FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view to the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 7.6.1-5275
Fortinet FortiRecon Brand Protection Version Tested on: 24.4.a
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Fortinet FortiRecon Brand Protection Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-fortinet-fortirecon-brand-protection
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Server name or IP address to which you will connect and perform the automated operations |
| API Key | API key to access the endpoint to which you will connect and perform the automated operations |
| Organization ID | The organization ID on which FortiRecon operations are to be performed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
.
| Function | Description | Annotation and Category |
|---|---|---|
| Get Code Repo Exposures | Retrieves a list of code repo exposures based on the filter criteria that you have specified. | get_code_repo_exposures Investigation |
| Get Domain Threats | Retrieves list of code domain threats based on the filter criteria that you have specified. | get_domain_threats Investigation |
| Get Domain Threats By ID | Retrieves details of threats on a domain based on the threat ID that you have specified. | get_domain_threats_by_id Investigation |
| Get Executive Exposures | Retrieves list of executive exposures based on the filter criteria that you have specified. | get_executive_exposures Investigation |
| Get Executive Profiles | Retrieves list of executive profiles based on the name of the executive, page number, and page size that you have specified. | get_executive_profiles Investigation |
| Get Open Bucket Exposures | Retrieves list of open bucket exposures based on the filter criteria that you have specified. | get_open_bucket_exposures Investigation |
| Get Rogue Apps | Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. | get_rogue_apps Investigation |
| Get Rogue App By ID | Retrieves details of a rogue app based on the Rogue App ID that you have specified. | get_rogue_app_by_id Investigation |
| Get Social Media Threats | Retrieves list of social media threats based on the filter criteria that you have specified. | get_social_media_threats Investigation |
| Get Domain Threats Statistics | Retrieves statistics for domain threats. | get_domain_threats_stats Investigation |
| Get Original Domains Statistics | Retrieves the statistics of original domains threats based on the page number and the page size specified. | get_original_domains_stats Investigation |
| Get Open Bucket Exposures Statistics | Retrieves the statistics of open bucket exposures. | get_open_bucket_exposures_stats Investigation |
| Get Social Media Threats Statistics | Retrieves the statistics of social media threats. | get_social_media_threats_stats Investigation |
| Get Tags | Retrieves the list of active tags. | get_tags Investigation |
| Get Takedown Requests | Retrieves a list of takedown requests for rogue apps and typo domains for the given organization the filter criteria that you have specified. | get_takedown_requests Investigation |
| Get Code Repositories | Retrieves a list of code repositories based on the searched keyword, domain, risk level, and other filter criteria that you have specified. | get_code_repos Investigation |
| Get Code Repo Statistics | Retrieves statistics for all code repositories associated with the Organization ID specified in configuration parameters. | get_code_repos_stats Investigation |
| Get Code Repo Matched Domains Statistics | Retrieves statistics of all matched domains associated with the Organization ID specified in configuration parameters. | get_code_repo_matched_domains_stats Investigation |
| Update Code Repo Status | Updates the status of the Code Repo based on the code repo ID and the status to update. | update_code_repo_status Investigation |
| Update Domain Threat Status | Updates the status of the Domain Threat record based on the Domain Threat ID and the status to update. | update_domain_threat_status Investigation |
| Update Open Bucket Exposure Status | Updates the status of the Open Bucket Exposure record based on the Open Bucket Exposure ID and the status to update. | update_open_bucket_exposure_status Investigation |
| Update Rogue App Status | Updates the status of the Rogue App record based on the Rogue App ID and the status to update. | update_rogue_app_exposure_status Investigation |
| Update Social Media Threat Status | Updates the status of the Social Media Threat record based on the Social Media Threat ID and the status to update. | update_social_media_threat_status Investigation |
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in code repo exposures and retrieve results containing the specified keyword. |
| Matched Domain | (Optional) Specify a domain to search in code repo exposures and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com. |
| Risk Level | (Optional) Specify a risk level to search in code repo exposures and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repo exposures containing the specified risk levels. For example, LOW,MEDIUM,HIGH. |
| Attribute Type | (Optional) Specify an attribute type to search in code repo exposures and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repo exposures containing the specified attribute types. For example, Email,Password. |
| Status | (Optional) Select a status to search in code repo exposures and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"attribute": "",
"attribute_type": "",
"id": "",
"matched_domain": "",
"raw_info": "",
"risk_level": "",
"status": "",
"url": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in domain threats and retrieve results containing the specified keyword. The keyword is searched in domain, URL, severity, original domain, online status, and fuzzer fields. |
| Original Domain | (Optional) Specify a domain to search in domain threats and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve domain threats containing the specified domains. For example: domain1.com,domain2.com. |
| Tags | (Optional) Specify a tag to search in domain threats and retrieve results containing the specified tags. You can specify multiple tags to retrieve domain threats containing the specified tags. For example: b7c4409f4e34eedc7a5447b077732c66,b7c4409f4e34eedc7a5447b077732c77.
