Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Fortinet FortiGuard Threat Intelligence

    Home FortiSOAR Connectors Fortinet FortiGuard Threat Intelligence
    3.1.1
    3.2.0
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.0.0
    1.0.0

    Fortinet FortiGuard Threat Intelligence v3.1.1

    About the connector

    FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. This connector facilitates automated operations to check IP, URL, Domain and File Hash Lookups and ingestion of daily threat feeds.

    This connector has a dependency on the Threat Intel Management Solution Pack. Install the Solution Pack before enabling ingestion of Threat Feeds from this source.

    This document provides information about the Fortinet FortiGuard Threat Intelligence Connector, which facilitates automated interactions, with a Fortinet FortiGuard Threat Intelligence server using FortiSOAR™ playbooks. Add the Fortinet FortiGuard Threat Intelligence Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiGuard Threat Intelligence.

    IMPORTANT: The FortiGuard Threat Intelligence connector is not supported on the FortiSOAR Agent.

    Version information

    Connector Version: 3.1.1

    FortiSOAR™ Version Tested on: 7.4.0-3024

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 3.1.1

    Following enhancements have been made to the Fortinet FortiGuard Threat Intelligence Connector in version 3.1.1:

    • Playbook output displayed finished with error when feed logs returned Internal Server Error. After this fix, output of the Fortinet FortiGuard Threat Intelligence playbook step correctly displays Internal Server Error when feed logs return Internal Server Error.
    • Fixed the File Hash / Domain / IP / URL > Fortinet FortiGuard Threat Intelligence > Enrichment pluggable enrichment playbook failure that occurred when the provided File Hash/domain/IP/URL was invalid or when the reputation was unavailable with Fortinet FortiGuard. Now, the playbook does not fail but considers No Operation as the playbook result.

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

        yum install cyops-connector-fortinet-fortiguard-threat-intelligence

    Prerequisites to configuring the connector

    • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiGuard Threat Intelligence API server.
    • You require FortiSOAR™ release 7.2.0 as a baseline for enabling data ingestion with this connector. Other lookup actions work on older releases of FortiSOAR™.

    Minimum Permissions Required

    • Not applicable

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server Name URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

    Function Description Annotation and Category
    Threat Intel Search Retrieves information about a threat from FortiGuard Threat Intelligence based on the indicator you have specified. threat_intel_search
    Investigation
    Get Threat Categories Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. get_threat_categories
    Investigation
    Get Encyclopedia Lookup Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. get_encyclopedia_lookup
    Investigation
    Fetch Threat Intel Feeds Downloads the FortiGuard Threat Intel Feeds. threat_intel_feeds
    Investigation

    operation: Threat Intel Search

    Input parameters

    Parameter Description
    Indicator Specify the threat indicator whose information to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    {
    "reference_url": "",
    "ioc_cate": "",
    "confidence": "",
    "wf_cate": "",
    "spam_cates": [],
    "ioc_tags": [],
    "av_cate": ""
}

    operation: Get Threat Categories

    Input parameters

    Parameter Description
    Title Specify the title of the threat whose associated threat types and names to retrieve from FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    {
    "ctype": "",
    "title": "",
    "description": ""
}

    operation: Get Encyclopedia Lookup

    Input parameters

    Parameter Description
    Source Specify the source of the lookup, for example, viruses, botnet, etc., whose information to retrieve from FortiGuard Threat Intelligence server.
    ID Specify the ID of the encyclopedia lookup whose information to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    Output schema when you choose Source as Viruses:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Intrusion Prevention:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "isActive": "",
    "Risk": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "os_list": [],
    "app_list": [],
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Released": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Botnet:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "Platform": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Endpoint Vulnerabilities:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Risk": "",
    "Summary": "",
    "Analysis": "",
    "Products": [],
    "SecurityRefs": [
        {
            "reftype": "",
            "refid": "",
            "url": ""
        }
    ],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Mobile:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Application:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Category": "",
    "Risk": "",
    "RiskID": "",
    "Popularity": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "AppPort": "",
    "References": [],
    "DeepAppCtrl": "",
    "Vendor": "",
    "Deprecated": "",
    "Language": "",
    "Technology": [],
    "os_list": [],
    "app_list": [],
    "Released": "",
    "Created": "",
    "Updated": "",
    "RequireApp": []
}

    Output schema when you choose Source as Internet Services:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Analysis": ""
}

    operation: Fetch Threat Intel Feeds

    Input parameters

    Parameter Description
    Fetch feeds created after Specify the start DateTime of the duration to fetch feeds incrementally since the last successful pull during data ingestion.
    Process Response As Select the method of returning the Feed Data information. You can choose from following options:
    • Create As Feed Records In FortiSOAR™: Specify the IRI of the playbook that creates feed records in FortiSOAR™ in the Record Creation Playbook IRI field.
    • Save to File: Select this option to write threat intel feed data to files on the FortiSOAR™ server.

