Collect data from FortiRecon

Overview

Where the vendor is Fortinet, it's product is Fortirecon. For Fortirecon, right now we have the following product types/endpoints:

Accounts
ACI
BP
EASM

Inside each of those endpoints we have the YAML file to configure.

This API endpoint returns the list of assets that have been marked as False Positive.

Configuration

Parameters

Domain (organizationId)

Secrets

Auth Token (fortireconAuth)

After entering the required parameters and secrets, you can choose to manually enter the EASM endpoint fields, or simply paste the desired YAML.

Configure as YAML

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "page"
  pageSize: 100
  isZeroIndex: false
  request:
    responseType: json
    method: GET
    url: https://api.fortirecon.forticloud.com/easm/${parameters.organizationId}/breaches
    headers:
      - name: Authorization
        value: ${secrets.fortireconAuth}
    queryParams:
      - name: page
        value: "${pagination.pageNumber}"
      - name: size
        value: "${pagination.pageSize}"
      - name: start_date
        value: ${temporalWindow.from}
      - name: end_date
        value: ${temporalWindow.to}
  output:
    select: ".hits"
    map: "."
    outputMode: element

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "page"
  pageSize: 100
  isZeroIndex: false
  request:
    responseType: json
    method: GET
    url: https://api.fortirecon.forticloud.com/easm/${parameters.organizationId}/leaked_creds
    headers:
      - name: Authorization
        value: ${secrets.fortireconAuth}
    queryParams:
      - name: page
        value: "${pagination.pageNumber}"
      - name: size
        value: "${pagination.pageSize}"
      - name: start_date
        value: ${temporalWindow.from}
      - name: end_date
        value: ${temporalWindow.to}
  output:
    select: ".hits"
    map: "."
    outputMode: element

Manually Configure

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - initial offset should be 0 (the latest alert).
Format - RCF3339

Authentication Phase

OFF

Enumeration Phase

OFF

Collection Phase

Pagination Type* - pageNumber/PageSize
Zero Index* - false
Page Size* - 100
Request
- Response Type* - JSON
- Method* - GET
- URL* - https://api.fortirecon.forticloud.com/easm/${parameters.organizationId}/breaches
- Headers -
  - Name - Authorization
  - Value - ${secrets.fortireconAuth}
- Query params
  - Name - page
  - Value - ${pagination.pageNumber}
  - Name - Size
  - Value - ${pagination.pageSize}
  - Name - start_date
  - Value - ${temporalWindow.from}
  - Name - end_date
  - Value - ${temporalWindow.to}
Output
- Select - .hits
- Map - .
- Output Mode - element

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousCollect data from Dropbox NextCollect data from Netskope

Last updated 11 days ago

Was this helpful?