NOTE: Tag ID can be retrieved from the Get Tags action. |
| Online Status | (Optional) Select an online status search in domain threats and retrieve results containing the specified online status. You can select one of the following options:
|
| Status | (Optional) Select a status to search in domain threats and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"domain": "",
"expiration_date": "",
"fuzzer": "",
"id": "",
"is_false_positive": "",
"is_impersonation": "",
"is_parked": "",
"online_status": "",
"original_domain": "",
"registration_date": "",
"severity": "",
"source": "",
"source_name": "",
"status": "",
"tags": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Domain Threat ID | Specify an ID of the domain threat to retrieve its details. |
The output contains the following populated JSON schema:
{
"added_ts": "",
"domain": "",
"expiration_date": "",
"fuzzer": "",
"id": "",
"is_false_positive": "",
"is_impersonation": "",
"is_parked": "",
"online_status": "",
"original_domain": "",
"registration_date": "",
"severity": "",
"source": "",
"source_name": "",
"status": "",
"tags": [
{
"id": "",
"name": ""
}
]
}
| Parameter | Description |
|---|---|
| Source Type | (Optional) Specify a source type in which to search and retrieve results containing the specified Executive ID. |
| Executive ID | (Optional) Specify an executive ID to search and retrieve results containing the specified executive ID. |
| Start Date | (Optional) Select the start date of the range containing the date when a report was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a report was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"data": {},
"executive_id": "",
"id": "",
"matched_keywords": [
{
"type": "",
"value": ""
}
],
"source_type": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Executive Name | (Optional) Specify an executive name to search and retrieve results containing the specified executive's name. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in open bucket exposures and retrieve results containing the specified keyword. |
| File Type | (Optional) Specify a file type to search in open bucket exposures and retrieve results containing the specified file types. You can specify multiple comma-separated file types to retrieve open bucket exposures containing the specified file types. For example gz,tgz,docx. |
| Bucket Type | (Optional) Specify a bucket type to search in open bucket exposures and retrieve results containing the specified bucket types. You can specify multiple comma-separated bucket types to retrieve open bucket exposures containing the specified bucket types. For example gcp,aws,azure. |
| Status | (Optional) Select a status to search in open bucket exposures and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"accessibility_status": "",
"added_ts": "",
"bucket": "",
"bucket_id": "",
"bucket_type": "",
"file_name": "",
"file_size": "",
"file_type": "",
"full_path": "",
"id": "",
"source_id": "",
"status": "",
"url": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Status | (Optional) Select the rogue apps status type from the following options to filter the results:
|
| Search by Keyword | Specify the keywords to filter the results. Specified keyword is searched in these fields: Keyword, Source Name, Developer Name, App Name. |
| App Store Name | (Optional) Specify an app store in which to search for rogue apps and retrieve results. You can specify multiple comma-separated file types to retrieve rogue apps containing the specified file types. For example: Androidapk,Applestore. |
| Start Date | (Optional) Select the start date of the range containing the date when the rogue app was first seen. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a rogue app was first seen. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"app_name": "",
"app_size": "",
"appstore": "",
"description": "",
"developer_name": "",
"download_count": "",
"download_url": "",
"first_seen": "",
"id": "",
"keyword": "",
"package_name": "",
"status": "",
"ticket_id": "",
"updated_ts": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Rogue App ID | Specify the ID of the rogue app to get its details. |
The output contains the following populated JSON schema:
{
"app_name": "",
"app_size": "",
"appstore": "",
"description": "",
"developer_name": "",
"developer_url": "",
"download_count": "",
"download_url": "",
"first_seen": "",
"id": "",
"is_whitelisted": "",
"keyword": "",
"last_seen": "",
"listing_url": "",
"package_name": "",
"review_count": "",
"review_stars": "",
"screenshot_url": "",
"status": "",
"ticket_id": "",
"updated_ts": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in social media threats and retrieve results containing the specified keyword in profile name or handle name fields. |
