FortiSIEM CMDB Malware IPs

Malware IPs

The CMDB Malware IPs page lists IP addresses that are known to generate spam, host botnets, launch DDoS attacks, and otherwise serve malware. The two default groups included in your FortiSIEM deployment, Emerging Threats and Zeus, contain IP addresses derived from the websites rules.emergingthreats.net and zeustracker.abuse.ch. Because malware IP addresses shift constantly, FortiSIEM recommends maintaining a dynamically generated list from services such as these, updated on a regular schedule. You can also add or remove blocked IP addresses in these system-defined groups, and create your own groups by entering IP addresses manually or uploading a file.

Updating System-Defined Malware IP Groups

The system-defined groups are Emerging Threats and Zeus, which are updated by their corresponding services. You can set them to update automatically on a schedule, or add or remove individual IP addresses from them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  9. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Malware IP Addresses and Groups

  1. Create a group under Blocked IPs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked IP address you want to add, and then click Save.

Custom Malware IP Threat Feed

This topic describes how to import Malware IP information into FortiSIEM from external threat feed websites.

Prerequisites

Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about the threat feed website:

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma-separated value format (the separator need not be a comma; any separator will do), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for the integration using the FortiSIEM-provided framework.

Websites with built in support

The following websites are supported:

Emerging threat (http://rules.emergingthreats.net)

Zeus (https://zeustracker.abuse.ch)

Threat Stream Malware IP (https://api.threatstream.com)

Hail-A-TAXII Malware IP (http://hailataxii.com/)

For Threat Stream Malware IP, the following malware types are imported:

Bot IP

Actor IP

APT Email

APT IP

Bruteforce IP

Compromised IP

Malware IP

DDoS IP

Phishing email IP

Phish URL IP

Scan IP

Spam IP

To import data from these websites, follow these steps:

  1. In CMDB > Malware IPs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters: when to start and how often to import. FortiSIEM recommends importing no more frequently than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma-separated value format. The required format is

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse, enter the file name, and click Upload.
  7. The imported data will show in the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify it for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and its corresponding position in the website data. For example, if the IP is in the third position, choose 3 for Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import new data from the website.
  9. The imported data will show in the right pane after some time.
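The Data Mapping step above maps each field to a 1-based column position and a field separator. The following Python script, added here as an illustration and not FortiSIEM's own mapping plugin, shows what that mapping has to do with real feed data: split each line on the configured separator, pick out the mapped columns, and drop the lines a feed typically contains that must not become blocked entries (comments, blank lines, rows too short for the mapping, and values that are not IPv4 addresses). The feed text, the field names and the CIDR-to-range expansion are constructed for this example; whether FortiSIEM's own mapping accepts CIDR notation is not stated on this page.

```python
"""Position-based CSV threat-feed mapping, as the Data Mapping dialog describes
it: each mapped field is given a 1-based column position, and a separator is
configured.  Added example; not FortiSIEM code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample feed (assumption: a typical plain-text feed).  Column 1
# is a timestamp, column 2 the malware IP, column 3 a free-text reason.  The
# separator is a semicolon to show it need not be a comma.  The comment line,
# the non-IP value and the short row are deliberate bad input.
SAMPLE_FEED = """# constructed sample feed; generated 2024-01-01
2024-01-01T00:00:00;192.0.2.10;botnet c2
2024-01-01T00:05:00;192.0.2.20;spam source
2024-01-01T00:10:00;not-an-ip;garbage row
2024-01-01T00:15:00
2024-01-01T00:20:00;198.51.100.0/24;scanner range
"""

# Mapping as it would be entered in the dialog: mapped field -> 1-based position.
# Field names are constructed for this example.
MAPPING = {"ip": 2, "description": 3}


def ip_range(value: str) -> Optional[Tuple[str, str]]:
    """Return (low_ip, high_ip) for a single IPv4 address or a CIDR block,
    or None when the value is not an IPv4 address/network at all."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None
    if net.version != 4:
        return None
    return str(net[0]), str(net[-1])


def parse_feed(text: str, separator: str, mapping: Dict[str, int]) -> List[Dict[str, str]]:
    """Produce one entry per usable feed line.  Lines that are blank, commented,
    too short for the highest mapped position, or whose IP column does not parse
    are skipped rather than imported."""
    needed = max(mapping.values())
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(separator)]
        if len(cols) < needed:
            continue
        entry = {field: cols[pos - 1] for field, pos in mapping.items()}
        rng = ip_range(entry.get("ip", ""))
        if rng is None:
            continue
        entry["low_ip"], entry["high_ip"] = rng
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_feed(SAMPLE_FEED, ";", MAPPING):
        print(e["low_ip"], e["high_ip"], e["description"])
```

Three of the five data lines survive: the `not-an-ip` row and the row with only one column are rejected, and the /24 is expanded to its first and last address so it can be stored as a Low IP / High IP pair. Checking the feed this way before pointing FortiSIEM at it is a quick way to confirm that the separator and positions you are about to enter in the dialog actually line up with the data.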

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI documentation, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, enter the custom Java class written for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and its corresponding position in the website data. For example, if the Low IP is in the first position, choose 1 for Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import new data from the website.
  9. The imported data will show in the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose STIX-TAXII and Full.
    4. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import new data from the website.
  9. The imported data will show in the right pane after some time.

This entry was posted in Administration Guides, FortiSIEM.
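With STIX data there are no columns to map: the IP addresses live inside indicator patterns, and each indicator carries its own validity window and revocation flag. The Python below is an added example, not FortiSIEM's STIX-TAXII plugin, showing the extraction a STIX import has to perform. It assumes a STIX 2.1 JSON bundle of the kind a TAXII 2 collection returns; the STIX version a particular feed serves, and what the FortiSIEM plugin accepts, may differ. The bundle, its identifiers and its addresses are constructed for the example.

```python
"""Extract IPv4 indicators from a STIX 2.1 bundle, honouring revocation and
valid_until.  Added example; not FortiSIEM's STIX-TAXII plugin."""
import json
import re
from datetime import datetime, timezone
from typing import List

# Constructed sample bundle (assumption: STIX 2.1 JSON).  Indicator 1 names a
# single address, indicator 2 ORs two addresses, indicator 3 is a domain name
# and is not an IP, indicator 4 has expired, indicator 5 was revoked.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.6' OR ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'example.invalid']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.99']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-03-01T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.50']",
         "valid_from": "2024-01-01T00:00:00Z", "revoked": True},
    ],
})

# STIX ipv4-addr values may be a single address or CIDR notation, hence the '/'.
IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9./]+)'")


def parse_stix_time(value: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z', optionally with
    fractional seconds; both forms are accepted here."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_ipv4_indicators(bundle_json: str, now: datetime) -> List[str]:
    """Return the distinct IPv4 values from live (non-revoked, unexpired)
    indicators, in bundle order."""
    ips: List[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and parse_stix_time(until) <= now:
            continue
        for ip in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            if ip not in ips:
                ips.append(ip)
    return ips


if __name__ == "__main__":
    print(extract_ipv4_indicators(SAMPLE_BUNDLE, datetime.now(timezone.utc)))
```

Run against the sample on 2024-06-01, only 203.0.113.5, 203.0.113.6 and 203.0.113.7 come out: the domain indicator has no address to block, the expired one is past its `valid_until`, and the revoked one is excluded. Dropping expired and revoked indicators matters for a blocking list, since otherwise a feed that has already withdrawn an address keeps it blocked on your side.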

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
