "",
            "post_text": "",
            "sectors": [],
            "country": "",
            "continent": "",
            "ransomware_name": "",
            "description": "",
            "added_ts": "",
            "updated_ts": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Victim Details By ID

Input parameters

Parameter Description
ID Specify the ransomware victim ID to fetch its details.

Output

The output contains the following populated JSON schema:

{
    "id": "",
    "post_title": "",
    "post_text": "",
    "ransomware_name": "",
    "victim_domains": [],
    "victim_company": "",
    "victim_country": "",
    "victim_continent": "",
    "victim_sectors": [],
    "victim_description": "",
    "victim_parent_org": "",
    "victim_revenue_in_usd": [],
    "posted_ts": "",
    "updated_ts": "",
    "collection_ts": ""
}

operation: Get Ransomware Vendors Added For Ransomware Intelligence Monitoring

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "domain": "",
            "vendor_name": "",
            "added_ts": "",
            "updated_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Vendors Matched

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "domains": [],
            "name": "",
            "type": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Intelligence Stats

Input parameters

Parameter Description
Get Ransomware Intelligence Stats For Select the type of stats you want to fetch for ransomware intelligence. You can choose from the following options:
  • Top Ransomware Victims By Sector
  • Top Ransomware Victims By Revenue
  • Top Ransomware Victims By Country
  • Top Ransomware Groups
  • Ransomware Victims Over Time
  • Latest Active Ransomware Groups
Time Range Type (Optional) Select the time range for which to get the ransomware intelligence stats. You can choose from the following options:
  • All Time
  • Last 90 Days
  • Last 30 Days
  • Last 15 Days
  • Last 7 Days
  • Current Month
  • Previous Month
Start Date (Optional) Select the start date of the timeframe during which to retrieve intelligence stats.
End Date (Optional) Select the end date of the timeframe during which to retrieve intelligence stats.

Output

The output contains the following populated JSON schema:

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Sector:

{
    "items": [
        {
            "items": [
                {
                    "count": "",
                    "country": ""
                }
            ]
        }
    ],
    "sectors": "Manufacturing"
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Revenue:

{
    "items": [
        {
            "data": [
                {
                    "name": "",
                    "ransomware_name": "",
                    "revenue": "",
                    "revenue_in_number": ""
                }
            ],
            "display_id": "",
            "label": ""
        }
    ]
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Victims By Country:

{
    "items": [
        {
            "country": "",
            "items": [
                {
                    "count": "",
                    "sectors": ""
                }
            ]
        }
    ]
}

Output schema when you choose Get Ransomware Intelligence Stats For as Top Ransomware Groups:

{
    "date_range": "",
    "items": [
        {
            "count": "",
            "group": ""
        }
    ],
    "total": ""
}

Output schema when you choose Get Ransomware Intelligence Stats For as Ransomware Victims Over Time:

{
    "items": [
        {
            "count": "",
            "date": ""
        }
    ],
    "total": ""
}

Output schema when you choose Get Ransomware Intelligence Stats For as Latest Active Ransomware Groups:

{
    "items": [
        {
            "count": "",
            "group": "",
            "last_added": ""
        }
    ],
    "total": ""
}

operation: Get Ransomware Threat Campaign

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "actors": "",
            "id": "",
            "ransomware_name": "",
            "report_date": "",
            "report_id": "",
            "report_title": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Potential Ransomware Victims

Input parameters

Parameter Description
Filter By Actor Name (Optional) Specify an actor name to filter the results by the specified actor. Multiple actors can be specified as comma-separated OR values. For example: abc,pqr.
Country (Optional) Specify a country name to filter the results by the specified country. Multiple countries can be specified as comma-separated OR values. For example: India,Colombia.
Sectors (Optional) Specify a sector name to filter the results by the specified sector. Multiple sectors can be specified as comma-separated OR values. For example: Business Services,Accounting Services.
Start Date (Optional) Select the start date of the timeframe during which to retrieve potential ransomware victims.
End Date (Optional) Select the end date of the timeframe during which to retrieve potential ransomware victims.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "actor": "",
            "collection_date": "",
            "country": "",
            "description": "",
            "domains": [],
            "id": "",
            "name": "",
            "report_id": "",
            "revenue": "",
            "sectors": [],
            "source": "",
            "updated_date": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Intelligence Orgs Watchlist To Monitor

Input parameters

Parameter Description
Added Type (Optional) Select the input source type to filter the results. You can choose from the following options:
  • ALL
  • EASM
  • MANUAL
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "domain": "",
            "org_name": "",
            "type": "",
            "added_ts": "",
            "updated_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}
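The Get Potential Ransomware Victims and Get Ransomware Intelligence Orgs Watchlist To Monitor actions above both return the same hits/page/size/total envelope, with Size capped at 500. The following added example (not part of the connector or its bundled playbooks) pages through that envelope and flags potential-victim records whose domains, or a parent domain, appear on the watchlist; the fetch function and all sample values are constructed stand-ins for the real connector action.

```python
MAX_PAGE_SIZE = 500  # documented maximum for the "Size" parameter

# Constructed sample pages in the hits/page/size/total envelope returned by
# "Get Potential Ransomware Victims" (every value here is invented for this example).
CONSTRUCTED_PAGES = {
    1: {"hits": [{"id": "pv-1", "name": "Example Corp", "actor": "GroupA", "domains": ["example.com", "shop.example.com"]},
                 {"id": "pv-2", "name": "Other Ltd", "actor": "GroupB", "domains": ["other.example.net"]}],
        "page": 1, "size": 2, "total": 3},
    2: {"hits": [{"id": "pv-3", "name": "Example Sub", "actor": "GroupA", "domains": ["EXAMPLE.COM."]}],
        "page": 2, "size": 2, "total": 3},
}
# Constructed sample of the "Get Ransomware Intelligence Orgs Watchlist To Monitor" output.
CONSTRUCTED_WATCHLIST = {"hits": [
    {"id": "w-1", "domain": "example.com", "org_name": "Example Corp", "type": "MANUAL"},
    {"id": "w-2", "domain": "corp.example.org", "org_name": "Example Corp", "type": "EASM"}],
    "page": 1, "size": 10, "total": 2}

def fetch_constructed_page(page, size):
    """Stand-in for the connector action; a playbook step would call the real action here."""
    return CONSTRUCTED_PAGES.get(page, {"hits": [], "page": page, "size": size, "total": 3})

def iter_hits(fetch, size=MAX_PAGE_SIZE):
    """Walk a hits/page/size/total envelope page by page until `total` hits have been seen."""
    size = max(1, min(size, MAX_PAGE_SIZE))  # stay inside the documented 1..500 range
    page, seen = 1, 0
    while True:
        envelope = fetch(page, size)
        hits = envelope.get("hits", [])
        yield from hits
        seen += len(hits)
        if not hits or seen >= int(envelope.get("total", 0)):  # empty page guards a stale total
            return
        page += 1

def normalize_domain(domain):
    """Lower-case and drop a trailing dot so 'EXAMPLE.COM.' compares equal to 'example.com'."""
    return domain.strip().lower().rstrip(".")

def match_potential_victims(fetch, watchlist, size=MAX_PAGE_SIZE):
    """Return potential-victim hits whose domain, or a parent of it, is on the org watchlist."""
    monitored = {normalize_domain(h["domain"]) for h in watchlist.get("hits", [])}
    matches = []
    for hit in iter_hits(fetch, size):
        for dom in hit.get("domains", []):
            parts = normalize_domain(dom).split(".")
            # shop.example.com is tried as shop.example.com, then example.com (never the bare TLD)
            found = [c for c in (".".join(parts[i:]) for i in range(len(parts) - 1)) if c in monitored]
            if found:
                matches.append({"id": hit["id"], "name": hit["name"], "actor": hit["actor"], "matched_domain": found[0]})
                break
    return matches
```

Any match is a candidate for a Threat Intel Management record or an alert in the playbook that calls the action; records with no watchlist match can be dropped before ingestion.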

operation: Get The Matched Organizations For Ransomware Intelligence Monitoring

Input parameters

Parameter Description
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "domains": [],
            "name": "",
            "type": "",
            "collection_ts": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get The Technical Indicators For The Given Ransomware Group

Input parameters

Parameter Description
Ransomware Group Name Specify the ransomware group name to fetch its technical indicators.
Page (Optional) Specify a page number to retrieve information from that page. Defaults to 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and the maximum value is 500.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "ioc": "",
            "ioc_type": "",
            "report_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Ransomware Group Information

Input parameters

Parameter Description
Ransomware Group Name Specify the name of the ransomware group whose information you want to fetch.

Output

The output contains the following populated JSON schema:

{
    "first_seen": "",
    "total_victims": "",
    "victim_countries": [
        {
            "count": "",
            "country": ""
        }
    ],
    "victim_sectors": [
        {
            "count": "",
            "sector": ""
        }
    ]
}

operation: Update Stealers Leaked Status

Input parameters

Parameter Description
Stealers Leaked Record ID Specify the stealers leaked record ID to update the status.
Status Specify the status to set on the stealers leaked record. You can choose from:
  • ACTIVE
  • RESOLVED

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

operation: Update Stealers On Sale(Marketplaces) Status

Input parameters

Parameter Description
Stealers On Sale(Marketplaces) Record ID Specify the stealers on sale (marketplaces) record ID to update the status.
Status Specify the status to set on the stealers on sale (marketplaces) record. You can choose from:
  • ACTIVE
  • RESOLVED

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

Included playbooks

The Sample - Fortinet FortiRecon ACI - 2.0.0 playbook collection comes bundled with the Fortinet FortiRecon ACI connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon ACI connector.

NOTE: In the Threat Intel Report module of the Threat Intel Management Solution Pack, the ingestion fetches reports containing indicators whose source category is Technical Intelligence.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling reports from Fortinet FortiRecon ACI. Currently, reports in Fortinet FortiRecon ACI are mapped to Threat Intel Management in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiRecon ACI reports to Threat Intel Management in FortiSOAR™.

The Data Ingestion Wizard enables you to configure scheduled pulling of data from FortiRecon ACI into FortiSOAR™. It also lets you pull some sample data from FortiRecon ACI, which you use to define the mapping of data between FortiRecon ACI reports and FortiSOAR™. The Data Ingestion Wizard generally maps common fields for you; usually you only need to map any custom fields that have been added to the FortiRecon ACI reports.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiRecon ACI connector's Configurations page.
    Click Let's Start by fetching some data to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between FortiRecon ACI reports and FortiSOAR™ Threat Intel Management. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch reports from FortiRecon ACI. Use Pull Reports Created in Past X Hours to specify how far back to fetch reports from FortiRecon ACI. The fetched data is used to create a mapping between the FortiRecon ACI reports and FortiSOAR™ Threat Intel Management.

    Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of FortiRecon ACI reports to the fields of Threat Intel Management present in FortiSOAR™.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiRecon ACI, so that the content gets pulled from the FortiRecon ACI integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiRecon ACI every 5 minutes, click Every X Minute and in the minute box enter */5. With this configuration, data (that is, indicators) is pulled from FortiRecon ACI every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