| Media Type | (Optional) Specify a social media platform to search in social media threats and retrieve results containing the specified social media platforms. You can specify multiple comma-separated social media platforms to retrieve social media threats containing the specified social media platforms. For example FACEBOOK,INSTAGRAM,TWITTER. |
| Profile Name | (Optional) Specify a profile name to search and retrieve social media threats containing the specified profile name. |
| Handle Name | (Optional) Specify a handle name to search and retrieve social media threats containing the specified handle name. |
| Is Verified | (Optional) Select whether the profile or the handle name is verified to retrieve social media threats containing only verified profile or handle name. You can select one of the following options:
|
| Status | (Optional) Select a status to search in social media threats and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"followers_count": "",
"friends_count": "",
"handle_name": "",
"id": "",
"is_verified": "",
"location": "",
"media_type": "",
"posts_count": "",
"profile_creation_ts": "",
"profile_name": "",
"profile_url": "",
"source_id": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
None.
The output contains the following populated JSON schema:
{
"count_by_action": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_domain_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_tags": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None
The output contains the following populated JSON schema:
{
"count_by_original_domain": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_accessibility_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_bucket_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_file_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_is_verified": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_media_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
}
]
}
| Parameter | Description |
|---|---|
| Status | (Optional) Select a status to search in take-down requests and retrieve results containing the specified status. You can select from the following options:
|
| Category | (Optional) Select a category to search in take-down requests and retrieve results containing the specified category. you can select from the following options:
|
| Search by Keyword | (Optional) Specify a keyword to search in take-down requests and retrieve results containing the specified keyword in ticket Id or entity fields. The entity field may contain domain name, title of a report, or Phished Domain. |
| Start Date | (Optional) Select the start date of the range containing the date when the takedown was requested. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when the takedown was requested. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"category": "",
"entity": "",
"id": "",
"resource_id": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in code repositories and retrieve results containing the specified keyword. |
| Matched Domain | (Optional) Specify a domain to search in code repositories and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com. |
| Risk Level | (Optional) Specify a risk level to search in code repositories and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repositories containing the specified risk levels. For example: LOW,MEDIUM,HIGH. |
| Attribute Type | (Optional) Specify an attribute type to search in code repositories and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repositories containing the specified attribute types. For example: Email,Password. |
| Status | (Optional) Select a status to search in code repositories and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"repo_url": "",
"files_count": "",
"risk_level": "",
"attribute": "",
"matched_domain": "",
"attribute_type": "",
"added_ts": "",
"status": ""
}
],
"page": "",
"size": "",
"total": ""
}
None.
The output contains the following populated JSON schema:
{
"count_by_action": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_attribute_type": {
"aggregations": [
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_risk_level": {
"aggregations": [
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_matched_domain": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
| Parameter | Description |
|---|---|
| Code Repo ID | Specify the ID of the code repo whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Domain Threat ID | Specify the threat ID of the domain whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Open Bucket Exposure ID | Specify the exposure ID of the open bucket whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Rogue App ID | Specify the ID of the rogue app whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Social Media Threat ID | Specify the threat ID of the social media whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
The Sample - Fortinet FortiRecon Brand Protection - 2.1.0 playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view to the risks posed to your enterprise.
