Category Archives: FortiSIEM

FortiSIEM CMDB Devices

Leave a reply
Devices

You would typically add devices to the CMDB through the Discovering Infrastructure process. However, there may be situations in which you want to add devices to the CMDB manually. For example, you may not have access credentials for a device but still want to be able to include network information about it so that logs received by FortiSIEM can be parsed properly. These topics describe those situations and provide instructions for how to successfully add a device to the CMDB:

Adding Devices to the CMDB Outside of Discovery

Adding a Synthetic Monitoring Test to a Business Service

FortiSIEM CMDB Default Passwords

Leave a reply
Default Passwords

The CMDB Default Password page contains a list of default vendor credentials. These well-known credentials should never be used in production. During device discovery FortiSIEM checks if the device credentials are still set to default , and the system rule Default Password Detected by System triggers an incident if they are.

A sample raw event log for a default password incident:

 

<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:[phEventCategory]=2,[appTransportProto]=SNMP,[reptModel]=

 

Adding a New Default Password

  1. Log in to your Supervisor node.
  2. Go to CMDB > Default Passwords.
  3. Select a group where you want to add the default password, or create a new one.
  4. Click New.
  5. Select the Vendor and Model of the device for which you want to enter a default password.
  6. Select the Access Protocol that is used to connect to the device.
  7. Enter the default User Name and Password for the device.

 

 

 

 

 

 

 

 

 

 

 

FortiSIEM CMDB Creating CMDB Groups and Adding Objects to Them

Leave a reply
Creating CMDB Groups and Adding Objects to Them

In the CMDB browser pane you will see several categories, or groups, for each type of CMDB object. For example, under Applications, you will see the groups Infrastructure App, User App, and Ungrouped, with additional subcategorization within each of those groups. You can create your own groupings and add CMDB objects to them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. In the CMDB browser pane, select the type of CMDB object you want to create a group for, and then click +.
  4. Enter a Group name and Description.
  5. Under Select Group Members, select any existing groups from which you would like to add objects to your new group.

The group containing all the CMDB objects of this type is selected by default.

  1. Select the objects you want to add to the group, and then click >> to add them to the group.
  2. Click OK.

Your new group, and the objects it contains, will be listed under that CMDB object type in the CMDB browser pane. You can add objects directly to the group by selecting it in the CMDB browser pane, and then following the process for adding a new object.

 

 

FortiSIEM CMDB Country Groups

Leave a reply
Country Groups

The Country Groups page contains a list of all the country names in the FortiSIEM geolocation database. You can also create folders that represent different organizations of countries for use in Analytics.

Adding a New Country or Country Group

  1. Log in to your Supervisor node.
  2. Go to CMDB > Country Groups.
  3. Select an existing country group, or create a new one.
  4. Click New.
  5. Enter a name and description for the new country.
  6. Click Save.

FortiSIEM CMDB Malware URLs

Leave a reply
Malware URLs

The CMDB Malware URLs page lists URLs that are known to host malware.

The Threat Stream Malware URL group is included in your FortiSIEM deployment.

Updating System-Defined Malware URL Group

Current system defined groups are updated by its own service

Threat Stream Malware URL

FortiSandbox Malware URL Hail-A-Taxi Malware URL

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system defined group
  4. Click Update.
  5. Set Schedule
    1. Select Update Automatically to open the update scheduler and verify the URI of the update service.
    2. Set the schedule for how often you want the list to update from the service. c. Click OK.
    3. Click Save
  6. Set user name and password
    1. Select the link
    2. Click Edit
    3. Enter User Name and Password
    4. Set Data Format to Custom and Incremental
    5. Click Save

Manually Creating Malware URLs

  1. Create a group under Blocked URLs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked URL you want to add, and then click Save.

Custom Malware URL Threat Feed

This topic describes how to import Malware URL information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – GUI import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.

If the data is in comma separated value (CSV) format, then a simple integration is possible. Note that the separator need not be a comma but could be any separator.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed websites with built in support

The following websites are supported

Threat Stream Malware URL (https://api.threatstream.com)

FortiSandbox Malware URL

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware URLs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware URL
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – GUI import

This requires that the web site data has the following structure.

The file in comma separated value format (separator can be any special character such as space, tab, hash, dollar etc.)

One line has only one entry

Follow these steps.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Set Data Format to CSV
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the URL is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case where the website data format is not CSV. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case
    4. Select Custom as the Data Format.
    5. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
Malware Hashes

The CMDB Malware Hash page can be used to define a list of malware files and their hash functions. When FortiSIEM monitors a directory, it generates these directory events:

Directory Event Generated by
PH_DEV_MON_CUST_FILE_CREATE New file creation
PH_DEV_MON_CUST_FILE_SCAN Directory is scanned
PH_DEV_MON_CUST_FILE_CHANGE_CONTENT Changes in file content

When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.

Adding a New Malware Hash

  1. Log in to your Supervisor node.
  2. Go to CMDB > Malware Hash.
  3. Select a group where you want to add the malware hash, or create a new one.
  4. Click New.
  5. Enter information for the malware hash.

