Fortinet black logo

Fortinet FortiRecon Brand Protection

Fortinet FortiRecon Brand Protection v2.0.0

2.0.0
Copy Link
Copy Doc ID db69c48c-b50c-11ee-8673-fa163e15d75b:768

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view to the risks posed to your enterprise.

This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 7.4.2-3279

Fortinet FortiRecon Brand Protection Version Tested on: 23.3.a

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the Fortinet FortiRecon Brand Protection Connector in version 2.0.0:

  • Added the following actions:
    • Get Code Repo Exposures
    • Get Domain Threats
    • Get Domain Threats By ID
    • Get Executive Exposures
    • Get Executive Profiles
    • Get Open Bucket Exposures
    • Get Social Media Threats
    • Get Code Repo Exposures Statistics
    • Get Matched Domains Statistics
    • Get Domain Threats Statistics
    • Get Original Domains Statistics
    • Get Open Bucket Exposures Statistics
    • Get Social Media Threats Statistics
    • Get Tags
  • Removed the drop-down option Official from the Get Rogue Apps action's Status parameter
  • Renamed the parameter Keyword to Search By Keyword in the Get Rogue Apps action
  • Deprecated the following actions:
    • Search Alerts
    • Get Alert Details By Alert ID
    • Get Phishing Campaigns
    • Get Phishing Campaigns By ID
    • Get Typo Domains
    • Get Typo Domain By ID

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-brand-protection

Prerequisites to configuring the connector

  • You must have the credentials of Fortinet FortiRecon Brand Protection server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiRecon Brand Protection server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Server name or IP address to which you will connect and perform the automated operations
API Key API key to access the endpoint to which you will connect and perform the automated operations
Organization ID The organization ID on which FortiRecon operations are to be performed.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

.

Function Description Annotation and Category
Get Code Repo Exposures Retrieves a list of code repo exposures based on the filter criteria that you have specified. get_code_repo_exposures
Investigation
Get Domain Threats Retrieves list of code domain threats based on the filter criteria that you have specified. get_domain_threats
Investigation
Get Domain Threats By ID Retrieves details of threats on a domain based on the threat ID that you have specified. get_domain_threats_by_id
Investigation
Get Executive Exposures Retrieves list of executive exposures based on the filter criteria that you have specified. get_executive_exposures
Investigation
Get Executive Profiles Retrieves list of executive profiles based on the name of the executive, page number, and page size that you have specified. get_executive_profiles
Investigation
Get Open Bucket Exposures Retrieves list of open bucket exposures based on the filter criteria that you have specified. get_open_bucket_exposures
Investigation
Get Rogue Apps Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. get_rogue_apps
Investigation
Get Rogue App By ID Retrieves details of a rogue app based on the Rogue App ID that you have specified. get_rogue_app_by_id
Investigation
Get Social Media Threats Retrieves list of social media threats based on the filter criteria that you have specified. get_social_media_threats
Investigation
Get Code Repo Exposures Statistics Retrieves statistics for code repo exposures. get_code_repo_exposures_stats
Investigation
Get Matched Domains Statistics Retrieves statistics of matched domains for the code repo exposures based on the page number and the page size specified. get_matched_domains_stats
Investigation
Get Domain Threats Statistics Retrieves statistics for domain threats. get_domain_threats_stats
Investigation
Get Original Domains Statistics Retrieves the statistics of original domains threats based on the page number and the page size specified. get_original_domains_stats
Investigation
Get Open Bucket Exposures Statistics Retrieves the statistics of open bucket exposures. get_open_bucket_exposures_stats
Investigation
Get Social Media Threats Statistics Retrieves the statistics of social media threats. get_social_media_threats_stats
Investigation
Get Tags Retrieves the list of active tags. get_tags
Investigation
Get Takedown Requests Retrieves a list of takedown requests for rogue apps and typo domains for the given organization the filter criteria that you have specified. get_takedown_requests
Investigation

operation: Get Code Repo Exposures

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in code repo exposures and retrieve results containing the specified keyword.
Matched Domain (Optional) Specify a domain to search in code repo exposures and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com.
Risk Level (Optional) Specify a risk level to search in code repo exposures and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repo exposures containing the specified risk levels. For example, LOW,MEDIUM,HIGH.
Attribute Type (Optional) Specify an attribute type to search in code repo exposures and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repo exposures containing the specified attribute types. For example, Email,Password.
Status (Optional) Select a status to search in code repo exposures and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "attribute": "",
            "attribute_type": "",
            "id": "",
            "matched_domain": "",
            "raw_info": "",
            "risk_level": "",
            "status": "",
            "url": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Domain Threats