This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 7.6.1-5275
Fortinet FortiRecon Brand Protection Version Tested on: 24.4.a
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Fortinet FortiRecon Brand Protection Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-fortinet-fortirecon-brand-protection
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Server name or IP address to which you will connect and perform the automated operations |
| API Key | API key to access the endpoint to which you will connect and perform the automated operations |
| Organization ID | The organization ID on which FortiRecon operations are to be performed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
.
| Function | Description | Annotation and Category |
|---|---|---|
| Get Code Repo Exposures | Retrieves a list of code repo exposures based on the filter criteria that you have specified. | get_code_repo_exposures Investigation |
| Get Domain Threats | Retrieves list of code domain threats based on the filter criteria that you have specified. | get_domain_threats Investigation |
| Get Domain Threats By ID | Retrieves details of threats on a domain based on the threat ID that you have specified. | get_domain_threats_by_id Investigation |
| Get Executive Exposures | Retrieves list of executive exposures based on the filter criteria that you have specified. | get_executive_exposures Investigation |
| Get Executive Profiles | Retrieves list of executive profiles based on the name of the executive, page number, and page size that you have specified. | get_executive_profiles Investigation |
| Get Open Bucket Exposures | Retrieves list of open bucket exposures based on the filter criteria that you have specified. | get_open_bucket_exposures Investigation |
| Get Rogue Apps | Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. | get_rogue_apps Investigation |
| Get Rogue App By ID | Retrieves details of a rogue app based on the Rogue App ID that you have specified. | get_rogue_app_by_id Investigation |
| Get Social Media Threats | Retrieves list of social media threats based on the filter criteria that you have specified. | get_social_media_threats Investigation |
| Get Domain Threats Statistics | Retrieves statistics for domain threats. | get_domain_threats_stats Investigation |
| Get Original Domains Statistics | Retrieves the statistics of original domains threats based on the page number and the page size specified. | get_original_domains_stats Investigation |
| Get Open Bucket Exposures Statistics | Retrieves the statistics of open bucket exposures. | get_open_bucket_exposures_stats Investigation |
| Get Social Media Threats Statistics | Retrieves the statistics of social media threats. | get_social_media_threats_stats Investigation |
| Get Tags | Retrieves the list of active tags. | get_tags Investigation |
| Get Takedown Requests | Retrieves a list of takedown requests for rogue apps and typo domains for the given organization the filter criteria that you have specified. | get_takedown_requests Investigation |
| Get Code Repositories | Retrieves a list of code repositories based on the searched keyword, domain, risk level, and other filter criteria that you have specified. | get_code_repos Investigation |
| Get Code Repo Statistics | Retrieves statistics for all code repositories associated with the Organization ID specified in configuration parameters. | get_code_repos_stats Investigation |
| Get Code Repo Matched Domains Statistics | Retrieves statistics of all matched domains associated with the Organization ID specified in configuration parameters. | get_code_repo_matched_domains_stats Investigation |
| Update Code Repo Status | Updates the status of the Code Repo based on the code repo ID and the status to update. | update_code_repo_status Investigation |
| Update Domain Threat Status | Updates the status of the Domain Threat record based on the Domain Threat ID and the status to update. | update_domain_threat_status Investigation |
| Update Open Bucket Exposure Status | Updates the status of the Open Bucket Exposure record based on the Open Bucket Exposure ID and the status to update. | update_open_bucket_exposure_status Investigation |
| Update Rogue App Status | Updates the status of the Rogue App record based on the Rogue App ID and the status to update. | update_rogue_app_exposure_status Investigation |
| Update Social Media Threat Status | Updates the status of the Social Media Threat record based on the Social Media Threat ID and the status to update. | update_social_media_threat_status Investigation |
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in code repo exposures and retrieve results containing the specified keyword. |
| Matched Domain | (Optional) Specify a domain to search in code repo exposures and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com. |
| Risk Level | (Optional) Specify a risk level to search in code repo exposures and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repo exposures containing the specified risk levels. For example, LOW,MEDIUM,HIGH. |
| Attribute Type | (Optional) Specify an attribute type to search in code repo exposures and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repo exposures containing the specified attribute types. For example, Email,Password. |
| Status | (Optional) Select a status to search in code repo exposures and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"attribute": "",
"attribute_type": "",
"id": "",
"matched_domain": "",
"raw_info": "",
"risk_level": "",
"status": "",
"url": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in domain threats and retrieve results containing the specified keyword. The keyword is searched in domain, URL, severity, original domain, online status, and fuzzer fields. |
| Original Domain | (Optional) Specify a domain to search in domain threats and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve domain threats containing the specified domains. For example: domain1.com,domain2.com. |
| Tags | (Optional) Specify a tag to search in domain threats and retrieve results containing the specified tags. You can specify multiple tags to retrieve domain threats containing the specified tags. For example: b7c4409f4e34eedc7a5447b077732c66,b7c4409f4e34eedc7a5447b077732c77.
