Collect data from FortiRecon

Overview

Where the vendor is Fortinet, it's product is Fortirecon. For Fortirecon, right now we have the following product types/endpoints:

• Accounts

• ACI

• BP

• EASM

Inside each of those endpoints we have the YAML file to configure.

This API endpoint returns the list of assets that have been marked as False Positive.

Configuration

Parameters

• Domain (organizationId)

Secrets

• Auth Token (fortireconAuth)

To add a Secret, open the Secret fields and click New secret:

• Give the secret a Name.

• Turn off the Expiration date option.

• Click Add new value and paste the secret corresponding to the value.

• Click Save.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the EASM endpoint fields, or simply paste the desired YAML.

Configure as YAML

Manually Configure

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

• Duration - 5 minutes (5m) as default, adjust based on your needs.

• Offset - 5m

• Format - RCF3339

Authentication Phase

OFF

Enumeration Phase

OFF

Collection Phase

• Pagination Type* - pageNumber/PageSize

• Zero Index* - false

• Page Size* - 100

• Request

  • Response Type* - JSON

  • Method* - GET

  • URL* - https://api.fortirecon.forticloud.com/easm/${parameters.organizationId}/breaches

  • Headers -

    • Name - Authorization

    • Value - ${secrets.fortireconAuth}

  • Query params

    • Name - page

    • Value - ${pagination.pageNumber}

    • Name - Size

    • Value - ${pagination.pageSize}

    • Name - start_date

    • Value - ${temporalWindow.from}

    • Name - end_date

    • Value - ${temporalWindow.to}

• Output

  • Select - .hits

  • Map - .

  • Output Mode - element

Click Create labels to move on to the next step and define the required Labels if needed.