Fortinet FortiGuard Threat Intelligence v3.2.0

About the connector

FortiGuard Threat Intelligence is the global threat intelligence and research organization at Fortinet. This connector automates IP, URL, domain, and file hash reputation lookups against FortiGuard and the ingestion of FortiGuard's daily threat feeds.

This connector has a dependency on the Threat Intel Management Solution Pack. Install the Solution Pack before enabling ingestion of Threat Feeds from this source.

This document describes the Fortinet FortiGuard Threat Intelligence Connector, which lets FortiSOAR™ playbooks interact with a Fortinet FortiGuard Threat Intelligence server. Add the connector as a step in FortiSOAR™ playbooks to perform automated operations against Fortinet FortiGuard Threat Intelligence.

Version information

Connector Version: 3.2.0

FortiSOAR™ Version Tested on: 7.6.1-5275

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.2.0

Following enhancements have been made to the Fortinet FortiGuard Threat Intelligence connector in version 3.2.0:

  • Added field mappings for Pattern Type, Pattern Version, Indicator Types, and Name in the Create Record step of the > FortiGuard Threat Intelligence > Fetch and Create playbook.
  • Unknown Threat Types detected are mapped to the Unknown Threat Type picklist within the Threat Intelligence Feed module.
  • Only those records are fetched where the Valid Until time is greater than or equal to the Last Pull Time.

Known Issue

The following error may appear during data ingestion. It is a PostgreSQL deadlock report: two ingestion transactions inserting into the threat_intel_feeds table concurrently each wait on a lock the other holds, and the database aborts one of them:

    Error: Process 1046904 waits for ShareLock on transaction 781491; blocked by process 1046907.
    Process 1046907 waits for ShareLock on transaction 781489; blocked by process 1046904.
    HINT:  See server log for query details.
    CONTEXT:  while inserting index tuple (101319,1) in relation "threat_intel_feeds"
    URL: https://localhost/api/ingest-feeds/threat_intel_feeds?$statusOnly=true    

Resolution

Contact Fortinet support.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, see the Connectors Guide in the FortiSOAR™ product documentation.

You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-fortinet-fortiguard-threat-intelligence

Prerequisites to configuring the connector

  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiGuard Threat Intelligence API server.
  • You require FortiSOAR™ release 7.2.0 as a baseline for enabling data ingestion with this connector. Other lookup actions work on older releases of FortiSOAR™.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, see the Connectors Guide in the FortiSOAR™ product documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiGuard Threat Intelligence connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server Name URL of the FortiGuard Threat Intelligence API server that the connector connects to for automated operations.
Verify SSL Specifies whether the SSL certificate presented by the server is verified. By default, this option is set to True. Leave it enabled outside troubleshooting: with verification off, the connector accepts any certificate, so anyone able to intercept the path to the API server could return forged reputation data that your playbooks then act on.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Threat Intel Search Retrieves information about a threat from FortiGuard Threat Intelligence based on the indicator you have specified. threat_intel_search / Investigation
Get Threat Categories Retrieves a static list of threat types and names from FortiGuard Threat Intelligence based on the title that you have specified. get_threat_categories / Investigation
Get Encyclopedia Lookup Retrieves a lookup from FortiGuard Threat Intelligence based on the threat source and the associated encyclopedia lookup ID you have specified. get_encyclopedia_lookup / Investigation
Fetch Threat Intel Feeds Downloads the FortiGuard Threat Intel Feeds. threat_intel_feeds / Investigation

operation: Threat Intel Search

Input parameters

Parameter Description
Indicator Specify the threat indicator whose information to retrieve from the FortiGuard Threat Intelligence server.

Output

The output contains the following populated JSON schema:

{
    "reference_url": "",
    "ioc_cate": "",
    "confidence": "",
    "wf_cate": "",
    "spam_cates": [],
    "ioc_tags": [],
    "av_cate": ""
}

operation: Get Threat Categories

Input parameters

Parameter Description
Title Specify the title of the threat whose associated threat types and names to retrieve from FortiGuard Threat Intelligence server.

Output

The output contains the following populated JSON schema:

{
    "ctype": "",
    "title": "",
    "description": ""
}

operation: Get Encyclopedia Lookup

Input parameters

Parameter Description
Source Specify the source of the lookup, for example, viruses, botnet, etc., whose information to retrieve from FortiGuard Threat Intelligence server.
ID Specify the ID of the encyclopedia lookup whose information to retrieve from the FortiGuard Threat Intelligence server.

Output

The output contains the following populated JSON schema:

Output schema when you choose Source as Viruses:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

Output schema when you choose Source as Intrusion Prevention:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "isActive": "",
    "Risk": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "os_list": [],
    "app_list": [],
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Released": "",
    "Created": "",
    "Updated": ""
}

Output schema when you choose Source as Botnet:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "Platform": "",
    "Created": "",
    "Updated": ""
}

Output schema when you choose Source as Endpoint Vulnerabilities:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Risk": "",
    "Summary": "",
    "Analysis": "",
    "Products": [],
    "SecurityRefs": [
        {
            "reftype": "",
            "refid": "",
            "url": ""
        }
    ],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Created": "",
    "Updated": ""
}

Output schema when you choose Source as Mobile:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Aliases": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "SecurityRefs": [],
    "DetectionAvailability": [
        {
            "product": "",
            "sigdb": "",
            "status": ""
        }
    ],
    "Discovered": "",
    "Created": "",
    "Updated": ""
}

Output schema when you choose Source as Application:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Category": "",
    "Risk": "",
    "RiskID": "",
    "Popularity": "",
    "Summary": "",
    "Symptoms": "",
    "Analysis": "",
    "Action": "",
    "DefaultAction": "",
    "BehaviorList": [],
    "AppPort": "",
    "References": [],
    "DeepAppCtrl": "",
    "Vendor": "",
    "Deprecated": "",
    "Language": "",
    "Technology": [],
    "os_list": [],
    "app_list": [],
    "Released": "",
    "Created": "",
    "Updated": "",
    "RequireApp": []
}

Output schema when you choose Source as Internet Services:

{
    "Type": "",
    "ID": "",
    "Name": "",
    "Analysis": ""
}

operation: Fetch Threat Intel Feeds

Input parameters

Parameter Description
Fetch feeds created after Specify the start date and time from which feeds are fetched. During scheduled data ingestion this is set to the time of the last successful pull, so that each run fetches feeds incrementally.
Process Response As Select the method of returning the Feed Data information. You can choose from following options:
  • Create As Feed Records In FortiSOAR™: Specify the IRI of the playbook that creates feed records in FortiSOAR™ in the Record Creation Playbook IRI field.
  • Save to File: Select this option to write threat intel feed data to files on the FortiSOAR™ server.

Output

The output contains the following populated JSON schema:

{
    "result": "",
    "message": ""
}
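The incremental filter described in the release notes (a record is fetched only when its Valid Until time is greater than or equal to the Last Pull Time, and an unrecognised threat type is mapped to the Unknown Threat Type picklist) can be checked offline before it is trusted in a scheduled ingestion. The following Python is an added example, not the connector's or the sample playbook's code: the feed batch is constructed, and the field names (valid_until, threat_type, pattern_type, pattern_version, indicator_types, name, value), the set of known threat types, and the ISO-8601 timestamp format are assumptions made for the illustration, not the FortiGuard feed format.

```python
"""Added example: incremental feed selection and threat-type normalisation.
Not the connector's own code. Field names, the known-threat-type set and the
timestamp format are assumptions for this illustration."""
from datetime import datetime, timezone

KNOWN_THREAT_TYPES = {"malware", "phishing", "botnet"}  # assumed picklist values
UNKNOWN_THREAT_TYPE = "Unknown Threat Type"


def parse_ts(value):
    """Parse an ISO-8601 timestamp. A trailing 'Z' is accepted, and a naive
    value is treated as UTC so comparisons never mix aware and naive datetimes."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def select_feeds(feeds, last_pull_time):
    """Keep records whose valid_until is >= last_pull_time (the boundary is
    inclusive, matching the release note). A record with no valid_until is
    kept: an indicator without an expiry cannot be shown to be stale, and
    dropping it would silently lose intel."""
    cutoff = parse_ts(last_pull_time)
    selected = []
    for feed in feeds:
        valid_until = feed.get("valid_until")
        if valid_until is None or parse_ts(valid_until) >= cutoff:
            selected.append(feed)
    return selected


def to_feed_record(feed):
    """Shape one entry into the fields mapped in the Create Record step. A
    threat type outside the known picklist goes to Unknown Threat Type
    instead of failing the record."""
    threat_type = (feed.get("threat_type") or "").strip().lower()
    return {
        "name": feed.get("name"),
        "value": feed.get("value"),
        "pattern_type": feed.get("pattern_type"),
        "pattern_version": feed.get("pattern_version"),
        "indicator_types": feed.get("indicator_types", []),
        "valid_until": feed.get("valid_until"),
        "threat_type": threat_type if threat_type in KNOWN_THREAT_TYPES else UNKNOWN_THREAT_TYPE,
    }


def process_feeds(feeds, last_pull_time):
    """Filter a batch against the last pull time and normalise each record."""
    return [to_feed_record(f) for f in select_feeds(feeds, last_pull_time)]


# Constructed sample batch (not real FortiGuard feed content).
SAMPLE_FEEDS = [
    {"name": "c2-host", "value": "203.0.113.10", "pattern_type": "stix", "pattern_version": "2.1",
     "indicator_types": ["malicious-activity"], "threat_type": "botnet",
     "valid_until": "2024-06-02T00:00:00Z"},
    {"name": "expired", "value": "198.51.100.7", "pattern_type": "stix", "pattern_version": "2.1",
     "indicator_types": ["malicious-activity"], "threat_type": "malware",
     "valid_until": "2024-05-30T12:00:00Z"},
    {"name": "boundary", "value": "example.invalid", "pattern_type": "stix", "pattern_version": "2.1",
     "indicator_types": ["malicious-activity"], "threat_type": "cryptojacking",
     "valid_until": "2024-06-01T00:00:00Z"},
    {"name": "no-expiry", "value": "https://example.invalid/x", "pattern_type": "stix",
     "pattern_version": "2.1", "indicator_types": ["malicious-activity"], "threat_type": "phishing"},
]
LAST_PULL_TIME = "2024-06-01T00:00:00Z"

if __name__ == "__main__":
    for record in process_feeds(SAMPLE_FEEDS, LAST_PULL_TIME):
        print(record["name"], record["threat_type"], record["valid_until"])
```

Of the four constructed entries, the expired one is dropped, the one whose Valid Until equals the last pull time is kept because the comparison is inclusive, the entry without an expiry is kept, and the cryptojacking entry lands in Unknown Threat Type because that value is not in the assumed picklist.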

Included playbooks

The Sample - Fortinet FortiGuard Threat Intelligence - 3.2.0 playbook collection comes bundled with the Fortinet FortiGuard Threat Intelligence connector. These playbooks contain steps that exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiGuard Threat Intelligence connector.

  • > FortiGuard Threat Intelligence > Fetch and Create
  • Fetch Threat Intel Feeds
  • File Hash / Domain / IP / URL > Fortinet FortiGuard Threat Intelligence > Enrichment
  • FortiGuard Threat Intelligence > Ingest
  • Get Encyclopedia Lookup
  • Get Threat Categories
  • Threat Intel Search

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Pluggable Enrichment

The Sample - Fortinet FortiGuard Threat Intelligence - 3.2.0 playbook collection contains pluggable enrichment playbooks that provide verdicts for various indicator types. The indicator can be of any of the following types: File Hash, Domain, IP Address, or URL. The pluggable enrichment playbooks are named in the format <indicator type> > Fortinet FortiGuard Threat Intelligence > Enrichment, for example, URL > Fortinet FortiGuard Threat Intelligence > Enrichment.

The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types. The following table lists the variable names and their default values:

Variable Name Default value (confidence)
good_score low
suspicious_score medium
malicious_score high

Based on these default values and the confidence value in the Fortinet FortiGuard Threat Intelligence API response, the enrichment playbook returns the Verdict and the following variables:

Variable Name Description Return Value
verdict This connector returns a high-reliability value called Verdict. Use this verdict to find the reputation of the various types of indicators. The verdict is derived from the confidence value in the response:

  • If the confidence value matches the value in the malicious_score variable (high by default), the verdict is Malicious.
  • If the confidence value matches the value in the suspicious_score variable (medium by default), the verdict is Suspicious.
  • If the confidence value matches the value in the good_score variable (low by default), the verdict is Good.
  • For any other value, including an empty or missing confidence, the verdict is No Reputation Available.

cti_name The name of the threat intelligence (CTI) source that produced the verdict. Fortinet FortiGuard Threat Intelligence
cti_score The confidence value returned by the integration API. confidence
Note: cti_score is the raw value of confidence passed through as-is. No decision-making logic is applied to it.
source_data The source_data response returned by the integration API. A JSON response object containing the source data of the threat intelligence integration.
field_mapping The mapping of the FortiSOAR™ 'indicator' module fields to the Fortinet FortiGuard Threat Intelligence response fields. A JSON response object containing the field mapping of the threat intelligence integration.
enrichment_summary The contents are added, in HTML format, to the 'Description' field of the specified FortiSOAR™ indicator record.

The following values are returned in the HTML format:

  • Confidence
  • Web Filter Category
  • IOC Category
  • AV Category
  • IOC Tag

The following image displays a sample of the populated 'Description' field in a FortiSOAR™ indicator record:
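The verdict rules and the enrichment_summary HTML above can be reproduced in a few lines and checked against the Threat Intel Search output schema on this page. The following Python is an added example, not the connector's or the sample playbook's code: the sample response is constructed, field_mapping is left out, and the HTML escaping is a deliberate addition of this example, since the values come from an external feed and the Description field renders HTML.

```python
"""Added example: the pluggable-enrichment verdict logic in plain Python.
Not the connector's own code; the field names follow the Threat Intel Search
output schema on this page and the sample response is constructed."""
import html
import json

# Defaults from the Configuration step of the enrichment playbooks.
GOOD_SCORE = "low"
SUSPICIOUS_SCORE = "medium"
MALICIOUS_SCORE = "high"

CTI_NAME = "Fortinet FortiGuard Threat Intelligence"

# Constructed sample of a Threat Intel Search response (not real FortiGuard data).
SAMPLE_RESPONSE = {
    "reference_url": "https://www.fortiguard.com/search?q=example",
    "ioc_cate": "Malware",
    "confidence": "high",
    "wf_cate": "Malicious Websites",
    "spam_cates": [],
    "ioc_tags": ["botnet", "c2"],
    "av_cate": "W32/Example.Tr",
}


def compute_verdict(confidence, good=GOOD_SCORE, suspicious=SUSPICIOUS_SCORE,
                    malicious=MALICIOUS_SCORE):
    """Map the confidence string to a verdict. Anything that matches none of
    the three configured scores, including a missing value, is reported as
    'No Reputation Available' rather than defaulting to Good. The comparison
    is case-insensitive so 'High' and 'high' agree."""
    value = (confidence or "").strip().lower()
    if value == malicious.lower():
        return "Malicious"
    if value == suspicious.lower():
        return "Suspicious"
    if value == good.lower():
        return "Good"
    return "No Reputation Available"


def enrichment_summary(response):
    """Build the HTML written to the indicator's Description field. Every value
    is HTML-escaped: an IOC tag or category string is untrusted feed input and
    the Description field renders HTML."""
    rows = [
        ("Confidence", response.get("confidence", "")),
        ("Web Filter Category", response.get("wf_cate", "")),
        ("IOC Category", response.get("ioc_cate", "")),
        ("AV Category", response.get("av_cate", "")),
        ("IOC Tag", ", ".join(response.get("ioc_tags") or [])),
    ]
    cells = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(k), html.escape(str(v)))
        for k, v in rows
    )
    return "<table>{}</table>".format(cells)


def enrich(response):
    """Return the variable set the pluggable enrichment playbook exposes
    (field_mapping omitted). cti_score is the raw confidence, untouched."""
    return {
        "verdict": compute_verdict(response.get("confidence")),
        "cti_name": CTI_NAME,
        "cti_score": response.get("confidence"),
        "source_data": response,
        "enrichment_summary": enrichment_summary(response),
    }


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_RESPONSE), indent=2))
```

Running the block on the constructed response yields a Malicious verdict with cti_score "high" and a Description table listing the five values above; a response whose confidence is empty yields No Reputation Available instead of being silently treated as Good.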

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from FortiGuard Threat Intelligence. Currently, data ingested from FortiGuard Threat Intelligence is mapped to Threat Intel Feeds in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

NOTE: For the ingestion playbooks to work you must install and configure the Threat Intel Management Solution Pack on your FortiSOAR™ instance. For more information on solution packs see the respective solution pack document on the Content Hub Portal.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming FortiGuard Threat Intelligence data to FortiSOAR™'s Threat Intel Feeds.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from FortiGuard Threat Intelligence into FortiSOAR™. It also lets you pull some sample data from FortiGuard Threat Intelligence using which you can define the mapping of data between FortiGuard Threat Intelligence and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the FortiGuard Threat Intelligence data.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the FortiGuard Threat Intelligence connector's Configurations page.

    Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between FortiGuard Threat Intelligence data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch data from FortiGuard Threat Intelligence.

Users can pull data from FortiGuard Threat Intelligence by selecting, in the Fetch feeds created after drop-down list, the time window for which feeds are retrieved. For example, if you choose Last 24 Hours, the feeds created in the last 24 hours are retrieved from the FortiGuard Threat Intelligence server.

    Select the Enable Bulk Ingest checkbox, if you want to create ingested records using the Ingest Bulk Feed step instead of the Create Record step in the ingestion playbooks. The advantage of using Enable Bulk Ingest is a significant reduction in the execution time of the ingestion playbook. Therefore, it is recommended to select the Enable Bulk Ingest checkbox for high-volume data ingestion. It is also recommended to schedule data ingestion to run during non-working hours.

    Known Issues: One known disadvantage of using the bulk ingest method is that it completely replaces all the fields of existing records; however, it keeps record correlations intact, i.e., the related records are not changed.

    The fetched data is used to create a mapping between the data from FortiGuard Threat Intelligence and FortiSOAR Threat Intel Feeds. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the ingested data FortiGuard Threat Intelligence to the fields of a Threat Intel Feeds present in FortiSOAR™.

To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the uuid parameter of an ingested feed record from FortiGuard Threat Intelligence to the value parameter of a FortiSOAR™ Threat Intel Feeds record, click the Value field and then click the uuid field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to FortiGuard Threat Intelligence, so that the content gets pulled from the FortiGuard Threat Intelligence integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from FortiGuard Threat Intelligence every month, click Monthly, and in the minute, hour, and day of month boxes enter 1, 0, and 1 respectively. This means that the data will be pulled from FortiGuard Threat Intelligence on the first day of every month at 12:01 AM:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
