FortiSOAR™ provides you with a number of pre-installed connectors or built-ins, such as the Utilities or Database connectors that you can use within FortiSOAR™ playbooks, as a connector step, and perform automated operations. These connectors are bundled and named based on the type of operations the connectors can perform. For example, the Database connector would contain actions that you can perform with respect to the database like querying the database. It is easy to extend and enhance these connectors.
Apart from the FortiSOAR™ Built-in connectors, Fortinet also provides a number of connectors for popular integrations like SIEMs, such as FortiSIEM, Splunk, etc., and Ticketing systems such as Jira. You can see a list of published connectors on the FortiSOAR Connectors Documentation site.
The process of installing, configuring, and using connectors is defined in the Introduction to connectors chapter in the "Connectors Guide", which is part of the FortiSOAR™ documentation. Alternatively, see the Installing a connector and Configuring a connector articles.
FortiSOAR™ Built-in connectors are upgraded by default with a FortiSOAR™ upgrade. Use the Content Hub to upgrade your connectors to the latest version. For more information on the connector store, see the Introduction to connectors chapter and see the FortiSOAR Built-in connectors article.
Important: Before you upgrade your FortiSOAR™ version, it is highly recommended that you take a backup of your FortiSOAR™ Built-in connector's (SSH, IMAP, Database, Utilities, etc.) configuration since the configuration of your FortiSOAR™ Built-in connectors might be reset if there are changes to the configuration parameters across versions.
FortiSOAR™ in version 6.0.0 has refactored the output of some operations of some built-in connectors such as the "Email: Extracts email's metadata from email file" operation of the Utilities connector. Due to refactoring, there have been some changes to the output of the Utilities connector which are not backward compatible. For example, the body key in the response now returns a dictionary with keys 'json', 'html' instead of an array of these. It is recommended to switch to the new format. However, if you want to retain the old output format, and you have only upgraded the connector version and not upgraded your FortiSOAR™ version, then you must do the following:
1. In the /opt/cyops-integrations/integrations/configs/config.ini file:
   [connector_configuration]
   extract_email_metadata_legacy: true
   If the extract_email_metadata_legacy parameter is set as true, then the output will be generated in the old format, and if it is set as false, then the output will be generated in the new format.
2. In the /opt/cyops-integrations/integrations/integrations/settings.py file:
   APPLICATION_CONFIG = application_config
3. Restart the uwsgi service using the following command:
   # systemctl restart uwsgi
Important: If you are upgrading to FortiSOAR™ 6.0.0, then you need to perform only steps 1 and 3.
Use this connector for performing operations in FortiSOAR™, such as performing a FortiSOAR™ search using the Query API, updating a FortiSOAR™ resource, and creating a FortiSOAR™ resource. This connector also contains other useful utilities such as extracting email metadata such as indicators from an email file, uploading a file to FortiSOAR™ and associating that file with an attachment, i.e., providing the File IRI in the output, converting file formats, such as XML to JSON or CEF to JSON, and zipping and password protecting a file.
This connector is ready to use, and you do not need to configure this connector.
The "cyops_filepath" key in the response contains the name of the file under /tmp on a FortiSOAR instance. You can use this value as an input to any next step that needs to consume this file. For example, sending the file as an attachment using the corresponding action of the 'Exchange' connector.
"Connector step is failing with error 'Invalid input :: Given filename/filepath /tmp/f68ab00fb7da4dfd9db4bb95abb1471e doesn't exists'". This is expected behavior since when a file download operation is performed on an FSR agent, the operation cleans the file when the response is returned to the base FortiSOAR™ node. Therefore, any following step that expects the downloaded file to be present at the agent will fail. For more information on FSR agents, see the Segmented Network Support chapter in the "Administration Guide", which is part of the FortiSOAR™ documentation.
An example of the utilities that are included in the Utilities connector is the "Utils: Convert JSON into an HTML table" utility. This utility generates an HTML-formatted string based on the input JSON. The HTML-formatted string will appear as follows:
<table class="cs-data-table">
<tr>
<th>pid</th>
<th>path</th>
<th>username</th>
</tr>
<tr>
<td>4</td>
<td>c:\\windows\\system32\\ntoskrnl.exe</td>
<td>NT AUTHORITY\\SYSTEM</td>
</tr>
<tr>
<td>296</td>
<td>c:\\windows\\system32\\smss.exe</td>
<td>NT AUTHORITY\\SYSTEM</td>
</tr>
</table>
For the given input JSON:
{
  "operation": "get_process_list",
  "data": [
    {
      "path": "c:\\windows\\system32\\ntoskrnl.exe",
      "create_time": 1529090266,
      "command_line": "",
      "parent_guid": "00000004-0000-0000-0000-000000000000",
      "proc_guid": "00000004-0000-0004-01d4-04dd8adc9fb8",
      "parent": 0,
      "username": "NT AUTHORITY\\SYSTEM",
      "pid": 4,
      "sid": "s-1-5-18"
    },
    {
      "path": "c:\\windows\\system32\\smss.exe",
      "create_time": 1529090266,
      "command_line": "\\SystemRoot\\System32\\smss.exe",
      "parent_guid": "00000004-0000-0004-01d4-04dd8adc9fb8",
      "proc_guid": "00000004-0000-0128-01d4-04dd8ae6291c",
      "parent": 4,
      "username": "NT AUTHORITY\\SYSTEM",
      "pid": 296,
      "sid": "s-1-5-18"
    }
  ],
  "status": "Success",
  "message": ""
}
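The conversion shown above takes values such as path, username and command_line that originate on the monitored endpoint, so anything that renders them as HTML should escape every cell. The following is an added example, not the Utilities connector's own code: the function name json_to_html_table, its columns parameter and the third sample record are assumptions made for illustration.

```python
import html
import json

# Constructed sample in the shape of the input JSON above. The third record
# is an added value containing markup, to show what escaping does to it.
SAMPLE = json.loads(r'''
{
  "operation": "get_process_list",
  "data": [
    {"pid": 4, "path": "c:\\windows\\system32\\ntoskrnl.exe",
     "command_line": ""},
    {"pid": 296, "path": "c:\\windows\\system32\\smss.exe",
     "command_line": "\\SystemRoot\\System32\\smss.exe"},
    {"pid": 777, "path": "c:\\windows\\system32\\cmd.exe",
     "command_line": "cmd.exe /c echo <script>alert(1)</script>"}
  ],
  "status": "Success",
  "message": ""
}
''')


def json_to_html_table(records, columns, css_class="cs-data-table"):
    """Render a list of JSON objects as an HTML table, escaping every cell.

    Hypothetical helper: only the listed columns are emitted, missing keys
    become empty cells, and nested values are serialized before escaping.
    """
    if not isinstance(records, list) or not all(isinstance(r, dict) for r in records):
        raise ValueError("records must be a list of JSON objects")
    lines = ['<table class="%s">' % html.escape(css_class, quote=True), "<tr>"]
    lines += ["<th>%s</th>" % html.escape(str(c)) for c in columns]
    lines.append("</tr>")
    for rec in records:
        lines.append("<tr>")
        for col in columns:
            value = rec.get(col, "")
            if isinstance(value, (dict, list)):
                value = json.dumps(value, sort_keys=True)
            # html.escape neutralizes &, <, >, " and ' so endpoint-supplied
            # text is displayed as text and never parsed as markup.
            lines.append("<td>%s</td>" % html.escape(str(value)))
        lines.append("</tr>")
    lines.append("</table>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(json_to_html_table(SAMPLE["data"], ["pid", "path", "command_line"]))
```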
For some of the operations, enhancements, bug fixes, and various versions of the Utilities connector see the Utilities Connector Release Notes section.
tmp. This could lead to tmp getting filled up regularly, leading to issues while running other operations.
EMAIL_CHARACTER_COUNT_MAX parameter, and by default, it is set to 100000 characters. To change the limit, edit the EMAIL_CHARACTER_COUNT_MAX parameter that is present in the /opt/cyops-integrations/integrations/configs/config.ini file. For example:
EMAIL_CHARACTER_COUNT_MAX = 100000 <- Change this value as per your requirement.
EMAIL_CHARACTER_COUNT_MAX parameter then you have to restart the uwsgi and celeryd services for the change to take effect.
# systemctl restart celeryd and # systemctl restart uwsgi commands to restart the celeryd and uwsgi services.
EMAIL_CHARACTER_COUNT_MAX parameter.
/tmp directory once the playbook completes its execution. Now, when the "Email: Extracts email's metadata from email file" operation extracts any eml file that contains an attachment, then the attachment is downloaded as a temporary file, and stored in the /tmp directory, which will now be deleted once the playbook completes its execution.
extract_email_metadata_legacy to true in the /opt/cyops-integrations/integrations/configs/connectors.yml file. By default, extract_email_metadata_legacy is set as false.
# systemctl restart uwsgi
Important: If you upgrade the Utilities connector to v2.7.0, then playbooks that contain the "Utils: Make REST API Call" and "FSR: Make FortiSOAR API Call" operations reset the get, put, post, and delete methods if they were not written in capital letters. This occurs due to the current enhancements in the Utilities connector v2.7.0. However, there will not be any functional impact due to this since the playbook will execute successfully after the upgrade, and you can correctly add the methods to the playbook post-upgrade.
Apart from the above enhancements, the Utilities connector also contains better error handling, which includes displaying enhanced, precise, and detailed error messages, making it easier for you to debug Utilities connector issues. For information on common Utilities connector issues, see the Common Utilities connector errors section in the Debugging common playbook and connector issues article present in the Fortinet Knowledge Base.