NOTE: Tag ID can be retrieved from the Get Tags action. |
| Online Status | (Optional) Select an online status search in domain threats and retrieve results containing the specified online status. You can select one of the following options:
|
| Status | (Optional) Select a status to search in domain threats and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"domain": "",
"expiration_date": "",
"fuzzer": "",
"id": "",
"is_false_positive": "",
"is_impersonation": "",
"is_parked": "",
"online_status": "",
"original_domain": "",
"registration_date": "",
"severity": "",
"source": "",
"source_name": "",
"status": "",
"tags": []
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Domain Threat ID | Specify an ID of the domain threat to retrieve its details. |
The output contains the following populated JSON schema:
{
"added_ts": "",
"domain": "",
"expiration_date": "",
"fuzzer": "",
"id": "",
"is_false_positive": "",
"is_impersonation": "",
"is_parked": "",
"online_status": "",
"original_domain": "",
"registration_date": "",
"severity": "",
"source": "",
"source_name": "",
"status": "",
"tags": [
{
"id": "",
"name": ""
}
]
}
| Parameter | Description |
|---|---|
| Source Type | (Optional) Specify a source type in which to search and retrieve results containing the specified Executive ID. |
| Executive ID | (Optional) Specify an executive ID to search and retrieve results containing the specified executive ID. |
| Start Date | (Optional) Select the start date of the range containing the date when a report was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a report was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"data": {},
"executive_id": "",
"id": "",
"matched_keywords": [
{
"type": "",
"value": ""
}
],
"source_type": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Executive Name | (Optional) Specify an executive name to search and retrieve results containing the specified executive's name. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in open bucket exposures and retrieve results containing the specified keyword. |
| File Type | (Optional) Specify a file type to search in open bucket exposures and retrieve results containing the specified file types. You can specify multiple comma-separated file types to retrieve open bucket exposures containing the specified file types. For example gz,tgz,docx. |
| Bucket Type | (Optional) Specify a bucket type to search in open bucket exposures and retrieve results containing the specified bucket types. You can specify multiple comma-separated bucket types to retrieve open bucket exposures containing the specified bucket types. For example gcp,aws,azure. |
| Status | (Optional) Select a status to search in open bucket exposures and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"accessibility_status": "",
"added_ts": "",
"bucket": "",
"bucket_id": "",
"bucket_type": "",
"file_name": "",
"file_size": "",
"file_type": "",
"full_path": "",
"id": "",
"source_id": "",
"status": "",
"url": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Status | (Optional) Select the rogue apps status type from the following options to filter the results:
|
| Search by Keyword | Specify the keywords to filter the results. Specified keyword is searched in these fields: Keyword, Source Name, Developer Name, App Name. |
| App Store Name | (Optional) Specify an app store in which to search for rogue apps and retrieve results. You can specify multiple comma-separated file types to retrieve rogue apps containing the specified file types. For example: Androidapk,Applestore. |
| Start Date | (Optional) Select the start date of the range containing the date when the rogue app was first seen. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a rogue app was first seen. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"app_name": "",
"app_size": "",
"appstore": "",
"description": "",
"developer_name": "",
"download_count": "",
"download_url": "",
"first_seen": "",
"id": "",
"keyword": "",
"package_name": "",
"status": "",
"ticket_id": "",
"updated_ts": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Rogue App ID | Specify the ID of the rogue app to get its details. |
The output contains the following populated JSON schema:
{
"app_name": "",
"app_size": "",
"appstore": "",
"description": "",
"developer_name": "",
"developer_url": "",
"download_count": "",
"download_url": "",
"first_seen": "",
"id": "",
"is_whitelisted": "",
"keyword": "",
"last_seen": "",
"listing_url": "",
"package_name": "",
"review_count": "",
"review_stars": "",
"screenshot_url": "",
"status": "",
"ticket_id": "",
"updated_ts": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in social media threats and retrieve results containing the specified keyword in profile name or handle name fields. |
| Media Type | (Optional) Specify a social media platform to search in social media threats and retrieve results containing the specified social media platforms. You can specify multiple comma-separated social media platforms to retrieve social media threats containing the specified social media platforms. For example FACEBOOK,INSTAGRAM,TWITTER. |
| Profile Name | (Optional) Specify a profile name to search and retrieve social media threats containing the specified profile name. |
| Handle Name | (Optional) Specify a handle name to search and retrieve social media threats containing the specified handle name. |
| Is Verified | (Optional) Select whether the profile or the handle name is verified to retrieve social media threats containing only verified profile or handle name. You can select one of the following options:
|
| Status | (Optional) Select a status to search in social media threats and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"followers_count": "",
"friends_count": "",
"handle_name": "",
"id": "",
"is_verified": "",
"location": "",
"media_type": "",
"posts_count": "",
"profile_creation_ts": "",
"profile_name": "",
"profile_url": "",
"source_id": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
None.