    Output

    The output contains the following populated JSON schema:

    {
    "result": "",
    "message": ""
}

    Included playbooks

    The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.1 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

    • > FortiGuard Threat Intelligence > Fetch and Create
    • Fetch Threat Intel Feeds
    • File Hash / Domain / IP / URL > Fortinet FortiGuard Threat Intelligence > Enrichment
    • FortiGuard Threat Intelligence > Ingest
    • Get Encyclopedia Lookup
    • Get Threat Categories
    • Threat Intel Search

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

    Pluggable Enrichment

    The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.1 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for various indicator types. The indicator can be of any of the following types: File Hash, Domain, IP Address, or URL. The pluggable enrichment playbooks are in the format: <indicator type> > Fortinet FortiGuard Threat Intelligence > Enrichment format. For example, URL > Fortinet FortiGuard Threat Intelligence > Enrichment.

    The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types. The following table lists the variable names and their default values:

    Variable Name Default value (confidence)
    good_score low
    suspicious_score medium
    malicious_score high

    Based on the above default values and the Fortinet FortiGuard Threat Intelligence integration API response returns the Verdict and other variables:

    Variable Name Description Return Value
    verdict This connector returns a high-reliability value called Verdict. Use this verdict to find the reputation of the various types of indicators.

    If the confidence value returned is between the value specified in the malicious_score variable, then return the verdict as Malicious.
    If the confidence value returned is between the value specified in the suspicious_score variable, then return the verdict as Suspicious.
    If the confidence value returned is between the value specified in the good_score variable, then return the verdict as Good.
    For any other value, return the verdict as No Reputation Available
    cti_name The name of the connector is called the CTI (Cyber Threat Intelligence) name Fortinet FortiGuard Threat Intelligence
    cti_score The verdict value returned by the integration API. confidence
    Note: The cti_score returns the value contained in confidence. It does not apply any other decision-making flow to it.
    source_data The source_data response returned by the integration API. A JSON response object containing the source data of the threat intelligence integration.
    field_mapping The mapping of the FortiSOAR™ 'indicator' module fields with the Fortinet FortiGuard Threat Intelligence response fields. A JSON response object containing the field mapping of the threat intelligence integration.
    enrichment_summary The contents are added, in the HTML format, in the 'Description' field of the specified FortiSOAR™ indicator record.

    The following values are returned in the HTML format:

    • Confidence
    • Web Filter Category
    • IOC Category
    • AV Category
    • IOC Tag

    The following image displays a sample of the populated 'Description' field in a FortiSOAR™ indicator record:

    Data Ingestion Support

    Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. Currently, data from FortiGuard Threat Intelligence are mapped to "threat intel feeds" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

    Prerequisites

    Before you begin ingesting data into FortiSOAR™, it is strongly recommended that you deploy and set up the Threat Intel Management Solution Pack, since, by default, data ingestion is mapped to the Threat Intel Feed modules.

    Configure Data Ingestion

    You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiGuard Threat Intelligence data to FortiSOAR™ "threat intel feeds". The Data Ingestion Wizard enables you to configure the scheduled pulling of data from the FortiGuard Threat Intelligence into FortiSOAR™. It also lets you pull some sample data from FortiGuard Threat Intelligence using which you can define the mapping of data between the FortiGuard Threat Intelligence and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiGuard Threat Intelligence.

    1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiGuard Threat Intelligence connector’s "Configurations" page.

      Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
      Sample data is required to create a field mapping between the FortiGuard Threat Intelligence and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
    2. On the Fetch Data screen, provide the configurations required to fetch data from FortiGuard Threat Intelligence. You can pull threat intel feeds from FortiGuard Threat Intelligence and add custom confidence level, reputation, TLP, and maximum age to that feed.

