FortiSIEM CMDB Malware URLs

Leave a reply
Malware URLs

The CMDB Malware URLs page lists URLs that are known to host malware.

The Threat Stream Malware URL group is included in your FortiSIEM deployment.

Updating System-Defined Malware URL Group

Current system defined groups are updated by its own service

Threat Stream Malware URL

FortiSandbox Malware URL Hail-A-Taxi Malware URL

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system defined group
  4. Click Update.
  5. Set Schedule
    1. Select Update Automatically to open the update scheduler and verify the URI of the update service.
    2. Set the schedule for how often you want the list to update from the service. c. Click OK.
    3. Click Save
  6. Set user name and password
    1. Select the link
    2. Click Edit
    3. Enter User Name and Password
    4. Set Data Format to Custom and Incremental
    5. Click Save

Manually Creating Malware URLs

  1. Create a group under Blocked URLs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked URL you want to add, and then click Save.

Custom Malware URL Threat Feed

This topic describes how to import Malware URL information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – GUI import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.

If the data is in comma separated value (CSV) format, then a simple integration is possible. Note that the separator need not be a comma but could be any separator.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed websites with built in support

The following websites are supported

Threat Stream Malware URL (https://api.threatstream.com)

FortiSandbox Malware URL

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware URLs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware URL
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – GUI import

This requires that the web site data has the following structure.

The file in comma separated value format (separator can be any special character such as space, tab, hash, dollar etc.)

One line has only one entry

Follow these steps.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Set Data Format to CSV
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the URL is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case where the website data format is not CSV. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case
    4. Select Custom as the Data Format.
    5. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
Malware Hashes

The CMDB Malware Hash page can be used to define a list of malware files and their hash functions. When FortiSIEM monitors a directory, it generates these directory events:

Directory Event Generated by
PH_DEV_MON_CUST_FILE_CREATE New file creation
PH_DEV_MON_CUST_FILE_SCAN Directory is scanned
PH_DEV_MON_CUST_FILE_CHANGE_CONTENT Changes in file content

When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.

Adding a New Malware Hash

  1. Log in to your Supervisor node.
  2. Go to CMDB > Malware Hash.
  3. Select a group where you want to add the malware hash, or create a new one.
  4. Click New.
  5. Enter information for the malware hash.

 

 

 

 

 

 

 

 

Updating System Defined Malware Hash Group

Current system defined groups are updated by its own service

Threat Stream Malware Hash FortiSandbox Malware Hash

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  1. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Manual Hash

  1. Create a group under Malware Hash as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Malware Hash you want to add, and then click Save.

Custom Malware Hash Threat Feed

This topic describes how to import Malware Hash information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed  websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. if the data is in the comma separated value format (the separator need not be a comma but could be any separator, then a simple integration is possible.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed websites with built in support

The following websites are supported

ThreatStream Malware Hash (https://api.threatstream.com)

FortiSandbox Malware Hash

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware Hash, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware Hash
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Hash is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed  websites – non-CSV data – programmatic import

This is the most general case where the website data format does not satisfy the previous conditions. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Low Hash is in first position, then choose 1 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Hash Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new

data from the website.

  1. The imported data will show on the right pane after some time.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.