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in domain threats and retrieve results containing the specified keyword. The keyword is searched in domain, URL, severity, original domain, online status, and fuzzer fields.
Original Domain (Optional) Specify a domain to search in domain threats and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve domain threats containing the specified domains. For example: domain1.com,domain2.com.
Tags (Optional) Specify a tag to search in domain threats and retrieve results containing the specified tags. You can specify multiple tags to retrieve domain threats containing the specified tags. For example: b7c4409f4e34eedc7a5447b077732c66,b7c4409f4e34eedc7a5447b077732c77.

NOTE: Tag ID can be retrieved from the Get Tags action.

Online Status (Optional) Select an online status search in domain threats and retrieve results containing the specified online status. You can select one of the following options:
  • Online
  • Not Available
  • Non Functional
  • Offline
Status (Optional) Select a status to search in domain threats and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "domain": "",
            "expiration_date": "",
            "fuzzer": "",
            "id": "",
            "is_false_positive": "",
            "is_impersonation": "",
            "is_parked": "",
            "online_status": "",
            "original_domain": "",
            "registration_date": "",
            "severity": "",
            "source": "",
            "source_name": "",
            "status": "",
            "tags": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Domain Threats By ID

Input parameters

Parameter Description
Domain Threat ID Specify an ID of the domain threat to retrieve its details.

Output

The output contains the following populated JSON schema:

{
    "added_ts": "",
    "domain": "",
    "expiration_date": "",
    "fuzzer": "",
    "id": "",
    "is_false_positive": "",
    "is_impersonation": "",
    "is_parked": "",
    "online_status": "",
    "original_domain": "",
    "registration_date": "",
    "severity": "",
    "source": "",
    "source_name": "",
    "status": "",
    "tags": [
        {
            "id": "",
            "name": ""
        }
    ]
}

operation: Get Executive Exposures

Input parameters

Parameter Description
Source Type (Optional) Specify a source type in which to search and retrieve results containing the specified Executive ID.
Executive ID (Optional) Specify an executive ID to search and retrieve results containing the specified executive ID.
Start Date (Optional) Select the start date of the range containing the date when a report was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a report was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "data": {},
            "executive_id": "",
            "id": "",
            "matched_keywords": [
                {
                    "type": "",
                    "value": ""
                }
            ],
            "source_type": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Executive Profiles

Input parameters

Parameter Description
Executive Name (Optional) Specify an executive name to search and retrieve results containing the specified executive's name.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Open Bucket Exposures

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in open bucket exposures and retrieve results containing the specified keyword.
File Type (Optional) Specify a file type to search in open bucket exposures and retrieve results containing the specified file types. You can specify multiple comma-separated file types to retrieve open bucket exposures containing the specified file types. For example gz,tgz,docx.
Bucket Type (Optional) Specify a bucket type to search in open bucket exposures and retrieve results containing the specified bucket types. You can specify multiple comma-separated bucket types to retrieve open bucket exposures containing the specified bucket types. For example gcp,aws,azure.
Status (Optional) Select a status to search in open bucket exposures and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "accessibility_status": "",
            "added_ts": "",
            "bucket": "",
            "bucket_id": "",
            "bucket_type": "",
            "file_name": "",
            "file_size": "",
            "file_type": "",
            "full_path": "",
            "id": "",
            "source_id": "",
            "status": "",
            "url": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Rogue Apps

Input parameters

Parameter Description
Status (Optional) Select the rogue app's status type from the following options to filter the results:
  • Unofficial:Apps published by users that are not recognized officially
  • RogueApps: Apps published by known malicious actors or deemed to be potentially malicious.
Search by Keyword Specify the keywords to filter the results. Specified keyword is searched in these fields: Keyword, Source Name, Developer Name, App Name.

NOTE: Leaving this parameter blank returns an empty response.

Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "developer_name": "",
            "download_count": "",
            "first_seen": "",
            "id": "",
            "index_ts": "",
            "keyword": "",
            "name": "",
            "size": "",
            "source_name": "",
            "status": "",
            "ticket_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Rogue App By ID

Input parameters

Parameter Description
Rogue App ID Specify the ID of the rogue app to get its details.

Output

The output contains the following populated JSON schema:

{
    "developer_name": "",
    "download_count": "",
    "first_seen": "",
    "id": "",
    "index_ts": "",
    "keyword": "",
    "name": "",
    "size": "",
    "source_name": "",
    "status": "",
    "ticket_id": ""
}

operation: Get Social Media Threats

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in social media threats and retrieve results containing the specified keyword in profile name or handle name fields.
Media Type (Optional) Specify a social media platform to search in social media threats and retrieve results containing the specified social media platforms. You can specify multiple comma-separated social media platforms to retrieve social media threats containing the specified social media platforms. For example FACEBOOK,INSTAGRAM,TWITTER.
Profile Name (Optional) Specify a profile name to search and retrieve social media threats containing the specified profile name.
Handle Name (Optional) Specify a handle name to search and retrieve social media threats containing the specified handle name.
Is Verified (Optional) Select whether the profile or the handle name is verified to retrieve social media threats containing only verified profile or handle name. You can select one of the following options:
  • True
  • False
Status (Optional) Select a status to search in social media threats and retrieve results containing the specified status. You can select from following options:
  • Active
  • False Positive
  • Takedown
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "followers_count": "",
            "friends_count": "",
            "handle_name": "",
            "id": "",
            "is_verified": "",
            "location": "",
            "media_type": "",
            "posts_count": "",
            "profile_creation_ts": "",
            "profile_name": "",
            "profile_url": "",
            "source_id": "",
            "status": "",
            "ticket_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Code Repo Exposures Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_action": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_attribute_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_risk_level": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Matched Domains Statistics

Input parameters

Parameter Description
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "count_by_matched_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Domain Threats Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_action": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_domain_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_tags": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Original Domains Statistics

Input parameters

Parameter Description
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "count_by_original_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Open Bucket Exposures Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_accessibility_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_bucket_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_file_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Social Media Threats Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_is_verified": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_media_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Tags

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        }
    ]
}

operation: Get Takedown Requests

Input parameters

Parameter Description
Status (Optional) Select a status to search in take-down requests and retrieve results containing the specified status. You can select from following options:
  • Requested
  • Acknowledged
  • Initiated
  • Closed
Category (Optional) Select a category to search in take-down requests and retrieve results containing the specified category. you can select from the following options:
  • Phishing
  • Fraudulent Domains
  • Typosquatting
  • RogueApps
  • Alert
Keyword (Optional) Specify a keyword to search in take-down requests and retrieve results containing the specified keyword in ticket Id or entity fields. The entity field may contain domain name, title of a report, or Phished Domain.
Start Date (Optional) Select the start date of the range containing the date when the takedown was requested. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when the takedown was requested. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "category": "",
            "comment": "",
            "comment_at": "",
            "comment_by": "",
            "created_at": "",
            "entity": "",
            "is_client": "",
            "org_name": "",
            "progress": "",
            "requested_at": "",
            "requested_by_user": "",
            "requested_by_volon": "",
            "sla": "",
            "status": "",
            "takedown_request_id": "",
            "ticket_id": "",
            "ttr": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Included playbooks

The Sample - Fortinet FortiRecon Brand Protection - 2.0.0 playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.

  • Get Code Repo Exposures
  • Get Code Repo Exposures Statistics
  • Get Domain Threats
  • Get Domain Threats By ID
  • Get Domain Threats Statistics
  • Get Executive Exposures
  • Get Executive Profiles
  • Get Matched Domains Statistics
  • Get Open Bucket Exposures
  • Get Open Bucket Exposures Statistics
  • Get Original Domains Statistics
  • Get Rogue App By ID
  • Get Rogue Apps
  • Get Social Media Threats
  • Get Social Media Threats Statistics
  • Get Tags
  • Get Takedown Requests

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next

About the connector

FortiRecon is a Digital Risk Protection Service (DRPS) product that provides an outside-the-network view to the risks posed to your enterprise.

