It’s no secret that security operations teams are buried in tooling, telemetry and alerts. As the frontline teams in the security battle wage war against well-armed adversaries, the battle is as much for true signal in a sea of noise as it is for all-out cyber dominance. 

 

Fortinet has long been a leader in network security hardware and software. Whether it’s next generation firewalls or secure access service edge technologies, Fortinet is one of the largest publicly-traded, pure play cybersecurity providers on the market today. Over 800,000 customers rely on them to secure their organizations.

 

 

 

Fortinet Award-Winning SOAR Platform

 

Increasingly, companies are turning to Fortinet to help them manage their security operations as well. In fact, Fortinet recently earned the top spot in the coveted 2024 KuppingerCole Leadership Compass for Security Orchestration and Automation SOAR. It is Fortinet’s second year at the top of this list.

 

One of the keys to Fortinet’s success in this space is their robust ecosystem of integrations which enable low-friction adoption of FortiSOAR across a very wide range of security tooling

 

In our case, pulling in alphaMountain’s URL classification and IP intelligence means threat detection and response can be effortless with the integration of our data via one of two different alphaMountain connectors for FortiSOAR.

 

Threat Investigations & Incident Response

 

Use the alphaMountain Threat Response connector to interrogate or investigate any URL as part of an investigation or threat response playbook.

 

With the connector installed in your FortiSOAR instance, here are the functions you can invoke.

 

Function Description
Get Threat Score Retrieve threat rating scores stored in the alphaMountain.ai cloud for the provided URL or URI
Get URL Categories Fetch categories associated with an internet URL using alphaMountain’s statistical and neural network models, validated across multiple sources.

Note Category IDs are returned for performance reasons instead of textual category strings.

Get Likely Impersonated Domain for a URL Identifies domains that a URI may impersonate, which is crucial for detecting phishing, cyber-squatting, and typo domains.
Get Popularity of Domain Retrieves the popularity ranking of a domain or hostname within the last 24 hours.

 

These functions make individual calls to the alphaMountain API which then returns the verdicts directly into the workspace so analysts can move quickly to investigate threats. By implementing the alphaMountain Threat Response connector as a step in your playbooks, analysts will save time via automation and be able to act confidently in their responses.

 

 

 

Threat Hunting & Log Enrichment

 

The alphaMountain Feed connector enables threat hunting, log enrichment and further automation in your FortiSOAR environment. 

 

With the connector installed, you can call the ‘get_indicators’ function to begin automated operations in your playbooks.

 

Function Description Annotation and Category
Get Indicators Retrieves a list of all indicators from alphaMountain Feed. You can also filter the indicators retrieved from alphaMountain Feed based on the filter you have specified get_indicators

Investigation

 

There are also number of parameters which you can use to further refine the alphaMountain data pulled into the FortiSOAR connector.

 

Parameter Description
Start Date Specify the date time for the beginning of the feed record to fetch. Due to internal synchronization between servers, recent record timestamps may be delayed by up to six hours and thus the latest timestamp used should be now() – ‘6 hours’
Flags Specify the list of flags to exclude certain types of entries from the results. Possible values include “Exclude IP”,”Exclude Host”,”Exclude Path”,”Exclude Dead”.
Minimum Risk Specify a minimum risk score to include in the feed. Defaults to license entitlements
Maximum Risk Specify a maximum risk score to include in the feed. Defaults to license entitlements
Include Categories If you check this option, it will fetch newly classified and revalidated categorizations for retrieved feed indicators.

If you choose ‘true’

  • Categories: Specify a only list of categories to include in the returned feed. Defaults to license entitlements
Include Popularity If you check this option, it will fetch host popularity rankings for retrieved feed indicators.
Limit Specify a limit on the number of records returned. Defaults to license entitlements

 

This connector ingests large quantities (aka ‘feeds’) from the alphaMountain batch API into FortiSOAR for automating detection and response playbooks. You can also schedule ingests into FortiSOAR from the alphaMountain feed which is updated every hour.

 

alphaMountain API Key & Fortinet Integration Guides

 

Fortinet offers comprehensive guides to configuring and mapping the alphaMountain Threat Response and Feed connectors in FortiSOAR. The resources include:

 

Installing the alphaMountain Threat Response connector

Installing the alphaMountain Feed connector

Installing the FortiSOAR Threat Management solution pack (required for Feed automation)

 

Naturally, to take advantage of alphaMountain’s real-time domain and IP threat intelligence inside FortiSOAR, you’ll need an API key from us. We offer a no-pressure, 30-day free trial of our API which you can request here.