Fortinet FortiGuard Threat Intelligence

Fortinet FortiGuard Threat Intelligence v3.1.0

Home FortiSOAR Connectors Fortinet FortiGuard Threat Intelligence

3.1.0

Fortinet FortiGuard Threat Intelligence v3.1.0

About the connector

FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. It provides threat intelligence to protect them from malicious cyberattacks.

This document provides information about the FortiGuard Threat Intelligence connector, which facilitates automated interactions with FortiGuard Threat Intelligence using FortiSOAR™ playbooks. Add the FortiGuard Threat Intelligence connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about a threat and a static list of threat types and names, etc. from FortiGuard Threat Intelligence.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 3.1.0

FortiSOAR™ Version Tested on: 7.2.2-1098

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.1.0

The following enhancements have been made to the FortiGuard Threat Intelligence connector in version 3.1.0:

Added support for FortiGuard's 'Premium Feed Subscription' that allows for unrestricted ingestion of FortiGuard threat feeds and premium Threat Intelligence Management (TIM) features. FortiSOAR has added a new licensing option for getting this subscription. For more information, see the FortiSOAR product documentation-'Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features' topic in the Licensing FortiSOAR chapter in the "Deployment Guide."
Enhanced the message displayed by FortiSOAR, if matching threat intelligence feeds were not found; earlier a '404 error' was displayed.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortiguard-threat-intelligence

Prerequisites to configuring the connector

The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiGuard Threat Intelligence API server.
You require FortiSOAR release 7.2.0 as a baseline for enabling data ingestion with this connector. Other lookup actions work on older releases of FortiSOAR.

Minimum Permissions Required

Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Fortinet FortiGuard Threat Intelligence connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter	Description
Server Name	URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function	Description	Annotation and Category
Threat Intel Search	Retrieves information about a threat from Fortiguard Threat Intelligence based on the indicator you have specified.	threat_intel_search Investigation
Get Threat Categories	Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified.	get_threat_categories Investigation
Get Encyclopedia Lookup	Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified.	get_encyclopedia_lookup Investigation
Fetch Threat Intel Feeds	Downloads the FortiGuard Threat Intel Feeds	threat_intel_feeds Investigation

operation: Threat Intel Search

Input parameters

Parameter	Description
Indicator	Indicator of the threat whose information you want to retrieve from the FortiGuard Threat Intelligence server.

Output

The output contains the following populated JSON schema:
{
"reference_url": "",
"ioc_cate": "",
"confidence": "",
"wf_cate": "",
"spam_cates": [],
"ioc_tags": [],
"av_cate": ""
}

operation: Get Threat Categories

Input parameters

Parameter	Description
Title	Title of the threat whose associated threat types and names you want to retrieve from the FortiGuard Threat Intelligence server.

Output

The output contains the following populated JSON schema:
{
"ctype": "",
"title": "",
"description": ""
}

operation: Get Encyclopedia Lookup

Input parameters

Parameter	Description
Source	Source of the lookup, for example, viruses, botnets, etc., whose information you want to retrieve from the FortiGuard Threat Intelligence server.
ID	The ID of the encyclopedia lookup whose information you want to retrieve from the FortiGuard Threat Intelligence server.

Output

If you have selected the 'Source' as 'Viruses', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Discovered": "",
"Created": "",
"Updated": ""
}

If you have selected the 'Source' as 'Intrusion Prevention', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"isActive": "",
"Risk": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"DefaultAction": "",
"BehaviorList": [],
"os_list": [],
"app_list": [],
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Released": "",
"Created": "",
"Updated": ""
}

If you have selected the 'Source' as 'Botnet', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"Platform": "",
"Created": "",
"Updated": ""
}

If you have selected the 'Source' as 'Endpoint Vulnerabilities', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Risk": "",
"Summary": "",
"Analysis": "",
"Products": [],
"SecurityRefs": [
{
"reftype": "",
"refid": "",
"url": ""
}
],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Created": "",
"Updated": ""
}

If you have selected the 'Source' as 'Mobile', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Aliases": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"SecurityRefs": [],
"DetectionAvailability": [
{
"product": "",
"sigdb": "",
"status": ""
}
],
"Discovered": "",
"Created": "",
"Updated": ""
}

If you have selected the 'Source' as 'Application', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Category": "",
"Risk": "",
"RiskID": "",
"Popularity": "",
"Summary": "",
"Symptoms": "",
"Analysis": "",
"Action": "",
"DefaultAction": "",
"BehaviorList": [],
"AppPort": "",
"References": [],
"DeepAppCtrl": "",
"Vendor": "",
"Deprecated": "",
"Language": "",
"Technology": [],
"os_list": [],
"app_list": [],
"Released": "",
"Created": "",
"Updated": "",
"RequireApp": []
}

If you have selected the 'Source' as 'Internet Services', then the output contains the following populated JSON schema:
{
"Type": "",
"ID": "",
"Name": "",
"Analysis": ""
}

operation: Fetch Threat Intel Feeds

Input parameters

Parameter	Description
Fetch feeds created after	Specify the time the feeds were last pulled from FortiGuard Threat Intelligence. In this case, the data will be returned from FortiGuard Threat Intelligence only if the feed has been refreshed after the specified time. This is used in scheduled data ingestion to fetch feeds incrementally since the last successful pull.
Process Response As	Select the method of returning the Feed Data information. You can choose between the data being created as "Feed records" in FortiSOAR (the Create as Feed Records in FortiSOAR option)or being written to files on the FortiSOAR server (the Save to File option). If you choose the 'Create as Feed Records in FortiSOAR' option, then in the Record Creation Playbook IRI field, specify the IRI of the playbook that creates feed records in FortiSOAR.