This document provides information about the Fortinet FortiRecon Brand Protection Connector, which facilitates automated interactions, with a Fortinet FortiRecon Brand Protection server using FortiSOAR™ playbooks. Add the Fortinet FortiRecon Brand Protection Connector as a step in FortiSOAR™ playbooks and perform automated operations with Fortinet FortiRecon Brand Protection.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 7.4.2-3279

Fortinet FortiRecon Brand Protection Version Tested on: 23.3.a

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the Fortinet FortiRecon Brand Protection Connector in version 2.0.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-fortinet-fortirecon-brand-protection

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiRecon Brand Protection connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Server name or IP address to which you will connect and perform the automated operations
API Key API key to access the endpoint to which you will connect and perform the automated operations
Organization ID The organization ID on which FortiRecon operations are to be performed.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

.

Function Description Annotation and Category
Get Code Repo Exposures Retrieves a list of code repo exposures based on the filter criteria that you have specified. get_code_repo_exposures
Investigation
Get Domain Threats Retrieves list of code domain threats based on the filter criteria that you have specified. get_domain_threats
Investigation
Get Domain Threats By ID Retrieves details of threats on a domain based on the threat ID that you have specified. get_domain_threats_by_id
Investigation
Get Executive Exposures Retrieves list of executive exposures based on the filter criteria that you have specified. get_executive_exposures
Investigation
Get Executive Profiles Retrieves list of executive profiles based on the name of the executive, page number, and page size that you have specified. get_executive_profiles
Investigation
Get Open Bucket Exposures Retrieves list of open bucket exposures based on the filter criteria that you have specified. get_open_bucket_exposures
Investigation
Get Rogue Apps Retrieves a list of Rogue Apps based on the status and keywords that you have specified for the query; rogue apps are mobile applications trying to look like apps from trusted brands. get_rogue_apps
Investigation
Get Rogue App By ID Retrieves details of a rogue app based on the Rogue App ID that you have specified. get_rogue_app_by_id
Investigation
Get Social Media Threats Retrieves list of social media threats based on the filter criteria that you have specified. get_social_media_threats
Investigation
Get Code Repo Exposures Statistics Retrieves statistics for code repo exposures. get_code_repo_exposures_stats
Investigation
Get Matched Domains Statistics Retrieves statistics of matched domains for the code repo exposures based on the page number and the page size specified. get_matched_domains_stats
Investigation
Get Domain Threats Statistics Retrieves statistics for domain threats. get_domain_threats_stats
Investigation
Get Original Domains Statistics Retrieves the statistics of original domains threats based on the page number and the page size specified. get_original_domains_stats
Investigation
Get Open Bucket Exposures Statistics Retrieves the statistics of open bucket exposures. get_open_bucket_exposures_stats
Investigation
Get Social Media Threats Statistics Retrieves the statistics of social media threats. get_social_media_threats_stats
Investigation
Get Tags Retrieves the list of active tags. get_tags
Investigation
Get Takedown Requests Retrieves a list of takedown requests for rogue apps and typo domains for the given organization the filter criteria that you have specified. get_takedown_requests
Investigation

operation: Get Code Repo Exposures

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in code repo exposures and retrieve results containing the specified keyword.
Matched Domain (Optional) Specify a domain to search in code repo exposures and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve code repo exposures containing the specified domains. For example: domain1.com,domain2.com.
Risk Level (Optional) Specify a risk level to search in code repo exposures and retrieve results containing the specified risk level. You can specify multiple comma-separated risk levels to retrieve code repo exposures containing the specified risk levels. For example, LOW,MEDIUM,HIGH.
Attribute Type (Optional) Specify an attribute type to search in code repo exposures and retrieve results containing the specified attribute type. You can specify multiple comma-separated attribute types to retrieve code repo exposures containing the specified attribute types. For example, Email,Password.
Status (Optional) Select a status to search in code repo exposures and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "attribute": "",
            "attribute_type": "",
            "id": "",
            "matched_domain": "",
            "raw_info": "",
            "risk_level": "",
            "status": "",
            "url": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Domain Threats

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in domain threats and retrieve results containing the specified keyword. The keyword is searched in domain, URL, severity, original domain, online status, and fuzzer fields.
Original Domain (Optional) Specify a domain to search in domain threats and retrieve results containing the specified domain name. You can specify multiple comma-separated domains to retrieve domain threats containing the specified domains. For example: domain1.com,domain2.com.
Tags (Optional) Specify a tag to search in domain threats and retrieve results containing the specified tags. You can specify multiple tags to retrieve domain threats containing the specified tags. For example: b7c4409f4e34eedc7a5447b077732c66,b7c4409f4e34eedc7a5447b077732c77.

