It’s no secret that security operations teams are buried in tooling, telemetry and alerts. As the frontline teams in the security battle wage war against well-armed adversaries, the battle is as much for true signal in a sea of noise as it is for all-out cyber dominance.
Fortinet has long been a leader in network security hardware and software. Whether it’s next generation firewalls or secure access service edge technologies, Fortinet is one of the largest publicly-traded, pure play cybersecurity providers on the market today. Over 800,000 customers rely on them to secure their organizations.
Fortinet Award-Winning SOAR Platform
Increasingly, companies are turning to Fortinet to help them manage their security operations as well. In fact, Fortinet recently earned the top spot in the coveted 2024 KuppingerCole Leadership Compass for Security Orchestration and Automation SOAR. It is Fortinet’s second year at the top of this list.
One of the keys to Fortinet’s success in this space is their robust ecosystem of integrations which enable low-friction adoption of FortiSOAR across a very wide range of security tooling
In our case, pulling in alphaMountain’s domain and IP intelligence means threat detection and response can be effortless with the integration of our data via one of two different alphaMountain connectors for FortiSOAR.
Threat Investigations & Incident Response
Use the alphaMountain Threat Response connector to interrogate or investigate any URL as part of an investigation or threat response playbook.
With the connector installed in your FortiSOAR instance, here are the functions you can invoke.
| Function | Description |
| Get Threat Score | Retrieve threat rating scores stored in the alphaMountain.ai cloud for the provided URL or URI |
| Get URL Categories | Fetch categories associated with an internet URL using alphaMountain’s statistical and neural network models, validated across multiple sources.
Note Category IDs are returned for performance reasons instead of textual category strings. |
| Get Likely Impersonated Domain for a URL | Identifies domains that a URI may impersonate, which is crucial for detecting phishing, cyber-squatting, and typo domains. |
| Get Popularity of Domain | Retrieves the popularity ranking of a domain or hostname within the last 24 hours. |
These functions make individual calls to the alphaMountain API which then returns the verdicts directly into the workspace so analysts can move quickly to investigate threats. By implementing the alphaMountain Threat Response connector as a step in your playbooks, analysts will save time via automation and be able to act confidently in their responses.
Threat Hunting & Log Enrichment
The alphaMountain Feed connector enables threat hunting, log enrichment and further automation in your FortiSOAR environment.
With the connector installed, you can call the ‘get_indicators’ function to begin automated operations in your playbooks.
| Function | Description | Annotation and Category |
| Get Indicators | Retrieves a list of all indicators from alphaMountain Feed. You can also filter the indicators retrieved from alphaMountain Feed based on the filter you have specified | get_indicators
Investigation |
There are also number of parameters which you can use to further refine the alphaMountain data pulled into the FortiSOAR connector.
| Parameter | Description |
| Start Date | Specify the date time for the beginning of the feed record to fetch. Due to internal synchronization between servers, recent record timestamps may be delayed by up to six hours and thus the latest timestamp used should be now() – ‘6 hours’ |
| Flags | Specify the list of flags to exclude certain types of entries from the results. Possible values include “Exclude IP”,”Exclude Host”,”Exclude Path”,”Exclude Dead”. |
| Minimum Risk | Specify a minimum risk score to include in the feed. Defaults to license entitlements |
| Maximum Risk | Specify a maximum risk score to include in the feed. Defaults to license entitlements |
| Include Categories | If you check this option, it will fetch newly classified and revalidated categorizations for retrieved feed indicators.
If you choose ‘true’
|
| Include Popularity | If you check this option, it will fetch host popularity rankings for retrieved feed indicators. |
| Limit | Specify a limit on the number of records returned. Defaults to license entitlements |
This connector ingests large quantities (aka ‘feeds’) from the alphaMountain batch API into FortiSOAR for automating detection and response playbooks. You can also schedule ingests into FortiSOAR from the alphaMountain feed which is updated every hour.
alphaMountain API Key & Fortinet Integration Guides
Fortinet offers comprehensive guides to configuring and mapping the alphaMountain Threat Response and Feed connectors in FortiSOAR. The resources include:
Installing the alphaMountain Threat Response connector
Installing the alphaMountain Feed connector
Installing the FortiSOAR Threat Management solution pack (required for Feed automation)
Naturally, to take advantage of alphaMountain’s real-time domain and IP threat intelligence inside FortiSOAR, you’ll need an API key from us. We offer a no-pressure, 30-day free trial of our API which you can request here.