      The fetched data is used to create a mapping between the FortiGuard Threat Intelligence and FortiSOAR™ threat intel feeds. Once you have completed specifying the configurations, click Fetch Data.
    3. On the Field Mapping screen, map the fields of FortiGuard's threat intelligence feed to the fields of a threat intel feed present in FortiSOAR™.
      To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the valid_from parameter of a FortiGuard threat intelligence feed to the LastSeen parameter of a FortiSOAR™ threat intel feed, click the LastSeen field, and then click the valid_from field to populate its keys:

      For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
    4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiGuard Threat Intelligence, so that the content gets pulled from the FortiGuard Threat Intelligence integration into FortiSOAR™.
      On the Scheduling screen, from the Do to schedule the ingestion? drop-down list, select Yes.
      In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if to pull data from FortiGuard Threat Intelligence every hour, click Hourly, and in the hour box enter */1:

      Once you have completed scheduling, click Save Settings & Continue.
    5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
    Previous
    Next

    Fortinet FortiGuard Threat Intelligence v3.1.1

    About the connector

    FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. This connector facilitates automated operations to check IP, URL, Domain and File Hash Lookups and ingestion of daily threat feeds.

    This connector has a dependency on the Threat Intel Management Solution Pack. Install the Solution Pack before enabling ingestion of Threat Feeds from this source.

    This document provides information about the Fortinet FortiGuard Threat Intelligence Connector, which facilitates automated interactions, with a Fortinet FortiGuard Threat Intelligence server using FortiSOAR™ playbooks. Add the Fortinet FortiGuard Threat Intelligence Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiGuard Threat Intelligence.

    IMPORTANT: The FortiGuard Threat Intelligence connector is not supported on the FortiSOAR Agent.

    Version information

    Connector Version: 3.1.1

    FortiSOAR™ Version Tested on: 7.4.0-3024

    Authored By: Fortinet

    Certified: Yes

    Release Notes for version 3.1.1

    Following enhancements have been made to the Fortinet FortiGuard Threat Intelligence Connector in version 3.1.1:

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

        yum install cyops-connector-fortinet-fortiguard-threat-intelligence

    Prerequisites to configuring the connector

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server Name URL of the FortiGuard Threat Intelligence API server to which you will connect and perform automated operations.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

    Function Description Annotation and Category
    Threat Intel Search Retrieves information about a threat from FortiGuard Threat Intelligence based on the indicator you have specified. threat_intel_search
    Investigation
    Get Threat Categories Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. get_threat_categories
    Investigation
    Get Encyclopedia Lookup Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. get_encyclopedia_lookup
    Investigation
    Fetch Threat Intel Feeds Downloads the FortiGuard Threat Intel Feeds. threat_intel_feeds
    Investigation

    operation: Threat Intel Search

    Input parameters

    Parameter Description
    Indicator Specify the threat indicator whose information to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    {
    "reference_url": "",
    "ioc_cate": "",
    "confidence": "",
    "wf_cate": "",
    "spam_cates": [],
    "ioc_tags": [],
    "av_cate": ""
}

    operation: Get Threat Categories

    Input parameters

    Parameter Description
    Title Specify the title of the threat whose associated threat types and names to retrieve from FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    {
    "ctype": "",
    "title": "",
    "description": ""
}

    operation: Get Encyclopedia Lookup

    Input parameters

    Parameter Description
    Source Specify the source of the lookup, for example, viruses, botnet, etc., whose information to retrieve from FortiGuard Threat Intelligence server.
    ID Specify the ID of the encyclopedia lookup whose information to retrieve from the FortiGuard Threat Intelligence server.

    Output

    The output contains the following populated JSON schema:

    Output schema when you choose Source as Viruses:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Intrusion Prevention:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "isActive": "",
    "Risk": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "os_list": [],
    "app_list": [],
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Released": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Botnet:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "Platform": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Endpoint Vulnerabilities:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Risk": "",
    "Summary": "",
    "Analysis": "",
    "Products": [],
    "SecurityRefs": [
        {
            "reftype": "",
            "refid": "",
            "url": ""
        }
    ],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Mobile:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

    Output schema when you choose Source as Application:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Category": "",
    "Risk": "",
    "RiskID": "",
    "Popularity": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "AppPort": "",
    "References": [],
    "DeepAppCtrl": "",
    "Vendor": "",
    "Deprecated": "",
    "Language": "",
    "Technology": [],
    "os_list": [],
    "app_list": [],
    "Released": "",
    "Created": "",
    "Updated": "",
    "RequireApp": []
}

    Output schema when you choose Source as Internet Services:

    {
    "Type": "",
    "ID": "",
    "Name": "",
    "Analysis": ""
}

    operation: Fetch Threat Intel Feeds

    Input parameters

    Parameter Description
    Fetch feeds created after Specify the start DateTime of the duration to fetch feeds incrementally since the last successful pull during data ingestion.
    Process Response As Select the method of returning the Feed Data information. You can choose from following options:
    • Create As Feed Records In FortiSOAR™: Specify the IRI of the playbook that creates feed records in FortiSOAR™ in the Record Creation Playbook IRI field.
    • Save to File: Select this option to write threat intel feed data to files on the FortiSOAR™ server.