Parameter

Description

Fetch feeds created after

Specify the time the feeds were last pulled from FortiGuard Threat Intelligence. In this case, the data will be returned from FortiGuard Threat Intelligence only if the feed has been refreshed after the specified time. This is used in scheduled data ingestion to fetch feeds incrementally since the last successful pull.

Process Response As

Select the method of returning the Feed Data information. You can choose between the data being created as "Feed records" in FortiSOAR (the Create as Feed Records in FortiSOAR option)or being written to files on the FortiSOAR server (the Save to File option).
If you choose the 'Create as Feed Records in FortiSOAR' option, then in the Record Creation Playbook IRI field, specify the IRI of the playbook that creates feed records in FortiSOAR.

Output

The output contains the following populated JSON schema:
{
"result": "",
"message": ""
}

Included playbooks

The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.0 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

Fetch Threat Intelligence Feeds
File Hash / Domain / IP / URL > Fortinet FortiGuard Threat Intelligence > Enrichment
Get Encyclopedia Lookup
Get Threat Categories
Threat Intel Search

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Pluggable Enrichment

The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.2 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for various indicator types. The indicator can be of any of the following types: File Hash, Domain, IP Address, or URL. The pluggable enrichment playbooks are in the format: '<indicator type> > Fortinet FortiGuard Threat Intelligence > Enrichment' format. For example, 'URL > Fortinet FortiGuard Threat Intelligence > Enrichment'.

The 'Configuration' step in all the pluggable enrichment playbooks contains variables that have default values for calculating the 'Verdict' for various indicator types. The following table lists the variable names and their default values:

Variable Name	Default value (`confidence`)
`good_score`	low
`suspicious_score`	medium
`malicious_score`	high

Based on the above default values and the Fortinet FortiGuard Threat Intelligence integration API response returns the 'Verdict' and other variables:

Variable Name	Description	Return Value
`verdict`	This connector returns a high-reliability value called 'verdict'. Use this verdict to find the reputation of the various types of indicators.	If the `confidence` value returned is between the value specified in the `malicious_score` variable, then return the verdict as Malicious. If the `confidence` value returned is between the value specified in the `suspicious_score` variable, then return the verdict as Suspicious. If the `confidence` value returned is between the value specified in the `good_score` variable, then return the verdict as Good. For any other value, return the verdict as No Reputation Available
`cti_name`	The name of the connector is called the CTI (Cyber Threat Intelligence) name	`Fortinet FortiGuard Threat Intelligence`
`cti_score`	The verdict value returned by the integration API.	`confidence` Note: The `cti_score` returns the value contained in `confidence`. It does not apply any other decision-making flow to it.
`source_data`	The source_data response returned by the integration API.	A JSON response object containing the source data of the threat intelligence integration.
`field_mapping`	The mapping of the FortiSOAR 'indicator' module fields with the Fortinet FortiGuard Threat Intelligence response fields.	A JSON response object containing the field mapping of the threat intelligence integration.
`enrichment_summary`	The contents are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record.	The following values are returned in the HTML format: Confidence Web Filter Category IOC Category AV Category IOC Tag The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record:

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. Currently, data from FortiGuard Threat Intelligence are mapped to "threat intel feeds" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Prerequisites

Before you begin ingesting data into FortiSOAR, it is strongly recommended that you deploy and set up the Threat Intel Management Solution Pack, since, by default, data ingestion is mapped to the Threat Intel Feed modules.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiGuard Threat Intelligence data to FortiSOAR™ "threat intel feeds". The Data Ingestion Wizard enables you to configure the scheduled pulling of data from the FortiGuard Threat Intelligence into FortiSOAR™. It also lets you pull some sample data from FortiGuard Threat Intelligence using which you can define the mapping of data between the FortiGuard Threat Intelligence and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiGuard Threat Intelligence.

To begin configuring data ingestion, click Configure Data Ingestion on the FortiGuard Threat Intelligence connector’s "Configurations" page.

Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
Sample data is required to create a field mapping between the FortiGuard Threat Intelligence and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch data from FortiGuard Threat Intelligence. You can pull threat intel feeds from FortiGuard Threat Intelligence and add custom confidence level, reputation, TLP, and maximum age to that feed.

The fetched data is used to create a mapping between the FortiGuard Threat Intelligence and FortiSOAR™ threat intel feeds. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of FortiGuard's threat intelligence feed to the fields of a threat intel feed present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the valid_from parameter of a FortiGuard threat intelligence feed to the LastSeen parameter of a FortiSOAR™ threat intel feed, click the LastSeen field, and then click the valid_from field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiGuard Threat Intelligence, so that the content gets pulled from the FortiGuard Threat Intelligence integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiGuard Threat Intelligence every hour, click Hourly, and in the hour box enter */1:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.

About the connector

FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. It provides threat intelligence to protect them from malicious cyberattacks.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. For more information, see the Data Ingestion Support section.