NOTE: Tag ID can be retrieved from the Get Tags action.

Online Status (Optional) Select an online status search in domain threats and retrieve results containing the specified online status. You can select one of the following options:
  • Online
  • Not Available
  • Non Functional
  • Offline
Status (Optional) Select a status to search in domain threats and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "domain": "",
            "expiration_date": "",
            "fuzzer": "",
            "id": "",
            "is_false_positive": "",
            "is_impersonation": "",
            "is_parked": "",
            "online_status": "",
            "original_domain": "",
            "registration_date": "",
            "severity": "",
            "source": "",
            "source_name": "",
            "status": "",
            "tags": []
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Domain Threats By ID

Input parameters

Parameter Description
Domain Threat ID Specify an ID of the domain threat to retrieve its details.

Output

The output contains the following populated JSON schema:

{
    "added_ts": "",
    "domain": "",
    "expiration_date": "",
    "fuzzer": "",
    "id": "",
    "is_false_positive": "",
    "is_impersonation": "",
    "is_parked": "",
    "online_status": "",
    "original_domain": "",
    "registration_date": "",
    "severity": "",
    "source": "",
    "source_name": "",
    "status": "",
    "tags": [
        {
            "id": "",
            "name": ""
        }
    ]
}

operation: Get Executive Exposures

Input parameters

Parameter Description
Source Type (Optional) Specify a source type in which to search and retrieve results containing the specified Executive ID.
Executive ID (Optional) Specify an executive ID to search and retrieve results containing the specified executive ID.
Start Date (Optional) Select the start date of the range containing the date when a report was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a report was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "data": {},
            "executive_id": "",
            "id": "",
            "matched_keywords": [
                {
                    "type": "",
                    "value": ""
                }
            ],
            "source_type": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Executive Profiles

Input parameters

Parameter Description
Executive Name (Optional) Specify an executive name to search and retrieve results containing the specified executive's name.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Open Bucket Exposures

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in open bucket exposures and retrieve results containing the specified keyword.
File Type (Optional) Specify a file type to search in open bucket exposures and retrieve results containing the specified file types. You can specify multiple comma-separated file types to retrieve open bucket exposures containing the specified file types. For example gz,tgz,docx.
Bucket Type (Optional) Specify a bucket type to search in open bucket exposures and retrieve results containing the specified bucket types. You can specify multiple comma-separated bucket types to retrieve open bucket exposures containing the specified bucket types. For example gcp,aws,azure.
Status (Optional) Select a status to search in open bucket exposures and retrieve results containing the specified status. You can select from following options:
  • Active
  • Ignored
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "accessibility_status": "",
            "added_ts": "",
            "bucket": "",
            "bucket_id": "",
            "bucket_type": "",
            "file_name": "",
            "file_size": "",
            "file_type": "",
            "full_path": "",
            "id": "",
            "source_id": "",
            "status": "",
            "url": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Rogue Apps

Input parameters

Parameter Description
Status (Optional) Select the rogue app's status type from the following options to filter the results:
  • Unofficial:Apps published by users that are not recognized officially
  • RogueApps: Apps published by known malicious actors or deemed to be potentially malicious.
Search by Keyword Specify the keywords to filter the results. Specified keyword is searched in these fields: Keyword, Source Name, Developer Name, App Name.

NOTE: Leaving this parameter blank returns an empty response.

Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "developer_name": "",
            "download_count": "",
            "first_seen": "",
            "id": "",
            "index_ts": "",
            "keyword": "",
            "name": "",
            "size": "",
            "source_name": "",
            "status": "",
            "ticket_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Rogue App By ID

Input parameters

Parameter Description
Rogue App ID Specify the ID of the rogue app to get its details.