    Output

    The output contains the following populated JSON schema:

    {
    "result": "",
    "message": ""
}

    Included playbooks

    The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.1 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

    Pluggable Enrichment

    The Sample - Fortinet FortiGuard Threat Intelligence - 3.1.1 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for various indicator types. The indicator can be of any of the following types: File Hash, Domain, IP Address, or URL. The pluggable enrichment playbooks are in the format: <indicator type> > Fortinet FortiGuard Threat Intelligence > Enrichment format. For example, URL > Fortinet FortiGuard Threat Intelligence > Enrichment.

    The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types. The following table lists the variable names and their default values:

    Variable Name Default value (confidence)
    good_score low
    suspicious_score medium
    malicious_score high

    Based on the above default values and the Fortinet FortiGuard Threat Intelligence integration API response returns the Verdict and other variables:

    Variable Name Description Return Value
    verdict This connector returns a high-reliability value called Verdict. Use this verdict to find the reputation of the various types of indicators.

    If the confidence value returned is between the value specified in the malicious_score variable, then return the verdict as Malicious.
    If the confidence value returned is between the value specified in the suspicious_score variable, then return the verdict as Suspicious.
    If the confidence value returned is between the value specified in the good_score variable, then return the verdict as Good.
    For any other value, return the verdict as No Reputation Available
    cti_name The name of the connector is called the CTI (Cyber Threat Intelligence) name Fortinet FortiGuard Threat Intelligence
    cti_score The verdict value returned by the integration API. confidence
    Note: The cti_score returns the value contained in confidence. It does not apply any other decision-making flow to it.
    source_data The source_data response returned by the integration API. A JSON response object containing the source data of the threat intelligence integration.
    field_mapping The mapping of the FortiSOAR™ 'indicator' module fields with the Fortinet FortiGuard Threat Intelligence response fields. A JSON response object containing the field mapping of the threat intelligence integration.
    enrichment_summary The contents are added, in the HTML format, in the 'Description' field of the specified FortiSOAR™ indicator record.

    The following values are returned in the HTML format:

    • Confidence
    • Web Filter Category
    • IOC Category
    • AV Category
    • IOC Tag

    The following image displays a sample of the populated 'Description' field in a FortiSOAR™ indicator record:

    Data Ingestion Support

    Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. Currently, data from FortiGuard Threat Intelligence are mapped to "threat intel feeds" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

    Prerequisites

    Before you begin ingesting data into FortiSOAR™, it is strongly recommended that you deploy and set up the Threat Intel Management Solution Pack, since, by default, data ingestion is mapped to the Threat Intel Feed modules.

    Configure Data Ingestion

    You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming FortiGuard Threat Intelligence data to FortiSOAR™ "threat intel feeds". The Data Ingestion Wizard enables you to configure the scheduled pulling of data from the FortiGuard Threat Intelligence into FortiSOAR™. It also lets you pull some sample data from FortiGuard Threat Intelligence using which you can define the mapping of data between the FortiGuard Threat Intelligence and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiGuard Threat Intelligence.

    1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiGuard Threat Intelligence connector’s "Configurations" page.

      Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
      Sample data is required to create a field mapping between the FortiGuard Threat Intelligence and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
    2. On the Fetch Data screen, provide the configurations required to fetch data from FortiGuard Threat Intelligence. You can pull threat intel feeds from FortiGuard Threat Intelligence and add custom confidence level, reputation, TLP, and maximum age to that feed.

      The fetched data is used to create a mapping between the FortiGuard Threat Intelligence and FortiSOAR™ threat intel feeds. Once you have completed specifying the configurations, click Fetch Data.
    3. On the Field Mapping screen, map the fields of FortiGuard's threat intelligence feed to the fields of a threat intel feed present in FortiSOAR™.
      To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the valid_from parameter of a FortiGuard threat intelligence feed to the LastSeen parameter of a FortiSOAR™ threat intel feed, click the LastSeen field, and then click the valid_from field to populate its keys:

      For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
    4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiGuard Threat Intelligence, so that the content gets pulled from the FortiGuard Threat Intelligence integration into FortiSOAR™.
      On the Scheduling screen, from the Do to schedule the ingestion? drop-down list, select Yes.
      In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if to pull data from FortiGuard Threat Intelligence every hour, click Hourly, and in the hour box enter */1:

      Once you have completed scheduling, click Save Settings & Continue.
    5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
    Previous
    Next