 

 

 

 

 

 

 

 

Updating System Defined Malware Hash Group

Current system defined groups are updated by its own service

Threat Stream Malware Hash FortiSandbox Malware Hash

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  1. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Manual Hash

  1. Create a group under Malware Hash as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Malware Hash you want to add, and then click Save.

Custom Malware Hash Threat Feed

This topic describes how to import Malware Hash information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed  websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. if the data is in the comma separated value format (the separator need not be a comma but could be any separator, then a simple integration is possible.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed websites with built in support

The following websites are supported

ThreatStream Malware Hash (https://api.threatstream.com)

FortiSandbox Malware Hash

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware Hash, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware Hash
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Hash is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed  websites – non-CSV data – programmatic import

This is the most general case where the website data format does not satisfy the previous conditions. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Low Hash is in first position, then choose 1 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Hash Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new

data from the website.

  1. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware IPs

Leave a reply
Malware IPs

The CMDB Malware IPs page lists IP addresses that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The two default groups included in your FortiSIEM deployment, Emerging Threats and Zeus, contain IP addresses that are derived from the websites rules.emergingthreats.net and zeustracker.abuse.ch. Because malware IP addresses are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System-Defined Malware IP Groups

System defined groups are Emerging Threats and Zeus, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  1. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Malware IP Addresses and Groups

  1. Create a group under Blocked IPs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked IP address you want to add, and then click Save.

Custom Malware IP Threat Feed

This topic describes how to import Malware IP information into FortiSIEM from external threat feed websites.

Prerequisites

Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. if the data is in the comma separated value format (the separator need not be a comma but could be any separator, then a simple integration is possible.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Websites with built in support

The following websites are supported

Emerging threat (http://rules.emergingthreats.net)

Zeus (https://zeustracker.abuse.ch)

Threat Stream Malware IP (https://api.threatstream.com)

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

For Threat Stream Malware IP, the following Malware types are imported

Bot IP

Actor IP

APT Email

APT IP

Bruteforce IP

Compromised IP

Malware IP

DDoS IP

Phishing email IP

Phish URL IP

Scan IP

Spam IP

To import data from these websites, follow these steps

  1. In the CMDB > Malware IPs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware IP
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP is in third position, then choose 3 in the Position
    7. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case where the website data format does not satisfy the previous conditions. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Low IP is in first position, then choose 1 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware Domains

Leave a reply
Malware Domains

The CMDB Malware Domains page lists domains that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The three default groups included in your FortiSIEM deployment, MalwareDomainList, Zeus Domains, and SANS Domains, contain malware domains that are derived from the websites malwaredomainlist.com, zeustracker.abuse.ch, and isc.sans.edu. Because malware domains are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System Defined Malware Domain Groups

System defined groups are MalwareDomainList, Zeus Domains, and SANS Domains, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

Setting Schedule

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.

Adding/Removing entries

  1. If you want to remove a domain or set of domains from the group, clear the Enable selection next to the domain name, and then click Co ntinue to confirm.

The domain will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  1. If you want to add a malware domain to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Changing to STIX/TAXII

If the system defined threat feeds are available via STIX/TAXII, then check the STIX/TAXII box.

Manually Creating Malware Domains and Groups

  1. Create a group under Blocked Domains as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked Domain you want to add, and then click Save.

Custom Malware Domain Threat Feed

This topic describes how to import malware domain information into FortiSIEM from external threat feed websites.

Pre-requisites

Threat feed Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Pre-requisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. if the data is in the comma separated value format (the separator need not be a comma but could be any separator, then a simple integration is possible.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed Websites with built in support

The following websites are supported

Malware domain list (http://www.malwaredomainlist.com)

Zeus domains (https://zeustracker.abuse.ch)

SANS Domains (https://isc.sans.edu/feeds/)

Threat Stream Domains  (https://api.threatstream.com)

Hail-A-TAXII Domains  (http://hailataxii.com/)

For Threat Stream the following malware domain types are included

Command and Control Domain

Compromised Domain

Malware Domain

Dynamic DNS Domain

APT Domain

To import data from these websites, follow these steps

  1. In the CMDB > Malware Domains, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the domain name is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case where the website data format does not satisfy the previous conditions. In this case, user has to write a Java plugin class by modifying the default system provided one. Follow instructions in the FortiSIEM ServiceAPI available at FortiSIEM support portal under FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the domain name is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created. 5. Select Update via API
  5. For Website, Click Add.
  6. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  7. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  8. The imported data will show on the right pane after some time.

FortiSIEM CMDB Applications

Leave a reply
Applications

Applications in the CMDB are grouped at the highest level by Infrastructure and User apps, with further sub-categorization in each of those two categories.

Adding an Application

  1. Log in to your Supervisor node.
  2. Go to CMDB > Applications.
  3. Create a new application group or select an existing one.
  4. Click New.
  5. Enter an Application Name and Process.
  6. Enter any other information for the application.
  7. Click Save.