Output

The output contains the following populated JSON schema:

{
    "developer_name": "",
    "download_count": "",
    "first_seen": "",
    "id": "",
    "index_ts": "",
    "keyword": "",
    "name": "",
    "size": "",
    "source_name": "",
    "status": "",
    "ticket_id": ""
}

operation: Get Social Media Threats

Input parameters

Parameter Description
Search By Keyword (Optional) Specify a keyword to search in social media threats and retrieve results containing the specified keyword in profile name or handle name fields.
Media Type (Optional) Specify a social media platform to search in social media threats and retrieve results containing the specified social media platforms. You can specify multiple comma-separated social media platforms to retrieve social media threats containing the specified social media platforms. For example FACEBOOK,INSTAGRAM,TWITTER.
Profile Name (Optional) Specify a profile name to search and retrieve social media threats containing the specified profile name.
Handle Name (Optional) Specify a handle name to search and retrieve social media threats containing the specified handle name.
Is Verified (Optional) Select whether the profile or the handle name is verified to retrieve social media threats containing only verified profile or handle name. You can select one of the following options:
  • True
  • False
Status (Optional) Select a status to search in social media threats and retrieve results containing the specified status. You can select from following options:
  • Active
  • False Positive
  • Takedown
  • Resolved
Start Date (Optional) Select the start date of the range containing the date when a profile was added. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when a profile was added. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "added_ts": "",
            "followers_count": "",
            "friends_count": "",
            "handle_name": "",
            "id": "",
            "is_verified": "",
            "location": "",
            "media_type": "",
            "posts_count": "",
            "profile_creation_ts": "",
            "profile_name": "",
            "profile_url": "",
            "source_id": "",
            "status": "",
            "ticket_id": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

operation: Get Code Repo Exposures Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_action": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_attribute_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_risk_level": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Matched Domains Statistics

Input parameters

Parameter Description
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "count_by_matched_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Domain Threats Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_action": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_domain_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_tags": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Original Domains Statistics

Input parameters

Parameter Description
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "count_by_original_domain": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Open Bucket Exposures Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_accessibility_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_bucket_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_file_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Social Media Threats Statistics

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "count_by_is_verified": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_media_type": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    },
    "count_by_status": {
        "aggregations": [
            {
                "count": "",
                "id": ""
            }
        ],
        "total": ""
    }
}

operation: Get Tags

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "id": "",
            "name": ""
        }
    ]
}

operation: Get Takedown Requests

Input parameters

Parameter Description
Status (Optional) Select a status to search in take-down requests and retrieve results containing the specified status. You can select from following options:
  • Requested
  • Acknowledged
  • Initiated
  • Closed
Category (Optional) Select a category to search in take-down requests and retrieve results containing the specified category. you can select from the following options:
  • Phishing
  • Fraudulent Domains
  • Typosquatting
  • RogueApps
  • Alert
Keyword (Optional) Specify a keyword to search in take-down requests and retrieve results containing the specified keyword in ticket Id or entity fields. The entity field may contain domain name, title of a report, or Phished Domain.
Start Date (Optional) Select the start date of the range containing the date when the takedown was requested. Selecting a start date is mandatory if an End Date is selected.
End Date (Optional) Select the end date of the range containing the date when the takedown was requested. Default is the current date.
Page (Optional) Specify the page number from which to retrieve the results. Default value is 1.
Size (Optional) Specify the number of records to fetch per page. Default value is 10 and you can specify a maximum value of 500 per page.

Output

The output contains the following populated JSON schema:

{
    "hits": [
        {
            "category": "",
            "comment": "",
            "comment_at": "",
            "comment_by": "",
            "created_at": "",
            "entity": "",
            "is_client": "",
            "org_name": "",
            "progress": "",
            "requested_at": "",
            "requested_by_user": "",
            "requested_by_volon": "",
            "sla": "",
            "status": "",
            "takedown_request_id": "",
            "ticket_id": "",
            "ttr": ""
        }
    ],
    "page": "",
    "size": "",
    "total": ""
}

Included playbooks

The Sample - Fortinet FortiRecon Brand Protection - 2.0.0 playbook collection comes bundled with the Fortinet FortiRecon Brand Protection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiRecon Brand Protection connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next