The output contains the following populated JSON schema:
{
"count_by_action": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_domain_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_tags": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None
The output contains the following populated JSON schema:
{
"count_by_original_domain": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_accessibility_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_bucket_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_file_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_is_verified": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_media_type": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_status": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"name": ""
}
]
}
| Parameter | Description |
|---|---|
| Status | (Optional) Select a status to search in take-down requests and retrieve results containing the specified status. You can select from the following options:
|
| Category | (Optional) Select a category to search in take-down requests and retrieve results containing the specified category. you can select from the following options:
|
| Search by Keyword | (Optional) Specify a keyword to search in take-down requests and retrieve results containing the specified keyword in ticket Id or entity fields. The entity field may contain domain name, title of a report, or Phished Domain. |
| Start Date | (Optional) Select the start date of the range containing the date when the takedown was requested. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when the takedown was requested. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"added_ts": "",
"category": "",
"entity": "",
"id": "",
"resource_id": "",
"status": "",
"ticket_id": ""
}
],
"page": "",
"size": "",
"total": ""
}
| Parameter | Description |
|---|---|
| Search By Keyword | (Optional) Specify a keyword to search in code repositories and retrieve results containing the specified keyword. |
| Matched Domain | (Optional) Specify a domain to search in code repositories and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com. |
| Risk Level | (Optional) Specify a risk level to search in code repositories and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repositories containing the specified risk levels. For example: LOW,MEDIUM,HIGH. |
| Attribute Type | (Optional) Specify an attribute type to search in code repositories and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repositories containing the specified attribute types. For example: Email,Password. |
| Status | (Optional) Select a status to search in code repositories and retrieve results containing the specified status. You can select from the following options:
|
| Start Date | (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected. |
| End Date | (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date. |
| Page | (Optional) Specify the page number from which to retrieve the results. Default value is 1. |
| Size | (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page. |
The output contains the following populated JSON schema:
{
"hits": [
{
"id": "",
"repo_url": "",
"files_count": "",
"risk_level": "",
"attribute": "",
"matched_domain": "",
"attribute_type": "",
"added_ts": "",
"status": ""
}
],
"page": "",
"size": "",
"total": ""
}
None.
The output contains the following populated JSON schema:
{
"count_by_action": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_attribute_type": {
"aggregations": [
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
}
],
"total": ""
},
"count_by_risk_level": {
"aggregations": [
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
},
{
"count": "",
"id": ""
}
],
"total": ""
}
}
None.
The output contains the following populated JSON schema:
{
"count_by_matched_domain": {
"aggregations": [
{
"count": "",
"id": ""
}
],
"total": ""
}
}
| Parameter | Description |
|---|---|
| Code Repo ID | Specify the ID of the code repo whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Domain Threat ID | Specify the threat ID of the domain whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Open Bucket Exposure ID | Specify the exposure ID of the open bucket whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Rogue App ID | Specify the ID of the rogue app whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Social Media Threat ID | Specify the threat ID of the social media whose status to update on Fortinet FortiRecon Brand Protection. |
| Status | Specify the status to update on Fortinet FortiRecon Brand Protection. You can choose from the following options:
|
The output contains the following populated JSON schema:
{
"message": ""
}
The Sample - Fortinet FortiRecon Brand Protection - 2.1.0 playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.